What is API Security?

Modern identity and access management (IAM) provides a wide range of capabilities required to secure application programming interfaces (APIs).

An application programming interface (API) is a defined software interface that allows two applications to communicate with one another.

API security is critical to ensuring that backend applications and services are protected from unauthenticated and unauthorized callers. By checking and enforcing the identity bound to each request, and protecting data both at rest and in transit, providers can maintain data confidentiality and integrity and meet local regulatory requirements, including alignment with the Financial-grade API (FAPI) standards of the OpenID Foundation's FAPI Working Group: FAPI 1.0 and the soon-to-be-published FAPI 2.0 specifications.

Identity-enabled FAPI can be compared to a well-insulated plumbing system that prevents unwanted leaks. By taking advantage of standards such as OAuth 2.0, OpenID Connect (OIDC), Security Assertion Markup Language (SAML), and User-Managed Access (UMA) 2.0, providers can ensure that callers of API endpoints have passed the appropriate authentication checks (presenting verifiable identity assertions) and hold the appropriate authorization, so that only the intended scope of access is granted to the data exposed via the API. In other words, providers can ensure that users granted access to the API are who they claim to be and that they cannot do anything they are not allowed to do. API security also logs and audits the actions of authenticated users so that they are held accountable for what they do while interacting with the API.

[Image: API Security in Action]

The ForgeRock Identity Gateway provides a full suite of capabilities required to enforce FAPI-grade security within a provider's existing ecosystem and API architecture, enabling single sign-on (SSO) and single sign-out experiences while significantly reducing exposure to denial-of-service (DoS and DDoS) attacks through throttling and fine-grained authorization. Authentication filters allow APIs to be protected with JSON Web Tokens (JWT), OAuth 2.0 and OIDC, so that every request reaching the backend carries a verified identity. Throttling helps providers ensure a consistent level of service by limiting API access according to business requirements, with configurable limits by time period (for example per day or per week), user, domain, IP address, and/or subscription level.

Throttling lets providers regulate fluctuations in API traffic volume and identify and counteract abusive or DoS traffic; it complements the authorization capabilities of the ForgeRock Identity Gateway, which acts as an independent policy enforcement point built on OAuth 2.0 and SAML standards. Note that gateway-level throttling addresses application-layer abuse; volumetric DDoS still requires network-level protection upstream of the gateway. The gateway also helps providers accelerate their API configuration work with a design studio that lets developers configure ForgeRock Identity Gateway once for a test or production environment, saving time and resources. Returning to the plumbing analogy, ForgeRock Identity Gateway gives skilled trade professionals the ability to control inflow, outflow, and retention of water within given sections of the end-to-end system, while monitoring flow metrics in real time.
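The checks described in the two paragraphs above (authenticating the caller's token, limiting the caller's request rate, granting only the scope the token carries, and recording every decision for audit) are shown below as a minimal policy-enforcement filter. This is an added example written for this page, not code from ForgeRock Identity Gateway. HS256 with a shared key is used only so the example runs with the Python standard library; a FAPI deployment must verify an asymmetric signature (PS256 or ES256) against the authorization server's published JWKS. The issuer, audience, route names, scopes and rate limit are assumptions.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Constructed for this example. HS256 with a shared key is used only so the code runs
# with the standard library; a FAPI deployment must verify an asymmetric signature
# (PS256 or ES256) against the authorization server's published JWKS.
SHARED_KEY = b"example-gateway-key-not-for-production"
EXPECTED_ISSUER = "https://as.example.com"   # assumed authorization server
EXPECTED_AUDIENCE = "accounts-api"           # assumed audience of the protected API
ALLOWED_ALGS = {"HS256"}                     # allow-list: "none" and alg switching are rejected
ROUTE_SCOPES = {"/accounts": "accounts", "/payments": "payments"}   # assumed routes

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, key: bytes = SHARED_KEY, alg: str = "HS256") -> str:
    """Stand-in for the authorization server. The alg parameter only sets the header,
    so a token can be minted with a disallowed alg to show the gateway refuses it."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, now: float, key: bytes = SHARED_KEY) -> dict:
    """Authentication: algorithm allow-list, signature, issuer, audience and lifetime."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:                       # covers bad base64, bad JSON, wrong part count
        raise PermissionError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if header.get("alg") not in ALLOWED_ALGS:
        raise PermissionError("algorithm not allowed")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise PermissionError("bad signature")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise PermissionError("wrong audience")  # a token minted for another API is refused
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise PermissionError("token expired or not yet valid")   # a missing exp also fails
    return claims

class Throttle:
    """Sliding-window limit per key (the client here; could equally be IP or subscription tier)."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()                      # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class GatewayFilter:
    """Policy enforcement point: authenticate, throttle, authorize by scope, audit every decision."""
    def __init__(self, throttle: Throttle):
        self.throttle = throttle
        self.audit_log = []                  # a real gateway ships these to an audit service

    def handle(self, path: str, auth_header: str, now: float) -> dict:
        record = {"ts": now, "path": path, "sub": None, "client": None}
        if not auth_header.startswith("Bearer "):
            return self._decide(record, 401, "no bearer token")
        try:
            claims = verify_token(auth_header[len("Bearer "):], now)
        except PermissionError as e:
            return self._decide(record, 401, str(e))
        record["sub"], record["client"] = claims.get("sub"), claims.get("client_id")
        if not self.throttle.allow(record["client"] or "unknown-client", now):
            return self._decide(record, 429, "rate limit exceeded")
        needed = ROUTE_SCOPES.get(path)
        if needed is None:
            return self._decide(record, 404, "unknown route")
        if needed not in claims.get("scope", "").split():
            return self._decide(record, 403, f"missing scope {needed}")
        return self._decide(record, 200, "allowed")

    def _decide(self, record: dict, status: int, reason: str) -> dict:
        record.update(status=status, reason=reason)
        self.audit_log.append(record)        # accountability: who did what, and the outcome
        return {"status": status, "reason": reason}
```

The order of checks matters: the token is verified before the throttle is consulted so that the rate limit can be keyed on an authenticated client rather than on whatever an attacker puts in the header, and the audit record is written for denied requests as well as allowed ones, which is what makes the log useful for investigating abuse.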

Secure FAPIs are critical in highly regulated industries such as financial services and healthcare, ensuring that data is protected both at rest and in transit across API endpoints. Identity-enabled FAPIs have been particularly critical to the development of highly regulated Open Banking and Open Finance systems in the United Kingdom, European Union, and Australia. The ForgeRock open source Secure API Gateway for Open Banking (SAPI-G) helps financial service providers and their trusted third-party providers (TPPs) achieve compliance with PSD2 (and the forthcoming PSD3/PSR1), the FAPI specifications, and Open Banking API requirements. These, in turn, enable financial service providers to deepen relationships with their customers through personalization, up-sell, and trust assurance, while customers' personal financial data is opened up to TPPs in exchange for revenue-generating services.

The ForgeRock Secure API Gateway for Open Banking helps financial services providers deliver both test and production Open Banking and custom APIs from one framework, enforced by the ForgeRock Identity Platform. Building Open Banking and custom APIs can now be done in weeks, not months or years, producing significant cost savings for those providers. ForgeRock has worked closely with the Open Banking Implementation Entity (OBIE; now Open Banking Limited) to deliver a comprehensive range of test APIs aligned with the UK Open Banking API specifications, and continues to offer the service to other banks interested in accelerating their Open Banking investments.

Secure API Gateway for Open Banking

Securing APIs with modern IAM capabilities is increasingly important with the growth of the wider API economy. Indeed, the API management market alone is estimated to be worth $41.5 billion by 2030 with a 34.5% compound annual growth rate (CAGR). Financial-grade APIs, or FAPIs, are also seen as a critical driver of the embedded finance (worth an estimated $7 trillion by 2030), Open Banking (worth an estimated $20.1 billion in 2022 with a 27.2% CAGR), and Open Finance (worth an estimated $41.4 billion with a 24.4% CAGR) opportunities worldwide. Without secure, identity-enabled APIs, providers would be unable to expand both their internal (connecting multiple identity-dependent systems and data sources) and external (connecting multiple TPP systems and data sources) ecosystems, and thus unable to compete in an increasingly digital age. Harnessing identity-enabled secure APIs helps providers open up and accelerate new revenue streams, mitigate account takeover (consumer-facing APIs) and unauthorized access (workforce-facing APIs) risks, and achieve regulatory compliance while significantly reducing total cost of ownership (TCO).