API Security: What's the Difference between Private/Partner/Public and Internal/External APIs?

API security matters, as recent incidents such as the Peloton API leak show. One recurring source of problems is that private APIs (the ones consumed by an organization's own applications) are assumed not to need securing, so their security is managed poorly. That assumption is especially risky when those APIs are exposed externally.
In this video, we discuss the basics of two axes of API security:
- Who is an API for? This is where the private/partner/public distinction comes in. It is not primarily a security question, though; its focus is on which consumers an API is designed for.
- Where is an API available? This is where the internal/external distinction comes in. Some APIs are only reachable from the internal network, but many private APIs still have to be externally available because their consumers (a first-party mobile app, for example) are not on the organization's internal network.
Treating these two axes consciously and separately helps reduce the risk of API security issues. Generally speaking, zero trust is the right stance for APIs: an API trusts neither the network a request arrives from nor the user making it until the request has been properly authenticated and authorized. In particular, "the request came from inside" is not a credential, and "the caller is authenticated" does not by itself mean the caller may access the specific resource requested.
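The two axes above and the zero-trust stance can be made concrete in a small request handler. The following is an added example written for this page, not code from the video or its author: routes carry an audience (who the API is for), requests carry a source address (where the call comes from), and a `trust_network` flag reproduces the risky pattern of letting "internal" traffic skip authentication. The token format, HMAC key, user records, routes and address ranges are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values for this example: the HMAC key behind the demo token
# format, and the address ranges this deployment calls "internal".
TOKEN_KEY = b"demo-key-not-for-production"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed user records, keyed by user id.
USERS = {
    "u1": {"name": "alice", "email": "alice@example.test"},
    "u2": {"name": "bob", "email": "bob@example.test"},
}

# Axis 1, who the API is for: each route lists the consumer classes allowed to call it.
ENDPOINTS = {
    "/v1/users/{id}": {"private"},                    # first-party apps only
    "/v1/catalog": {"private", "partner", "public"},  # anyone holding a token
    "/v1/partner/bulk-export": {"partner"},           # selected partners only
}

def mint_token(sub: str, aud: str) -> str:
    """Demo bearer token 'sub.aud.hmac'; stands in for a JWT or opaque token."""
    sig = hmac.new(TOKEN_KEY, f"{sub}.{aud}".encode(), hashlib.sha256).hexdigest()
    return f"{sub}.{aud}.{sig}"

def verify_token(token: str) -> Optional[dict]:
    """Return the token's claims if the signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    sub, aud, sig = parts
    expected = hmac.new(TOKEN_KEY, f"{sub}.{aud}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return {"sub": sub, "aud": aud}

def is_internal(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERNAL_NETS)

def match_route(path: str):
    """Map a request path to a route template and its path parameters."""
    parts = path.strip("/").split("/")
    for template in ENDPOINTS:
        tparts = template.strip("/").split("/")
        if len(tparts) != len(parts):
            continue
        params = {}
        for t, p in zip(tparts, parts):
            if t.startswith("{") and t.endswith("}"):
                params[t[1:-1]] = p
            elif t != p:
                break
        else:
            return template, params
    return None, {}

@dataclass
class Request:
    path: str
    src_ip: str
    token: Optional[str] = None

def handle(req: Request, trust_network: bool = False):
    """Return (status, body). trust_network=True reproduces the risky pattern:
    requests from 'internal' addresses skip authentication entirely."""
    # Step 1, authentication. Under zero trust the source network is not a credential.
    if trust_network and is_internal(req.src_ip):
        # Implicit trust: there is no identity to check against, so "*" gets everything.
        principal = {"sub": "*", "aud": "private"}
    else:
        principal = verify_token(req.token) if req.token else None
        if principal is None:
            return 401, {"error": "authentication required"}

    route, params = match_route(req.path)
    if route is None:
        return 404, {"error": "not found"}

    # Step 2, audience authorization (axis 1): may this consumer class call this route?
    if principal["aud"] not in ENDPOINTS[route]:
        return 403, {"error": "audience not allowed"}

    # Step 3, object-level authorization: being authenticated is not enough;
    # a user may only read their own record.
    if route == "/v1/users/{id}":
        uid = params["id"]
        if uid not in USERS:
            return 404, {"error": "no such user"}
        if principal["sub"] not in ("*", uid):
            return 403, {"error": "not your resource"}
        return 200, USERS[uid]
    if route == "/v1/catalog":
        return 200, {"products": ["basic", "pro"]}
    return 200, {"exported_users": len(USERS)}

if __name__ == "__main__":
    alice = mint_token("u1", "private")
    print(handle(Request("/v1/users/u2", "10.1.2.3"), trust_network=True))  # 200: leaks bob
    print(handle(Request("/v1/users/u2", "10.1.2.3")))                      # 401
    print(handle(Request("/v1/users/u2", "203.0.113.7", alice)))            # 403
```

The first call in the `__main__` block is the failure mode the video describes: an unauthenticated request from an "internal" address reads another user's record because the network was treated as a credential. With `trust_network` left at its default, the same request gets a 401, and an authenticated first-party user still gets a 403 for someone else's record because the object-level check runs separately from authentication.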

00:00 Intro
00:56 API Consumers: Who and Where?
01:43 Private/Partner/Public APIs
04:06 Internal/External API Exposure
05:37 Zero Trust Security
Comments

Thanks a lot for this Erik! It's great to hear your perspective on this.

I ended up splitting one field (visibility) into two:
1. Visibility
Open - The product will be visible on the portal without needing to log in.
Hidden - The product will only be visible to logged-in users.

2. Audience
PUBLIC - Self-Service.
"Public" means that the product is included in the product catalog; the customer can still choose whether the product is Open or Hidden. If the consumer can see the product, then they can subscribe to it.

PARTNER - For some chosen Partners.
"Partner" means that the product is not available to general users, regardless of whether they are logged in. The only visibility option when Partner is selected is "Hidden." In order to get access to a Partner product, the customer must create a new subscription and associate this product with this consumer. Once there is a subscription with this product, the Partner can see the product in the portal.

allanknabe

It would be interesting to have a structured course from you (and maybe partnered with Mike Amundsen) on proper API planning, implementation, architecture, security, etc. Something on Udemy or something like that.

DesignfulDev