What Is API Ownership and How Can It Help Your Team?
APIs have become the nervous-system equivalent for data and telemetry (logs, traces, and metrics) transmission in and around contemporary organizations. Keeping them secure should be one of a business's top priorities. Deciding which APIs to deploy, how they work, and who has access to the data they pass and extract leads us to the topic of today's post: API ownership.
To be more specific, this article exposes numerous API ownership roles, responsibilities, and best practices. But before we jump into these topics, it's worth making sure you have a working knowledge of the core subject. We'll do this by defining a single meaning for API ownership.
API Ownership: A Definition
You may have used open APIs from other companies to access specific datasets from their applications. This effectively means that the organization as an entity owns the API. However, when you look closer, different personas are responsible for a variety of aspects of every API. One person may have come up with the idea, and someone else might have written the code. Yet another person may be in charge of maintaining it.
In light of the above, ownership refers to the actors and activities around the safe and efficient function of an organization's APIs. Leaving the roles and responsibilities open ended in this definition is intentional. After all, organizations seldom adopt identical roles and assign the very same responsibilities for every single API they own.
Typical API Ownership Roles and Responsibilities
With the definition out of the way, let's inspect a few template roles and responsibility situations. The plan here is to prove how API ownership works and hopefully prove that it's by far the best approach to a safe and efficient API strategy. You may also note how ownership differs based on the function of an API.
Typically, the IT department (which might have created most of them) owns the internal infrastructure support APIs. You may also have a group of operational teams and individuals in charge of APIs that integrate systems internally. Lastly, the business itself may own APIs related to customer experience.
Even if you look at the API as just one service offered by the business, all three team types mentioned above will have some input and impact on its existence. They all own it at varying levels of roles and responsibilities. Let's review how this is possible.
1. Product Manager
The product manager is typically the person who defines the APIs for an organization. Knowing the business and technical angles of delivering a product gives them a unique perspective and therefore the ability to point out specific and relevant data points for which a company should apply APIs.
2. VP of Engineering/Tech Leadership
The VP of engineering or another tech leader assigns and oversees multiple teams of developers working on specific features of APIs. For smaller organizations, this can be the same person who created the APIs. Their technical intimacy with the anatomy of the API makes it imperative that they would own its functional efficiency.
3. API Manager/Gatekeeper
The API manager or gatekeeper can be someone within the operations groups responsible for deploying and managing APIs. Testing how well an API fits within the business objectives and functions for which it is minted and suggesting alterations would be their key responsibilities.
4. API Security
Since all APIs carry a business's data, they're easily the softest target for anyone looking to gain unauthorized access to a business's systems. It's for this reason that an owner with the sole mandate of securing APIs should be part of the ownership strategy. No doubt they should be technically inclined and have a set of responsibilities loosely associated with the manager role above.
Creating API Ownership Teams
There might be other owners, as well, depending on the number and purpose of APIs that a company universally owns. More important than the title of who does anything around an API is how they blend into a team that creates and deploys high-quality APIs.
That a single API gets both technical and operational input from the business floor grants that different approaches will come together to build and maintain it. This is probably the best way to guarantee that an API satisfies stakeholders, both internally and in the general population.
The first step to creating dream teams for the ownership of APIs is deliberately planning and matching skills to roles across the API delivery life cycle. Your best bet is to create a governance policy that standardizes how everyone views and reacts to incidences around APIs. After all, they're sensitive business assets. A few best practices immediately come to mind.
API Ownership Best Practices
The following best practices should guide you toward putting together the best teams and ensuring safe API usage.
- Create teams or assign an owner based on the purpose of each API. This prevents different people from throwing blame at each other if and when an adverse incident takes place. It also improves the reaction time whenever this happens.
- Think about API security early in the life cycle. Yes, they can be a simple set of functions and variable requirements, but if you rush to deploy APIs, you can waste time debugging or even patching security vulnerabilities down the line. Encourage a security-first approach to ownership and deployment of APIs even for nontechnical owners.
- Avoid using in-house security tools to monitor your APIs. This is an easy way of overlooking vulnerabilities that any of your teams may have (usually) overlooked due to their familiarity and laser-focused (blinkered) tools. An external tool that covers your security needs along with a range of others is the best guard against losses and disappointments in the future.
- Adopt a multilayered approach to managing and securing your APIs. Some components must be responsible for rate limiting only, while others act as firewalls and even behavioral monitors (AI) to improve your understanding of incoming threats. This is a great way of making life hard for attackers, all while giving API owners some peace of mind.
By now you have probably noticed how heavily the few best practices curated above lean toward the security aspect of creating teams and APIs themselves. The range of security threats and relaxations companies take for granted can deem your good intentions with APIs futile. It's for this reason that it's best to take your time before getting started on creating and deploying APIs.
API Ownership: Final Thoughts
No modern business can deny the power of an API-based application over monolithic approaches. Creating data bridges and improving experiences are just the tip of the iceberg of the benefits of APIs. Just keep in mind that every API should have an owner. Someone needs to be in charge of keeping them functional and, most importantly, secure.
We can trace many data breaches today back to lateral movements that emerged from exposed APIs. Attackers want nothing more than to be on the receiving end of sensitive corporate data, and sadly your APIs can be the gateway to that and more. This comprehensive guide to building secure APIs is your first step toward not being a statistic.
Anyone can build an API, and they should. It's monitoring, securing, updating, and maintaining (owning) an API that determines how much return you gain from them.
This post was written by Taurai Mutimutema. Taurai is a systems analyst with a knack for writing, which was probably sparked by the need to document technical processes during code and implementation sessions. He enjoys learning new technology and talks about tech even more than he writes.
The Inside Trace
Subscribe for expert insights on application security.