Anil John
Making Digital Services Secure and Trustworthy


Can Web APIs Bridge the Sharing and Safeguarding Gap?


Web APIs, API Management, and Open Data are hot topics these days for application developers. At the same time, protecting the information and data transferred over a variety of delivery channels is top of mind for the identity and security folks. I am seeking current practices and approaches that address the needs and concerns of both communities.

For application developers, these are exciting times during which more and more data is available over Web APIs, and the “Internet of Things” is becoming increasingly relevant. For identity and security folks these are “interesting” times in which perimeters are disappearing, delivery channels are expanding, and security controls are no longer applied at the device or application server but at the level of the data and information itself. The security marketplace has responded with acquisitions such as Intel/Mashery, Axway/Vordel and CA/Layer 7.

As I’ve noted before, these changes do not need to be treated in isolation but as an opportunity to work together. As such, I’ve been trying to be more intentional about stepping outside the usual “identity, access, compliance, security” bubble to seek out, learn and understand the needs and priorities on the service delivery and application development side of the house.

In trying to educate myself by having discussions with the smart people in this domain, I have also started to put together a set of questions that need to be answered to meet the needs of all concerned:

  • What are the current approaches and best practices for securing web APIs?
  • How easy is it to use the capability from an API consumer’s (developer’s) perspective?
  • What options exist for the management of APIs across multiple organizations?
  • Are there consistent approaches for securing APIs that deliver data over multiple channels (web, mobile, etc.)?
  • What approaches exist for integrating the API and API management into an organization’s existing security and identity infrastructure?
  • What current protocols bridge the gap between how identity and security are done on the web side and how they are done on the web API side?
  • Are there best practices around implementing identity and access management for publicly facing APIs that are used by those outside your organization?
  • What federation protocols play well across both Web SSO and Web APIs? Are there particular use cases where they work best?

I am not sure if I am on the right track (and I know that my questions are weighted towards the security side, which is not ideal), so I am looking to become smarter about this topic. If you have knowledge and expertise in this area and are interested in having a conversation, please feel free to ping me directly (if you have my contact info) or via LinkedIn.



This blog post first appeared on Anil John | Blog. The opinions expressed here are my own and do not represent my employer’s view in any way.
