Are APIs a weak link in your customer data protection strategy?
High-profile data breaches have become all too common in the past few years, but 2018 has shone a bright spotlight on a corner of data security that companies have long taken for granted—how their APIs collect, share and protect customer data.
In the wake of the notorious Cambridge Analytica scandal, Facebook reportedly shut down 13 of its APIs. And in recent months, T-Mobile has revealed that API security weaknesses exposed millions of customers’ private financial data. Thanks to Europe’s General Data Protection Regulation (GDPR), which went into effect May 25, 2018, API security has become an even more pressing issue as companies doing business in the EU must disclose how consumers’ data is protected, including the data shared by APIs.
The problem of API security is pervasive. APIs are everywhere today. They’re the basic building blocks of modern app development. How can companies secure them to lock down consumers’ valuable private data?
Nordic APIs is an international group of API practitioners and enthusiasts exploring that question and assembling a knowledge base on API best practices. We spoke with Nordic APIs’ editor in chief, Bill Doerrfeld, to get his perspective on the top three priorities for companies looking to secure their APIs.
If you’re exposing data unnecessarily, you need to know where it’s going. It could be a vulnerability.
— Bill Doerrfeld, Editor in Chief, Nordic APIs
Priority 1: Decide What API Data Your Business Really Needs
First and foremost, Doerrfeld recommends that companies reevaluate the amount and kind of data that their APIs expose.
Data points can linger in an API even after their business value has faded, simply because downstream developers say that they need it. Managers need to balance whether sharing those kinds of data points benefit their own business rather than simply serve the desires of an outside client.
“If you’re exposing data unnecessarily, you need to know where it’s going,” Doerrfeld says. “It could be a vulnerability.”
Say, for example, that you manage a photo-sharing app and decide that you no longer want to share a user’s geocoordinates via APIs. But a partner wants the location data to target your users with ads about local restaurants. While the ad revenue might be helpful, consumers could be alienated if they learn via new GDPR compliance disclosures or news headlines that their location data is being used without their consent.
Doerrfeld suggests that managers from different parts of the business come together and decide what data they really need, then audit existing APIs and break off ties with any clients that use data inappropriately.
Priority 2: Monitor and Manage Your API Programs
Companies often build APIs so that developers can access and use their services freely—without someone watching and approving the developer’s every move. But in today’s API economy, monitoring is essential.
Doerrfeld recommends running regular testing and integrating real-time monitoring into your API management process. Monitoring can help to catch suspicious API calls or other API-related anomalies, he points out. Setting limits on the number of API calls per day can also help to stem the data flow—and help to detect companies that are receiving significantly more data than average.
Another valuable strategy could be to implement a user privacy management certification. This can help companies to verify who is accessing their customer data through APIs, and to ensure that the data is being used responsibly. Companies could be incentivized to participate in this program through the promise of higher request limits.
Priority 3: Communicate Your Data Policies Clearly
Today, companies face eroding trust in their abilities to protect consumers’ personal data. A recent PwC report found that only 25 percent of respondents think that companies handle consumers’ personal information responsibly.
But it’s not all-bleak news: PwC found that companies could restore consumer trust with transparency, honest communication, and meaningful changes when they break that trust. In fact, a major goal of the recent GDPR legislation is to help consumers better understand what happens with their data when they download an app.
Doerrfeld recommends that companies clearly define their data-privacy responsibilities, and that they include data-sharing language in their terms of service agreements. The easier that language is to understand, the easier it will be to build trust with consumers.
Companies are slowly catching up. Doerrfeld notes that apps are including more checkpoints to remind users that data is being collected. It may add more time and hassle—for developers as well as consumers—but studies show that people are increasingly prioritizing security over convenience online.
And in the end, consumer trust has a direct positive impact on a company’s bottom line: According to PwC’s findings, if consumers don’t trust you to handle their data, most (87 percent) will take their business elsewhere.