Can You Join The API Economy While Maintaining Top-Notch Security?
Posted on October 19th, 2011
If anything exemplifies the extended enterprise, it's the notion of the "API economy": unlocking value in your organization's unique data and services by publishing open APIs (application programming interfaces) for access by third parties. As Laura Koetzle notes, business leaders today are prioritizing growth above all -- and fostering a third-party developer ecosystem is becoming a great way to boost revenue. Best Buy, eBay, and USA Today are examples of companies with APIs and external developer communities.
But, but, but...just how secure is an open API? Especially if you, the security professional, can't fully control these external developers' actions? This is where it gets exciting, because security and identity-based access control are enablers of these new business opportunities. After all, an API of this sort is essentially a digital product whose use must be metered.
Many organizations in this position are turning to the OAuth technology to solve a host of security challenges that arise from opening up APIs. I'm excited to be bringing the latest in OAuth business cases, adoption news, and recommendations to my Forrester Security Forum track session on "Securing And Identity-Enabling Monster Mashups." Hope to see you at the Forum November 9-10 in Miami!
(Got a great API security story, or maybe some questions? Don't wait till November; feel free to share in a comment here, or ping me on Twitter using the #FSF11 hashtag.)
Protecting The Extended Enterprise
Posted on October 17th, 2011
"To succeed, Security & Risk leaders need to be part of the business strategy." If I had a nickel for every time I've heard someone give some variation on that piece of advice, I'd be rich. As you all know, that's an easy thing to say but a difficult thing to do. And that's particularly true now, because our business leaders today are prioritizing growth - they're entering new markets and releasing new products and services to grow revenue. Your business will unleash the creativity of its entire extended enterprise ecosystem - employees, partners, suppliers, and current customers - to find new ways to win and serve new customers. And your extended enterprise will connect via mobile and social applications and use cloud services.
Vulnerability of your... Voicemail?
Posted on August 26th, 2011
Yup, another target for hackers – voicemail. It falls pretty low on the totem pole of items to secure, and leaves many vulnerabilities for that reason. For example, a mobile phone will rarely ask you for a password when you call from your own phone – what happens if you lose it? Anyone who picks it up can dial in and listen to your messages. eSecurityPlanet’s Robert McGarvey recently wrote an interesting piece on the subject which offers tips for securing your voicemail. He called upon Miro’s Sam Alapati for expert advice on the subject. Here are some tips from the article:
- Set up your voicemail (VM) so that you have to type in a password every time you access it. Disable “password bypass” settings on your phone.
- Delete VMs when you listen to them, and don’t leave sensitive info in VM.
- Check your VM settings and do this periodically. Are copies automatically forwarded to numbers you don’t recognize? The settings control how VM is handled but most users never check them.
- Create the most complicated password your system allows and change it frequently.
In Cloud-Friendly Web Services Security, "There Is No Enterprise." Wait. What?
Posted on July 15th, 2011
"There is no enterprise -- the work we do is a collection of people that dynamically changes through a mix of organization control." That's what I heard from one venerable old construction company while working on my new research report, Protecting Enterprise APIs With A Light Touch. I wanted to investigate how enterprises are using and securing lightweight RESTful web services, and in particular to figure out the problems for which OAuth is well suited. (You might recall my request for feedback in a prior post.)
What I found was that forward-thinking enterprises of many types - not just hip-happenin' Web 2.0 companies - are pushing service security and access management to the limit in environments that can truly be called "Zero Trust," to use John Kindervag's excellent formulation. This particular firm dynamically manipulates authorizations to control access to a variety of innovative lightweight APIs on which the whole company is being run, not actually distinguishing between "internal" and "external" users. They've kind of turned themselves inside-out.
No more chewy centers, indeed. And OAuth is playing an increasing role in a variety of business scenarios, from B2B to identity federation to variants on classic SOA security, wherever light weight and agility are prized. I hope you'll get a chance to check out the report to see my recommendations for using OAuth effectively in whisper-light app environments, and weigh in here with your thoughts.