We have been saying for a while now that organizations aren’t just transforming, they are becoming Digital Enterprises. This means the transformation is ongoing and pervasive as the Digital Enterprise evolves to better enable the way we do business… And then 2020 happened.
In just a few months’ time, the COVID-19 crisis has brought about years of change in the way companies in all sectors and regions do business. According to a new McKinsey Global Survey of Executives, companies have accelerated the digitization of their customer and supply-chain interactions and their internal operations by three to four years. And in that same survey, the executives expect that many of the changes they have adopted because of the pandemic will remain after the crisis is over. There’s no going back to the way things were. From an IT perspective, this has been achieved through:
- Rapidly expanding the use of APIs to access the resources needed for a user (customer, partner, employee) to get the job done.
- Deploying third-party services to quickly fill the gaps in the enterprise portfolio.
- Expanding to the cloud to provide the speed and scale required to meet the accelerating needs.
Before the pandemic, 83% of all web traffic was API based; we suspect that percentage has since grown significantly. And while many enterprises struggled to fully understand their API infrastructure before COVID, the increased exposure of internal APIs, adoption of 3rd party APIs and operation in hybrid/multi-cloud environments have created security exposures that must be discovered and brought under control.
At the simplest level, when a web or mobile application calls an API the underlying server application must get answers to the following questions to protect user privacy and secure the exchange:
- What can the user do? In other words, in what ways can the user interact with the resources (data sources and computing services) controlled by the application?
- What can the application know and remember about the user?
- What can the application share with other 3rd parties?
Traditionally, web or mobile applications build and pass API credentials that outline who the user is and what the user has the ability to do. Often, it’s the app developer that has to copy (or code) the routines that gather and organize these credentials. But just understanding who and what is not enough; more context is needed in order to manage the complex and fluid nature of the relationships with customers, suppliers, and employees.
Even if knowing who and what were good enough, the API (server-side) developers need to understand the data capture and sharing rules and develop the code that executes the user request with proper data protection.
And therein lies the rub…
- Where do you put the code that evaluates the answers to these questions and grants access to the resource? (In API-called code, not embedded in the applications themselves.)
- Who is most qualified to define and encode the rules that ensure resources and privacy are protected? (Security specialists, not the client- or server-side developers.)
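As an added illustration of the separation argued for above (example code written for this article, not Cloudentity's product code), the following sketches an authorization decision point that answers the three questions (what the user can do, what the app may remember, what it may share) from declarative policy, and an enforcement point at the API layer that only applies the answer. The policy table, roles, resources and partner names are constructed for the example.

```python
# Added example: a policy decision point (PDP) kept separate from the
# policy enforcement point (PEP) at the API layer. The rules live in
# declarative policy maintained by security specialists; the API handler
# never embeds them, it asks the PDP and applies the decision it gets back.
from dataclasses import dataclass, field

# Constructed sample policy (assumed format): per role, the allowed
# (action, resource) pairs, the user attributes the app may retain, and
# the third parties that may receive the response.
POLICY = {
    "customer": {
        "allow": {("read", "subscription"), ("update", "subscription")},
        "may_store": {"user_id", "plan"},
        "may_share": {"billing-partner"},
    },
    "partner-app": {
        "allow": {("read", "subscription")},
        "may_store": {"user_id"},
        "may_share": set(),
    },
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    retain_fields: frozenset = field(default_factory=frozenset)
    share_with: frozenset = field(default_factory=frozenset)

def decide(role, action, resource, mfa_ok=True):
    # Decision point: combines policy with request context (here, whether
    # the session passed step-up authentication) into one decision object.
    rules = POLICY.get(role)
    if rules is None:
        return Decision(False, "unknown role")
    if action == "update" and not mfa_ok:
        return Decision(False, "step-up authentication required")
    if (action, resource) not in rules["allow"]:
        return Decision(False, f"{role} may not {action} {resource}")
    return Decision(True, "allowed", frozenset(rules["may_store"]),
                    frozenset(rules["may_share"]))

def enforce(request, record):
    # Enforcement point (gateway side): never evaluates rules itself, only
    # applies the decision, including trimming the record to retainable fields.
    d = decide(request["role"], request["action"], request["resource"],
               request.get("mfa_ok", True))
    if not d.allowed:
        return {"status": 403, "reason": d.reason}
    return {"status": 200,
            "body": {k: v for k, v in record.items() if k in d.retain_fields},
            "share_with": sorted(d.share_with)}
```

Changing what a partner app may see or who may receive data is then a policy edit, not a code change in every application that calls the API.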
For example, a large Indian Telco rolled out a complete mobile network and a value-added application marketplace. They needed a way to quickly onboard millions of customers and manage access and subscription details for thousands of apps. They could have pieced together their own authentication and authorization capabilities but that would have created a maintenance nightmare.
Instead, the customer deployed a Cloudentity solution including the Cloudentity Authorization Control Plane as the authorization decision point and the Cloudentity MicroPerimeter within the API gateway layer as the policy enforcement point. The deployment separated and standardized resource access and data protection policy enforcement across and between a broad spectrum of internally developed and 3rd party applications. This level of dynamic authorization enables policy to evolve in real time, speeds time to market, and ensures consistency across all environments.
This example shows the power of a solution like Cloudentity and its ability to enable digital transformation through dynamic authorization. The same patterns can be applied to safely facilitate the changes all companies are facing with the