There are many benefits to opening APIs to external stakeholders. But as with any digital strategy, there are also risks that need to be managed.
API governance is a business and technical approach to managing the risks and security threats of a digital financial services provider’s open API initiative. An API governance approach identifies risks to a provider’s reputation, brand, partnership relationships, and customer data. API governance involves establishing clear oversight of an API initiative and identifying and managing potential risks according to the level of severity that they represent. If a provider addresses governance and security when it first embarks on an open API strategy, it can build these considerations into the design of its APIs without slowing down the innovation process.
API governance processes ensure a high level of security and risk management. In today’s complex enterprise software architecture, the enterprise perimeter has become blurred: enterprise software is now generally made up of legacy systems, reusable API components built for internal teams and then opened to partners, and external APIs that the business consumes alongside third-party software-as-a-service tools. Each of these boundaries creates security risks. It also means that a variety of data assets and business capabilities must be restricted so that they can only be accessed by users with the right permissions and authorization.
Some key aspects of API governance and risk management include ensuring that only authorized, fully authenticated users can access the capabilities and data exposed by an API; that systems secure confidential consumer data; that end-customers give consent before developers connect to their accounts; and that a provider's brand reputation is maintained when third parties start building solutions for the same customer base.
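As an added illustration of the three checks named above (authentication, authorization, and end-customer consent), the following Python sketch shows how an API gateway for a financial services provider might enforce them in order and record every decision for oversight. It is example code written for this page, not CGAP's material or any provider's implementation; the token format, the secret, the developer and customer identifiers, and the consent registry are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed gateway signing secret; a real deployment would load it from a secret store.
GATEWAY_SECRET = b"constructed-example-secret"

# Constructed consent registry: (customer_id, developer_id) -> scopes the customer approved.
CONSENTS = {
    ("cust-1001", "dev-acme"): {"accounts:read"},
}

# Every access decision is appended here so the governance team has an audit trail to review.
AUDIT_LOG = []


def b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_token(developer_id, scopes, expires_at):
    """Issue an HMAC-signed access token (hypothetical format: base64(payload).base64(sig))."""
    payload = json.dumps(
        {"sub": developer_id, "scopes": sorted(scopes), "exp": expires_at},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(GATEWAY_SECRET, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(sig)


def verify_token(token, now):
    """Return the token's claims if the signature is valid and it has not expired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(GATEWAY_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_request(token, customer_id, scope, now, consents=CONSENTS):
    """Three checks in order: developer authentication, scope authorization, customer consent."""
    claims = verify_token(token, now)
    if claims is None:
        decision = Decision(False, "unauthenticated")
    elif scope not in claims.get("scopes", []):
        decision = Decision(False, "scope_not_granted_to_developer")
    elif scope not in consents.get((customer_id, claims["sub"]), set()):
        decision = Decision(False, "no_customer_consent")
    else:
        decision = Decision(True, "ok")
    AUDIT_LOG.append({
        "developer": claims["sub"] if claims else None,
        "customer": customer_id,
        "scope": scope,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


# Constructed sample data so the example is deterministic.
NOW = 1_700_000_000
DEV_TOKEN = issue_token("dev-acme", {"accounts:read", "payments:write"}, NOW + 3600)
EXPIRED_TOKEN = issue_token("dev-acme", {"accounts:read"}, NOW - 1)
# A payload claiming to be another developer spliced onto dev-acme's signature: must fail verification.
FORGED_TOKEN = (
    issue_token("dev-other", {"accounts:read"}, NOW + 3600).split(".")[0]
    + "." + DEV_TOKEN.split(".")[1]
)

if __name__ == "__main__":
    for tok, cust, scope in [
        (DEV_TOKEN, "cust-1001", "accounts:read"),
        (DEV_TOKEN, "cust-1001", "payments:write"),
        (DEV_TOKEN, "cust-2002", "accounts:read"),
        (EXPIRED_TOKEN, "cust-1001", "accounts:read"),
        (FORGED_TOKEN, "cust-1001", "accounts:read"),
    ]:
        print(cust, scope, authorize_request(tok, cust, scope, NOW))
```

The ordering matters for the governance goals in the text: an unauthenticated caller learns nothing about which scopes or customers exist, a developer whose token lacks a scope is refused before any consent lookup, and a developer holding a valid scope still cannot touch a customer who has not consented. The audit log gives the oversight function the record it needs to review denials and spot misuse.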
CGAP’s work in API governance focuses on:
- API governance processes
- Managing risks posed by an open API strategy
- Managing security in an open API platform