API stands for “application programming interface,” and the word compliance means “the act of obeying an order, rule, or request,” according to Cambridge Dictionary. But what does API compliance really mean in the context of the development space? It can mean many different things, depending on so many factors. For example, these factors can include what type of API is being used, who the API practitioner is, what regulations are set, and what data compliance standards are being practiced.
With this intention, I spoke to a few people in the developer community to see what they had to say about what API compliance means to them. All in all, this article aims to dig deeper into the definition of API compliance and why it is so important today.
Describing API Compliance
Personally, the first thing that comes to mind when I see API compliance is that it has something to do with ensuring that your API is following certain regulations. Therefore, this raises a series of other questions: What regulations? Set by who? What type of API? For what reason?
According to Alfrick Opidi of Rakuten RapidAPI, API compliance “refers to the regulations that API practitioners must follow to ensure the sensitive data they expose are protected from mishandling, abuse, or loss.” Moreover, these regulations are set by national laws, international laws, or the API industry.
Given all that, the main reason why API practitioners must comply with regulations is to protect their APIs and back-end data. Lucy Kerner of Tech Beacon states that the most critical API compliance risks include:
- Broken object level
- User- and function-level authorization
- Excessive data exposure
- Lack of resource
- Security misconfiguration
- Insufficient logging and monitoring
To clarify, API compliance shouldn’t be mistaken for API security. API security involves authentication and authorization. On the other hand, an API gateway manages the relationship between a client and a collection of back-end services.
It’s important to realize that API compliance regulations can be heavily based on what type of API is used. Here are the different types of APIs, according to Jamie Juviler of HubSpot:
- Open APIs
- Partner APIs
- Internal APIs
- Composite APIs
- REST (representational state transfer)
- SOAP (simple object access protocol)
- RPC (remote procedural call)
To learn more, check out Traceable AI’s e-book “The Practical Guide to API Security,” which does a great job explaining this and current best practices in API compliance.
What the Community Had to Say
I asked a few people from the development community what API compliance means to them. The people I received input from were a CTO, an engineering manager, and a data engineer. Evidently, since the term API compliance is so complex, the initial response I received from all of them was uncertainty.
Here is what the CTO said: “Do you have any concrete starter examples? I guess very broadly I keep GDPR (the General Data Protection Regulation) in my mind. And from my former life in e-commerce, PCI (Payment Card Industry), so don’t store credit cards yourself. I suppose in healthcare there is HIPAA (Health Insurance Portability and Accountability Act). These different regulatory requirements would influence what data is present, and probably what additional checks and audits are in place. All three of those regulatory requirements seem pretty domain-specific.”
The Engineering Manager
Then, the engineering manager shared his agreement with the CTO’s comments: “There are some best practices for designing APIs that are usually learned by experience, or you can follow some specs like JSONAPI. Although, they are usually not complete enough for a whole application. Compliance is usually granted by a specific organization with specific requirements. Healthcare versus fintech is very different, for example.”
The Data Engineer
Lastly, the data engineer shared his predictions of what’s to come next year: “When I hear compliance I think of regulatory compliance. It seems like data privacy regulation is going to be a huge thing in the coming year. 2023 will start stricter data laws in CA, CO, and VA, not to mention other countries. GDPR is already demolishing companies like Meta/Google.”
Summing up, the one thing these thought-provoking opinions had in common is that the meaning of compliance all depends on the main data compliance standards mentioned: GDPR, PCI-DSS, and HIPAA, along with who the API practitioner is.
What Are the Main Data Compliance Standards?
Evidently, it’s an advantage to know what the main data compliance standards are and what regulations an API practitioner needs to comply with. Rakuten RapidAPI helps us decipher what each of these data compliance standards means.
Since it came into effect in May of 2018, the General Data Protection Regulation “outlines the privacy and security expectations for handling users’ data within the European Union (EU).” In addition, this applies to firms that are not based in the EU but collect and process the personal information of EU residents.
Established in 2006, the Payment Card Industry Data Security Standard applies to businesses handling customers’ financial information. This “set of security requirements ensures that enterprises that receive, process, keep, or transmit credit card data operate in a safe and secure environment.”
The Health Insurance Portability and Accountability Act of 1996 is a piece of US legislation that safeguards the privacy and security of electronic health information. HIPAA outlines how the personally identifiable information held by healthcare professionals should be secured from theft and fraud.
“ISO 27001 is an international standard published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). ISO and IEC are independent, non-governmental organizations known for developing a wide range of leading international standards.”
Finally, the System and Organization Controls “is a suite of auditing reports developed by the American Institute of Certified Public Accountants (AICPA). These reports offer proof that a firm has passed extensive audit processes and follows industry-leading security and suitability requirements.”
To summarize, the world of API compliance is more important than ever today. Cyber threats get more sophisticated by the day and are continuously changing. Because of this, it gets harder to stay on top of the constant changes. Therefore, it takes every team within an organization to work together to safeguard its interests.
To help with this, Traceable AI stays on top of the changes by providing complete observability across your cloud-native applications. They can complete a topology map, full API specifications, and performance metrics almost instantly, which means that they are an invaluable resource to assist in end-to-end security.
And to this end, Traceable AI as part of the team by providing support for the below:
- Blocking emerging threats and OWASP API top 10
- Automatically preventing attacks
- Delivering alerts via Slack, email, or existing SOC systems
- Investigating, diagnosing, and fixing problems across infrastructures
- Deploying into Kubernetes or other microservices environments