Google Cloud sees storm brewing over API security

  • 27/04/2022

If you're developing software or working with anything serverless, you'll know that remote and as-a-service APIs are what make the clouds float.

It's debatable whether the proliferation of cloud APIs is a good thing, and taking remote API advice from Google may strike some people as unusual given its past. Nonetheless, Google Cloud's director of product, Vikas Anand, and Google Cloud senior product manager David Feuer published a jointly-written blog post of seven trends in the cloud API world they've noted.

API security needs will push zero trust adoption

Citing data from Gartner, Google said attacks against cloud APIs will be the most common vector responsible for data security breaches in 2022. Securing said APIs spread across wide portions of business networks and cloud providers has further disrupted traditional security perimeters, which the IT giant reckons will lead to increased adoption of zero-trust security systems.

"We expect to see more organizations moving away from network-focused security towards models that prioritize zero-trust and layered defense based on encryption, application identity, and strong authentication and authorization," the post said. 

The results of a recent survey from The Register paint a picture that makes it appear as if rapid zero-trust adoption may not be happening anytime soon: Knowledge of it is lacking, and enthusiasm seems low, with only a fifth saying they've implemented any form of zero trust.

Microservice APIs on the rise

As more apps are decomposed into APIs, the potential for microservice siloing increases. Avoiding that means more APIs, this time for each microservice; "that's why we expect to see microservices APIs becoming a new focus for IT departments in 2022 and beyond," the duo explained. 

That raises the question of whether breaking everything down into microservices and introducing additional APIs to manage communication between them is actually more efficient than monolithic apps. Sam Newman, author of multiple books on microservices, concludes definitely not.

Newman said that it's difficult to do microservices well, and that they have a potential to become "the worst of the monoliths, the distributed monolith." In other words, whether microservice APIs can save such an architecture may be irrelevant if it's a bad model to begin with.

APIs keep EDA alive

Event-driven architecture was at the peak of its hype all the way back in the early days of Web 2.0. Citing another study from Solace, the blog said 85 percent of organisations still consider EDA to have "critical business value." 

Software that only acts under certain conditions has become valuable with the rise of serverless, asynchronous and streaming user cases, the blog said. It has also been used to support API-agnostic real time data exchanges between microservices, but lacks a critical feature that APIs can be built with: Security. 

"EDA technology falls short of many of today's digital requirements, so we expect to see more and more solutions appear with security, access control, and governance capabilities," the post said.

REST will step aside for GraphQL

GraphQL is a new API design standard that's gained ground in recent years. Citing Gartner again, Anand and Feuer said that more than 50 percent of enterprises will use GraphQL by 2025, up from less than ten percent in 2021. 

The adoption of GraphQL APIs will further the "backends for frontends" pattern, which creates a separate layer below frontends to handle API communication to the user interface. "One of GraphQL's standout benefits is that it enables developers to seamlessly query data from multiple apps and services with a single API call," the post said, citing that as a reason for its increased adoption in 2022.

Multi-APIM will rise to support hybrid deployments

Working with multiple clouds, software vendors and providers can be difficult for those that work with a lot of API, the post said. API Management (APIM) software can manage some of that load, but APIs aren't necessarily designed to interface with multiple APIMs. 

"Expect to see more 'multi-APIM by design' during 2022 to enable hybrid API management that is lightweight, portable, and scalable," the post predicted. 

Vendors will unlock conversational APIs

Google makes the point that we're living in an age of voice experiences, with smart homes, digital assistants, chatbots and more. "There's a pressing need to enable voice experiences as quickly as other more traditional interfaces, such as mobile apps and websites," Anand and Feuer said. 

Because of that, they predict chat and voice platforms that already have conversational APIs will release them to the world to further their reach. 

APIs will stop being shadow IT

Developers often build APIs without alerting IT and security teams, the blog said. While this could be a headache, it actually gives IT an opportunity: those APIs can be a useful tool for governing data access.

"More IT departments will start to recognize that APIs are the key way to expose data from tools and apps for internal use," the post said.

The one thing an arrangement like that will need is for API developers to follow a standard process, they said, which will likely include reporting new APIs, and what they do, to IT. ®

Source

https://www.theregister.com/2022/04/26/google_cloud_api/

Comments