Issue link: https://resources.axway.com/i/1025054
Chapter: Risks Associated with APIs

RISKS ASSOCIATED WITH APIs

As with any technology, there are risks associated with implementation and ongoing control. When dealing with new technology, an awareness of the major risks and a mitigation approach is especially important. This section reviews the major risks associated with API technology and suggests steps to address them.[5]

[Figure 4: Risks to Manage with API Use. Source: Celent]

Data security risk is paramount. This is true for internal use and when insurers open their APIs to third parties. User identity verification and deliberate management of account-related instructions are essential. Insurers must be able to correctly determine client/partner authentication and verify that any policy/account instructions are genuine. Such controls should be varied according to company policy and local regulatory considerations. If a partner makes an error with either data or account instructions, the insurer may be held responsible by either regulators or customers. To address these exposures, insurers must have security and throttling models to limit who pulls data, and when and how frequently data is pulled. The approval and version control of account instructions must also be controlled. Data definitions must be managed to avoid multiple definitions of the same data item.

A second security risk involves protecting users against data leakage, tampering, and/or illegal transactions. One control mechanism, token authentication, occurs when an insurer authenticates a user and creates a token that will give a third party access. The token defines the data range and content of available services to which the external party will be given access. The partner then uses that token to transmit and receive data from the insurer.

Reputational and product liability exposures arise, especially if APIs are public and an insurer is generating revenue from them.

Managing the entire lifecycle of APIs — from design, through construction, release, and ongoing use — ensures quality and reduces

[5] Technology risk is not considered because Celent considers API technology proven in industries outside of insurance. For example, Salesforce.com generates 50% of its revenue through APIs, eBay generates 60%, and Expedia.com generates 90%.
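The token authentication and throttling controls described in the text (the insurer authenticates a user, issues a token scoped to a data range and a set of services, the partner presents that token on every call, and the insurer limits who pulls data and how often) can be seen end to end in the following added Python illustration. It is not code from the whitepaper, Celent, or Axway: the HMAC-signed token format, the partner id `broker-42`, the policy numbers, the service names and the rate limit are all constructed for the example and stand in for whatever token technology an insurer actually deploys (for instance OAuth 2.0 access tokens). The point it makes beyond the prose is that scope (data range and services), expiry, signature integrity and throttling are four separate checks, and every one of them has to fail closed.

```python
"""Scoped partner tokens plus throttling: an added illustration of the controls the
text describes. Constructed example, not the whitepaper's or any vendor's code."""
import base64
import hashlib
import hmac
import json
import time
from collections import deque

# Assumption: a signing key held only by the insurer. A real deployment would keep
# this in a key management system; the literal here is a constructed demo value.
SIGNING_KEY = b"constructed-demo-signing-key"


def issue_token(partner_id, policy_ids, services, ttl_seconds, now=None):
    """Insurer side: after authenticating the partner, mint a token that fixes the
    data range (policy ids), the services it may call, and an expiry."""
    now = time.time() if now is None else now
    claims = {
        "sub": partner_id,                 # who the token was issued to
        "policies": sorted(policy_ids),    # data range the partner may touch
        "services": sorted(services),      # content of services made available
        "exp": now + ttl_seconds,          # hard expiry, checked on every call
    }
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the claims if the signature is intact and the token is unexpired,
    otherwise None. Any tampering with the scope changes the signature."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= (time.time() if now is None else now):
        return None
    return claims


class Throttle:
    """Sliding-window limiter: at most `limit` authorised calls per partner per
    `window` seconds. This is the 'how frequently data is pulled' control."""

    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, {}

    def allow(self, partner_id, now):
        q = self.hits.setdefault(partner_id, deque())
        while q and q[0] <= now - self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_request(token, service, policy_id, throttle, now):
    """Insurer-side gate for one partner call. Returns (status, message).
    Order matters: integrity and expiry, then scope, then throttling."""
    claims = verify_token(token, now)
    if claims is None:
        return 403, "invalid, tampered or expired token"
    if service not in claims["services"]:
        return 403, f"service {service!r} not in token scope"
    if policy_id not in claims["policies"]:
        return 403, f"policy {policy_id!r} outside token data range"
    if not throttle.allow(claims["sub"], now):
        return 429, "rate limit exceeded for partner"
    return 200, f"{service} served for {policy_id} to {claims['sub']}"


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the run is reproducible.
    T0 = 1_700_000_000.0
    tok = issue_token("broker-42", ["POL-1", "POL-2"], ["quote", "policy_status"],
                      ttl_seconds=600, now=T0)
    gate = Throttle(limit=3, window=60)
    for t, svc, pol in [(T0, "policy_status", "POL-1"),   # in scope: 200
                        (T0, "claims_submit", "POL-1"),   # service not granted: 403
                        (T0, "quote", "POL-9"),           # policy not granted: 403
                        (T0 + 1, "quote", "POL-2"),       # 200
                        (T0 + 2, "quote", "POL-2"),       # 200 (3rd in window)
                        (T0 + 3, "quote", "POL-2"),       # 429, window full
                        (T0 + 700, "quote", "POL-2")]:    # token expired: 403
        print(t - T0, svc, pol, "->", handle_request(tok, svc, pol, gate, t))
```

Note that the throttle only counts calls that passed the integrity and scope checks, so a partner cannot exhaust another partner's quota by replaying a forged token; whether rejected calls should also count toward a limit (to slow down probing) is a policy choice the insurer makes per the text's "company policy and local regulatory considerations".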