API compliance is ensuring your API conforms to specific regulations and legal standards. These differ from country to country and industry to industry but broadly centre around keeping data safe and secure.
Why is API compliance important?
API compliance is important because it helps keep data safe from loss, leakage or theft. That data might include:
- Personally identifiable information (PII)
- Healthcare data
- Credit card details
- Other financial data
- Anything else held in a system that an API touches
From a business perspective, API compliance is also important as it helps an organisation maintain its reputation and avoid regulatory fines (and criminal prosecution) related to non-compliance.
What are the common data compliance standards?
An API compliant with the latest standards will have various security features and processes. Remember that the rest of your architecture must also conform to whichever standards cover your industry and region. Consider this when mapping your tech stack, access patterns, security procedures, etc.
Some of the most common data compliance standards include:
- GDPR: the General Data Protection Regulation (GDPR) covers all 27 EU member countries, while the UK has retained the legislation in its domestic law (the UK GDPR). The GDPR states that any entity which collects or processes personal data belonging to residents of the EU must comply with its regulations. As such, it can apply to businesses across the globe, not just those based in the EU.
- HIPAA: the Health Insurance Portability and Accountability Act (HIPAA) in the US lays out regulatory standards relating to the disclosure and use of protected health information. They apply to any organisation that transmits health information, including through APIs.
- PCI DSS: the Payment Card Industry Data Security Standard (PCI DSS) protects cardholder data (credit card numbers, security codes, expiration dates and so on). It applies to any entity that stores, processes and/or transmits that data – including by API. It is a global standard, meaning that any such entity must comply, irrespective of geographical location.
- PSD2: the Revised Payment Services Directive (PSD2) applies across the EU and the European Economic Area. It relates to payment service providers, who must comply with its requirements, including in relation to the use of APIs.
- ISO/IEC 27001: published by the International Organization for Standardization and the International Electrotechnical Commission, ISO/IEC 27001 is designed to manage information security. Organisations must operate a watertight and well-evidenced information security management system to achieve and maintain ISO/IEC 27001 certification.
- SOC 2: SOC 2 (the SOC part stands for System and Organisation Controls) relates to managing customer data. It is a US auditing procedure that covers five trust principles relating to data: security, availability, processing integrity, confidentiality and privacy. The audit results are unique to each organisation, with certification relating to compliance with the trust principles.
Are APIs vulnerable?
APIs are vulnerable to data loss, leakage and theft if not configured, secured and maintained correctly. Man-in-the-middle attacks, SQL injections, cross site scripting (XSS) attacks, cross site request forgery attacks, credential stuffing and distributed denial of service (DDoS) attacks are all threats to API security.
API risks and how to reduce them
According to OWASP, the top ten API security risks in 2023 relate to:
- Broken object level authorisation
- Broken authentication
- Broken object property level authorisation
- Unrestricted resource consumption
- Broken function level authorisation
- Unrestricted access to sensitive business flows
- Server-side request forgery
- Security misconfiguration
- Improper inventory management
- Unsafe consumption of APIs
Security flaws in these areas combine to present some specific API compliance risks:
API risk #1: regulatory compliance violations
Failure to comply with regulatory requirements can result in businesses incurring significant financial and reputational damage and regulatory penalties.
API risk #2: data breach
Data breaches harm businesses and their customers. A slapdash attitude to API compliance makes a data breach more likely, highlighting the importance of implementing API security that supports compliance obligations.
API risk #3: SLA penalties
Service level agreements are used to define uptime and performance standards. Not complying with these commitments can see an API provider incur SLA-related penalties and a dramatic decline in customer goodwill.
Best practices for ensuring API compliance
Ensuring API compliance can be achieved through a proactive approach to managing API security and following well-established best practices when developing and deploying your APIs. These include:
- Implementing robust authentication and authorisation using OAuth 2.0, OpenID Connect and JSON web tokens (JWTs) and fine-grained access control.
- Applying security policies at the gateway level so that no APIs slip through the net regarding adhering to your required standards.
- Encrypting all network traffic.
- Cleansing and validating inputs.
- Implementing error wrapping.
- Only returning as much data as is necessary.
Ready to learn more? Then check out these API governance articles.
