What is API Compliance?

Compliance, a word that generally connotes “following orders,” has a special meaning in the business world. It means following the law. In almost every country in the world, businesses must comply with regulations that affect the way they operate. A company is not allowed to pollute, for example, if it wants to comply with environmental regulations. 

Given the criticality of information technology (IT) in business operations, many regulations cover how a company handles its digital processes. Some of these are government statutes, such as the Health Insurance Portability and Accountability Act (HIPAA). Others are industry rules, agreed upon to protect consumers against fraud and invasions of privacy. Complying with such regulations usually falls to the IT departments, who may work with the cybersecurity team and a Chief Compliance Officer (CCO). 

Systems that manage personal identifying information (PII) and financial transactions, to name two of many examples, are subject to compliance. Application programming interfaces (APIs) that touch such systems also need to be compliant. API compliance is an area of IT that deals with making sure that APIs comply with relevant regulations and industry rules. 

It’s worth taking a moment to differentiate between two uses of the word “compliance” in IT and information security. In network management, a device is said to be compliant if it is configured to operate under network rules, such as blocking certain ports. Or, an API might be judged compliant with security policies, such as access controls. These forms of compliance are internal in nature, and therefore different from external regulatory compliance. In some cases, the two types of compliance overlap, however. 

Understanding API compliance risk

API compliance risk is comparable to compliance risk that arises from applications, networks, and data. For example, HIPAA specifies that healthcare companies must protect the privacy of patient health records. This means, among other things, storing those records in systems the company owns, with certain kinds of security controls in place. If there is an API connecting an electronic health record (EHR) system to another system, such as patient billing software, the API must adhere to those controls. If the API does not support the controls, such as by exposing the EHRs to unauthorized access, then the healthcare company is exposed to API compliance risk.

Mitigating API compliance risk

To succeed with API compliance, API owners and their partners in cybersecurity must make sure that their APIs are protecting any sensitive data exposed by those APIs. Depending on the regulation, that might mean making sure that controls are in place to protect data from being mishandled, exfiltrated, modified or lost. 

This may sound like a major workload, but the good news is that much of API compliance is already covered by API security processes and countermeasures. For example, API security testing can usually uncover vulnerabilities and misconfigurations that would lead to a compliance problem. 

The challenge is to connect security steps with compliance. A compliance auditor, for instance, might want to see documentation of how an API prevents excessive data exposure or controls user and function-level authorization. The API manager has to identify the relevant security control and establish that it is addressing a requirement of a compliance framework.

Why achieving compliance is important

API compliance is important for multiple reasons. First is the law itself. A company that is not complying with regulations is, at some level, breaking the law. In the case of the Sarbanes Oxley Act (SOX), there are even criminal penalties for deliberate non-compliance. For almost all regulatory programs, there are financial penalties from the government for non-compliance. These can be more than the proverbial “slap on the wrist.” A violation of the European Union’s General Data Protection Regulation (GDPR) on privacy can run into millions of Euros. 

Then, there is the reputational damage that can come from being found non-compliant with regulations. A financial firm, for instance, will struggle to regain credibility and client trust if a data breach exposes client information to malicious actors. Paying a hefty regulatory fine, too, is embarrassing and makes a firm look like it’s not well run. 

Costs are a factor in compliance violations, as well. Running afoul of regulatory authorities almost always translates into legal bills, expensive public relations campaigns, and remediation projects like mass mailings and the like. Even the basic ability to be in business can be at risk. For instance, if a company cannot process credit cards because it failed to comply with industry standards for consumer data protection, that’s a company that may struggle to remain a going concern.

What are the leading compliance standards

APIs factor into nearly every data compliance standard. These include:

• GDPR is a set of regulations covering privacy and security for consumer PII in the EU. Applications and data management systems, along with any APIs they expose or interact with, must comply with the law. GDPR requires companies that hold PII, the so-called “data custodians” to protect consumer data from breach, know what PII they have, and allow consumers the “right to be forgotten” by deleting their data. The California Consumer Privacy Act (CCPA) in the US is a comparable regulation.
• Payment Card Industry Data Security Standard (PCI-DSS) applies to any entity that handles consumers’ financial information from credit and debit card transactions. PCI-DSS sets out strict controls, verified by audits, to ensure that “enterprises that receive, process, keep, or transmit credit card data operate in a safe and secure environment.”
• HIPAA protects the security and privacy of health data in electronic form.
• ISO/IEC 27001 offers a broad-based framework for information security. Companies may elect to comply with ISO 27001 to demonstrate their level of security.
• System and Organization Controls (SOC) is a suite of auditing reports from the American Institute of Certified Public Accountants (AICPA) that prove that a business has passed an in-depth audit process, following security requirements. 

In addition, API compliance comes up when trying to adhere to regulations covering the operations of financial firms, defense contractors, and firms in other regulated industries. 

Conclusion

API compliance will be part of the job description for API owners and security managers at companies that must comply with government regulations or obligatory industry standards. APIs may expose sensitive PII and financial data that is covered by these rules. It’s a serious matter, given the potential for high fines, remediation costs, and reputation damage. It is possible to achieve a large proportion of API compliance, however, through existing API security practices and controls.