As API adoption continues, early autonomy incentives often have led to shadow IT and infrastructure sprawl. To secure our growing API attack surface, technology leaders must implement organizational accountability through security oversight, platform observability, and role clarity. Establishing processes to graduate API infrastructure to a mission-critical role will eliminate inefficiencies and ensure resilience against constant cyber threats.

Need for organizational structure and accountability

Setting up the right structure

As a technology leader in your business, one of your tasks is setting up the right organizational structure to drive responsibility and accountability for all personnel. 

Updating strategies and structures

As our applications evolve, the expectations from the developers and the architects also evolve. To stay on trajectory, our original strategy may need to be updated to manage risk, stay in compliance, and drive success. The decisions that we made yesterday may not be optimal tomorrow.

Problems created when using microservices

In the past few years, organizations have directed short-term solutions. The reason for this is to incentivize their teams to move fast and transition to new architectures, like microservices and Kubernetes, and break out of the old monolith tradition. 

In doing so, they also gave lots of freedom to teams to make strategic infrastructure decisions. That was the correct strategy at the time; we needed our teams to rapidly iterate and drive success and to inspire other teams to follow their path, without too many blockers.

As more applications teams followed the microservices transformation, what started as an early incentive quickly transformed into a more problematic long-term solution: the formation of shadow IT infrastructures, the emergence of inefficiency in teams building products and infrastructure, platform and security teams unable to assess the security and tightness of our API environments, and so on. 

With the rapid explosion of APIs in this new era of the company where APIs and microservices are established trends, now’s the time to reassess the situation and manage the organizational risks.

Establishing API accountability

At scale, our teams need proper scalable and secure infrastructure to be successful in their work. They don’t have enough bandwidth to both build the apps and manage the infra. When something breaks, we become potential targets for cyberattacks. 

When that happens, the responsibility ultimately falls on the organization’s leaders. Therefore, it’s time to finally graduate our API infrastructure to its new mission-critical role and stray away from the experimentations of the early days.

To do so, we need an organizational process that does the following.

• Allows the security teams to approve the configurations we've deployed in our API infrastructure
• Gives the platform team awareness of what APIs and services are running in the organization to properly monitor, secure, and control them
• Frees up teams to become more productive by focusing on their applications and less on building infrastructure (and becoming “users” of infrastructure instead). 

Establishing organizational accountability

Our APIs are constantly under attack today, and we just might not know it yet. Attackers are always searching for an entry point, and it’s only a matter of time before our internal inefficiencies become tangible attack vectors.

This post is part of a series on becoming a secure API-first company. For a deeper dive, check out the eBook Leading Digital Transformation: Best Practices for Becoming a Secure API-First Company.