The first step when opening up functionality to partners via APIs was to identify which business services were to be externalized. Once done, subsequent steps were required to apply suitable Web Service Manager (WSM) policies and API Gateway policies to satisfy first-line and second-line defense security requirements. This was achieved as follows:
- Identify which business services are candidates to be exposed as an API
- Work jointly with the security team to define the set of policies to be applied to these APIs, covering both the first line and the second line of defense:
  - Authentication: where are external users authenticated?
  - Authorization: once users are authenticated, how are their access rights to an API determined?
  - Service-level agreements: ...
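As an added illustration of the two-layer structure described above (it is not the original authors' code and not Oracle WSM or API Gateway configuration), the following Python sketch chains a first-line gateway policy (authenticate the caller, enforce a per-client call quota) with a second-line service policy (deny by default, then check the scope an operation requires). The client registry, the shared secret, the exposed-service table and the token scheme are all constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed demo data: stand-ins for a real client registry and secret.
GATEWAY_SECRET = b"constructed-demo-secret"
CLIENTS = {
    "partner-a": {"scopes": {"orders:read"}, "max_calls": 3},
}
# Only the business services identified in step 1 are exposed; each operation
# names the scope a caller must hold (second-line authorization).
EXPOSED_SERVICES = {
    ("orders", "get"): "orders:read",
    ("orders", "cancel"): "orders:write",
}


@dataclass
class Request:
    client_id: str
    token: str       # presented credential: hex HMAC-SHA256(secret, client_id)
    service: str
    operation: str


@dataclass
class Decision:
    allowed: bool
    layer: str       # "gateway" (first line) or "service" (second line)
    reason: str


def issue_token(client_id: str) -> str:
    """Constructed credential issuance so the example runs offline."""
    return hmac.new(GATEWAY_SECRET, client_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class PolicyChain:
    calls: dict = field(default_factory=dict)   # per-client call counter (SLA quota)

    def first_line(self, req: Request) -> Decision:
        """Gateway policies: authenticate the caller, then enforce its quota."""
        client = CLIENTS.get(req.client_id)
        if client is None:
            return Decision(False, "gateway", "unknown client")
        expected = issue_token(req.client_id)
        if not hmac.compare_digest(expected, req.token):   # constant-time compare
            return Decision(False, "gateway", "bad credential")
        n = self.calls.get(req.client_id, 0) + 1            # count only authenticated calls
        self.calls[req.client_id] = n
        if n > client["max_calls"]:
            return Decision(False, "gateway", "quota exceeded")
        return Decision(True, "gateway", "authenticated")

    def second_line(self, req: Request) -> Decision:
        """Service-side policy: deny by default, then require the operation's scope."""
        needed = EXPOSED_SERVICES.get((req.service, req.operation))
        if needed is None:
            return Decision(False, "service", "operation not exposed")
        if needed not in CLIENTS[req.client_id]["scopes"]:
            return Decision(False, "service", f"missing scope {needed}")
        return Decision(True, "service", "authorized")

    def handle(self, req: Request) -> Decision:
        """Apply the first line; only requests it admits reach the second line."""
        decision = self.first_line(req)
        if not decision.allowed:
            return decision
        return self.second_line(req)


if __name__ == "__main__":
    chain = PolicyChain()
    ok = Request("partner-a", issue_token("partner-a"), "orders", "get")
    print(chain.handle(ok))
    print(chain.handle(Request("partner-a", "not-a-valid-token", "orders", "get")))
    print(chain.handle(Request("partner-a", issue_token("partner-a"), "orders", "cancel")))
```

The point of keeping the two layers separate is that a request rejected at the gateway never consumes service-side resources, while the service still refuses anything the gateway let through that is not on the exposure list or lacks the required scope.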