October 30, 2018 • Garrett Garitano
Scale Up Your Platform’s APIs and External Users Securely with These 6 Tips

Build a platform and your business will grow faster. Even better, you don’t have to rely upon your resources for growth. External users, such as consultants, open source developers, and others, will help. Take Slack for example. The company’s growth to $200 million in annual recurring revenue depended upon several strategies, including integrations with 1,000 other products.
It’s not just Slack. Leveraging platform growth has the potential to deliver incredible results. This growth strategy does come at a cost, and it’s a cost that some companies misunderstand. When you rely upon external users to fuel your company’s growth, you need to balance risk and relationship management. Before looking at solutions, take a peek at just how serious external user risk can become.
The Risk of APIs and External Users Impacts Every Organization, Even Google
For many people, Google is a symbol of business success. The company’s products, including search, YouTube, Gmail, and Google Maps, are constantly used. Those popular products helped the company earn over $100 billion in revenue in 2017. Despite all that success, even Google is vulnerable to external user security problems.
In October 2018, Google announced it was closing Google+, its social network, to the public. There were a few reasons for the change. First, the product had low user engagement. More importantly, Google disclosed a bug in a Google+ API (the People API) that had allowed third-party applications to read profile fields users had not shared publicly. Google said it found no evidence that any developer had misused the access, but that doesn't matter. When you have Google's profile, there are high expectations. Google stumbled here, and the market will be watching to see how it recovers.
Measuring the impact of the failure is difficult. As Google stated in its announcement, “We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug.” That is the practical lesson for any platform owner: minimizing log retention is a reasonable privacy choice, but if API access logs do not outlive the time it takes to discover a bug, you will not be able to scope the incident. Now, imagine facing Google's objective: building a large-scale product with APIs and millions of users, and still being able to answer that question.
The Wrong Way to Solve the External User Security Challenge
Some solutions to this risk inflict collateral damage and need to be avoided. The most risk-averse solution is to shut down API access. That move signals that your company is less innovative, and it reduces growth. You'll also have to explain why your product offers minimal integrations. Clearly, this isn't a good solution.
Instead of shutting down APIs, you could scale up your security requirements and processes. That is the better instinct, but only if the processes themselves scale. Companies and consumers demand better cybersecurity protections, yet the drive for convenience hasn't disappeared. If every new integration or external account depends on a manual security review, customers will leave because access takes too long to grant. A purely manual approach isn't sustainable; the reviews have to be systematic and, wherever possible, automated.
Use These Six Steps to Cut External User Access Risk
Is there a way to scale your platform without sacrificing external user security? Yes, there is. Follow these steps and you’ll be back on track.
- Identify your cybersecurity risks
Does external user risk matter to your organization? The best way to answer that question lies in assessing all your cyber risks. That’s what will give you the context to make decisions. If you have a public-facing platform for customers or developers, you need to address this risk exposure.
- Map your external users landscape
Find out all the systems that accept external users. This may include community sites for developers and payment portals for customers. If you have an identity management solution in place, review the available user reports first. Without that solution, you may need to create a user list on spreadsheets manually. Make sure to note users that have unusual privileges, such as the ability to approve other users.
- Remove inactive users
Using “last login date” as a metric, identify which external users are inactive. Flag the users that have been inactive for more than three months (90 days), and put accounts that were provisioned but never logged in on the same list, since they carry the same risk with no history to justify it. Once you have that list, craft an outreach program to those users. After all, you may be able to get more user engagement with your product. If users are unresponsive, decide how and when to remove their access.
- Revisit your third-party software
External users take a variety of forms, and third-party software tools that hold credentials or API tokens to your platform are among them. Focus your attention on software that accesses core business functions such as finance, software development, and customer service. After you identify and fix problems in this area, appoint an owner to monitor this risk exposure on an ongoing basis.
- Review third-party service providers
Locking down cloud and SaaS services connected to your account is a good start. After that point, you’ll need to govern your third-party services. Should you bother with this step? That depends upon your company’s size and use of outside consultants. At a minimum, review the external user accounts used by management consultants, developers, marketers, and sales professionals, as these types of users have access to sensitive data.
- Reduce user access privileges
With great access comes great responsibility. Unfortunately, many organizations lack a systematic governance approach to access privileges. To land a quick win in this area, start by cutting back on “super users,” meaning those with authority to create new users, modify user access, and make similar changes.
For additional tips on this strategy, read our past article: Cut Your Access Governance Complexity with the Principle of Least Privilege. If a user doesn’t need access to a system to perform job duties, then he or she shouldn’t have access to it.
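To make steps two, three and six measurable rather than a spreadsheet exercise, here is an added example (not code from the original article) that runs the external user inventory, the 90-day inactivity check and the super-user check over a constructed identity export. The CSV columns, the sample rows, the `user_type` field used to separate external from employee accounts, and the role names in `SUPER_USER_ROLES` are all assumptions; map them to whatever your identity provider actually exports.

```python
"""Access review over an identity-provider export.

Added example; not the article's or any vendor's code. It assumes a CSV
export with the columns used in SAMPLE_EXPORT below (constructed data).
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, not real accounts. 'last_login' is empty for an
# account that was provisioned but never used.
SAMPLE_EXPORT = """\
system,username,email,user_type,roles,last_login
dev-portal,alice,alice@example.com,employee,admin,2018-10-25
dev-portal,bob,bob@partner.example,external,developer,2018-10-01
dev-portal,carol,carol@consultancy.example,external,"developer,user_admin",2018-06-15
payments,dave,dave@vendor.example,external,viewer,
payments,erin,erin@example.com,employee,approver,2018-10-28
community,frank,frank@oss.example,external,moderator,2018-10-20
community,grace,grace@agency.example,external,user_admin,2018-04-02
"""

# Inactivity threshold from the article: more than three months.
INACTIVE_AFTER = timedelta(days=90)

# Roles that can create or modify other accounts ("super users"). Assumed
# names; replace with your identity provider's role catalogue.
SUPER_USER_ROLES = {"admin", "user_admin", "approver"}


def parse_date(text):
    """'YYYY-MM-DD' -> date, or None for an empty value (never logged in)."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def parse_export(text):
    """Parse the CSV export into dicts with a role set and a typed date."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        row["roles"] = {r.strip() for r in row["roles"].split(",") if r.strip()}
        row["last_login"] = parse_date(row["last_login"])
        users.append(row)
    return users


def external_users(users):
    return [u for u in users if u["user_type"] == "external"]


def map_landscape(users):
    """Step 2: which systems accept external users, and who is in each."""
    landscape = {}
    for u in external_users(users):
        landscape.setdefault(u["system"], []).append(u["username"])
    return landscape


def inactive_users(users, as_of, threshold=INACTIVE_AFTER):
    """Step 3: external accounts idle longer than the threshold.

    An account with no last_login at all has never been used and is
    flagged too; otherwise it would silently pass a 'days since' check.
    """
    flagged = [u["username"] for u in external_users(users)
               if u["last_login"] is None or as_of - u["last_login"] > threshold]
    return sorted(flagged)


def super_users(users):
    """Step 6: external accounts holding a role that manages other users."""
    return sorted(u["username"] for u in external_users(users)
                  if u["roles"] & SUPER_USER_ROLES)


def access_review(text, as_of_iso):
    """Run all three checks as of the given 'YYYY-MM-DD' date."""
    users = parse_export(text)
    as_of = parse_date(as_of_iso)
    return {
        "landscape": map_landscape(users),
        "inactive": inactive_users(users, as_of),
        "super_users": super_users(users),
    }


if __name__ == "__main__":
    # Run the review against the constructed export as of the article's date.
    for key, value in access_review(SAMPLE_EXPORT, "2018-10-30").items():
        print(f"{key}: {value}")
```

Two choices in this script matter more than the rest. Never-used accounts are treated as inactive rather than skipped, because a filter on "days since last login" quietly excludes them. And the super-user check is driven by an explicit set of role names, so when the review is repeated the criterion is written down instead of living in someone's head.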
What’s Next for Your Cybersecurity Program?
Now that you have external user access under control, what’s next? Take a closer look at your organization’s passwords. Like it or not, passwords remain a weak spot. Poor password management by employees puts your organization at risk. To combat this threat, set aside time to offer password management training. Once you have password practices improved, improve your security further by implementing multi-factor authentication.