SaaS series - Drata: Open APIs make compliance easy

This is a guest post for the Computer Weekly Developer Network written by Brian Elmi in his role as VP of Product at Drata. The company is known for its technology that automates an organisation’s compliance journey from start to audit-ready and beyond, with support from the security and compliance experts who built it.

Elmi writes in full as follows…

Compliance programmes are undergoing a major transformation.

In today’s era of trust, automation and transparency, APIs are a conduit to streamlining compliance by connecting with any technology stack. A compliance-focused open API empowers developers to design customised solutions for complete visibility of an organisation’s compliance programme.

Choosing the right API, however, requires some homework.

This five-step checklist will help you evaluate APIs for the benefit of your compliance programme, your developers and integration with your enterprise requirements.

#1 API endpoints

Do the API endpoints support your organisation’s compliance monitoring needs?

You need an API with the right endpoints to ensure your developers can integrate enterprise systems with your compliance monitoring platform, so questions to ask here include:

  • Are there use cases to check and ensure the right endpoints are available?
  • Will these endpoints save time and boost efficiency?
  • Are there thorough step-by-step guides for easy implementation?
  • Are the variables they return easy to understand?

#2 API platform interface

Question 2 comes down to asking yourself – what is the best API platform interface?

Making it easy for your developer to implement the API is important, so it is best to choose the technology everyone across the business is most attuned with. In most cases, this comes down to either a RESTful architectural style or alternatives such as the GraphQL query language and runtime environment. Each choice has pros and cons depending on the specific applications of a business.

Most businesses will choose the approach that their developers already know – REST. RESTful APIs are easy to develop and implement as they provide simple, uniform interfaces and are available through web URLs, while alternatives have a harder learning curve.

#3 API security

Can you drill down into the API’s security features? Access control should be a top priority for a compliance Open API.

Breaches can happen at any time, so APIs that allow unlimited access should be avoided.

Overly permissive API keys will only lead to the complication of having to develop additional controls for extra protection of your networks.

#4 Permissions

Can I scope permissions?

An API with granular security allows you to scope permissions and makes it easier for your developers to integrate with your security stack. You should carefully review the options available for per-endpoint access, the permissions a key can carry and whether a key can be edited or revoked at any time.

#5 Troubleshooting


Does it allow for troubleshooting?

Make sure you choose an API that generates fine-grained activity logs and offers dynamic query tools. With the right API, developers can troubleshoot issues before pushing code into production and monitor suspicious behaviour. A well-designed compliance Open API will enable engineers to focus on business-critical initiatives instead of identifying and resolving ad hoc errors.
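One way the points in #3 to #5 fit together in code, as an added example that is not Drata’s own API or code: keys carry explicit scopes, each endpoint requires one scope, anything unlisted is denied, a key can be revoked at any time, and every decision lands in an activity log. The endpoint paths and scope names are assumptions made for the example.

```python
# Added example (not Drata's code): scoped API keys with per-endpoint scope
# checks, revocation, and an activity log. Paths and scope names are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class ApiKey:
    key_id: str
    scopes: frozenset  # e.g. {"controls:read"}; one scope per action
    revoked: bool = False

# Each endpoint names the single scope it requires (constructed mapping).
# Anything not listed here is denied by default.
ENDPOINT_SCOPES = {
    ("GET", "/controls"): "controls:read",
    ("POST", "/controls"): "controls:write",
    ("GET", "/evidence"): "evidence:read",
}

class KeyStore:
    def __init__(self):
        self.keys = {}
        self.activity_log = []  # one entry per authorisation decision

    def issue(self, key_id, scopes):
        self.keys[key_id] = ApiKey(key_id, frozenset(scopes))

    def revoke(self, key_id):
        if key_id in self.keys:
            self.keys[key_id].revoked = True

    def authorize(self, key_id, method, path):
        """Return (allowed, reason); deny unless every check passes."""
        required = ENDPOINT_SCOPES.get((method, path))
        key = self.keys.get(key_id)
        if required is None:
            reason = "unknown_endpoint"
        elif key is None:
            reason = "unknown_key"
        elif key.revoked:
            reason = "revoked_key"
        elif required not in key.scopes:
            reason = "missing_scope"
        else:
            reason = "ok"
        self.activity_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "key_id": key_id,
            "method": method, "path": path, "reason": reason,
        })
        return reason == "ok", reason
```

The `reason` field in each log entry is what lets a developer tell a missing scope from a revoked key when troubleshooting before code reaches production.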

API for compliance best practice

For the long term, there are some best practice pointers on how to continuously improve APIs based on feedback gathered from developers.

  • Keep it simple: The more complex your API, the harder it will be for developers to use it. Keep your API simple, easy to understand and consistent with the conventions of the industry.
  • Provide clear documentation: Providing clear documentation for your API is critical. Use updated specifications to generate documentation that is consistent with your API.
  • Use consistent naming conventions: Use consistent naming conventions for your API endpoints, parameters and responses. This will make it easier for developers to understand and use your API.
  • Test your API: Testing your API is critical to ensure that it works as expected and best fits your business needs.
  • Continuously improve your API: Continuously improve your API based on feedback from developers, new technologies and changing industry standards.

Continuous compliance

Compared to traditional compliance, which is manual and confined to a specific time window, API-led compliance strategies enable a continuous process that delivers constant verification and visibility into control status and can scale as required.

By allowing developers to create APIs that can be easily integrated with different software systems, businesses can comply with the ever-growing number of regulatory requirements and achieve limitless customisation.