Partner POV | Securing Travel Industry API Integrations
In this article
This article was written and contributed by our partner, Akamai.
They opted for an API Security's software as a service (SaaS) solution to enhance their API security, benefiting from behavioral analytics, intuitive threat visibility, and a managed threat hunting service to address their unique security needs.
The Challenge of securing APIs
Hotel chains have many different API-based integrations supporting their internal business intelligence systems, as well as a growing collection of external APIs with travel industry partners, including major travel websites like Expedia and Booking.com, online travel agencies (OTAs), and various other vendors and smaller agents. While many of these API functions are centralized in the company's property management platform, the security team found that they lacked visibility into the specific ways that partners were accessing and interacting with their systems — or any ability to govern these activities. After a scare when two of the company's travel partners were compromised, the team decided that a more sophisticated and proactive approach to API security was needed. This experience increased the company's sense of urgency to implement a more sophisticated set of API security capabilities.
Success factors of secure APIs
Hotel technology teams face many competing pressures on a daily basis, spanning cybersecurity and other critical operations functions. For this reason, they look for a solution that would reduce API risk without overwhelming the team with noise and manual effort. It was also important for the approach to extend beyond obvious attacks to cover more nuanced forms of API abuse originating from partners.
Why API Security was selected
API Security's (formerly Neosec) software as a service (SaaS) model allowed the hotel chain to get an initial implementation running in a matter of hours. "It was a very easy integration without any unnecessary friction," notes the company's representative. "We weren't overloaded with new tasks, so there wasn't any interference with our daily operations." Once the system was up and running, the API Security team collaborated with the hotel's team to fine-tune the data sources and configuration to meet the company's unique objectives.
Given the company's focus on detecting abuse, API Security's behavioral analytics capabilities set it apart from other options in the marketplace. The API Security platform was able to map the relationships between the hotel chain's API users and resources, providing valuable context. "Rather than focusing solely on blocking attacks, API Security was able to help us understand what was actually happening and zero in on undesirable behavior that would otherwise go unnoticed," the representative says.
The hotel's team was also very impressed with API Security's ability to present large amounts of information about API activity and threats in an intuitive, timeline-based view. "When you don't have information, you can't have a conversation or fix things," the representative explains. "As soon as you have an understanding of what an API is supposed to do and how this compares to what is actually happening, you can involve all of the relevant parties to fix any problems."
While the hotel has in-house security expertise, they see significant value in API Security's managed threat hunting service. "Our team's focus is often split between cybersecurity and supporting revenue-generating activities, so being able to engage a managed service that proactively alerts us when new API risks are identified is really important to us," the representative says. "It gives us access to people who are on the cutting edge of these API security issues, who are also very committed and easy to work with."