What kind of automated catalog do you use for keeping a list of all 3rd party software API integrations exchanging data with external 3rd parties? Additionally, who does the data classification for all these software integrations in your org? A major issue that we are seeing is that dependence on 3rd party software services being called from the various code bases is increasing, and declaring all data sub-processors accurately is a challenge in terms of communication between teams and visibility when audits and customer data privacy requests come through.

413 views, 9 Upvotes, 4 Comments

IT Manager in Transportation, 10,001+ employees
Limit your APIs and depend more on internal solutions.
Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
Put rate limits.
Associate Director, IT, 10,001+ employees
I would start with establishing an API Governance body which will include Lead Developers/Architects. Then start analyzing with the biggest platforms first - Salesforce, AWS etc. You should do it platform by platform. We have very effective IDEs and configuration tools which will give the list of all the end points in the code and metadata with some regular expressions. Once you have the list made, keep adding the new ones to the list as the team identifies them. Let the Governance body act as an SME and guide the future implementations. In parallel, run a "Technical Debt" program which will either fix the issues in successive sprints or re-design the whole thing with some new design pattern (Microservices?). And also, the Governing Body should analyze if you need to consume so much data from the 3rd party applications. If any of it is static or doesn't change frequently (let's say quarterly), batch jobs will help to bring in the data. It will also improve the performance of the application.
IT Manager in Energy and Utilities, Self-employed
I agree that one of the first things to do is to establish governance. In my organization, our application architect developed a web-based tool to catalogue all applications, their owners, type of data used, APIs, type of APIs, locally developed or 3rd party, etc. The decision to classify the data is governed by our data classification policy, which is under the Data Architecture team. The security classification is also done by our cybersecurity team.
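The two comments above describe the same inventory step: scan the code bases for outbound endpoints with a regular expression, then keep a catalogue record per integration that carries the owner and data classification so the sub-processor list can be maintained as teams add new calls. The script below is an added illustration of that step, not code from the original discussion or from any commenter's organisation. The sample files, the hostnames, the internal-domain suffix, the set of source-file extensions and the record field names are all assumptions; a real run would walk the repository with os.walk instead of reading the constructed dict.

```python
import os
import re

# Constructed sample "code base": relative path -> file contents. Every value here is made up
# purely for the example; in practice you would read the files from the checked-out repositories.
SAMPLE_REPO = {
    "billing/payments_client.py": 'BASE = "https://api.vendor-payments.example/v1/charges"\n',
    "crm/sync.js": "const url = 'https://example-org.my.salesforce.com/services/data/v58.0/query';\n",
    "storage/upload.py": "s3 = boto3.client('s3', endpoint_url='https://s3.amazonaws.com')\n",
    "internal/health.py": "ping('https://health.internal.example.corp/status')\n",
    "notes/README.md": "See https://api.vendor-payments.example/docs for details\n",
}

# Assumed: hostname suffixes owned by the organisation itself (not data sub-processors).
INTERNAL_SUFFIXES = (".internal.example.corp",)

# Assumed: only these file types count as code/config; docs and notes are skipped.
SOURCE_EXTENSIONS = (".py", ".js", ".ts", ".java", ".go", ".rb", ".yaml", ".yml", ".json")

# http(s) URL in source text: group 1 = hostname, optional port ignored, group 2 = path.
URL_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)(?::\d+)?(/[^\s'"<>)]*)?""")


def _new_record(host, internal_suffixes):
    # One catalogue record per hostname; owner and classification are left for the
    # governance body / data-classification policy to fill in (field names are assumptions).
    return {
        "third_party": not host.endswith(internal_suffixes),
        "files": set(),
        "endpoints": set(),
        "owner": None,
        "data_classification": "unclassified",
    }


def scan_sources(files, internal_suffixes=INTERNAL_SUFFIXES, extensions=SOURCE_EXTENSIONS):
    """Build {hostname: record} from a mapping of path -> file text."""
    catalog = {}
    for path, text in sorted(files.items()):
        if not path.endswith(extensions):
            continue  # skip documentation and other non-code files
        for match in URL_RE.finditer(text):
            host = match.group(1).lower()
            record = catalog.setdefault(host, _new_record(host, internal_suffixes))
            record["files"].add(path)
            record["endpoints"].add(match.group(2) or "/")
    # Sets are fine while scanning; sorted lists are what you want to store and diff.
    for record in catalog.values():
        record["files"] = sorted(record["files"])
        record["endpoints"] = sorted(record["endpoints"])
    return catalog


def scan_directory(root, **kwargs):
    """Same as scan_sources but reads a real directory tree (not exercised by the sample)."""
    files = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if full.endswith(SOURCE_EXTENSIONS):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_sources(files, **kwargs)


def merge_catalog(existing, discovered):
    """Add newly found hosts/endpoints without losing owner and classification already recorded."""
    merged = {host: dict(rec) for host, rec in existing.items()}
    for host, rec in discovered.items():
        if host in merged:
            merged[host]["files"] = sorted(set(merged[host]["files"]) | set(rec["files"]))
            merged[host]["endpoints"] = sorted(set(merged[host]["endpoints"]) | set(rec["endpoints"]))
        else:
            merged[host] = dict(rec)
    return merged


def sub_processors(catalog):
    """Hosts that must appear on the sub-processor list: third-party only, sorted."""
    return sorted(host for host, rec in catalog.items() if rec["third_party"])


def unclassified(catalog):
    """Third-party hosts whose record still lacks an owner or a data classification."""
    return sorted(
        host for host, rec in catalog.items()
        if rec["third_party"] and (rec["owner"] is None or rec["data_classification"] == "unclassified")
    )


if __name__ == "__main__":
    found = scan_sources(SAMPLE_REPO)
    print("sub-processors:", sub_processors(found))
    print("needs owner/classification:", unclassified(found))
```

Running the scan on each release and merging into the stored catalogue gives the "keep adding the new ones" behaviour: a host that is already owned and classified keeps those fields, and the unclassified() list is the work queue for the governance body when an audit or privacy request arrives.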
