The Challenge of Securing APIs for a Luxury Hotel Chain
Dan Hotels is a luxury hotel chain with properties across Israel and India, and when the organization realized its partners were compromised, it turned to Akamai API Security to secure its many travel industry API integrations.
The challenge of securing APIs
The Dan Hotels chain has many different API-based integrations to support its internal business intelligence system. It also has a growing collection of external APIs with travel industry partners, including major websites like Expedia and Booking.com, online travel agencies, and various other vendors and smaller agents.
Although many of these API functions are centralized in the company’s Silverbyte property management platform, the security team found that they lacked visibility into the specific ways that partners were accessing and interacting with its systems — and any ability to govern these activities.
Needed: A more sophisticated and proactive approach
After two of the company’s travel partners were compromised, the Dan Hotels team recognized that a more sophisticated and proactive approach to API security was needed.
“When we were investigating the incident with our partners, we realized how little control we have over how our APIs are used,” says Yossi Gabay, Vice President of Information Systems, Dan Hotels. “It was clear that less secure partners could put our systems at risk.”
This experience increased the company’s sense of urgency to implement a more sophisticated set of API security capabilities.
Success factors of secure APIs
The Dan Hotels technology team faces many competing pressures on a daily basis, including cybersecurity and other critical operations functions. For this reason, they were looking for a solution that would reduce API risk without overwhelming the team with alerts and time-consuming manual efforts.
It was also important that whatever solution they chose be able to extend beyond obvious attacks to cover more nuanced forms of API abuse originating from partners (Figure).
API Security discovers, audits, and monitors all APIs and their activity using behavioral analytics to detect and respond to threats and abuse.
Why Dan Hotels selected API Security
API Security was the top choice for Dan Hotels because of its easy integration, advanced real-time analysis capabilities, intuitive view of the data, and managed services.
Easy integration
API Security’s software-as-a-service (SaaS) model allowed Dan Hotels to begin an initial implementation in a matter of hours. “It was a very easy integration without any unnecessary friction,” notes Yossi. “We weren’t overloaded with new tasks, so there wasn’t any interference with our daily operations.”
Once the system was up and running, the API Security team collaborated with the Dan Hotels team to fine-tune the data sources and configuration to meet the company’s unique objectives.
Advanced real-time analysis capabilities
Given the hotel chain’s focus on detecting abuse, API Security’s real-time analysis capabilities set it apart from other options in the marketplace. The API Security platform was able to map the relationships between the company’s API users and resources, providing valuable context.
Says Yossi, “Rather than focusing solely on blocking attacks, API Security was able to help us understand what was actually happening and zero in on undesirable behavior that would otherwise go unnoticed.”
Intuitive view of runtime data
The Dan Hotels team was also very impressed with API Security’s ability to present large amounts of information about API activity and threats.
“When you don’t have information, you can’t have a conversation or fix things,” explains Yossi. “As soon as you have an understanding of what an API is supposed to do and how this compares to what is actually happening, you can involve all of the relevant parties to fix any problems.”
Managed services
Dan Hotels sees significant value in API Security’s managed services.
“Our team’s focus is often split between cybersecurity and supporting revenue-generating activities,” says Yossi, “so being able to engage a managed service that proactively alerts us when new API risks are identified is really important to us. It gives us access to people who are on the cutting edge of these API security issues, who are also very committed and easy to work with.”
Check it out
Want to explore what our API security product could do for your organization? Test it yourself — check out Akamai API Security.
