API Security: What's the Difference between Private/Partner/Public and Internal/External APIs?


API security is important, as we can see from recent examples such as the Peloton API leak. One source of problems is that security is sometimes managed poorly because it is assumed that private APIs (i.e., the ones consumed by an organization's own consumers) don't have to be secured. This is particularly risky when these APIs are exposed externally.
In this video, we discuss the basics of two axes of API security:
Who is an API for? This is where the private/partner/public distinction comes into play. However, this is not primarily a security discussion, but one about whom an API is designed for.
Where is an API available? This is where the internal/external distinction comes into play. Some APIs may only be available internally, but many private APIs also have to be externally available because their consumers are not on the organization's internal network.
Treating these two axes consciously and separately helps reduce the risk of API security issues. Generally speaking, practicing zero trust is a good idea for APIs: the general stance is that an API trusts neither the network nor the user without proper authentication and authorization.
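The following is an added example, not code from the video or its author. It models the two axes in a small request-authorization check: each route is tagged with the audience it was designed for (private/partner/public) and a request is classified by where it arrives from (internal/external network). Two decision functions sit side by side: `audience_trust_decision` encodes the risky assumption that "private" APIs need no authentication, and `zero_trust_decision` requires a valid token and scope regardless of audience or source network. The token format (HMAC-signed claims), the route table, the network ranges and the secret are all constructed for this example.

```python
"""Zero-trust authorization check for API requests (constructed example)."""
import base64
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

# Constructed secret for the example; a real service loads this from a secret store.
SECRET = b"example-shared-secret-do-not-use"

# Audience is a design label (who the route is for); scope is the security control.
ROUTES = {
    "/v1/users/export":   {"audience": "private", "scope": "users:export"},
    "/v1/partner/orders": {"audience": "partner", "scope": "orders:read"},
    "/v1/public/status":  {"audience": "public",  "scope": None},
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Request:
    path: str
    source_ip: str
    token: Optional[str]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list) -> str:
    """Mint a token of the form base64(claims).base64(hmac-sha256(claims))."""
    claims = _b64(json.dumps({"sub": subject, "scopes": scopes}, sort_keys=True).encode())
    sig = hmac.new(SECRET, claims.encode(), hashlib.sha256).digest()
    return f"{claims}.{_b64(sig)}"


def verify_token(token: Optional[str]) -> Optional[dict]:
    """Return the claims when the signature verifies, otherwise None."""
    if not token or token.count(".") != 1:
        return None
    claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(SECRET, claims_b64.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(_unb64(claims_b64))
    except ValueError:          # bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def classify(req: Request) -> tuple:
    """The two axes: (audience the route is designed for, where the request came from)."""
    audience = ROUTES.get(req.path, {}).get("audience", "unknown")
    addr = ipaddress.ip_address(req.source_ip)
    exposure = "internal" if any(addr in net for net in INTERNAL_NETS) else "external"
    return audience, exposure


def audience_trust_decision(req: Request) -> str:
    """Risky pattern: 'private' routes are assumed safe and skip authentication.
    Once such a route is reachable externally, anyone can call it."""
    route = ROUTES.get(req.path)
    if route is None:
        return "deny:unknown-route"
    if route["audience"] == "private":
        return "allow"
    return zero_trust_decision(req)


def zero_trust_decision(req: Request) -> str:
    """Zero trust: neither the audience label nor the source network grants access;
    every non-public route needs a verified token carrying the required scope."""
    route = ROUTES.get(req.path)
    if route is None:
        return "deny:unknown-route"
    if route["scope"] is None:  # public, deliberately unauthenticated route
        return "allow"
    claims = verify_token(req.token)
    if claims is None:
        return "deny:unauthenticated"
    if route["scope"] not in claims.get("scopes", []):
        return "deny:unauthorized"
    return "allow"


if __name__ == "__main__":
    anonymous = Request("/v1/users/export", "203.0.113.5", None)   # external, no token
    print(classify(anonymous))                                       # ('private', 'external')
    print(audience_trust_decision(anonymous), zero_trust_decision(anonymous))
```

The difference shows up on the externally reachable private route: the audience-based policy allows an unauthenticated call, while the zero-trust policy denies it, and the same zero-trust function also denies a caller whose token lacks the route's scope or whose token signature does not verify.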


00:00 Intro
00:56 API Consumers: Who and Where?
01:43 Private/Partner/Public APIs
04:06 Internal/External API Exposure
05:37 Zero Trust Security
