Today Cloudentity, a company specializing in the burgeoning authorization layer, announced it was adding GraphQL support to its collection of API management tools. The process adds more fine-grained control to the access points allowing deeper and more precise command over what data is released in which circumstances. 

The move also extends the ambitions of the company. In the past, authorization tended to be a binary decision made at the beginning. A software package was either authorized or not. The GraphQL integration brings more control, not just to each API request but to the individual fields themselves. 

“GraphQL APIs bring a lot of net new benefits to the developer community,” Nathaniel Coffing, the CSO and co-founder of Cloudentity, told VentureBeat. “The developer community has recognized it and now they’re adopting those at a very, very rapid pace that exceeds what we saw from the RESTful adoption.“

How GraphQL improves data exchange

GraphQL has become popular lately by offering developers a more effective and elegant mechanism for data exchange. Basic requests can specify more elaborate queries that may span several data collections or APIs. It’s often seen as a direct competitor for older protocols like SQL because it offers front-end developers an especially rich set of options. The new Cloudentity layer will police these requests, ensuring that only properly authorized data will be released according to the authenticated user’s role. 

Cloudentity has staked out a place providing authorization services to developers, a market segment that has been growing as companies search for better control over the data they rely upon. Political pressure over embarrassing privacy lapses from leaked personally identifiable information is forcing developers to look for better solutions. 

The announcement also reflects the changes in the marketplace. In the past, companies like RSA were happy to add more security to the login process through tokens or dongles. Lately, companies like OneLogin, ForgeRock, and Okta have been expanding to offer more secure API-based integration that simplifies data sharing. Last year in May, Okta completed an acquisition of Auth0, another company specializing in simplifying authorization through a hosted service, citing a desire to build a “single, unified identity platform.” 

Microsoft also offers Identity and Access Management, a service for securing web applications running on Azure and other locations in the cloud. Its Active Directory also aims to offer a single, unified mechanism for controlling access. 

Pushing deeper into the data stack

This new announcement shows that the companies are pushing deeper into the stack by offering more complex and customizable options for developers who need a nuanced retrieval of data. 

The announcement offers developers a service that will filter the data moving in and out of their stack through APIs and use more in-depth knowledge of the user’s identity and consent to regulate the flow. If the request is too broad, it will restrict particular fields or the entire request. 

If the incoming data is too detailed, it will redact it. The Cloudentity GraphQL layer will actively delete extra data that might be included in some response to an API call. 

“Let’s say some API returns all this PII and other information about me that you’re not authorized to have contractually? Once it’s out there, then it’s out there,” says Coffing. “Nobody knows what the developer’s gonna do. They might publish it down to the SIM, drop into the syslog, put it in a flat file, share it out to another API. So I have to be very explicit on my authorization policies about what data is allowed to go across that wire and redact that before it gets to the service.”

Cloudentity also wants to make the entire process more automated so that managers can add more high-level direction that will be translated automatically into the kind of fine-grain commands that will rule over the GraphQL API interfaces. 

Coffing says that the company is exploring using more AI and ML techniques to improve this automation in the future. 

“We’re bringing in more ML and AI so we can analyze not just the request and responses, but also make better and finer-tuned policy suggestions of exactly what’s transpiring.” explained Coffing. “So if we see PII, if we see first name and last name, then we say, `OK, you should probably have consent because there is all of this data in here. ‘That’s very important. And you should probably have fine-grained consent.”

The new support is available through the company’s SaaS platform as an external, declarative authorization service that can filter API calls, orchestrate provisioning by providing transaction-level enforcement of rules about privacy, personally identifiable information and other sensitive data. 

More information will be available at an upcoming online seminar, “Securing GraphQL: Protect APIs and Control Data Access.”