Email Security

    APIs at Work: Real Experience, From the Trenches

    See how APIs and automation helped a leading practitioner manage 50,000 mailboxes worldwide – and stay sane

    by Devin Hamilton

    Key Points

    • Even after a large organization consolidates messaging and productivity systems, its environments are likely still far too complex to operate manually.
    • Automation via APIs can improve accuracy as well as speed, and enables better remediation, too.
    • You may have to “drop everything” and manually perform some new complex process that can’t wait — but you can automate that process before it happens again.

    If you’re responsible for a mission-critical IT, communications, or security environment, why should you care about APIs? I found many reasons to care when my job involved providing email services for some 50,000 employees worldwide across more than 100 agencies and over 300 brands at one of the world’s leading advertising and marketing agencies. But one reason rose above the rest: Automation was the only way to keep your sanity.

    Consolidation Offers Business Value — But the Tech Isn’t Simple

    Like many enterprises that grow through M&A as well as organically, our agency group started a journey to consolidate IT, moving to Office 365 and Mimecast’s centralized secure email gateway. We found compelling value in that transition. After consolidation, however, we also found ourselves with far less staff than we needed. Consolidation made us more efficient, in the big picture. But given our agencies’ unique brands and individual business requirements, we needed to securely manage not just one environment, but 125 of them. We’d had 30 people before; now we had to do it with six.

    In my experience, this isn’t all that unusual. Even after organizations work hard to streamline their environments, they find themselves running multiple Office 365 environments, possibly with Google Workspace or something else still somewhere in the mix. The boardroom imagines everything is simple now — but it isn’t. In the trenches, you quickly find that it’s almost as complex to securely operate your new cloud services as it had been before. You need different skillsets, not fewer of them.

    Things get really painful when you have to act fast. Senior executives might need something done, or the company’s counsel may need a hold related to specific litigation. Even when business leaders aren’t involved, the faster you can address a potential security issue, the less risk you face. Tasks like blocking a sender may need to be performed immediately, across the enterprise. Without automation, you may find yourself doing it manually, step by step, account by account. You’ve had to drop everything, delaying other important tasks – and that also increases risk.

    APIs and Automation Make ‘Fire Drills’ Manageable — and Accelerate Core Processes, Too

    Mimecast’s Federated Account Administration (FAA) empowered us to set and change many high-level policies. That helped a great deal, but many urgent repetitive tasks still needed more automation. Mimecast’s APIs were invaluable to us: We could run the relevant API and go do something else while time-critical actions were running on all our accounts, worldwide.

    For instance, using Mimecast’s APIs, we could globally block a sender who was trying to send phishing emails impersonating the CEO. We could immediately place all users under a litigation hold in response to a request from our legal team. And we could make sure a company-wide communication was delivered to every user — never landing in a spam folder or getting sidetracked by an agency-specific mail delivery policy. 

    Even certain routine processes, such as user deprovisioning, should run ASAP. Those, too, were excellent candidates for API calls that are automatically triggered when an account requires immediate removal. Automated deprovisioning became even more critical as we increasingly relied on third-party application services. These sometimes require directory synchronization — a time-consuming process that should be triggered instantly, lest individuals maintain access after they should be disconnected. Even where a full synchronization isn’t necessary, APIs can automate delivery of individual Disable User instructions to external services faster than anyone can do it manually. Since APIs can be triggered immediately from SOAR playbooks or other sources, tasks that might once have been batched on a predefined schedule can instead happen immediately, as they should.

    We found that automation helped us improve accuracy, not just speed. Inevitably, when six people are repeatedly performing the same manual process, they’ll make mistakes. Even simple typos can mean that a process fails to execute properly. But if you’re using the APIs correctly, they’ll run identically on every account.

    As most IT, email and security admins know too well, “fire drills” happen at 3 a.m., too. I’d rather not be awakened in the middle of the night unless it’s truly necessary. Using Mimecast’s APIs, we could automatically perform tasks like blocking mail to a newly compromised domain, triggering this as soon as the risk was identified through any of our systems — next-gen AV, firewall, or wherever else.

    In approaching automation, we got plenty of value from a simple principle: “We had to do this manually once. Let’s make sure we don’t have to do it manually again.” Whenever some critical task came to us on a “drop-everything-do-it-now” basis, we made sure to automate that task before it came our way again.

    Simplify Organizational Change, Accelerate Remediation

    Company reorganizations, mergers, and acquisitions represent another area where automating via APIs can be especially valuable. Without automation, this can involve a complex set of repetitive processes, including careful double-checking. With Mimecast’s APIs, we could build logic and error handling to quickly transition large groups of users. We gradually refined our logic to handle more exceptions, until virtually no human intervention was required.

    Over time, as we became more comfortable with APIs, we increasingly used them for more and faster remediation at scale. For example, removing messages from user inboxes worldwide, so if a high-risk message is identified in one part of the world it can be removed in other regions overnight, before most employees ever encounter it.

    My peers, colleagues, and I have increasingly recognized that maturing security practices means automating extensively: relying on integration and APIs, not people, to do things. Yes, we humans make sure things are happening as expected, but the real-time actions are automated. They have to be. It’s the only way to sleep at night — and the only way to stay sane.

    The Bottom Line

    You can’t effectively manage enterprise email, IT, or security without prioritizing automation. We automated via APIs, and by prioritizing large-scale “do it now” tasks we’d actually encountered, we automated routine processes that needed to happen faster and identified ways to automate remediation, too.

     

    Devin Hamilton managed more than 50,000 mailboxes worldwide for one of the world’s largest advertising and marketing companies. Now at Mimecast, he has helped customers worldwide succeed with Mimecast email security technologies.

     

     

    **This blog was originally published on January 25, 2022.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page