Securing Travel Industry API Integrations at Dan Hotels

The Dan Hotels chain has many different API-based integrations supporting its internal business intelligence system, as well as a growing collection of external APIs with travel industry partners, including major travel websites like Expedia and Booking.com, online travel agencies (OTAs), and various other vendors and smaller agents. While many of these API functions are centralized in the company’s Silverbyte property management platform, the security team found that they lacked visibility into the specific ways that partners were accessing and interacting with its systems — or any ability to govern these activities. After a scare when two of the company’s travel partners were compromised, the team decided that a more sophisticated and proactive approach to API security was needed. “When we were investigating the incident with our partners, we realized how little control we have over how our APIs are used. It was clear that less secure partners could put our systems at risk,” says Yossi Gabay, Vice President of Information Systems, Dan Hotels. This experience increased the company’s sense of urgency to implement a more sophisticated set of API security capabilities.

The Dan Hotels technology team faces many competing pressures on a daily basis, spanning cybersecurity and other critical operations functions. For this reason, they were looking for a solution that would reduce API risk without overwhelming the team with noise and manual effort. It was also important for the approach to extend beyond obvious attacks to cover more nuanced forms of API abuse originating from partners.

API Security’s (formerly Neosec) software as a service (SaaS) model allowed Dan Hotels to get an initial implementation running in a matter of hours. “It was a very easy integration without any unnecessary friction,” Gabay notes. “We weren’t overloaded with new tasks, so there wasn’t any interference with our daily operations.” Once the system was up and running, the API Security team collaborated with the Dan Hotels team to fine-tune the data sources and configuration to meet the company’s unique objectives.

Given the company’s focus on detecting abuse, API Security’s behavioral analytics capabilities set it apart from other options in the marketplace. The API Security platform was able to map the relationships between the hotel chain’s API users and resources, providing valuable context. “Rather than focusing solely on blocking attacks, API Security was able to help us understand what was actually happening and zero in on undesirable behavior that would otherwise go unnoticed,” Gabay says.

The Dan Hotels team was also very impressed with API Security’s ability to present large amounts of information about API activity and threats in an intuitive, timeline-based view. “When you don’t have information, you can’t have a conversation or fix things,” Gabay explains. “As soon as you have an understanding of what an API is supposed to do and how this compares to what is actually happening, you can involve all of the relevant parties to fix any problems.”

While Dan Hotels has in-house security expertise, they see significant value in API Security’s managed threat hunting service. “Our team’s focus is often split between cybersecurity and supporting revenue-generating activities, so being able to engage a managed service that proactively alerts us when new API risks are identified is really important to us,” Gabay says. “It gives us access to people who are on the cutting edge of these API security issues, who are also very committed and easy to work with.”

Dan Hotels is a luxury hotel chain based in Israel. The company manages over 4,000 rooms across 18 hotel properties in Israel and India, along with a diverse collection of other hospitality offerings such as airport lounges and catering.

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. With the world’s most distributed compute platform — from cloud to edge — we make it easy for customers to develop and run applications, while we keep experiences closer to users and threats farther away. Learn more about Akamai’s security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.