API management software mirrors legacy SOA strategies by often confusing IT and developers with scope-creep, feature-creep and overdone governance processes. Here, we talk about why it's important to focus on the basics when managing both on-premises and in-cloud APIs.
APIs are becoming the main entrance to the digital business and for some enterprises, they're absolutely crucial. For example, at Expedia, which handles travel bookings for thousands of business partners, 80% of partner transactions are through its API. One look at the explosion of publicly available APIs makes clear how APIs have transformed business processes and software development practices. Indeed, AWS alone has dozens of APIs to control its many services, while one survey found that the number of documented APIs increased almost eightfold from 2010 to 2013.
API management definition and features
As the use and importance of APIs has grown, so too have the number of stakeholders. No longer of concern just to developers, the functionality, reliability, security and popularity of APIs now affects IT and business units. Indeed, the term API isn't tied to any particular protocol like SOAP, REST or POSIX, but any interface providing an abstraction layer that provides data from or control over an external service. As Gartner puts it, APIs are "a programmatic channel into your enterprise."
This eclectic mix of constituencies has fostered growth in the breadth and complexity of API management software. Gartner proposes a broad definition of the product category that covers overall application and service governance, including the planning, design, implementation, publication, operation, consumption, maintenance and retirement of APIs. This expansive view of API management leads to a useful categorization of the features:
- Developer support: Includes managing the overall API catalog; metadata; and customization including source code control, or integration with existing SCCS. An important element of metadata and API inventory management is documentation. Developers need to understand what an API does before trying to use it and whether documentation is part of a management product or integrated via services like Github, written instructions and Github-style comments and discussions are key to API management. Indeed, as the open source movement has demonstrated, engaging developers in a social community where they can share ideas, propose bug fixes and comment on others' code can improve API quality and usage.
- Lifecycle management: Included SCCM-like features to handle versioning, publishing, change, and issue and ticket tracking.
- Security, communication and integration: Features to secure, control and monitor API access including end-to-end data privacy and protect the interface from abuse or attack (e.g. DDoS).
- Measurement and monitoring: Features to measure API usage and reliability and demonstrate business value, including metrics like availability, aggregate and individual user activity, and SLA compliance. API analytics are also useful in understanding where to prioritize enhancements, detecting errors in usage or execution, and the use of system resources.
API management software simplifies API deployment, whether on private servers, public infrastructure as a service (IaaS) or using a vendor's software as a service (SaaS) product; traffic management; and resource caching. This is often done via a proxy server sitting between the API user and resource provider (i.e. your application server). Some products also provide isolated runtime sandboxes to facilitate code development and testing.
Since most APIs have been designed to make it easy for developers to access and use the interface and are often hastily released to gain market and mindshare, security usually is an afterthought. As the business importance of APIs increases, this oversight turns into a vulnerability and is a key driver behind interest in API management software. Indeed, a recent survey of 1,200 IT professionals found that 75% of respondents consider API security a CIO-level concern, yet only 30% have API security processes and controls. For example, 20% of respondents don't even limit API access.
Like almost all enterprise software, API management can be implemented on-premises on private servers or in the cloud as either SaaS or IaaS. Cloud deployments are increasingly popular given their convenience and the fact that developers, particularly of mobile apps, often use a mix of private and public resources and data sources.
While not as full-featured as dedicated API management suites, two cloud offerings are noteworthy due to the popularity of IaaS as an app back end: the Amazon API Gateway and Azure API Management. Amazon's service is designed as a "front door" to application services running on EC2, Lambda or even REST interfaces on external systems. Although it's great for existing AWS users, it doesn't include a developer portal or advanced analytics and is missing some of the lifecycle management features found in a general-purpose API management product.
Azure API Management is similar to Amazon's gateway except that it includes a developer portal and analytics. Microsoft also offers a complete platform as a service (PaaS) product, Azure App Service, which rolls API management into a package that includes features from Azure Web Sites, Mobile Services and Biz Talk. The service supports what Microsoft calls "API Apps" with features like metadata management, access control, external API integration, IDE (Visual Studio) integration and API discovery (Swagger).
An assessment from a Mashery executive (now owned by Tibco but posted on an Intel site) highlights the importance of and path to successfully incorporating APIs into enterprise digital business strategies. To start, existing business assets should be recast into "well-deﬁned, stable interfaces, suitable for internal, partner, or public consumption." We would add that the universe for supported APIs must not be limited to internal digital assets, but all external systems including IaaS and SaaS products used in the organization.
These APIs must be scalable, secure and managed to ensure compliance with security, regulatory, privacy and other IT policies. In order to be effective, APIs must be easy to use, which means interface definitions must be thoroughly documented, maintained and easily accessed by the target developer audience, whether internal, partners or public. Supporting infrastructure for both the services -- and data -- provided by the API and the API management system must be treated like the critical business assets that they are; they must be reliable, secure and cost-effective. Integrating third-party APIs into the mix is often easiest via an API Gateway product like those from AWS and Azure. Collectively, these requirements make the case for an API management product; however, given the wide variety of features and costs organizations must carefully define their needs and choose accordingly to avoid overbuying or overwhelming IT and developers with unwanted complexity.
API management tools: bridging the gap between REST and Web services?
Why you need API management
Enterprises look to API management for better security
Five tips for handling your API changes