The boundaries of the enterprise are increasingly more gray than black or white. The wide availability of Software as a Service technologies, the ever-increasing need for information sharing with other entities, and the more access to information by and from mobile devices, are causing companies to formalize the integration point it makes available to parties outside its firewall. Such an integration point is referred to as an application program interface (API), and the technical capabilities associated with making these APIs available are now referred to as API management technologies. This is the first in a four-part series on the capabilities and selection process of API management technology.
The API management space has largely been an outgrowth of the SOA governance space, with the majority of vendors having previously provided technologies closely tied to the peak of the SOA hype in the mid-2000s. These technologies were focused on internal integration and interactions within the firewall.
SOA and API management
There is an inherent connection between the internally-facing world of SOA, and the now external-facing world of APIs.
As the hype around SOA died down, it was replaced by hype around cloud technologies, with Amazon's offerings being the poster children. While it was Amazon's public exposure of these APIs that gained notoriety, Amazon is a perfect example of the connection between SOA and API management. A Google engineer who worked for Amazon famously posted an internal mandate from Amazon's CEO, Jeff Bezos, which stated all teams must expose data and functionality through service interfaces, and those service interfaces, without exception, must be designed from the ground up to be externalized.
There is an inherent connection between the internally facing world of SOA, and the now externally facing world of APIs. While Amazon's mandate may have made the public APIs and internal APIs equivalent, for most companies, the suite of interfaces exposed publicly will be a subset of the interfaces exposed internally, as shown below.
The technologies have now embraced the need to not just create an integration point and manage it inside the firewall, but to also allow them to be exposed and managed outside of the firewall.
Integration point must-have capabilities
There are five major capability areas API management technologies should provide:
- API portal/consumer engagement
- Service lifecycle management
- Integration/service exposure
- Policy enforcement
- Instrumentation, analytics and reporting
API portal/consumer engagement capabilities allow services and APIs to be discovered by potential consumers and then allow management of the interactions required for those consumers to utilize them.
Service lifecycle management is the other side of the equation. The strategy focuses on documentation and processes associated with building a service and exposing it to potential consumers. Changes then need to be tracked and managed throughout the lifecycle of the service and its APIs.
Integration/service exposure addresses the development aspects of API management, as there are still plenty of enterprises that are leveraging technologies that lack the ability to expose APIs suitable for general consumption.
Policy enforcement moves away from the interactions of the people involved and towards systems. The most common capability area within this space is security. With public exposure, however, active policy enforcement for traffic is increasingly important, since a provider doesn't have control over what consuming systems do outside the corporate firewall.
Finally, instrumentation, analytics and reporting collect various metrics from processes and the run-time interactions, allow analysis of that information, as well as the generation of reports suitable for all the parties involved. With the exposure of APIs publicly, services and their interfaces can't be thought of as just another component of an application. They are products and can be monetized. As such, APIs must be managed like a product.
More on API management
API testing critical for enterprise success
How to properly build an API
APIs advance thanks to cloud, mobile apps
The API portal is the domain of sales and account management and the interface to the customer. Service lifecycle management is the domain of the product manager, ensuring feedback from the sales channel gets back into the product pipeline, and the product meets all quality standards of the company.
Integration and service exposure is focused on optimizing production costs. Policy enforcement ensures the product is used appropriately by customers, since products are shared by all. Finally, instrumentation, analytics and reporting provide the data necessary to drive the evolutionary decision making that occur.
These five areas represent the breadth of the capabilities of API management technologies, which should factor into business decisions. The relative weight of each will depend on the particular situation.
About the author:
Todd Biske is an enterprise architect with a Fortune 50 company in the St. Louis metro area. He has had architecture experience in many different verticals, including healthcare, financial services, publishing and manufacturing over the course of his 20-year career.