SlideShare una empresa de Scribd logo

Choosing the Right API Management Solution for the Enterprise User

CA API Management
CA API Management

Address key functional and operational characteristics of an effective API management solution This white paper examines the different functional and operational requirements for an enterprise-level API Management solution. In doing so, it gives IT managers, Web managers and enterprise architects key information for selecting an API Management solution. The API is undergoing a transformation as more and more organizations open their information assets to external developers. Publishing APIs to an external developer community raises a number of questions, including: How do you protect your APIs from abuse or attack? How do you deliver your APIs as reliable services with no downtime? How do you govern access to and usage of your APIs? How do you help developers discover your APIs? How do you make money from your APIs? Enterprises cannot afford the reputation damage that may result from not answering these questions swiftly and definitively. To do this, an enterprise will need an API Management solution that can address some basic functional areas: Security Lifecycle management Governance Developer enablement and community building Monetization This solution must also be able to deliver certain operational characteristics relevant to the enterprise’s unique IT experience: Security that meets the enterprise’s specific needs and requirements Manageability tailored to the enterprise’s development styles and process Reliability guaranteed to maintain the level of uptime the enterprise expects

1 de 9
Descargar para leer sin conexión
API Management Solutions Choosing the right solution for the enterprise user Layer 7 Technologies White Paper
API Management Solutions Contents The API Opportunity................................................................................................................... 3 The Enterprise API Management Challenge ................................................................................... 3 API Management Solution Functional Requirements ....................................................................... 4 API Management Solution Operational Requirements..................................................................... 7 Conclusions............................................................................................................................... 8 About Layer 7 Technologies......................................................................................................... 9 Contact Layer 7 Technologies ...................................................................................................... 9 Legal Information ...................................................................................................................... 9 © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 2
API Management Solutions The API Opportunity The application programming interface (API) may be an old concept but it is one that is undergoing a transformation as, driven by mobile and cloud requirements, more and more organizations are opening their information assets to external developers. Today, 75% of Twitter traffic and 65% of Salesforce.com traffic comes through APIs. But APIs are not just for the social Web. According to ProgrammableWeb.com, the number of open APIs being offered publicly over the Internet now exceeds 2000 – up from just 32 in 2005. Opening APIs up to outside developers enables many technology start-ups to become platforms, by fostering developer communities tied to their core data or application resources. This translates into new reach (think Twitter’s rapid growth), revenue (think Salesforce.com’s AppExchange) or end user retention (think Facebook). The use of APIs for sharing information and functionality with outside developers is not limited to technology start-ups. More and more enterprises, driven by cloud, mobile and partner integration initiatives are using APIs to put themselves at the center of a developer ecosystem and – in so doing – driving new reach, revenue and retention possibilities around their information assets. However, unlike many start-ups, enterprises must approach API publishing with great caution. They have a good deal on the line, including reputation, regulation and the simultaneous needs of customers, partners, employees and shareholders. The Enterprise API Management Challenge Publishing APIs to an external developer community, be it partner or public, introduces a number of challenges and risks for the enterprise. How do you protect the information assets you are exposing from abuse or attack? How do you deliver your APIs as reliable services with no downtime that can impact your API users? How do you govern access and usage of your APIs in a consistent, policy driven way? How do you make money from your APIs? How do you help developers discover your APIs and self-manage their access? While these questions are relevant to start-up and enterprise alike, they are more acute and urgent for enterprise IT organizations. Enterprises cannot afford the reputation damage that may result from a rushed API Management strategy. They have deliberate IT processes and safeguards that need to be upheld. But no matter what type of API an enterprise wants to expose, it will need an API Management solution that can address some basic functional areas:  API Security – Enterprises cannot afford misuse or abuse of their information or of any application resources exposed by an API.  API Lifecycle Management – Enterprises need a way to ensure API updates do not break when they upgrade/version APIs or move between environments, geographies, datacenters and the cloud.  API Governance – Enterprises need a way to control and track the broader operational character of how APIs get exposed to different partners and developers, through policy characteristics like metering, SLA, availability and performance. © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 3
API Management Solutions  Developer Enablement and Community Building – Enterprises need a way to bring developers on board, manage these developers and assist them in making the most of the exposed APIs.  API Monetization – for some enterprises, publishing APIs is not enough. APIs also represent a new revenue opportunity. Different API Management solutions enable monetization to different degrees. For enterprises, addressing these functional requirements is non-negotiable. However, along with these functional requirements, an enterprise will expect its API Management solution to deliver certain operational characteristics relevant to its unique IT experience.  Solution Security – Since API Management solutions get deployed in the DMZ, enterprises will also need robust IT-class API solutions that can meet a range of security requirements, from penetration protection to PCI compliance to FIPS to HSM support for API key security.  Solution Manageability – Enterprises have development, test and production environments that span geographies, datacenters and clouds. They will therefore need an API Management solution that can fit their specific development styles and processes.  Solution Reliability – Enterprises publishing APIs commercially expect 5 9’s uptime, if not greater. Enterprises cannot afford outages. What are the characteristics of a robust and available solution? This whitepaper examines these different functional and operational requirements, to provide IT managers, Web managers and enterprise architects key information for selecting an API Management solution. API Management Solution Functional Requirements API Security When looking for an API Management solution, security features are often top of mind for prospective buyers – not least when the buyer is an enterprise looking to protect vital information exposed through an API independent of standards like SOAP, REST or JSON. API security concerns begin with access control. For externally facing APIs, this means having the ability to:  accept different kinds of credentials for authentication  issue different kinds of credentials to developers  support different “resource” authorization schemes including federated ones like OAuth and SAML For enterprises this challenge is compounded by the need to integrate with existing identity infrastructure. Therefore, the overarching goal is to achieve both flexibility and integration. In policy there should be an ability to support different kinds of access tokens and even move from one kind of developer API key to another, without touching code. The solution should be able to support a wide range of OAuth schemes (given the standard’s growing importance for APIs) but also handle a variety of OAuth styles like HMAC and combinations with enterprise standards like SAML. Of course, the API © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 4
API Management Solutions Management solution also needs to work with pre-existing identity investments from companies like Oracle, IBM, CA and RSA. However, API security doesn’t stop at access control. APIs provide the programmatic window into your data. For that reason, an enterprise-class API Management solution will need to give the enterprise architect or security administrator fine-grained control over what data get exposed, how this information is kept confidential and how its transmission can be guaranteed against interception or tampering. Lastly, API security rests on the integrity of both the API and the data/functionality it exposes. This requires an ability to ensure APIs are not compromised by attack, denial of service or misuse. A good API Management solution will equip its operator with a wealth of threat protection controls that will assure the availability and fidelity of the API and the communications it enables. API Lifecycle Management APIs are not built in a vacuum. Like any application functionality, APIs demand their own development lifecycle, from design to coding to testing to deployment. This requires an ability to track changes to an API across the development lifecycle, whether the development process follows a waterfall or agile approach. For this reason, any API Management solution aiming to meet the needs of an enterprise will need to have fully-functional workflows for:  Promoting APIs from development to production  Managing the associated policy metadata  Restricting change contributions using an integrated RBAC control  Accommodating approvals and rollbacks A fully-functional API Management solution should also be able to accommodate multiple versions in production simultaneously, either to accommodate older clients or to accommodate different access technologies like SOAP, REST and JSON. However, a lifecycle management framework that can only accommodate localized development will not meet the needs of most modern enterprises. With the growing importance of the cloud, both public and private, enterprises will require an API Management solution that can span testing and production in the cloud. This will require an ability to isolate API developers from the vagaries of network idiosyncrasies and topology. API Governance Governance is a broad term often used to capture a wide range of management, process and visibility requirements. It defines the terms and conditions under which an API is exposed to one or more consumers. While “governance” encompasses security and lifecycle concepts, it also articulates various SLA, monitoring and reporting requirements. Furthermore, in the case of API Management solutions, it is relevant to the broader imperative of enabling differentiated terms and conditions for sharing API data and functionality to different consumers based on their identity, capability, subscription level or other transactional context that can be defined in policy. Effective API governance is all about flexibility. The technology for controlling how APIs get shared should follow the preferences and processes of the enterprise and not the other way around. This © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 5
API Management Solutions means that an API Management solution should be configurable around any SLA, security, log or other control using policy. Policy is at the heart of flexibility and assures consistency from one implementation to the next. API Management solutions that constrain administrators to course-grained controls without a full policy IDE limit what can be governed and how it can be controlled. Developer Enablement and Community Building Governing an API ensures consistent control for the publisher. However, if that API cannot be easily discovered and consumed by external developers, the publisher risks that it will go unused. For that reason, most modern API Management solutions go beyond control features like security, lifecycle and governance to provide functionality that helps publishers expose information about their APIs to outside developers – often via developer portals. A developer portal provides a single point of interaction for the developer to register for an account, request an API access key, discover what APIs are available and see example code. An API developer portal focused on enterprise usage should:  Support different classes of external developers (e.g. the publisher should be able to attribute different rights to partner developers and public developers).  Provide various self-service capabilities (e.g. subscription levels and rate plans).  Give developers visibility into their API usage and key performance metrics (e.g. response time).  Allow developers to share best practices through community features (e.g. a forum). Since different enterprises will come to API publishing with different experiences and priorities, a one- size-fits-all API portal approach will be no more attractive than a one-size-fits-all API security, lifecycle and governance framework. For this reason, many enterprises will want to consider a decomposable API portal. This could mean a white-label portal that can be customized to suit a particular developer engagement strategy. It could also mean an API portal that can be consumed as discrete components by a pre-existing enterprise developer portal. Again, flexibility is the watchword. API Monetization Related to the idea of developer enablement is the concept of monetization. While many enterprises will want to foster adoption by allowing free access to their Web and mobile APIs, others will want to offer pay-per-use options for higher tiers of access. Again, there is no single right way of approaching the monetization problem. Some options are:  A “freemium” model where usage below a certain threshold of data transmission or client requests is free  Charging for specific levels of service guarantee or for priority over free users  Offering premium information or functionality unavailable to non-paying customers Regardless of which approach is taken, the API Management solution should be sophisticated enough to give an enterprise flexibility in how it sets up its revenue criteria. The solution should be able to:  Capture a range of usage statistics, to create a basis for measuring consumption  Provide advanced SLA and Class of Service capabilities, allowing for traffic prioritization  Compose virtual pay-only APIs that could be isolated for paying customers, without coding © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 6
API Management Solutions API Management Solution Operational Requirements Solution Security Since an API Management solution will often be the only piece of technology separating enterprise APIs from the outside world, the level of security the solution can confer on APIs will only be as strong as the security of the solution itself. If the solution is compromised, any security rendered onto the APIs will be similarly compromised. Therefore, enterprises examining API Management solutions should make the solution’s security an absolutely critical consideration. Since these solutions will be interposed as intermediaries between the outside world and internal APIs, the first quality often evaluated is whether the solution itself can be compromised. This will depend on what kind of penetration testing the solution has undergone, how constrained access to the solution is and whether it has met key vulnerability assessments. Consideration should be given to STIG tested solutions, PCI DSS certification for solutions that will pass credit card information, FIPS compliance and Common Criteria certification for solutions that need to meet higher government security standards. For most practical purposes, enterprises will often look at API Management solutions that are proxy based for handling the intermediation of outside requests to an internal API. Intermediary- based API Proxies offer the advantage of clear inline points of control and isolation, making security certification and administration simpler (just like with network firewalls). Some may also offer onboard HSM support for encrypting API keys. Since API keys in many scenarios are the main line of authentication defense against abuse, protecting those keys from theft through encryption is a prudent strategy. Solution Manageability Unlike a typical startup, which may run its entire production Web site from a single Amazon instance or small hosted provider, an enterprise will typically have varied development and production environments. For example, an enterprise may have:  Geographically-distributed developer teams  Production environments that span global datacenters  Cloud-based disaster recovery systems Therefore, manageability will be central to any selection decision. Considerations like how you manage clusters of API proxies, how you load balance geographically, how you operate in a lights-out datacenter environment and how you handle peak loads will take priority over other features. Again, not all API Management solutions are designed to cater to the specific needs of the enterprise, so care should be taken in evaluating how various solutions support cluster management, fail-over, load bursting, disaster recovery and other operational management factors before embarking on a particular path. Solution Reliability Once an enterprise decides to embark on an API publishing program, it will effectively become a service provider to its API consumers. These consumers will come to rely on the enterprise and expect continuous uptime. In this context, an enterprise will inevitably place a considerable premium on reliability when selecting its API Management solution. The enterprise will look for solutions where © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 7
API Management Solutions redundancy is built in and risk of downtime has been extremely minimized, if not eliminated. The need for continuous uptime may eliminate hosted or cloud-based options. While not inherently unreliable, most pure-play cloud API Management solutions are run by small companies that tend not to provide the kind of mission-critical redundancy and support enterprises have come to expect. For that reason, enterprises looking at API Management solutions may want to consider only those solutions that can:  Be deployed in the enterprise’s own datacenters and private cloud  Meet the kind of high availability, redundant configuration that would guarantee continuous uptime Conclusions No two enterprises have exactly the same needs or environment. Therefore, there will never be a one- size-fits-all API Management solution. However, all enterprises share a common need for excellence in functional capability and operation. For most organizations endeavoring to start publishing APIs externally, this will translate into a desire for a flexible, policy-driven API Management solution that can meet the production rigor of a dial-tone class service provider. Functionally, it will require an API Management solution that can meet a variety of security pre-requisites, accommodate common development lifecycles, be governable through policy, enable developer onboarding, foster developer engagement and support the option of monetization. Operationally, the API Management solution should be secure, manageable and reliable. For more detail and example case studies please contact info@layer7.com. © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 8
API Management Solutions About Layer 7 Technologies Layer 7 is a leader in API security and governance for SOA, Web and Cloud. With over 150 global enterprise customers using its API Proxy, Lifecycle and Portal solutions Layer 7 has strived to meet the needs of its customers’ integration and API publishing needs. Contact Layer 7 Technologies Layer 7 Technologies welcomes your questions, comments, and general feedback. Email: info@layer7.com Web Site: www.layer7.com Phone: (+1) 604-681-9377 1-800-681-9377 (toll free within North America) Fax: 604-681-9387 Address: Layer 7 Technologies 1200 G Street, NW, Suite 800 Washington, DC 20005 Layer 7 Technologies Suite 405-1100 Melville Street Vancouver, BC V6E 4A6 Canada Legal Information Copyright © 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved. SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners. © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 9

Recomendados

Considerations For an API Strategy - Ronnie MItra API Architect Layer 7 Londo...
Considerations For an API Strategy - Ronnie MItra API Architect Layer 7 Londo...Considerations For an API Strategy - Ronnie MItra API Architect Layer 7 Londo...
Considerations For an API Strategy - Ronnie MItra API Architect Layer 7 Londo...CA API Management
 
API Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation FrameworkAPI Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation FrameworkWSO2
 
Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterpriseCA API Management
 
Mulesoft API
Mulesoft APIMulesoft API
Mulesoft APIKleverton Fortunato
 
Deploying mule applications
Deploying mule applicationsDeploying mule applications
Deploying mule applicationsBhargav Ranjit
 
SeaJUG May 2012 mybatis
SeaJUG May 2012 mybatisSeaJUG May 2012 mybatis
SeaJUG May 2012 mybatisWill Iverson
 
How to Choose an API Automation Tool for a Distributed Cloud-based App: To...
How to Choose an API Automation Tool for a Distributed Cloud-based App: To...How to Choose an API Automation Tool for a Distributed Cloud-based App: To...
How to Choose an API Automation Tool for a Distributed Cloud-based App: To...Altoros
 
Secure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptSecure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptJonathan LeBlanc
 

Recomendados

Considerations For an API Strategy - Ronnie MItra API Architect Layer 7 Londo...
Considerations For an API Strategy - Ronnie MItra API Architect Layer 7 Londo...Considerations For an API Strategy - Ronnie MItra API Architect Layer 7 Londo...
Considerations For an API Strategy - Ronnie MItra API Architect Layer 7 Londo...CA API Management
 
API Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation FrameworkAPI Management Platform Technical Evaluation Framework
API Management Platform Technical Evaluation FrameworkWSO2
 
Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterpriseCA API Management
 
Mulesoft API
Mulesoft APIMulesoft API
Mulesoft APIKleverton Fortunato
 
Deploying mule applications
Deploying mule applicationsDeploying mule applications
Deploying mule applicationsBhargav Ranjit
 
SeaJUG May 2012 mybatis
SeaJUG May 2012 mybatisSeaJUG May 2012 mybatis
SeaJUG May 2012 mybatisWill Iverson
 
How to Choose an API Automation Tool for a Distributed Cloud-based App: To...
How to Choose an API Automation Tool for a Distributed Cloud-based App: To...How to Choose an API Automation Tool for a Distributed Cloud-based App: To...
How to Choose an API Automation Tool for a Distributed Cloud-based App: To...Altoros
 
Secure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptSecure RESTful API Automation With JavaScript
Secure RESTful API Automation With JavaScriptJonathan LeBlanc
 
OpenERP 6.1 Framework Changes
OpenERP 6.1 Framework ChangesOpenERP 6.1 Framework Changes
OpenERP 6.1 Framework ChangesOdoo
 
Design Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyDesign Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyManageIQ
 
API Management point of view
API Management point of viewAPI Management point of view
API Management point of viewRavish Adka Rao
 
Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...
Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...
Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...Vladimir Bacvanski, PhD
 
Светлана Исакова «Язык Kotlin»
Светлана Исакова «Язык Kotlin»Светлана Исакова «Язык Kotlin»
Светлана Исакова «Язык Kotlin»e-Legion
 
MyBatis 개요와 Java+MyBatis+MySQL 예제
MyBatis 개요와 Java+MyBatis+MySQL 예제MyBatis 개요와 Java+MyBatis+MySQL 예제
MyBatis 개요와 Java+MyBatis+MySQL 예제정완 전
 
SpringBoot with MyBatis, Flyway, QueryDSL
SpringBoot with MyBatis, Flyway, QueryDSLSpringBoot with MyBatis, Flyway, QueryDSL
SpringBoot with MyBatis, Flyway, QueryDSLSunghyouk Bae
 
RESTful API Automation with JavaScript
RESTful API Automation with JavaScriptRESTful API Automation with JavaScript
RESTful API Automation with JavaScriptJonathan LeBlanc
 
MyBatis
MyBatisMyBatis
MyBatisRoman Dovgan
 
Kotlin in action
Kotlin in actionKotlin in action
Kotlin in actionCiro Rizzo
 
A brief introduction to Realm with Kotlin
A brief introduction to Realm with KotlinA brief introduction to Realm with Kotlin
A brief introduction to Realm with KotlinLeonardo YongUk Kim
 
Frisby: Rest API Automation Framework
Frisby: Rest API Automation FrameworkFrisby: Rest API Automation Framework
Frisby: Rest API Automation FrameworkQuovantis
 
Web API Test Automation using Frisby & Node.js
Web API Test Automation using Frisby & Node.jsWeb API Test Automation using Frisby & Node.js
Web API Test Automation using Frisby & Node.jsChi Lang Le Vu Tran
 
How to Choose the Right API Management Solution
How to Choose the Right API Management SolutionHow to Choose the Right API Management Solution
How to Choose the Right API Management SolutionCA API Management
 
API Management - Why it matters!
API Management - Why it matters!API Management - Why it matters!
API Management - Why it matters!Sven Bernhardt
 
Workshop: API Management
Workshop: API ManagementWorkshop: API Management
Workshop: API ManagementWSO2
 
Why APIs are not SOA++
Why APIs are not SOA++Why APIs are not SOA++
Why APIs are not SOA++Apigee | Google Cloud
 
如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?
如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?
如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?Taiwan Inbound Marketing Envangelist
 
How to Design a Successful Test Automation Strategy
How to Design a Successful Test Automation Strategy How to Design a Successful Test Automation Strategy
How to Design a Successful Test Automation Strategy Impetus Technologies
 
Test Automation Framework Design | www.idexcel.com
Test Automation Framework Design | www.idexcel.comTest Automation Framework Design | www.idexcel.com
Test Automation Framework Design | www.idexcel.comIdexcel Technologies
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIsCA API Management
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 

Más contenido relacionado

Destacado

OpenERP 6.1 Framework Changes
OpenERP 6.1 Framework ChangesOpenERP 6.1 Framework Changes
OpenERP 6.1 Framework ChangesOdoo
 
Design Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyDesign Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyManageIQ
 
API Management point of view
API Management point of viewAPI Management point of view
API Management point of viewRavish Adka Rao
 
Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...
Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...
Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...Vladimir Bacvanski, PhD
 
Светлана Исакова «Язык Kotlin»
Светлана Исакова «Язык Kotlin»Светлана Исакова «Язык Kotlin»
Светлана Исакова «Язык Kotlin»e-Legion
 
MyBatis 개요와 Java+MyBatis+MySQL 예제
MyBatis 개요와 Java+MyBatis+MySQL 예제MyBatis 개요와 Java+MyBatis+MySQL 예제
MyBatis 개요와 Java+MyBatis+MySQL 예제정완 전
 
SpringBoot with MyBatis, Flyway, QueryDSL
SpringBoot with MyBatis, Flyway, QueryDSLSpringBoot with MyBatis, Flyway, QueryDSL
SpringBoot with MyBatis, Flyway, QueryDSLSunghyouk Bae
 
RESTful API Automation with JavaScript
RESTful API Automation with JavaScriptRESTful API Automation with JavaScript
RESTful API Automation with JavaScriptJonathan LeBlanc
 
Kotlin in action
Kotlin in actionKotlin in action
Kotlin in actionCiro Rizzo
 
A brief introduction to Realm with Kotlin
A brief introduction to Realm with KotlinA brief introduction to Realm with Kotlin
A brief introduction to Realm with KotlinLeonardo YongUk Kim
 
Frisby: Rest API Automation Framework
Frisby: Rest API Automation FrameworkFrisby: Rest API Automation Framework
Frisby: Rest API Automation FrameworkQuovantis
 
Web API Test Automation using Frisby & Node.js
Web API Test Automation using Frisby & Node.jsWeb API Test Automation using Frisby & Node.js
Web API Test Automation using Frisby & Node.jsChi Lang Le Vu Tran
 
How to Choose the Right API Management Solution
How to Choose the Right API Management SolutionHow to Choose the Right API Management Solution
How to Choose the Right API Management SolutionCA API Management
 
API Management - Why it matters!
API Management - Why it matters!API Management - Why it matters!
API Management - Why it matters!Sven Bernhardt
 
Workshop: API Management
Workshop: API ManagementWorkshop: API Management
Workshop: API ManagementWSO2
 
如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?
如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?
如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?Taiwan Inbound Marketing Envangelist
 
How to Design a Successful Test Automation Strategy
How to Design a Successful Test Automation Strategy How to Design a Successful Test Automation Strategy
How to Design a Successful Test Automation Strategy Impetus Technologies
 
Test Automation Framework Design | www.idexcel.com
Test Automation Framework Design | www.idexcel.comTest Automation Framework Design | www.idexcel.com
Test Automation Framework Design | www.idexcel.comIdexcel Technologies
 

Destacado (20)

OpenERP 6.1 Framework Changes
OpenERP 6.1 Framework ChangesOpenERP 6.1 Framework Changes
OpenERP 6.1 Framework Changes
 
Design Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyDesign Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John Hardy
 
API Management point of view
API Management point of viewAPI Management point of view
API Management point of view
 
Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...
Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...
Crash Introduction to Modern Java Data Access: Understanding JPA, Hibernate, ...
 
Светлана Исакова «Язык Kotlin»
Светлана Исакова «Язык Kotlin»Светлана Исакова «Язык Kotlin»
Светлана Исакова «Язык Kotlin»
 
MyBatis 개요와 Java+MyBatis+MySQL 예제
MyBatis 개요와 Java+MyBatis+MySQL 예제MyBatis 개요와 Java+MyBatis+MySQL 예제
MyBatis 개요와 Java+MyBatis+MySQL 예제
 
SpringBoot with MyBatis, Flyway, QueryDSL
SpringBoot with MyBatis, Flyway, QueryDSLSpringBoot with MyBatis, Flyway, QueryDSL
SpringBoot with MyBatis, Flyway, QueryDSL
 
RESTful API Automation with JavaScript
RESTful API Automation with JavaScriptRESTful API Automation with JavaScript
RESTful API Automation with JavaScript
 
MyBatis
MyBatisMyBatis
MyBatis
 
Kotlin in action
Kotlin in actionKotlin in action
Kotlin in action
 
A brief introduction to Realm with Kotlin
A brief introduction to Realm with KotlinA brief introduction to Realm with Kotlin
A brief introduction to Realm with Kotlin
 
Frisby: Rest API Automation Framework
Frisby: Rest API Automation FrameworkFrisby: Rest API Automation Framework
Frisby: Rest API Automation Framework
 
Web API Test Automation using Frisby & Node.js
Web API Test Automation using Frisby & Node.jsWeb API Test Automation using Frisby & Node.js
Web API Test Automation using Frisby & Node.js
 
How to Choose the Right API Management Solution
How to Choose the Right API Management SolutionHow to Choose the Right API Management Solution
How to Choose the Right API Management Solution
 
API Management - Why it matters!
API Management - Why it matters!API Management - Why it matters!
API Management - Why it matters!
 
Workshop: API Management
Workshop: API ManagementWorkshop: API Management
Workshop: API Management
 
Why APIs are not SOA++
Why APIs are not SOA++Why APIs are not SOA++
Why APIs are not SOA++
 
如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?
如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?
如何從搏來客行銷(Inbound marketing) 進化到成長駭客行銷(growth hacker marketing)?
 
How to Design a Successful Test Automation Strategy
How to Design a Successful Test Automation Strategy How to Design a Successful Test Automation Strategy
How to Design a Successful Test Automation Strategy
 
Test Automation Framework Design | www.idexcel.com
Test Automation Framework Design | www.idexcel.comTest Automation Framework Design | www.idexcel.com
Test Automation Framework Design | www.idexcel.com
 

Más de CA API Management

Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIsCA API Management
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataCA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management
 

Más de CA API Management (20)

Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIs
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & Win
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 

Choosing the Right API Management Solution for the Enterprise User

  • 1. API Management Solutions Choosing the right solution for the enterprise user Layer 7 Technologies White Paper
  • 2. API Management Solutions Contents The API Opportunity................................................................................................................... 3 The Enterprise API Management Challenge ................................................................................... 3 API Management Solution Functional Requirements ....................................................................... 4 API Management Solution Operational Requirements..................................................................... 7 Conclusions............................................................................................................................... 8 About Layer 7 Technologies......................................................................................................... 9 Contact Layer 7 Technologies ...................................................................................................... 9 Legal Information ...................................................................................................................... 9 © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 2
  • 3. API Management Solutions The API Opportunity The application programming interface (API) may be an old concept but it is one that is undergoing a transformation as, driven by mobile and cloud requirements, more and more organizations are opening their information assets to external developers. Today, 75% of Twitter traffic and 65% of Salesforce.com traffic comes through APIs. But APIs are not just for the social Web. According to ProgrammableWeb.com, the number of open APIs being offered publicly over the Internet now exceeds 2000 – up from just 32 in 2005. Opening APIs up to outside developers enables many technology start-ups to become platforms, by fostering developer communities tied to their core data or application resources. This translates into new reach (think Twitter’s rapid growth), revenue (think Salesforce.com’s AppExchange) or end user retention (think Facebook). The use of APIs for sharing information and functionality with outside developers is not limited to technology start-ups. More and more enterprises, driven by cloud, mobile and partner integration initiatives are using APIs to put themselves at the center of a developer ecosystem and – in so doing – driving new reach, revenue and retention possibilities around their information assets. However, unlike many start-ups, enterprises must approach API publishing with great caution. They have a good deal on the line, including reputation, regulation and the simultaneous needs of customers, partners, employees and shareholders. The Enterprise API Management Challenge Publishing APIs to an external developer community, be it partner or public, introduces a number of challenges and risks for the enterprise. How do you protect the information assets you are exposing from abuse or attack? How do you deliver your APIs as reliable services with no downtime that can impact your API users? How do you govern access and usage of your APIs in a consistent, policy driven way? How do you make money from your APIs? How do you help developers discover your APIs and self-manage their access? While these questions are relevant to start-up and enterprise alike, they are more acute and urgent for enterprise IT organizations. Enterprises cannot afford the reputation damage that may result from a rushed API Management strategy. They have deliberate IT processes and safeguards that need to be upheld. But no matter what type of API an enterprise wants to expose, it will need an API Management solution that can address some basic functional areas:  API Security – Enterprises cannot afford misuse or abuse of their information or of any application resources exposed by an API.  API Lifecycle Management – Enterprises need a way to ensure API updates do not break when they upgrade/version APIs or move between environments, geographies, datacenters and the cloud.  API Governance – Enterprises need a way to control and track the broader operational character of how APIs get exposed to different partners and developers, through policy characteristics like metering, SLA, availability and performance. © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 3
  • 4. API Management Solutions  Developer Enablement and Community Building – Enterprises need a way to bring developers on board, manage these developers and assist them in making the most of the exposed APIs.  API Monetization – for some enterprises, publishing APIs is not enough. APIs also represent a new revenue opportunity. Different API Management solutions enable monetization to different degrees. For enterprises, addressing these functional requirements is non-negotiable. However, along with these functional requirements, an enterprise will expect its API Management solution to deliver certain operational characteristics relevant to its unique IT experience.  Solution Security – Since API Management solutions get deployed in the DMZ, enterprises will also need robust IT-class API solutions that can meet a range of security requirements, from penetration protection to PCI compliance to FIPS to HSM support for API key security.  Solution Manageability – Enterprises have development, test and production environments that span geographies, datacenters and clouds. They will therefore need an API Management solution that can fit their specific development styles and processes.  Solution Reliability – Enterprises publishing APIs commercially expect 5 9’s uptime, if not greater. Enterprises cannot afford outages. What are the characteristics of a robust and available solution? This whitepaper examines these different functional and operational requirements, to provide IT managers, Web managers and enterprise architects key information for selecting an API Management solution. API Management Solution Functional Requirements API Security When looking for an API Management solution, security features are often top of mind for prospective buyers – not least when the buyer is an enterprise looking to protect vital information exposed through an API independent of standards like SOAP, REST or JSON. API security concerns begin with access control. For externally facing APIs, this means having the ability to:  accept different kinds of credentials for authentication  issue different kinds of credentials to developers  support different “resource” authorization schemes including federated ones like OAuth and SAML For enterprises this challenge is compounded by the need to integrate with existing identity infrastructure. Therefore, the overarching goal is to achieve both flexibility and integration. In policy there should be an ability to support different kinds of access tokens and even move from one kind of developer API key to another, without touching code. The solution should be able to support a wide range of OAuth schemes (given the standard’s growing importance for APIs) but also handle a variety of OAuth styles like HMAC and combinations with enterprise standards like SAML. Of course, the API © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 4
  • 5. API Management Solutions Management solution also needs to work with pre-existing identity investments from companies like Oracle, IBM, CA and RSA. However, API security doesn’t stop at access control. APIs provide the programmatic window into your data. For that reason, an enterprise-class API Management solution will need to give the enterprise architect or security administrator fine-grained control over what data get exposed, how this information is kept confidential and how its transmission can be guaranteed against interception or tampering. Lastly, API security rests on the integrity of both the API and the data/functionality it exposes. This requires an ability to ensure APIs are not compromised by attack, denial of service or misuse. A good API Management solution will equip its operator with a wealth of threat protection controls that will assure the availability and fidelity of the API and the communications it enables. API Lifecycle Management APIs are not built in a vacuum. Like any application functionality, APIs demand their own development lifecycle, from design to coding to testing to deployment. This requires an ability to track changes to an API across the development lifecycle, whether the development process follows a waterfall or agile approach. For this reason, any API Management solution aiming to meet the needs of an enterprise will need to have fully-functional workflows for:  Promoting APIs from development to production  Managing the associated policy metadata  Restricting change contributions using an integrated RBAC control  Accommodating approvals and rollbacks A fully-functional API Management solution should also be able to accommodate multiple versions in production simultaneously, either to accommodate older clients or to accommodate different access technologies like SOAP, REST and JSON. However, a lifecycle management framework that can only accommodate localized development will not meet the needs of most modern enterprises. With the growing importance of the cloud, both public and private, enterprises will require an API Management solution that can span testing and production in the cloud. This will require an ability to isolate API developers from the vagaries of network idiosyncrasies and topology. API Governance Governance is a broad term often used to capture a wide range of management, process and visibility requirements. It defines the terms and conditions under which an API is exposed to one or more consumers. While “governance” encompasses security and lifecycle concepts, it also articulates various SLA, monitoring and reporting requirements. Furthermore, in the case of API Management solutions, it is relevant to the broader imperative of enabling differentiated terms and conditions for sharing API data and functionality to different consumers based on their identity, capability, subscription level or other transactional context that can be defined in policy. Effective API governance is all about flexibility. The technology for controlling how APIs get shared should follow the preferences and processes of the enterprise and not the other way around. This © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 5
  • 6. API Management Solutions means that an API Management solution should be configurable around any SLA, security, log or other control using policy. Policy is at the heart of flexibility and assures consistency from one implementation to the next. API Management solutions that constrain administrators to course-grained controls without a full policy IDE limit what can be governed and how it can be controlled. Developer Enablement and Community Building Governing an API ensures consistent control for the publisher. However, if that API cannot be easily discovered and consumed by external developers, the publisher risks that it will go unused. For that reason, most modern API Management solutions go beyond control features like security, lifecycle and governance to provide functionality that helps publishers expose information about their APIs to outside developers – often via developer portals. A developer portal provides a single point of interaction for the developer to register for an account, request an API access key, discover what APIs are available and see example code. An API developer portal focused on enterprise usage should:  Support different classes of external developers (e.g. the publisher should be able to attribute different rights to partner developers and public developers).  Provide various self-service capabilities (e.g. subscription levels and rate plans).  Give developers visibility into their API usage and key performance metrics (e.g. response time).  Allow developers to share best practices through community features (e.g. a forum). Since different enterprises will come to API publishing with different experiences and priorities, a one- size-fits-all API portal approach will be no more attractive than a one-size-fits-all API security, lifecycle and governance framework. For this reason, many enterprises will want to consider a decomposable API portal. This could mean a white-label portal that can be customized to suit a particular developer engagement strategy. It could also mean an API portal that can be consumed as discrete components by a pre-existing enterprise developer portal. Again, flexibility is the watchword. API Monetization Related to the idea of developer enablement is the concept of monetization. While many enterprises will want to foster adoption by allowing free access to their Web and mobile APIs, others will want to offer pay-per-use options for higher tiers of access. Again, there is no single right way of approaching the monetization problem. Some options are:  A “freemium” model where usage below a certain threshold of data transmission or client requests is free  Charging for specific levels of service guarantee or for priority over free users  Offering premium information or functionality unavailable to non-paying customers Regardless of which approach is taken, the API Management solution should be sophisticated enough to give an enterprise flexibility in how it sets up its revenue criteria. The solution should be able to:  Capture a range of usage statistics, to create a basis for measuring consumption  Provide advanced SLA and Class of Service capabilities, allowing for traffic prioritization  Compose virtual pay-only APIs that could be isolated for paying customers, without coding © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 6
  • 7. API Management Solutions API Management Solution Operational Requirements Solution Security Since an API Management solution will often be the only piece of technology separating enterprise APIs from the outside world, the level of security the solution can confer on APIs will only be as strong as the security of the solution itself. If the solution is compromised, any security rendered onto the APIs will be similarly compromised. Therefore, enterprises examining API Management solutions should make the solution’s security an absolutely critical consideration. Since these solutions will be interposed as intermediaries between the outside world and internal APIs, the first quality often evaluated is whether the solution itself can be compromised. This will depend on what kind of penetration testing the solution has undergone, how constrained access to the solution is and whether it has met key vulnerability assessments. Consideration should be given to STIG tested solutions, PCI DSS certification for solutions that will pass credit card information, FIPS compliance and Common Criteria certification for solutions that need to meet higher government security standards. For most practical purposes, enterprises will often look at API Management solutions that are proxy based for handling the intermediation of outside requests to an internal API. Intermediary- based API Proxies offer the advantage of clear inline points of control and isolation, making security certification and administration simpler (just like with network firewalls). Some may also offer onboard HSM support for encrypting API keys. Since API keys in many scenarios are the main line of authentication defense against abuse, protecting those keys from theft through encryption is a prudent strategy. Solution Manageability Unlike a typical startup, which may run its entire production Web site from a single Amazon instance or small hosted provider, an enterprise will typically have varied development and production environments. For example, an enterprise may have:  Geographically-distributed developer teams  Production environments that span global datacenters  Cloud-based disaster recovery systems Therefore, manageability will be central to any selection decision. Considerations like how you manage clusters of API proxies, how you load balance geographically, how you operate in a lights-out datacenter environment and how you handle peak loads will take priority over other features. Again, not all API Management solutions are designed to cater to the specific needs of the enterprise, so care should be taken in evaluating how various solutions support cluster management, fail-over, load bursting, disaster recovery and other operational management factors before embarking on a particular path. Solution Reliability Once an enterprise decides to embark on an API publishing program, it will effectively become a service provider to its API consumers. These consumers will come to rely on the enterprise and expect continuous uptime. In this context, an enterprise will inevitably place a considerable premium on reliability when selecting its API Management solution. The enterprise will look for solutions where © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 7
  • 8. API Management Solutions redundancy is built in and risk of downtime has been extremely minimized, if not eliminated. The need for continuous uptime may eliminate hosted or cloud-based options. While not inherently unreliable, most pure-play cloud API Management solutions are run by small companies that tend not to provide the kind of mission-critical redundancy and support enterprises have come to expect. For that reason, enterprises looking at API Management solutions may want to consider only those solutions that can:  Be deployed in the enterprise’s own datacenters and private cloud  Meet the kind of high availability, redundant configuration that would guarantee continuous uptime Conclusions No two enterprises have exactly the same needs or environment. Therefore, there will never be a one- size-fits-all API Management solution. However, all enterprises share a common need for excellence in functional capability and operation. For most organizations endeavoring to start publishing APIs externally, this will translate into a desire for a flexible, policy-driven API Management solution that can meet the production rigor of a dial-tone class service provider. Functionally, it will require an API Management solution that can meet a variety of security pre-requisites, accommodate common development lifecycles, be governable through policy, enable developer onboarding, foster developer engagement and support the option of monetization. Operationally, the API Management solution should be secure, manageable and reliable. For more detail and example case studies please contact info@layer7.com. © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 8
  • 9. API Management Solutions About Layer 7 Technologies Layer 7 is a leader in API security and governance for SOA, Web and Cloud. With over 150 global enterprise customers using its API Proxy, Lifecycle and Portal solutions Layer 7 has strived to meet the needs of its customers’ integration and API publishing needs. Contact Layer 7 Technologies Layer 7 Technologies welcomes your questions, comments, and general feedback. Email: info@layer7.com Web Site: www.layer7.com Phone: (+1) 604-681-9377 1-800-681-9377 (toll free within North America) Fax: 604-681-9387 Address: Layer 7 Technologies 1200 G Street, NW, Suite 800 Washington, DC 20005 Layer 7 Technologies Suite 405-1100 Melville Street Vancouver, BC V6E 4A6 Canada Legal Information Copyright © 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved. SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners. © Copyright 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com) 9