|By Application Security||
|October 18, 2013 06:55 PM EDT||
Why should you think of API management as a platform? Because it’s becoming one of the most prodigious and important aspects of how Enterprises of all sizes participate in the digital economy.Keeping in line with the standard platform technology definition, an API management platform supports the deployment of Enterprise APIs without the introduction and expense of a new process or technology. A platform allows the management of APIs as a first class citizen for the Enterprise.
To date, many of the discussions around API management from vendors and analysts alike have been very technology or implementation focused. This is understandable as APIs tend to appeal to a technical audience. The details are great but sometimes it is worthwhile to step back and look at general capabilities.
If we take the wider view, what sort of capabilities or functional modules should an API Management platform have?
Gartner’s Eric Knipp released new research last week that begins to define API management as a complete platform. The research is entitled Run and Evolve a Great Web API with API Management Capabilities. Not everyone will have a Gartner subscription, but I think this research will be one of the most important for Enterprises looking to deploy API management due to the breadth of material it covers.
In this research note, Eric is one of the first analysts to describe a comprehensive set of capabilities for API Management.
API Management Platform Capabilities
He breaks the topic into four categories which he calls (i) enable developers, (ii) manage the API life cycle, (iii) communicate securely, reliably, and flexibly, and (iv) measure improve business value.
Enabling developers includes all aspects of managing API metadata, the API catalog, community management, and also includes interesting capabilities such as developer API customization which is an advanced concept that really puts the developer in control of the API. Here the developer can morph the interface to their liking, allowing the consumer to effectively participate in the interface design. It really puts the developer at the center of how data is accessed. Also, this category expands the discussion to include the notion of SDKs and sample code that developers can directly incorporate, moving one step beyond just providing interfaces definitions.
Managing the API Life cycle includes how APIs are published, how versioning is handled as well as changes and issue tracking. For example, an API management platform needs to have CRM capabilities and ticket tracking, truly treating the developers as customers.
Communicate Securely, Reliably, and Flexibly includes all aspects of surfacing APIs from legacy systems, scaling traffic, handling authentication, SLAs, building service orchestrations, and providing threat defense and data privacy. This is the largest category in terms of the sheer number of capabilities and approximates the “runtime”or “traffic’ portions of moving data in and out of interfaces.
Measure and Improve Business Value includes all the capabilities needed to relate APIs to the business as well as measuring uptime, activity, user auditing, contracts and terms of service, and SLA monitoring. This generic set of capabilities answers the questions: Is my API providing value? Is it up and running? How are business relationships maintained?
One of the merits of this article is that it does a great job of outlining precise requirements without diving into specific implementation choices. As with most things that involve software and technology, implementations can have different physical instantiations but still support a consistent set of common capabilities. Talking in capabilities allows decision makers to stay out of technology “rat holes” that can color and bias business decisions.
Long Live APIs
This research note advances the discussion around API management by widening its scope and purpose, moving it from a technology discussion to a capability and platform discussion. Early in the article Eric widens the definition of APIs.
He explicitly covers messaging APIs, SOAP APIs and custom APIs in addition to RESTful APIs. I think this move is absolutely correct. Not only does it more closely approach the original definition of the term, but it matches well with the idea of subsuming the older SOA terminology to militate under a new banner of APIs, similar to a previously article I wrote on the subject, Long Live API Management.
We are only killing the name, not the act of service enablement. Eric’s article seems to represent APIs as big concept, including the full suite of programmatic access whether realized as REST, JSON, XMLSOAP, XML-RPC, Messsage-Oriented-Middleware (MOM), FTP and file protocols, as well as (correctly) broadening the definition to include software development kits and sample code. One can even go as far as to say any programmatic interface is an API – and voila, APIs are regaining their original definition as a true application programming interface. The lesson here is to ditch the jargon and apply what works for the Enterprise.
Eric also makes some statements around APIs a universal tunnel to the Enterprise and correctly describes them as follows: “As a programmatic channel into your enterprise, it is critical that you identify and address any attacks or misuse of your API”.
This critical point highlights the importance of APIs moving forward, if businesses like Expedia are doing 80% of their revenue through APIs, it’s APIs that are the front door to your Enterprise, and by implication, apps that send and receive data over this channel, – not necessarily the website.
Attackers always look for the weakest link, and APIs are largely wide-open at this point. Many of the existing 30,000+ APIs in the wild have been optimized for rapid adoption and bolstering a developer ecosystem, not for protecting Enterprise assets.
This is why APIs need rock-solid, bulletproof API management for increased protection.
APIs and Data Protection
Eric also mentions encryption under the data privacy category and talks about both transport level security and message level security. To expand the discussion here we can also add things like JSON message level security, format preserving encryption and even the “ancient” WS-Security/XML Security protection mechanisms here. I was also excited to see the inclusion of data masking. Eric describes this as two-way, which I think is the correct approach though my terminology would be different as we use the term tokenization here, but the concept is the same. The distinctions we use in our product line include redaction (for one-way removal of sensitive information) and tokenization, to indicate a reversible mechanism for replacing plaintext with a surrogate.
I can’t reproduce Eric’s entire article here, but it’s definitely worth a read and matches what we are hearing from Enterprises today – it’s about understanding and supporting the breadth of capabilities.
If you’d like more information on Intel’s API Management products, please visit our website.
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
Aug. 27, 2015 04:00 PM EDT Reads: 334
Early in my DevOps Journey, I was introduced to a book of great significance circulating within the Web Operations industry titled The Phoenix Project. (You can read our review of Gene’s book, if interested.) Written as a novel and loosely based on many of the same principles explored in The Goal, this book has been read and referenced by many who have adopted DevOps into their continuous improvement and software delivery processes around the world. As I began planning my travel schedule last...
Aug. 27, 2015 03:45 PM EDT Reads: 469
Any Ops team trying to support a company in today’s cloud-connected world knows that a new way of thinking is required – one just as dramatic than the shift from Ops to DevOps. The diversity of modern operations requires teams to focus their impact on breadth vs. depth. In his session at DevOps Summit, Adam Serediuk, Director of Operations at xMatters, Inc., will discuss the strategic requirements of evolving from Ops to DevOps, and why modern Operations has begun leveraging the “NoOps” approa...
Aug. 27, 2015 02:30 PM EDT Reads: 299
In today's digital world, change is the one constant. Disruptive innovations like cloud, mobility, social media, and the Internet of Things have reshaped the market and set new standards in customer expectations. To remain competitive, businesses must tap the potential of emerging technologies and markets through the rapid release of new products and services. However, the rigid and siloed structures of traditional IT platforms and processes are slowing them down – resulting in lengthy delivery ...
Aug. 27, 2015 02:15 PM EDT Reads: 504
The Microservices architectural pattern promises increased DevOps agility and can help enable continuous delivery of software. This session is for developers who are transforming existing applications to cloud-native applications, or creating new microservices style applications. In his session at DevOps Summit, Jim Bugwadia, CEO of Nirmata, will introduce best practices, patterns, challenges, and solutions for the development and operations of microservices style applications. He will discuss ...
Aug. 27, 2015 02:15 PM EDT Reads: 372
In his session at 17th Cloud Expo, Ernest Mueller, Product Manager at Idera, will explain the best practices and lessons learned for tracking and optimizing costs while delivering a cloud-hosted service. He will describe a DevOps approach where the applications and systems work together to track usage, model costs in a granular fashion, and make smart decisions at runtime to minimize costs. The trickier parts covered include triggering off the right metrics; balancing resilience and redundancy ...
Aug. 27, 2015 02:00 PM EDT
Docker containerization is increasingly being used in production environments. How can these environments best be monitored? Monitoring Docker containers as if they are lightweight virtual machines (i.e., monitoring the host from within the container), with all the common metrics that can be captured from an operating system, is an insufficient approach. Docker containers can’t be treated as lightweight virtual machines; they must be treated as what they are: isolated processes running on hosts....
Aug. 27, 2015 01:30 PM EDT
Before becoming a developer, I was in the high school band. I played several brass instruments - including French horn and cornet - as well as keyboards in the jazz stage band. A musician and a nerd, what can I say? I even dabbled in writing music for the band. Okay, mostly I wrote arrangements of pop music, so the band could keep the crowd entertained during Friday night football games. What struck me then was that, to write parts for all the instruments - brass, woodwind, percussion, even k...
Aug. 27, 2015 01:00 PM EDT Reads: 333
Whether you like it or not, DevOps is on track for a remarkable alliance with security. The SEC didn’t approve the merger. And your boss hasn’t heard anything about it. Yet, this unruly triumvirate will soon dominate and deliver DevSecOps faster, cheaper, better, and on an unprecedented scale. In his session at DevOps Summit, Frank Bunger, VP of Customer Success at ScriptRock, will discuss how this cathartic moment will propel the DevOps movement from such stuff as dreams are made on to a prac...
Aug. 27, 2015 01:00 PM EDT Reads: 162
SYS-CON Events announced today that G2G3 will exhibit at SYS-CON's @DevOpsSummit Silicon Valley, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Based on a collective appreciation for user experience, design, and technology, G2G3 is uniquely qualified and motivated to redefine how organizations and people engage in an increasingly digital world.
Aug. 27, 2015 11:30 AM EDT Reads: 385
It’s been proven time and time again that in tech, diversity drives greater innovation, better team productivity and greater profits and market share. So what can we do in our DevOps teams to embrace diversity and help transform the culture of development and operations into a true “DevOps” team? In her session at DevOps Summit, Stefana Muller, Director, Product Management – Continuous Delivery at CA Technologies, answered that question citing examples, showing how to create opportunities for ...
Aug. 27, 2015 10:30 AM EDT Reads: 426
SYS-CON Events announced today that DataClear Inc. will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. The DataClear ‘BlackBox’ is the only solution that moves your PC, browsing and data out of the United States and away from prying (and spying) eyes. Its solution automatically builds you a clean, on-demand, virus free, new virtual cloud based PC outside of the United States, and wipes it clean...
Aug. 27, 2015 10:30 AM EDT Reads: 302
What does “big enough” mean? It’s sometimes useful to argue by reductio ad absurdum. Hello, world doesn’t need to be broken down into smaller services. At the other extreme, building a monolithic enterprise resource planning (ERP) system is just asking for trouble: it’s too big, and it needs to be decomposed.
Aug. 27, 2015 08:30 AM EDT Reads: 294
Several years ago, I was a developer in a travel reservation aggregator. Our mission was to pull flight and hotel data from a bunch of cryptic reservation platforms, and provide it to other companies via an API library - for a fee. That was before companies like Expedia standardized such things. We started with simple methods like getFlightLeg() or addPassengerName(), each performing a small, well-understood function. But our customers wanted bigger, more encompassing services that would "do ...
Aug. 27, 2015 08:15 AM EDT Reads: 152
The pricing of tools or licenses for log aggregation can have a significant effect on organizational culture and the collaboration between Dev and Ops teams. Modern tools for log aggregation (of which Logentries is one example) can be hugely enabling for DevOps approaches to building and operating business-critical software systems. However, the pricing of an aggregated logging solution can affect the adoption of modern logging techniques, as well as organizational capabilities and cross-team ...
Aug. 27, 2015 07:15 AM EDT Reads: 333
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...
Aug. 27, 2015 07:00 AM EDT Reads: 187
DevOps has traditionally played important roles in development and IT operations, but the practice is quickly becoming core to other business functions such as customer success, business intelligence, and marketing analytics. Modern marketers today are driven by data and rely on many different analytics tools. They need DevOps engineers in general and server log data specifically to do their jobs well. Here’s why: Server log files contain the only data that is completely full and accurate in th...
Aug. 27, 2015 02:45 AM EDT Reads: 299
Brands are more than the sum of their brand elements – logos, colors, shapes, and the like. Brands are promises. Promises from a company to its customers that its products will deliver the value and experience customers expect. Today, digital is transforming enterprises across numerous industries. As companies become software-driven organizations, their brands transform into digital brands. But if brands are promises, then what do digital brands promise – and how do those promises differ from ...
Aug. 26, 2015 03:00 PM EDT Reads: 408
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advance...
Aug. 26, 2015 08:00 AM EDT Reads: 152
We chat again with Jason Bloomberg, a leading industry analyst and expert on achieving digital transformation by architecting business agility in the enterprise. He writes for Forbes, Wired, TechBeacon, and his biweekly newsletter, the Cortex. As president of Intellyx, he advises business executives on their digital transformation initiatives and delivers training on Agile Architecture. His latest book is The Agile Architecture Revolution. Check out his first interview on Agile trends here.
Aug. 24, 2015 07:15 AM EDT Reads: 484