Submit support requests and browse self-service resources.
Many digital transformation leaders are looking for ways to accelerate API adoption. As APIs become more popular, the pace of change is likewise picking up.
Why do APIs and API management matter? Because APIs are revolutionizing the world of IT. They make it possible for developers to easily connect applications across mobile, cloud, web, and back-end systems. From a business perspective, APIs are an amazing source of agility. However, APIs also create a host of new threats to compliance and security.
This blog post explores:
Specifically, we will explore how full lifecycle API management can mitigate the compliance risks inherent in APIs without dampening their potential to transform your business.
The technology industry has witnessed numerous advances in connectivity over the last several decades. From CORBA to microservices, each evolution in openness and integration capabilities has brought gains in agility.
Likewise, each shift has reduced integration complexity. Today, businesses are starting to see the remarkable potential for a new generation of simple, open, and flexible APIs to accelerate strategic business execution. APIs are a remarkable breakthrough in connectivity, enabling virtually any application to access the most sophisticated applications and complex data sets. A whole industry has emerged around making enterprise systems available to new applications using APIs.
Yet, these innovations in application-to-application integration create challenges to the software lifecycle. Likewise, they pose potentially serious ramifications for security and compliance.
Enterprises haven’t historically thought openly about access to their systems. Although, this is starting to change.
Why? The RESTful approach to APIs is simply too appealing. It can enable rapid-fire implementation of partnerships and operational plans. By convention, nearly all web APIs use the same structure and rely on a few accepted REST procedure calls. These include GET, POST, PUT and DELETE.
Consider a manufacturing business that sells products through a distributor channel. To increase their sales and cut customer support costs, the company publishes a RESTful API. This API allows developers at any one of hundreds of distributors to embed order placement instructions in their apps. The sketch below shows a simple reference architecture for this setup.
Using the RESTful API approach, each distributor can develop an app that allows customers to place orders that flow through to the manufacturer. The app can call the manufacturer’s API to PUT orders, GET order information, POST changes, and DELETE orders. The ERP system can use the API to transmit changes in purchase orders, refund information, and so forth.
Enterprise API Adoption PatternsDiscover four APIs usage models that are emerging as businesses revise their internal enterprise architectures so that they can address business needs with agility and efficiency.📕Get the White Paper
Discover four APIs usage models that are emerging as businesses revise their internal enterprise architectures so that they can address business needs with agility and efficiency.
📕Get the White Paper
With this example in mind, let’s turn to API risk. If you’re involved in enterprise IT, you might have looked at the image above thinking, hey, wait a minute! Are we saying external developers can code their way into your ERP system and create purchase orders? You may be wondering, where are the controls? As discussed below, full lifecycle API management can resolve your anxiety surrounding risk.
Compliance issues are a tangible example of risk. Before panic sets in, it’s helpful to situate compliance risk in the broader subjects of software lifecycle management and risk management. There is no one universal definition of risk management. But in general it is about ensuring risks to the business are identified and mitigated, including risks associated with compliance.
For every reward, taking some sort of risk is required. If the manufacturer in the example wants to sell products, they must build an inventory that may not sell. That is inventory risk. It may extend credit to distributors, which creates credit risk. It employs people who might get injured, creating risk in the form of human resources liability. No matter the size of your business, risk will be present. Likewise, your compliance with regulations must be accounted for across the enterprise. And more importantly, across your entire technology stack.
The fundamental challenge in making APIs work for business agility is to keep them lightweight and flexible while ensuring they remain compliant. This is no minor feat. Key to solving the problem is recognizing the importance of full lifecycle API management. COBIT recognizes this reality. This makes application lifecycle one of the IT control framework’s main enabling processes, as shown in the figure below.
At a high level, it’s possible to develop a set of API control objectives based on lifecycle specs and related factors. Any process that is subject to a compliance audit, which touches an API, should meet the following objectives:
API controls can also be too stringent. This is where the need for an API to be lightweight and flexible really becomes significant. If an organization locks down the API lifecycle and makes it difficult to introduce new versions or grant authorization to APIs, the business will suffer. APIs depend on their community orientation. And innovation demands some level of openness.
API management solutions are the mechanisms by which internal controls are implemented for APIs. API management solutions come in a variety of forms, but most give the organization the ability to provision APIs to developers in a controlled portal environment. An API platform should manage deployment and production, monitor usage, and secure API access. To enable control without losing agility, you need a solution that can manage the complete API lifecycle — like Akana.
All IT assets have a lifecycle. They’re planned, developed, put into production, monitored and eventually retired and replaced. APIs are no different. But the speed with which they are created and deployed coupled with the vast unknown potential pool of users, make them a special case for full lifecycle management.
The figure above shows the four elemental stages of the API lifecycle that need to be managed for compliance purposes. An API originates in a planning process that precedes development. The API is built by developers who either adapt existing applications and services or code the API from scratch.
After a test phase, the API is deployed into production and shared with app developers. The process is typically circular, with the community of app developers having advanced knowledge of new APIs that are in the development and launch pipeline.
All pieces of the API management process should connect to one another across the API’s lifecycle. Unfortunately, some API management solutions are relatively piecemeal in their approach. They contain loose components that can be deployed at various points in the lifecycle without coherent awareness of the overall process.
With this context in mind, let’s turn our attention to full lifecycle API management best practices. The first step is to plan.
For an API to enable agility and strategic business outcomes, its planning needs to be efficient and inclusive of all stakeholders. This requires balancing business needs with IT strategy capabilities. The API management solution ought to make everyone aware of the planning process and able to participate. Of course, it’s possible to bring API planning stakeholders together without an API management solution, but it’s not an efficient practice. Cobbling an API planning process together from divergent pieces can lead to agility-killing slowdowns, control errors, or both.
The next step is your build phase. The API management solution should ideally integrate with your development platform of choice. As each API is registered at birth so to speak, compliance outcomes are best when the following capabilities within the IDE itself. This can happen as a result of the API management solution’s automated integration with the underlying SCM. Likewise, integration with the runtime stack used to deploy and test the API should follow these steps:
API security issues pervade compliance in every phase of the API lifecycle. They are particularly relevant at the build and run stages. This is especially true when multiple versions of APIs are propagated to a diverse developer community. The API management solution needs to secure APIs, protect sensitive data, and allow access to authorized apps and users. The API management solution also needs to streamline security policy definition and enforcement throughout the process, including:
APIs in production present a number of challenges to IT operations managers. Unknown external users create unpredictable load management and quality of service issues. At the same time, the fast-moving version updates inherent in APIs make it difficult for IT ops to stay ahead of what’s happening. It’s a big negative for API compliance. The API management solution can address these challenges in the following manner:
This aspect is the most likely to be overlooked by enterprises. But building an API community is critical to innovating and creating new digital lines of business. While building an API community takes time, the benefits are countless.
API management solutions typically make some sort of community portal for use by API managers and app developers. The community is a connecting point where an organization can manage, share and promote its APIs in a secure and scalable environment. For ideal compliance, the community should integrate with all other phases of the API lifecycle. It enables the organization to control which applications can use the APIs and how much traffic they can consume through the following means:
Managing the API lifecycle and achieving compliance while realizing their agile business potential is no small feat. It’s all about making sure lightweight APIs serve business needs. You can achieve this by building APIs well and running with controls that are compliant but not overly restrictive. Making this happen involves selecting the right API management solution. This solution needs to work across each stage of the complete API lifecycle. If it can’t, the organization risks working on compliance in an incoherent fashion.
Stakeholders connected to the API must be able to communicate with one another through the platform. This includes people and entities that are external to the organization publishing the API. Full API lifecycle management is inextricably linked to attaining the strategic outcomes promised by APIs. They can achieve this while ensuring that compliance risks remain minimized.
As businesses want to further connect with partners and customers, API management is increasingly critical for digital transformation. Akana provides an end-to-end, full lifecycle API management tool for designing, implementing, securing, managing, monitoring, and publishing APIs.
It is well-suited for monumentally large enterprises on down to small federated API partner ecosystems. Akana can be deployed natively across on-premises and cloud, enabling customers to securely deploy an integrated no-code portal. In addition, Akana provides detailed business analytics to help you innovate.
Start Free Trial ▶️ Watch Demo First
This blog was originally published as a white paper in 2015. It has since been updated for accuracy and comprehensiveness.