How to Accelerate API Adoption

Many digital transformation leaders are looking for ways to accelerate API adoption. As APIs become more popular, the pace of change is likewise picking up.

Why do APIs and API management matter? Because APIs are revolutionizing the world of IT.  They make it possible for developers to easily connect applications across mobile, cloud, web, and back-end systems. From a business perspective, APIs are an amazing source of agility. However, APIs also create a host of new threats to compliance and security.

Specifically, we will explore how full lifecycle API management can mitigate the compliance risks inherent in APIs without dampening their potential to transform your business.

Why API Adoption Is Important

The technology industry has witnessed numerous advances in connectivity over the last several decades. From CORBA to microservices, each evolution in openness and integration capabilities has brought gains in agility.

Likewise, each shift has reduced integration complexity. Today, businesses are starting to see the remarkable potential for a new generation of simple, open, and flexible APIs to accelerate strategic business execution. APIs are a remarkable breakthrough in connectivity, enabling virtually any application to access the most sophisticated applications and complex data sets. A whole industry has emerged around making enterprise systems available to new applications using APIs.

Yet, these innovations in application-to-application integration create challenges to the software lifecycle. Likewise, they pose potentially serious ramifications for security and compliance.

Evolution of API Adoption

APIs are not new. In use for decades, they consist of libraries and protocols used as interfaces between software components. The most useful and modern APIs are web-based APIs that use simple standards-based languages such as JavaScript Object Notation (JSON) and representational state transfer (REST). In an enterprise setting, RESTful APIs are finding dozens of uses. Especially as far-flung developers use them to allow mobile apps to tap into corporate back end systems.

API Adoption In the Enterprise 

Enterprises haven’t historically thought openly about access to their systems. Although, this is starting to change.

Why? The RESTful approach to APIs is simply too appealing. It can enable rapid-fire implementation of partnerships and operational plans. By convention, nearly all web APIs use the same structure and rely on a few accepted REST procedure calls. These include GET, POST, PUT and DELETE.

Consider a manufacturing business that sells products through a distributor channel. To increase their sales and cut customer support costs, the company publishes a RESTful API. This API allows developers at any one of hundreds of distributors to embed order placement instructions in their apps. The sketch below shows a simple reference architecture for this setup.

Using the RESTful API approach, each distributor can develop an app that allows customers to place orders that flow through to the manufacturer. The app can call the manufacturer’s API to PUT orders, GET order information, POST changes, and DELETE orders. The ERP system can use the API to transmit changes in purchase orders, refund information, and so forth.

Enterprise API Adoption Patterns

Discover four APIs usage models that are emerging as businesses revise their internal enterprise architectures so that they can address business needs with agility and efficiency.

📕Get the White Paper

How to Adopt APIs Without the Risk

With this example in mind, let’s turn to API risk. If you’re involved in enterprise IT, you might have looked at the image above thinking, hey, wait a minute! Are we saying external developers can code their way into your ERP system and create purchase orders? You may be wondering, where are the controls? As discussed below, full lifecycle API management can resolve your anxiety surrounding risk.

Compliance issues are a tangible example of risk. Before panic sets in, it’s helpful to situate compliance risk in the broader subjects of software lifecycle management and risk management. There is no one universal definition of risk management. But in general it is about ensuring risks to the business are identified and mitigated, including risks associated with compliance.

Corporate Risk and Compliance in Context 

For every reward, taking some sort of risk is required. If the manufacturer in the example wants to sell products, they must build an inventory that may not sell. That is inventory risk. It may extend credit to distributors, which creates credit risk. It employs people who might get injured, creating risk in the form of human resources liability. No matter the size of your business, risk will be present. Likewise, your compliance with regulations must be accounted for across the enterprise. And more importantly, across your entire technology stack.

Balancing API Risk With Business Agility

The fundamental challenge in making APIs work for business agility is to keep them lightweight and flexible while ensuring they remain compliant. This is no minor feat. Key to solving the problem is recognizing the importance of full lifecycle API management. COBIT recognizes this reality. This makes application lifecycle one of the IT control framework’s main enabling processes, as shown in the figure below.

High Level Control Objectives for Full Lifecycle API Management

At a high level, it’s possible to develop a set of API control objectives based on lifecycle specs and related factors. Any process that is subject to a compliance audit, which touches an API, should meet the following objectives:

1. The API’s lifecycle should be subject to control so that only permissible versions are in production.

• At the planning stage
• At the development and test phases
• In production
• In retirement

2. Line-of-business leaders, IT managers, information security staff and compliance staff should have visibility into the state of the API.
3. While in production, APIs should be subject to authentication and authorization processes.
4. APIs should be monitored and throttled as per compliance requirements. This should happen both at the aggregate API level and on a consumer-by-consumer (i.e., app-by-app) basis.

The Countervailing Risk of API Lockdown

API controls can also be too stringent. This is where the need for an API to be lightweight and flexible really becomes significant. If an organization locks down the API lifecycle and makes it difficult to introduce new versions or grant authorization to APIs, the business will suffer. APIs depend on their community orientation. And innovation demands some level of openness.

How to Accelerate API Adoption

Accelerating API adoption is a critical part of any API strategy.

API management solutions are the mechanisms by which internal controls are implemented for APIs. API management solutions come in a variety of forms, but most give the organization the ability to provision APIs to developers in a controlled portal environment. An API platform should manage deployment and production, monitor usage, and secure API access. To enable control without losing agility, you need a solution that can manage the complete API lifecycle — like Akana.

All IT assets have a lifecycle. They’re planned, developed, put into production, monitored and eventually retired and replaced. APIs are no different. But the speed with which they are created and deployed coupled with the vast unknown potential pool of users, make them a special case for full lifecycle management.

The figure above shows the four elemental stages of the API lifecycle that need to be managed for compliance purposes. An API originates in a planning process that precedes development. The API is built by developers who either adapt existing applications and services or code the API from scratch.

After a test phase, the API is deployed into production and shared with app developers. The process is typically circular, with the community of app developers having advanced knowledge of new APIs that are in the development and launch pipeline.

All pieces of the API management process should connect to one another across the API’s lifecycle. Unfortunately, some API management solutions are relatively piecemeal in their approach. They contain loose components that can be deployed at various points in the lifecycle without coherent awareness of the overall process.

1. API Planning

With this context in mind, let’s turn our attention to full lifecycle API management best practices. The first step is to plan.

For an API to enable agility and strategic business outcomes, its planning needs to be efficient and inclusive of all stakeholders. This requires balancing business needs with IT strategy capabilities. The API management solution ought to make everyone aware of the planning process and able to participate. Of course, it’s possible to bring API planning stakeholders together without an API management solution, but it’s not an efficient practice. Cobbling an API planning process together from divergent pieces can lead to agility-killing slowdowns, control errors, or both.

2. API Development

The next step is your build phase. The API management solution should ideally integrate with your development platform of choice. As each API is registered at birth so to speak, compliance outcomes are best when the following capabilities within the IDE itself. This can happen as a result of the API management solution’s automated integration with the underlying SCM. Likewise, integration with the runtime stack used to deploy and test the API should follow these steps:  

• Show what APIs are available. This helps avoid the wasteful process of developing APIs that already exist.
• Create APIs with multiple interfaces using different standards including REST/XML, REST/JSON and SOAP with no extra development effort.
• Define and document APIs so developers can use them without burdening support resources.
• Support intermediation convert existing SOAP or plain-old-XML (POX) over MQ or JMS services into RESTful APIs with XML or JSON content.
• Provision and test. Expose sandbox and production endpoints for APIs to an intuitive approval process for granting apps access to each of the endpoints.
• Manage app-to-API connections. Automate and control the connections between apps and APIs.
• Map and manage API dependencies. Show where APIs are dependent on other system resources.

3. API Security and Versioning

API security issues pervade compliance in every phase of the API lifecycle. They are particularly relevant at the build and run stages. This is especially true when multiple versions of APIs are propagated to a diverse developer community. The API management solution needs to secure APIs, protect sensitive data, and allow access to authorized apps and users. The API management solution also needs to streamline security policy definition and enforcement throughout the process, including:

• Authentication Policy Options: Choose from multiple authentication schemes, standards, and token types to ensure that only valid users and applications get access to the APIs.
• Enterprise OAuth: Use existing enterprise security systems to create an OAuth authorization server so users can manage access rights for their own data.
• Advanced cryptography: Ensure the privacy of customer data with sophisticated encryption and signature capabilities.

4. APIs in Production: Overcoming Common Challenges

APIs in production present a number of challenges to IT operations managers. Unknown external users create unpredictable load management and quality of service issues. At the same time, the fast-moving version updates inherent in APIs make it difficult for IT ops to stay ahead of what’s happening. It’s a big negative for API compliance. The API management solution can address these challenges in the following manner:

• Monitor APIs, keeping an eye on traffic from individual apps. Get visibility into how an API or app is behaving. Understand how it’s being used.
• Troubleshoot, quickly identify and fix problems with APIs.
• Manage quality-of-service (QoS) for APIs. Manage quotas and service-levels for individual apps.
• The management solution should be able to ensure a promised level (SLA) of performance at scale while protecting internal applications for excessive load.
• Manage which applications can use APIs and how much traffic they can consume.
• Provision app-to-API in an organized, traceable workflow. Walk developers through a simple process with easy-to-understand approvals for getting access to APIs.

5. Building an API Community

This aspect is the most likely to be overlooked by enterprises. But building an API community is critical to innovating and creating new digital lines of business. While building an API community takes time, the benefits are countless.   

API management solutions typically make some sort of community portal for use by API managers and app developers. The community is a connecting point where an organization can manage, share and promote its APIs in a secure and scalable environment. For ideal compliance, the community should integrate with all other phases of the API lifecycle. It enables the organization to control which applications can use the APIs and how much traffic they can consume through the following means:

• App to API provisioning workflow: The community portal can walk developers through a simple process with easy-to-understand approvals for getting access to APIs.
• Manage Sandbox and Production Access: Allow easy access to sandbox endpoints for testing, with a rigorous process for getting approval to use a production endpoint.
• Facilitate legal agreement management: Require developers to accept legal terms for each API before their app is granted approval to access the API.
• Allow developers to negotiate: Specifically, a QoS policy for their apps with the API administrator.

👉 Become an Expert

Explore additional resources:

• API Basics
• API Strategy

Conclusion: The Key to API Adoption

Managing the API lifecycle and achieving compliance while realizing their agile business potential is no small feat. It’s all about making sure lightweight APIs serve business needs. You can achieve this by building APIs well and running with controls that are compliant but not overly restrictive. Making this happen involves selecting the right API management solution. This solution needs to work across each stage of the complete API lifecycle. If it can’t, the organization risks working on compliance in an incoherent fashion.

Stakeholders connected to the API must be able to communicate with one another through the platform. This includes people and entities that are external to the organization publishing the API. Full API lifecycle management is inextricably linked to attaining the strategic outcomes promised by APIs. They can achieve this while ensuring that compliance risks remain minimized.

Accelerate API Adoption with Akana

As businesses want to further connect with partners and customers, API management is increasingly critical for digital transformation. Akana provides an end-to-end, full lifecycle API management tool for designing, implementing, securing, managing, monitoring, and publishing APIs.

It is well-suited for monumentally large enterprises on down to small federated API partner ecosystems. Akana can be deployed natively across on-premises and cloud, enabling customers to securely deploy an integrated no-code portal. In addition, Akana provides detailed business analytics to help you innovate.

Start Free Trial  ▶️ Watch Demo First 

This blog was originally published as a white paper in 2015. It has since been updated for accuracy and comprehensiveness.