API Management Executive Insights

We are now living in an API-first world. To gather insights on the current and future state of API management, I asked IT professionals from 18 companies to share their thoughts.

You might also like:  The Future of API Management

Here’s who I heard from:

• Benoit Perrot, Director of Engineering, Algolia
• Paulo Michels, E.V.P. Engineering and Co-founder, ArcTouch
• Mike Schuricht, VP Product Management,Bitglass
• Ryan Breen, Director of API Management, Cimpress
• Jorge Rodriguez, S.V.P. Product Development, Cleo
• Nick Chernets, the Founder and CEO of DataForSEO
• Amrit Jassal, CTO and Founder, Egnyte
• Valery Novikov, Co-founder and CTO, FI.SPAN
• Brian Platz, Co-CEO of Fluree
• Manoj Chaudhary, CTO & SVP of Engineering, Jitterbit
• Derek Smith, CTO & Co-founder, Naveego
• Rob Whiteley, CMO, and Karthik Krishnaswamy, Senior Project Marketing Manager, NGINX
• Mark Cheshire, Director Product Management, Red Hat
• Cyril Nicodème, Founder, Reflectiv
• Chetan Conikee, Founder & CTO, ShiftLeft.io
• Idit Levine, CEO, Solo.io
• Marc MacLeod, Founder & CEO, Stoplight
• Rob Zazueta, Director of Digital Strategy, TIBCO

Here’s what they told us:

1. Companies are using APIs to access data, internal and external application development, and microservices development. With more data and data sources, companies are able to create discrete applications and data sets and expose them as a series of API-enabled services. APIs are used for all mobile development and quite a bit of web development. APIs are used for both internal and external development as companies realize the value of reusing code. APIs are powering the company’s product ecosystems. Legacy enterprises are breaking monolithic applications into microservices and APIs are the smallest unit of compute shared across monoliths, microservices, and serverless.
2. The most important elements of managing APIs are their protection, ease of use, analytics, and lifecycle management. It’s important to enforce security policy management while providing transparency. Rate limiting can control how many requests you have to handle and can prevent malicious actors from damaging APIs or preventing access by legitimate users. Provide a seamless and frictionless user experience. Every time you require users to make a change, they’ll ask themselves why they are working with you versus a vendor that gets things right from the beginning. Performance, reliability, and analytics are all important as is runtime, security policy management, telemetry, monitoring, and consistent performance. API lifecycle management consists of defining, publishing, securing, routing, mediating traffic, monitoring, and analyzing performance.
3. APIs have made application development easier and more creative; they have facilitated the decomposition of monolithic apps into microservices and led to the development of more powerful mobile apps. Developers can now focus on the core capabilities of the product they are building, leveraging best-of-breed building blocks for key, but not core, features. APIs reduce the complexity of the development process and enable developers to get closer to reusable code and components enabling them to take off-the-shelf feature capabilities to compose new use cases. Microservices are designed to fit and mirror good RESTful API design. The maturity of APIs and mobile development go hand-in-hand. APIs externalize redundant or complex parts of applications. Behind every mobile app is an API. The massive shifts we’re seeing on the infrastructure side, from Docker to Kubernetes, would not be possible without APIs.
4. Authentication is the most frequently mentioned way of securing APIs followed by rate-limiting and more broad-reaching solutions. Several contributors suggested focusing on authentication and authorization. Use OAuth and OAuth2 to communicate and secure communications between APIs. Some use one-time secure token management and certification-based authentication. Others recommended rate-limiting API calls to mitigate distributed denial of service (DDoS) attacks. Secure the APIs themselves by applying a rate-limiting policy that sets a threshold on the number of requests the API gateway accepts each second. Have a prescriptive approach. Think about how application identities are connected to user identities. Think about API security in its broadest sense beyond authentication to mitigate intrusion attempts. A multi-layer approach will include a web app firewall in a separate layer with Apache Mod security.
5. Consistent with expectations, API applications have a broad number of applications and industry use cases. Those mentioned more than once are the integration of business services and partners in industries like professionals services and transportation. Orchestrating real-time integration between endpoints to composing entire business solutions is a common use case. Perhaps a function of the breadth of use cases, the most common issues affecting APIs are broad and disaggregated as well with architecture, communications, complexity, and tools/standards all mentioned along with several others.
6. Concerns were equally broad though none stood out as being particularly problematic. They include lack of adoption of design-first methodology and the challenges of version-management.
7. The future of API management is identification and management of the full lifecycle and the continued adoption of microservices driven by APIs. Respondents see improvements in the lifecycle of APIs as organizations start treating APIs as products with product managers guiding the lifecycle. Ultimately, there will be an integrated approach to make it easier for the developer to design, implement, deploy, and managed automatically. Modernizing applications based on a microservices-based architecture is central to digital transformation initiatives. The greatest opportunity lies in API management of microservices. Solutions with small footprints that are flexible, portable, and can operate in any infrastructure. There is a huge trend toward service mesh. Take API management and bring it to every microservice. Ensure the ability for applications and microservices to talk to each other.
8. Developers need to keep themselves, and other developers in mind when managing APIs since developers will be the consumers. What do you want to accomplish with the API? Why would someone use the API? What are the use cases? Achieve a balance between efficiency and human readability. Think in terms of a broad range of consumers and reusability. Follow best practices for development including excellent documentation, understandable error messages, and predictable and consistent output and performance. Ensure consistency throughout the API ecosystem so consumers will feel like they’re using a consistent collection of interfaces.
9. Consider API management of microservices. 86% of enterprises expect microservices to be the default application architecture in five years. Build security into the architecture from the beginning. The only way security can keep pace with development is through automation. Developers need to consider the operational speed of their security investments. Look for repeatable processes that can be automated.

Further Reading

Keys to API Management

An Overview of APIs and API Management