DZone Research: Keys to API Management
The most important element of API management is security — including availability and access.
To gather insights on the current and future state of API management, we talked to 17 executives who are using APIs in their own organization, as well as helping clients use APIs to accelerate their digital transformation and the development of quality applications. We asked them "What do you see as the most important elements of managing and securing APIs?"
Here's what they told us:
- Emphasize the need to look at API management from the top down. Define the API against a business outcome. Implement the technology of your choice. Focus on a hybrid API deployment model to be available in multiple data centers or clouds. The platform is a true hybrid – Oracle cloud, public cloud, exposed to scale across multiple clouds. From design to deployment on Oracle cloud and distributed across multiple clouds with management, security, and controlled access with analytic security policies. APIs are used to get metrics on usage and latency, from design through deployment.
- Secure your APIs. Understand that an API can be abused just like an end website. The purpose is to give access to data at a high speed. An API is built to interact with scripts and browsers and can be a more efficient inroad. Less thought is put into security when there really should be more. A lot of API management tools do not have security baked in.
- Making them secure. Having built API management tools and built out cataloging gateways, more and more are implementing their own developer portals, like Uber, Visa, and Starbucks. We need to start calling out API security as the first feature of an API management product. Containers and DevOps make it easier to deploy code. The interface-orientedness of an API has made implementation such that we need to pay attention to the security aspects of the code. Security has to be front and center in managing APIs going forward.
- Our API for customers uses OAuth as a service to secure their APIs. We understand their security assumptions. Developing APIs for whom — internal versus external. 80% of hacks are from internal actors. Treat people as untrusted until proven otherwise.
- Performance, availability, reliability, and usability; offer SLAs for enterprise customers. Think about UI and UX. A web UI helps with signing up, and reporting runs on top of the API. Have easy-to-use API key management: simple yet flexible. On the backend, have caching, monitoring, and documentation (public and open source). Security is important. SOC 2 Type 2 and GDPR compliant.
- Access. Expose internal workings of code and the feature set. If you don’t do it right, you can destroy or corrupt your environment. Take great care. APIs are a dangerous piece of code.
- We've taken the approach that API management platforms are about providing a common language where developers can interact with services. Think about API management as a way to create a level playing field. APIs are a consistent presentation for developers to create the most reuse possible. Unifying the developer experience so you don’t need to learn the difference between APIs – common capabilities within APIs. Make it as easy for developers to access products and services in a unified way.
- The most important elements of managing APIs include the ability to identify and control access, set policies, and collect telemetry about the use of APIs.
- We are developing APIs ourselves. Our clients can, but it’s beyond what we do. As a cloud central service, APIs can be very basic — all users are logged in. Now it's contextual, as all people are logged in on a particular device. Contextualized in the edge environment.
- The world of APIs is enabling risk professionals to publish APIs themselves, and this can be like the Wild West. Anyone can create and expose an API. Management needs governance around APIs. Financial institutions have governance, policies, and procedures in place. Help store documentation around the creation of the APIs at the business logic, so there is no external repository or document management center.
- Follow a design-first approach. APIs have been around for 40 years. Today they are extremely prominent. You must think API-first as the number of devices, databases, and technologies grows and APIs connect all of these. As the devices and teams building software applications grow, start with the API layer first and have the front end and back end use the API for ease of moving across devices and industries. Think about the difference between internal and external developer experiences. Start with the API design first and then create the implementation. This forces you to think about the technical reasons for building an API and the business objectives – sustainability, ROI. It helps you focus on sustainability and consumer needs. Design first forces you to think about consumer needs, accountability, and ownership. Adopt a shift-left approach: since people are moving faster, testing needs to be done earlier in the SDLC.
- 1) Developer experience: documentation, how info is presented, the way errors are handled, consistency between APIs; the developer is evolving. 2) Scalability, the rise of microservices. In two years people will be building software by leveraging APIs – e.g., SendGrid and Strive. Scalable and trustworthy. Rely on it to build long-term software. 3) Support when implementing is equally as important. Smart engineers to answer questions and provide advice.
- 1) At the technical level, think about functionality, active control, rate limits, analytics, secure credentials, documentation, updates, features around user management, different groups controlling rules around each, and the design of the APIs; automation is key if you change the backend code. 2) At the level above, customers use APIs internally to give ownership of various systems to teams. Each team is responsible for putting out the best API they can. External, where partners and users really can focus on good outcomes.
- APIs that meet the requirements of all of the constituents, from the non-technical to the technical. Easy-to-use drag and drop to build more complex and feature-rich ones using techniques for people who understand coding. Need tools to address analysts as well as coders.
- Whether public, private, or partner, APIs are being exposed. Creating an API program that meets the objectives of your business is key. It sounds simple, but the key use cases of the APIs and the business model for your organization should dictate the makeup of your API program. This includes how to manage an API throughout its entire lifecycle, from creation, publishing, governance, and bandwidth for scaling, authentication, performance analytics, and sunset.
- The most important element of managing APIs is a complete view of the API lifecycle, far beyond the simple access control and basic publish/subscribe commonly considered API Management. For an API provider, this includes planning an API program, then a complete pipeline of creation, testing, publishing, securing and managing APIs. As API consumers discover those APIs, build applications, and consume them at runtime, the providers must monitor the APIs’ health, performance, and business value, using that insight to improve both the technical and business aspects of their offering.
- There has been a lot of focus on managing the operations of APIs over the past 10 years thanks to API gateways and API portals. While those remain important elements of the overall API lifecycle management, they tend to become a commodity service as part of cloud infrastructure vendors’ offerings, such as AWS or Azure API Gateways. However, managing the growth in the number of API projects and team members within large organizations is now the most important topic, covering API design and governance needs.
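Several of the responses above name the same three building blocks of an API management layer: identify and control access, set policies such as rate limits, and collect telemetry about usage. The Python below is an added example written for this article, not code from DZone or from any of the vendors quoted. It assumes a hypothetical in-process gateway: the plan names, client names, paths and request timings are constructed for illustration, keys are stored only as SHA-256 digests, and the clock is passed in so the sliding-window rate limiter behaves deterministically.

```python
"""Minimal API-gateway policy layer (illustrative, not any vendor's code):
identify the caller by API key, enforce the caller's plan (allowed paths and
a sliding-window rate limit), call the backend, and record telemetry."""
import hashlib
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


def _digest(raw_key):
    # Only the digest of a key is ever stored or compared, so a leaked key
    # table does not hand out usable credentials.
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class Plan:
    name: str
    requests_per_window: int
    window_seconds: float
    allowed_paths: frozenset  # path prefixes this plan may call


@dataclass
class Gateway:
    plans: dict                                   # plan name -> Plan
    keys: dict = field(default_factory=dict)      # key digest -> (client, plan name)
    windows: dict = field(default_factory=lambda: defaultdict(deque))
    telemetry: list = field(default_factory=list)

    def issue_key(self, client, plan_name):
        raw = secrets.token_urlsafe(32)
        self.keys[_digest(raw)] = (client, plan_name)
        return raw  # shown to the client once; never persisted in clear

    def handle(self, raw_key, path, now, backend):
        """Identify -> authorize -> rate limit -> call backend -> record."""
        started = time.perf_counter()
        digest = _digest(raw_key)
        ident = self.keys.get(digest)
        client = ident[0] if ident else "unknown"
        if ident is None:
            status = 401                                   # unknown credential
        else:
            plan = self.plans[ident[1]]
            if not any(path.startswith(p) for p in plan.allowed_paths):
                status = 403                               # policy denies this path
            else:
                window = self.windows[digest]
                # Drop timestamps that have slid out of the window.
                while window and window[0] <= now - plan.window_seconds:
                    window.popleft()
                if len(window) >= plan.requests_per_window:
                    status = 429                           # rate limit exceeded
                else:
                    window.append(now)
                    status, _body = backend(path)
        self.telemetry.append({
            "client": client, "path": path, "status": status,
            "latency_ms": round((time.perf_counter() - started) * 1000, 3),
        })
        return status


def usage_report(gw):
    """Aggregate telemetry into client -> {status: count}."""
    report = defaultdict(lambda: defaultdict(int))
    for rec in gw.telemetry:
        report[rec["client"]][rec["status"]] += 1
    return {client: dict(counts) for client, counts in report.items()}


def demo():
    # Constructed plans, clients and request sequence for illustration.
    plans = {
        "free": Plan("free", requests_per_window=3, window_seconds=60.0,
                     allowed_paths=frozenset({"/v1/public/"})),
        "partner": Plan("partner", requests_per_window=100, window_seconds=60.0,
                        allowed_paths=frozenset({"/v1/public/", "/v1/orders/"})),
    }
    gw = Gateway(plans=plans)
    free_key = gw.issue_key("mobile-app", "free")
    partner_key = gw.issue_key("acme-partner", "partner")

    def backend(path):  # stand-in for the real service behind the gateway
        return 200, {"path": path}

    t0 = 1_000.0
    statuses = [
        gw.handle(free_key, "/v1/public/search", t0, backend),         # 200
        gw.handle(free_key, "/v1/orders/42", t0 + 1, backend),         # 403: not in plan
        gw.handle(free_key, "/v1/public/search", t0 + 2, backend),     # 200
        gw.handle(free_key, "/v1/public/search", t0 + 3, backend),     # 200: third in window
        gw.handle(free_key, "/v1/public/search", t0 + 4, backend),     # 429: limit hit
        gw.handle(free_key, "/v1/public/search", t0 + 61, backend),    # 200: window slid
        gw.handle("not-a-real-key", "/v1/public/search", t0, backend), # 401
        gw.handle(partner_key, "/v1/orders/42", t0, backend),          # 200
    ]
    return statuses, usage_report(gw)


if __name__ == "__main__":
    print(demo())
```

The ordering inside `handle` is the point: a request is rejected as early as possible (unknown key, then disallowed path, then rate limit) and only requests that pass policy consume a slot in the caller's window, while every outcome, including the rejections, is written to telemetry so that the usage report shows abuse attempts as well as legitimate traffic.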
Here's who we talked to:
- Maxime Prades, Vice President of Product, Algolia
- Jaime Ryan, Senior Director, Product Management & Strategy API Management, CA Technologies
- Ross Garrett, VP Marketing, Cloud Elements
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product Outreach and Marketing, Distil Networks
- Oren Novotny, Chief Architect, DevOps and Modern Software, Digital Innovation, Insight
- Raj Sabhlok, CEO, ManageEngine
- Keith Casey, API Problem Solver, Okta
- Vikas Anand, Vice President Product Development, Oracle
- Mike LaFleur, Global Director Solution Architecture, Provenir
- Steve Willmott, Senior Director and Head of API Infrastructure, Red Hat
- Keshav Vasudevan, Product Marketing Manager, SmartBear
- Chris McFadden, V.P. of Operations, SparkPost
- Jerome Louvel, VP of Product Management, Talend
- Derek Birdsong, Product Marketing Manager, Connected Intelligence Cloud, TIBCO
- Setu Kulkarni, Vice-President of Product and Corporate Strategy, WhiteHat Security
- Roman Shaposhnik, Co-founder VP Product Strategy, and Vijay Tapaskar, Co-founder VP Engineering and Ops, Zededa