DZone Research: The Future of API Management
Let's look at security as it relates to identity, access, and standards in the realm of API management.
To gather insights on the current and future state of API management, we talked to 17 executives who are using APIs in their own organization, as well as helping clients use APIs to accelerate their digital transformation and the development of quality applications. We asked them "What’s the future for API management from your point of view — where do the greatest opportunities lie?"
Here's what they told us:
Security and Access
- Think of API security like a web. Send data to who you want, and make sure you're sending to who you think you are. Real user access. Mobile app user logging in. Some are selling data via an API with a legitimate key. Protect the information whether displayed via raw API, mobile, or web page.
- Make it available but give different levels of access. It should be open and available to individuals versus everyone. Integrate and innovate.
- 10 years ago, when SOAP and REST were barely being followed, people were not following standards or principles. More standards and competition will weed out those who do not. Security and privacy will need stronger auditing of who uses, when, and how. As building software becomes faster, there will be more APIs talking to each other. Authentication requirements. First maturation around APIs.
- In the modern API world of REST HTTP, there are not that many problems or policy management needs. The greatest opportunity starts with the developers knowing what they need to do — start left, train the developer, certification, know how to write secure code. Will need an independent security standard for APIs. Document the security characteristics of the API. What are the security standards and characteristics?
- Identity and scope with limited access authorization by understanding the use cases you are designing for. Understand what you are trying to do before granting someone access.
- What I’d like to see — and what I think is coming — is greater integration with the Microsoft Intelligent Security Graph. There is a great opportunity for API management in helping defend against bad actors within a given system and reporting data that can help secure other systems. One of the goals of the Microsoft Intelligent Security Graph is to help tie together all of their different signals from different sources to expose and mitigate against advanced threats. API management would help provide additional signals to that system and can use signals of that system to both throttle or protect against bad use. We’re not there yet, but I’d be shocked if they’re not thinking about it.
- This new scale of API use, combined with the lack of experienced API engineers, the criticality and speed of change in organizations going through their digital transformation journey create a lot of pain points that traditional API management vendors are only addressing partially. The increasing number of business-critical use cases requiring access to core data from outside the organization — while ensuring end-to-end data security, compliance, and change management — will require a new generation of API platforms, more closely built within battle-tested data integration and governance solutions.
- API management and integration are coming together. We’re more of an integration player. As the world of integration becomes cloud and API based, the two worlds merge together nicely. That’s the future. People will try to buy a solution that does both from a single vendor. Traditionally, API management vendors would talk about integration – orchestration, workflows – but designed as a gateway product, so it doesn’t make sense. Back away from that as a way to solve problems. Leverage tools that do both.
- Serverless and how API management becomes a service AWS offers. We could see ourselves moving away from Nginx to use something else like application load balancers. Having more repeatable patterns around AWS will be interesting.
- APIs are built into three levels of the platform: 1) edge data management; 2) APIs managing data at the sensor level with blockchain and security; and, 3) vertical-specific end application APIs.
- APIs will be ubiquitous; people will stitch together business applications by calling out to APIs. For example, customers start exposing some sort of risk scoring a retailer could use. Not necessarily credit risk, could be fraud risk, other types of risk. A ubiquitous landscape of APIs. Stitch together best-of-breed applications that meet their need. There will be monetization of this. Ubiquity, sharing like Home Depot where you buy two-by-fours and nails to build a shed. It will be the same for application development.
- Transitioning to autonomous capabilities using AI/ML: self-driving, self-defining, self-healing?
- Having specific solutions for industries and use cases. Can happen to a larger extent, e.g., the PSD2 directive by the European Union for financial services opening the apps with APIs, with more visibility into what’s happening with data. Healthcare, social media, and telecommunications all have opportunities and needs for tailored solutions. By 2020, seven unique devices per person. Having developer kits for IoT APIs. Get developers involved with IoT and APIs.
- A lot of great things happening. A lot of customers are using them. Getting to a reusable environment. A big change in containers and container management. Using containers to deploy backend software has changed their development method. Start to see more API management within the container management service mesh (Istio), a fine-grained, automatic form of API management between container clusters. Visibility into fine-grained things.
- Simplification, automation, orchestration. On the simplicity side, rather than just look at it as a coding problem, we look at it as a visualization problem: what applications are available in the enterprise, show integration points, drag and drop with no coding. Should happen with limited to no coding. If you can do that, then the next step is to not even think of it as an API; think of it as one fluid application or business process transparent to the business and the users. That’s where the automation comes into play. If you get it right, there shouldn’t be a need for additional technology in between.
- Event-driven APIs are the future of APIs. While protocols of the endpoints may come and go (REST vs. GraphQL vs. gRPC vs. websockets, etc.), a whole new world has been opened up by serverless compute and cloud-native architectures. IoT and Edge compute add yet another layer of opportunity to this for the event-driven space. Small-footprint API micro gateways (like open source Project Mashling) can enable data transfer, microservice and function execution, and analytics of devices and sensors on the edge, but only when triggered by an event. This enables highly distributed, yet highly integrated and cost-effective infrastructure for the digital enterprise.
- The greatest opportunities for API Management lie in the delivery of end-to-end use cases, from building microservices around data and application logic to testing, deploying and monitoring those APIs, to consuming those backend services via mobile and IoT clients, all with built-in security and complete DevOps integration. An application pipeline built around these modern architectures and patterns will provide incredible benefits to the velocity and adaptability of adopters, resulting in market differentiation and improved business outcomes.
Here's who we talked to:
- Maxime Prades, Vice President of Product, Algolia
- Jaime Ryan, Senior Director, Product Management & Strategy API Management, CA Technologies
- Ross Garrett, VP Marketing, Cloud Elements
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product Outreach and Marketing, Distil Networks
- Oren Novotny, Chief Architect, DevOps and Modern Software, Digital Innovation, Insight
- Raj Sabhlok, CEO, ManageEngine
- Keith Casey, API Problem Solver, Okta
- Vikas Anand, Vice President Product Development, Oracle
- Mike LaFleur, Global Director Solution Architecture, Provenir
- Steve Willmott, Senior Director and Head of API Infrastructure, Red Hat
- Keshav Vasudevan, Product Marketing Manager, SmartBear
- Chris McFadden, V.P. of Operations, SparkPost
- Jerome Louvel, VP of Product Management, Talend
- Derek Birdsong, Product Marketing Manager, Connected Intelligence Cloud, TIBCO
- Setu Kulkarni, Vice-President of Product and Corporate Strategy, WhiteHat Security
- Roman Shaposhnik, Co-founder VP Product Strategy, and Vijay Tapaskar, Co-founder VP Engineering and Ops, Zededa