
Executive Insights on the Current and Future State of API Management

Let's take a look at executive insights on the current and also the future state of API management.

by Tom Smith · Sep. 03, 18 · Opinion

This article is featured in the new DZone Guide to API Management: Comparative Views of Real World Design. Get your free copy for more insightful articles, industry statistics, and more!

To gather insights on the current and future state of API management, we talked to 17 executives who are using APIs in their own organization, as well as helping clients use APIs to accelerate their digital transformation and the development of quality applications. Specifically, we talked to:

• Maxime Prades, Vice President of Product, Algolia

• Jaime Ryan, Senior Director, Product Management & Strategy, API Management, CA Technologies

• Ross Garrett, VP Marketing, Cloud Elements

• OJ Ngo, CTO, DH2i

• Reid Tatoris, Vice President Product Outreach and Marketing, Distil Networks

• Oren Novotny, Chief Architect, DevOps and Modern Software, Digital Innovation, Insight

• Raj Sabhlok, CEO, ManageEngine

• Keith Casey, API Problem Solver, Okta

• Vikas Anand, Vice President Product Development, Oracle

• Mike LaFleur, Global Director Solution Architecture, Provenir

• Steve Willmott, Senior Director and Head of API Infrastructure, Red Hat

• Keshav Vasudevan, Product Marketing Manager, SmartBear

• Chris McFadden, V.P. of Operations, SparkPost

• Jerome Louvel, VP of Product Management, Talend

• Derek Birdsong, Product Marketing Manager, Connected Intelligence Cloud, TIBCO

• Setu Kulkarni, Vice-President of Product and Corporate Strategy, WhiteHat Security

• Roman Shaposhnik, Co-founder VP Product Strategy, Zededa

• Vijay Tapaskar, Co-founder VP Engineering and Ops, Zededa

Key Findings

1. The most important element of API management is security — including availability and access. It's important to understand that an API can be abused just like an endpoint, website, or application, but it requires different security protocols, including controlling access through analytic security policies. API security should be the first feature of an API management product.

Documentation and standards are also needed around the creation of the APIs and the business logic, so that there is no need for an external repository or document management center, and so that teams creating multiple APIs for the same organization can provide the same user experience (UX) across APIs.

2. APIs have made the creation of applications faster, resulting in more flexible applications, and have given developers the opportunity to reuse code. It's fundamentally easier and faster to create composite applications that pull in data capabilities from a wide range of sources. APIs allow developers to work across different platforms and enable the move from monolithic applications to the microservices pattern, in which individual elements use APIs to call one another. Most APIs are being used by tens to hundreds of developers internally and thousands to millions externally.

3. OAuth is the most popular industry protocol for securing APIs. OAuth is the primary method of access control for delegated access to APIs. For instance, when you allow an app to log in using your Facebook identity, or get access to your photos on Instagram, there is a carefully controlled three-way handshake that allows you to grant permission to that app for a specific scope of access.

A layered approach is recommended by several respondents along with good coding practices and standards, automated testing, pen testing, patch management, and regular audits through SOC2 and internal teams.

4. Real-world problems being solved by APIs run across multiple industries, with airlines and airports being mentioned most frequently, followed by financial services. Airlines are using API platforms to enable third parties to improve end-to-end customer travel experiences and focus on operational improvements, like flight operations automation and leveraging back office data more effectively in airport operations. The Amsterdam airport is using APIs to monitor applications to improve customer experience (CX).

5. The most common issues with API management are the lack of attention on security and thinking that APIs can be secured like applications. You cannot give access to just anyone; you must tighten access and authentication to the individual. Follow the security standards set by Google for APIs — SSO and REST. Put authentication in place with OAuth or OpenID.

6. Concerns around the current state of API management revolve around security and the consolidation of third-party tools. There is a lack of focus on security. A lot of customers use a WAF or CDN, but these are not able to stop automated attacks. APIs are open to all kinds of malware, so every API needs to be certified as secure.

There is a lot of consolidation of tools and this will come at the expense of end-user experience. We will see movement from the core value of the tool to generate more revenue without regard to building and testing. This will hurt innovation as we've seen with databases.

7. The future of API management is around security as it relates to access and standards. More standardization will weed out those who are not following standards and principles. Security and privacy will be audited more thoroughly, and we will have independent security standards for APIs. There will be a greater focus on identity and limited access to APIs by understanding the use cases the APIs are being designed for.

Team collaboration is very important. There is a need for API governance that begins with the design itself and an API blueprint for developers working on APIs and delivering APIs that provide consistent rules of engagement. API platforms will help ensure consistency and compatibility.

APIs are becoming more focused on delivering a particular solution. Understand your use case and build the most elegant solution.

8. When managing APIs, developers need to think about security, purpose, and the end user (i.e., other developers). Be aware of the security implications of what you are building. Think like a distributed systems engineer. A key does not equal security because credentials can be stolen. APIs are not under attack any less than your site or applications; however, they do need a different type of security. Make sure you have continuous security monitoring. API security is actually more important than general web security.

Are you delivering an API that's fit for purpose? APIs are becoming more focused on delivering a particular solution. Understand your use case and build the most elegant solution. Know what you want the CX to be and focus on the technology solutions you want to provide. Think about the purpose of the API you are building, who will access it, and whether they are internal or external. People will use the APIs that give them access to the data or systems they want. Your API will be used for things you cannot predict — be prepared.
