API Management
Julien Bichon
Group API Solution Director at BNP Paribas | Founder of the Collectif API Thinking | Co-founder of France API
API Management is a current and major concern for French companies. But what is API Management? It covers everything involved in managing APIs, by making it possible to:
- Expose and secure APIs quickly and easily
- Manage the developer community through an onboarding process
- Promote APIs by making them easy to discover and use (API catalog, documentation, etc.)
- Control and monitor API consumption (analytics, etc.)
- Manage the API lifecycle
In practice, API management takes place in 2 distinct phases:
These functionalities are generally offered by 2 different technical bricks:
However, the “developer portal” term is old-fashioned: it would be better to call it a transactional portal dedicated to developers and businesses.
It is common for the supplier and developer portals to be grouped into a single portal, but they answer two different needs; access to the different functionalities is then managed through roles and authorizations.
Creating APIs and managing APIs: two complementary issues to distinguish
If API Management solutions are essential to govern exchanges with your partners, it is also necessary to identify their limits. An API Management solution is not made to create APIs but to drive their exposure! APIs must be created before being exposed (it's better when written down). Nor does an API Management solution aim to structure or urbanize your internal IS: the API Management solution exposes services that already exist within the information system.
Therefore, setting up an API Management solution alone is not enough to meet the challenge of “API-sation” of your Information System. Before moving forward on choosing an API Management solution, there are many questions you need to think about: What services do you need to expose? For what business needs? What is the expected level of granularity? How mature is your ecosystem? What KPIs would you like to track?
Additionally, you must keep in mind that exposing all your services is of no interest! It is your needs, or those of your partners, that must frame your integration and API strategy.
It is only once the first APIs are defined and available within your information system that an API Management solution takes on its full meaning. However, it is not necessary to have all APIs in place from the start: the process can very well be iterative! It is better to avoid the Big Bang effect.
How to secure APIs?
One of the main roles of API Management solutions is to relieve backend developers of part of the security work, so that they can focus on the business features they need to implement.
So when considering putting a brick of API Management within the company, one must immediately ask the question of how to secure APIs and manage the access of consumer applications and end users.
Despite the particularity of each company, particularly in its identity management, standards and norms exist and it is useful to adopt them as soon as possible.
The methods described below are the most common, even though I will write an article dedicated to the question of how to secure APIs, and we will see why the API management solution is not the only solution.
- Basic authentication: based on a login / password. It is suitable for securing APIs that have a medium level of security and does require end-user authentication.
- API Key authentication: based on a character string that uniquely identifies the consuming application. It is suitable for securing APIs that have a medium level of security and do not require end-user authentication.
- Certificate authentication: based on a client certificate, and suitable for APIs that do not require end-user authentication but need to strongly secure the exchange between the provider and the consuming application.
- Authentication by JWT token: it allows the secure exchange of tokens between several parties. This is the most suitable method for REST APIs because of the standards built around it, such as OAuth2 and OpenID Connect.
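As an added example (not code from the article, nor from any API Management product), here is a minimal gateway-side authentication layer in Python that applies a per-route security policy of the kind described above: an API key that identifies the consuming application (stored hashed in the gateway's catalog) and an HS256 JWT whose algorithm, signature, expiry and audience are all verified before its claims are trusted. The routes, application names, API key, audience and shared secret are all constructed for the demo.

```python
import base64, hashlib, hmac, json, time
# Constructed sample data: app catalog keyed by SHA-256 of the API key, so a leaked catalog yields no usable secret.
APP_CATALOG = {hashlib.sha256(b"demo-key-123").hexdigest(): {"app": "mobile-app", "plan": "gold"}}
JWT_SECRET = b"constructed-shared-secret"   # in practice, pulled from the gateway's key store
AUDIENCE = "orders-api"                      # the API this gateway fronts
ROUTE_POLICY = {"/catalog": "api_key", "/orders": "jwt"}   # security policy per exposed API

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims):
    """Mint an HS256 token as the authorization server would (demo/test helper)."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def check_api_key(headers):
    """API-key policy: identifies the consuming application, never an end user."""
    key = headers.get("X-API-Key", "")
    return APP_CATALOG.get(hashlib.sha256(key.encode()).hexdigest()) if key else None

def check_jwt(headers, now=None):
    """JWT policy: verify alg, signature, expiry and audience before trusting claims."""
    auth = headers.get("Authorization", "")
    parts = auth[7:].split(".") if auth.startswith("Bearer ") else []
    if len(parts) != 3:
        return None
    try:
        if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
            return None                      # refuse alg=none and algorithm confusion
        expected = hmac.new(JWT_SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None                      # constant-time signature check
        claims = json.loads(_b64url_decode(parts[1]))
        now = time.time() if now is None else now
        if claims.get("exp", 0) <= now or claims.get("aud") != AUDIENCE:
            return None                      # expired, or issued for another API
        return claims
    except (ValueError, TypeError, AttributeError):
        return None                          # malformed base64, JSON or claim types

def authenticate(path, headers, now=None):
    """Gateway entry point: apply the route's policy; unknown routes are denied."""
    checks = {"api_key": lambda: check_api_key(headers), "jwt": lambda: check_jwt(headers, now)}
    check = checks.get(ROUTE_POLICY.get(path))
    return check() if check else None
```

Basic and API-key credentials travel with every request, so the gateway must terminate TLS in front of these policies; the JWT path also assumes the gateway shares the signing secret with the authorization server, which is why asymmetric signatures are usually preferred once several parties are involved.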
API governance
Historically, APIs are a means of communication between two types of software (you know that already, I guess). The Windows API is an example: it allows developers to create software with access to system files and services (we used to talk more about libraries and less about APIs). For some time now, the most informed players, such as the web giants, have gone beyond this technical framework and made APIs a real nervous system by offering new business models and additional sources of income.
It is therefore essential to approach the subject of API Management from two points of view: the technical (and security) point of view and the governance point of view. Both are equally important.
This second point deserves special attention because of its complexity and especially its importance. It generally requires a specific organization involving mature actors on APIs and having functional and organizational skills.
This governance must manage the following main points:
- Monitoring the life cycle of each API, from design to implementation.
- Monitoring API consumers and their subscriptions to APIs.
- Defining API standards and good practices.
- Managing the company's API heritage to keep it consistent.
- Acculturation and change support for the various actors of the company (see the article about the importance of training).
Choose your API Management solution
The API Management market grew rapidly in the early 2010s and continues to evolve at high speed. You have to take the time to choose your API Management solution. Several platforms are available on the market, in SaaS or on-premise, and each platform brings its own set of functionalities meeting different needs (types of exposure, monitoring, cache, PCI-DSS, mapping and transformation tools, etc.).
The question that arises is: should you take a solution from a software vendor or develop your own API management solution? If the decision is to take a vendor solution, carefully study each one to choose the solution that best meets your business needs and integrates easily into your ecosystem.
Several solutions are named as Leaders in the Gartner Magic Quadrant for Full Life Cycle API Management: Axway (French leader and premium partner of the API Thinking collective), Apigee, Mulesoft, IBM, Kong, Microsoft and Software AG.
These recommendations are broad guidelines to consider when you want to "API" your system. Seen from the start, the transformation seems deep and complicated. That said, you should avoid wanting to prepare too much before taking the plunge, by embarking on a global re-urbanization plan that defines a fully API-based IS from floor to ceiling without touching a line of code.
Start by identifying, together with the business, an opportunity requiring the creation of a very limited API:
- Having a narrow perimeter in a business area that you know, because relying on this knowledge simplifies the design of services (there's nothing more dangerous than defining services blindly when we do not know how they will be used).
- Interesting as many types of consumers as possible. Involve these consumers in the design to increase the chances of arriving at a generic API with tailored and composable services rather than one-shot, over-designed ones.
Then roll out this MVP (Minimum Viable Product) into production using agile methods. This will validate your approach, and the selected API management platform.
Conclusion
API Management plays an important role in the digital transformation of companies. Its implementation can be complex due to the technical aspects that must be understood. It is also complex due to the multitude of actors involved.
Technical Architect - API Management & Cloud (APIGEE, Azure, Axway, Akana), Digital Transformations | GCP Cloud Architect | Kubernetes | Node JS | Python
3y: Good content.
Sr Sales Director - Strategic Deals Europe at Axway
3y: Thank you Julien for this summary.
Architect Enterprise - Solution for IS / IT in Digital-Cloud-Security
3y: info from Me at ApiZen.org : APIM Market Research
Architect Enterprise - Solution for IS / IT in Digital-Cloud-Security
3y: info from Me at ApiZen.org : APIM Data Model
Architect Enterprise - Solution for IS / IT in Digital-Cloud-Security
3y: info from Me at ApiZen.org : APIM overview & Standard