Does my organization need API management? What to expect from it?

Chathura Ekanayake
6 min read · Dec 2, 2021

Almost all organizations attempt to undertake digital transformation initiatives to improve their operations along various aspects such as delivery time, customer experience, costs, internal collaboration, etc. In order for digital transformation to succeed, organizations need to automate their business processes as much as possible. These processes can be sales processes, internal procurement processes, employee on-boarding processes, shipment processes, etc. As such business processes consume services from internal entities (e.g. business units, data sources, branches, etc.) as well as from external parties, all such services need to be available as APIs in order to be used by automated business processes.

The percentage of services available as APIs directly impacts the percentage of operations that can be digitally transformed.

As this necessitates most of the critical business functions and data to be exposed as APIs, it is necessary to enforce a proper governance structure on all APIs. Such a governance structure on APIs can be considered along multiple aspects:

  • API security
  • API usage control
  • Governance of API creation process
  • Governance of API consumption process
  • API insights
  • Centralized management of the API ecosystem

Implementation of this governance structure is essentially what we do with API management. Below, we will look at each of those aspects in a bit more detail.

API Security

APIs exposed by an organization may need to be accessed by multiple groups such as:

  • General public (e.g. customers of a retail store, citizens using digital services offered by a government agency)
  • Limited set of external groups (e.g. suppliers, audit firms, logistics companies)
  • Internal entities of the organization (within the organization, access to some APIs may have to be restricted to certain business units, branches, user groups, etc)

A major function of API security is to limit API access to such relevant groups only. However, in order to control access, it is necessary to identify who is trying to invoke an API. This process of API consumer authentication is another key area of API security.

Security policies applied to three APIs for different applications and users. E.g. API 2 can be accessed from App 2, but not from App 1. In addition, API 2 limits access to User 2 and User 3 only.

In addition to the above aspects, there are many other areas we need to consider in API security, which include:

  • Incorporating users maintained in existing identity management systems and user bases into the API ecosystem
  • Passing user information to backend systems in a secure manner
  • Detecting and blocking possible malicious content sent with API calls
  • Enforcing network-level security to prevent possible exposure of internal systems
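The two decisions described above, identifying the calling application and then checking both the app-level and the user-level policy, can be written as one deny-by-default function. The following is an added example, not code from the article or from any API management product; the API keys, the app names and the policy table are constructed to mirror the figure (API 2 reachable from App 2 only, and only by User 2 and User 3).

```python
"""Deny-by-default access control for an API call, keyed on the calling
application and the end user. Added illustration; the policy table and
credentials are constructed to mirror the figure described above."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed: SHA-256 digests of API keys issued to registered apps.
# A gateway stores digests, never the raw keys.
APP_KEY_DIGESTS: Dict[str, str] = {
    hashlib.sha256(b"app1-secret-key").hexdigest(): "App 1",
    hashlib.sha256(b"app2-secret-key").hexdigest(): "App 2",
}


@dataclass(frozen=True)
class ApiPolicy:
    allowed_apps: FrozenSet[str]
    # None means any authenticated user of an allowed app may call the API.
    allowed_users: Optional[FrozenSet[str]] = None


# Constructed policies: API 2 is reachable from App 2 but not App 1,
# and only by User 2 and User 3.
POLICIES: Dict[str, ApiPolicy] = {
    "API 1": ApiPolicy(allowed_apps=frozenset({"App 1", "App 2"})),
    "API 2": ApiPolicy(allowed_apps=frozenset({"App 2"}),
                       allowed_users=frozenset({"User 2", "User 3"})),
    "API 3": ApiPolicy(allowed_apps=frozenset({"App 1"}),
                       allowed_users=frozenset({"User 1"})),
}


def authenticate_app(api_key: str) -> Optional[str]:
    """Resolve a presented API key to an app identity.

    Digests are compared with hmac.compare_digest so a wrong key takes
    the same time whichever stored digest it fails against."""
    presented = hashlib.sha256(api_key.encode("utf-8")).hexdigest()
    for stored, app in APP_KEY_DIGESTS.items():
        if hmac.compare_digest(stored, presented):
            return app
    return None


def authorize(api: str, api_key: str, user: Optional[str]) -> Tuple[bool, str]:
    """Decide whether this app/user pair may call `api`.

    Every failure path returns a denial; only a fully matched policy
    returns True, so an unknown API or app is refused by default."""
    app = authenticate_app(api_key)
    if app is None:
        return False, "unknown application credential"
    policy = POLICIES.get(api)
    if policy is None:
        return False, f"no policy registered for {api}; denied by default"
    if app not in policy.allowed_apps:
        return False, f"{app} is not allowed to call {api}"
    if policy.allowed_users is not None:
        if user is None:
            return False, f"{api} requires an authenticated user"
        if user not in policy.allowed_users:
            return False, f"{user} is not allowed to call {api}"
    return True, f"{app} acting for {user or 'no user'} may call {api}"


if __name__ == "__main__":
    for call in [("API 2", "app2-secret-key", "User 2"),
                 ("API 2", "app1-secret-key", "User 2"),
                 ("API 2", "app2-secret-key", "User 1"),
                 ("API 1", "app1-secret-key", None)]:
        print(call, "->", authorize(*call))
```

The reason string is what a gateway would write to its audit log; the caller only needs the boolean, and a production deployment would return a generic 401/403 rather than echoing which check failed.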

API Usage Control

Even after authenticating and authorizing API consumers, it is usually necessary to control how APIs are accessed. For example, we may want to limit the number of API calls made to our key business services.

Such API usage policies can be enforced at various levels:

  • Restrict number of calls to an API
  • Restrict number of calls to certain methods of an API
  • Restrict number of calls that can be made by an application
  • Restrict number of calls that can be made by a given user
  • Restrict number of calls that can be made within a single session

Rate limiting policies applied to two APIs for different applications. E.g. Finance API allows 200 API calls per hour to be made from the internal portal, but only allows 20 API calls per hour from the company’s mobile app. At the same time, HR API allows 1000 API calls per hour from the same mobile app.

In addition, it may be necessary to restrict access to APIs to certain time periods, locations, user devices, etc., which also needs to be considered under API usage control.
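The levels listed above (per API, per application, per user) can be enforced by one rate limiter that checks every applicable quota before it consumes any of them, so a call rejected at the user level does not eat into the application's quota. The following is an added example, not code from the article or from any API management platform; the quotas mirror the figure (Finance API: 200/hour from the internal portal, 20/hour from the mobile app; HR API: 1000/hour from the mobile app), and the API-level ceiling of 500/hour and the per-user quota of 5/hour are constructed assumptions. It uses fixed windows; a sliding window or token bucket would plug into the same check-then-increment structure.

```python
"""Fixed-window rate limiting at the API, application and user levels.
Added illustration, not the article's or any vendor's code; the limits
are constructed to mirror the figure described above."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Limit:
    calls: int            # maximum calls per window
    window_seconds: int   # window length; 3600 = per hour


# Constructed: ceiling for an API regardless of who calls it.
API_LIMITS: Dict[str, Limit] = {"Finance API": Limit(500, 3600)}
# Constructed: per-(API, app) quotas, as granted by the subscription.
APP_LIMITS: Dict[Tuple[str, str], Limit] = {
    ("Finance API", "Internal Portal"): Limit(200, 3600),
    ("Finance API", "Mobile App"): Limit(20, 3600),
    ("HR API", "Mobile App"): Limit(1000, 3600),
}
# Constructed: per-user quota applied on top of the app quota.
USER_LIMITS: Dict[str, Limit] = {"Finance API": Limit(5, 3600)}


class RateLimiter:
    """Counts calls per key in fixed windows. `now` is a Unix timestamp
    passed in explicitly so behaviour is deterministic and testable."""

    def __init__(self) -> None:
        # key -> (window_start, count)
        self._counters: Dict[Tuple, Tuple[int, int]] = {}

    def _count(self, key: Tuple, limit: Limit, now: int) -> int:
        window_start = now - now % limit.window_seconds
        start, count = self._counters.get(key, (window_start, 0))
        # A counter from an earlier window is stale and starts over at 0.
        return count if start == window_start else 0

    def _increment(self, key: Tuple, limit: Limit, now: int) -> None:
        window_start = now - now % limit.window_seconds
        self._counters[key] = (window_start, self._count(key, limit, now) + 1)

    def allow(self, api: str, app: str, user: Optional[str], now: int) -> Tuple[bool, str]:
        app_limit = APP_LIMITS.get((api, app))
        if app_limit is None:
            # No subscription means no quota at all, so the call is refused.
            return False, f"{app} has no quota for {api}"
        checks: List[Tuple[Tuple, Limit]] = [(("app", api, app), app_limit)]
        if api in API_LIMITS:
            checks.append((("api", api), API_LIMITS[api]))
        if user is not None and api in USER_LIMITS:
            checks.append((("user", api, user), USER_LIMITS[api]))
        # Check every level first so a rejected call consumes no quota.
        for key, limit in checks:
            if self._count(key, limit, now) >= limit.calls:
                return False, (f"{key[0]}-level limit of {limit.calls}/"
                               f"{limit.window_seconds}s exceeded for {key[1:]}")
        for key, limit in checks:
            self._increment(key, limit, now)
        return True, "allowed"


if __name__ == "__main__":
    limiter = RateLimiter()
    t0 = 1_638_439_200  # constructed timestamp
    for i in range(22):
        ok, why = limiter.allow("Finance API", "Mobile App", None, t0 + i)
        print(f"call {i + 1:2d}: {ok} {why}")
```

Returning the level that tripped is useful for the gateway's own logs and for a `Retry-After` style response; it is also what API insights (below) would aggregate to show which consumers keep hitting their quota.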

Governance of API creation process

As we discussed earlier, APIs expose an organization’s critical operations and data. Therefore, it is necessary to govern various aspects of the API creation process, in order to ensure that all APIs are aligned with organizational policies. Controls that we can enforce for the creation process include:

  • Who can publish APIs
  • Who can view and edit APIs
  • Which steps need to be followed for publishing an API
  • Documentation that need to be associated with each API
  • Whether or not an internal review is needed for an API
  • Approval steps needed for publishing an API (e.g. API must be approved by team lead and head of business unit)
  • How to maintain multiple versions of APIs and facilitate smooth migration for consumers

Example governance policies applied to the API creation process. Relevant business data and documentation need to be associated with all APIs. In addition, any API published by the HR department has to be approved by the HR director. Currently, the Finance department has published a new version of their API, so that both versions are available in the platform. However, according to the versioning policies of the platform, it may be possible to block any new users from viewing or using the old version.

API management platforms provide such governance features in an extensible manner, as the exact controls required and the details of those controls are highly dependent on organizational policies.

Governance of API consumption process

Depending on an organization’s business model and scale, APIs may be consumed by a large number of internal and external entities. Therefore, a proper governance process also needs to be established to control different steps of the API consumption process. Under this, we can consider:

  • How to onboard API users (e.g. self sign up, manually onboard each user after an off-line registration process)
  • How to register consumer apps/systems in the API platform (which documents/details need to be provided, whether or not approval steps are required, etc)
  • Who can view and consume APIs
  • Which steps need to be followed for subscribing to an API
  • Which usage quotas are available for different apps/systems
  • How to upgrade/downgrade usage quotas

Again, API management platforms need to be flexible in this aspect as exact controls can vary.

Example governance policies applied to the API consumption process. When a new user signs up with the platform, associated policies check whether all required information is provided and trigger a management approval step. Similarly, whenever a new application is registered, all details will be validated and an approval task for the API owner will be triggered. In addition, API visibility controls are applied to different user groups, where suppliers can only view the “Operations API” and audit firms can only view the “Finance API”.

API insights

Once most of the services are exposed as APIs and digital business processes utilize those APIs extensively, monitoring and analysis of API usage can provide valuable insights about the organization.

These can include:

  • Usage amount of different APIs
  • Apps/systems that use a given API
  • Users who have used a given API
  • All APIs used by an application
  • Apps that depend on a given API
  • Delays introduced by different APIs
  • Variations of API usage over time
  • Faults/errors caused by a given API

API insights dashboard provided in the Choreo iPaaS

Furthermore, it is possible to associate alerts with various API usage metrics, so that relevant users will be notified about critical events in the API ecosystem. For example, an API’s technical owner needs to be notified if an API causes a delay of more than 100 milliseconds.
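Most of the insights listed above, and the latency alert just described, can be derived from the gateway's access log alone. The following is an added example, not code from the article or from the Choreo platform; the log format and the eight log lines are constructed for the example (one malformed line is included to show that unparseable input is skipped rather than trusted). It computes usage per API, the apps and users behind each API, the APIs each app depends on, 5xx faults per API, and flags any API whose median latency in the sample exceeds 100 ms.

```python
"""Derive API usage insights and a latency alert from access-log lines.
Added illustration, not the article's code or any platform's dashboard
logic; the log format and entries are constructed for the example."""
import re
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample of gateway access-log lines.
SAMPLE_LOG = """\
2021-12-02T10:00:01Z api="Finance API" app="Internal Portal" user="u1" status=200 latency_ms=42
2021-12-02T10:00:02Z api="Finance API" app="Mobile App" user="u2" status=200 latency_ms=150
2021-12-02T10:00:03Z api="HR API" app="Mobile App" user="u2" status=500 latency_ms=30
2021-12-02T10:00:04Z api="Finance API" app="Internal Portal" user="u3" status=403 latency_ms=12
2021-12-02T10:00:05Z api="HR API" app="Mobile App" user="u4" status=200 latency_ms=25
2021-12-02T10:00:06Z api="Finance API" app="Mobile App" user="u2" status=200 latency_ms=130
2021-12-02T10:00:07Z api="Operations API" app="Supplier Portal" user="s1" status=200 latency_ms=80
2021-12-02T10:00:08Z api="Finance API" app="Internal Portal" user="u1" status=200 latency_ms=110
not a log line at all
"""

# Constructed log format: one key="value" pair per field, strict anchors.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) api="(?P<api>[^"]+)" app="(?P<app>[^"]+)" '
    r'user="(?P<user>[^"]*)" status=(?P<status>\d{3}) latency_ms=(?P<latency>\d+)$'
)


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse lines matching LOG_RE; malformed lines are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec: Dict[str, object] = m.groupdict()
            rec["status"] = int(m.group("status"))
            rec["latency"] = int(m.group("latency"))
            records.append(rec)
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Aggregate the insights listed in the article from parsed records."""
    summary = {
        "calls": Counter(),                 # usage amount per API
        "faults": Counter(),                # 5xx answers attributed to the API
        "apps_per_api": defaultdict(set),   # apps/systems that use an API
        "users_per_api": defaultdict(set),  # users who have used an API
        "apis_per_app": defaultdict(set),   # all APIs an application depends on
        "latency_ms": defaultdict(list),    # delays introduced by each API
    }
    for r in records:
        api, app = str(r["api"]), str(r["app"])
        summary["calls"][api] += 1
        if int(r["status"]) >= 500:
            summary["faults"][api] += 1
        summary["apps_per_api"][api].add(app)
        summary["users_per_api"][api].add(str(r["user"]))
        summary["apis_per_app"][app].add(api)
        summary["latency_ms"][api].append(int(r["latency"]))
    return summary


def latency_alerts(records: List[Dict[str, object]],
                   threshold_ms: float = 100) -> List[Tuple[str, float]]:
    """APIs whose median latency in the sample exceeds the threshold:
    the event the article's technical owner would be notified about."""
    summary = summarize(records)
    alerts = []
    for api, samples in summary["latency_ms"].items():
        m = median(samples)
        if m > threshold_ms:
            alerts.append((api, m))
    return sorted(alerts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs)
    print("calls per API:", dict(s["calls"]))
    print("faults per API:", dict(s["faults"]))
    print("APIs per app:", {k: sorted(v) for k, v in s["apis_per_app"].items()})
    print("latency alerts:", latency_alerts(recs))
```

Using the median rather than a single slow call keeps one outlier from paging the owner; a real dashboard would evaluate this over a rolling time window and add the trend view (usage over time) that a fixed sample cannot show.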

Centralized management of the API ecosystem

It may be necessary to make APIs available to different consumer groups via multiple deployments, sometimes in different geographical locations. Such deployments could be:

  • Separate API deployments for internal and external consumers
  • Multiple API deployments across two or more data centers
  • Separate API deployments in different states/countries to serve geographically distributed user bases

APIs deployed across such multiple deployments need to be centrally managed with centralized control over API creation, usage, policy enforcement, monitoring, etc.

Although this is not an exhaustive list, we tried to cover some key areas that an organization can expect from API management projects. Most API Management platforms provide support for these areas, although the level of support may vary. It is necessary to identify which areas and features are important for a particular organization and evaluate API management platforms against those.
