Are the application architects and senior software developers on the IT team starting to feel like consumerization, mobile development trends and BYOD forces are causing their APIs to grow out of control? If they're thinking it, then it is probably happening, which means it's time to start putting some governance in place to deal with the API issue.
API governance is getting bigger
Governance is a complex and challenging area – now more than ever when so many applications run in the cloud and on mobile devices. Mike Amundsen (@mamund), Principal API Architect at Layer 7 Technologies, says a lot of people think too small when it comes to API and SOA governance. Access and endpoint security is only part of the picture. You also have to consider other questions:
- Who are your users and what are they using?
- How are they accessing your APIs?
- Which partners are driving a lot of traffic to your system?
- Which ones do you have SLAs with and what is the status of those agreements?
When you know what questions to ask, you can collect the data you need to iterate and improve your APIs. As APIs are deployed to the cloud and mobile, the stuff you track changes. You have a larger surface with more SOA endpoints. For example, in the past you might have created an API in house for internal use. But now, you might be deploying in the cloud for access by partners at distant geographic locations or even individual external developers at startup firms. A bigger space means more tools, which Layer 7 is happy to help enterprises select and implement.
BYOD solutions that put the enterprise in control
Consumerization and BYOD trends are prompting enterprises to make more and more APIs mobile-accessible. However, that doesn't mean an organization should let individual device users determine the security level of data by how difficult it is to guess their smartphone's password. Amundsen points out that enterprises actually have many options at their disposal to manage how data is accessed and used on employee-owned mobile devices.
- At the device level, data can be remotely removed if a phone or tablet is lost. Of course, this assumes the loss is reported promptly.
- The organization can use "sandboxes" that allow apps to run in a safe, protected environment where they do not affect (and are not affected by) other apps running on the same device. This is especially important when you don't know what apps employees might download and how these apps might interact with enterprise APIs.
- All devices can be routed through proxy tools. These scrub or protect company data so it can't be easily shared or exposed (either unintentionally or on purpose) via social media and other platforms.
- Finally, an enterprise can architect its own APIs to follow the rules and guidelines that support best security practices in the first place.
Find out what you don't know
Amundsen describes the assessment process during the typical client engagement as beginning with a set of questions. Each question helps illuminate what the company is trying to achieve. What tools do they have in place already? Do they have devices, users, or APIs they want to manage?
With this information, Layer 7 can offer the tools that will allow the client to find out what is really going on with their systems. That way, they aren't blindsided 6-12 months down the road when a hidden security issue comes to light. According to Amundsen, one of the most effective tools is the SecureSpan Gateway, which lets you monitor, collect, inspect, export, and analyze all the data flowing through your network's web connection. Of course, SecureSpan is a Layer 7 technology, so Amundsen might be a little biased, but it is nevertheless one example of an excellent monitoring tool that can help organizations manage difficult tasks and provide insightful information. Then, with this information, organizations can make informed decisions about what to change. Enterprise architects and senior software engineers don't have to worry about the expanding scope of API governance when they have the right implements to help whittle the challenge down to size.
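The governance questions earlier in the article (who the users are, how they reach the APIs, which partners drive traffic, and whether SLAs are being met) and the gateway monitoring described just above both come down to the same thing: turning raw access-log data into per-consumer figures. The script below is an added example, not code from the article or from Layer 7, and does not use SecureSpan; it parses a constructed, hypothetical gateway log format and the SLA thresholds (`SLA_TARGETS`) are made-up values chosen to show one breached and one satisfied agreement.

```python
"""Added example: aggregate constructed API gateway access-log lines into the
per-consumer figures the governance questions ask for (who calls what, with
which credentials, who drives traffic, and whether SLA targets are met).
The log format and SLA numbers are hypothetical, not any vendor's format."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines. Hypothetical format:
#   timestamp client method path status latency_ms auth_method
SAMPLE_LOG = """\
2013-05-01T10:00:01Z acme-corp GET /v1/orders 200 120 oauth2
2013-05-01T10:00:02Z acme-corp GET /v1/orders 200 95 oauth2
2013-05-01T10:00:03Z acme-corp POST /v1/orders 201 340 oauth2
2013-05-01T10:00:04Z startup-dev GET /v1/catalog 200 80 apikey
2013-05-01T10:00:05Z acme-corp GET /v1/orders 500 1500 oauth2
2013-05-01T10:00:06Z startup-dev GET /v1/catalog 429 5 apikey
2013-05-01T10:00:07Z mobile-app GET /v1/profile 200 60 oauth2
2013-05-01T10:00:08Z mobile-app GET /v1/profile 200 70 oauth2
2013-05-01T10:00:09Z acme-corp GET /v1/orders 200 110 oauth2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<latency>\d+) (?P<auth>\S+)$"
)

# Hypothetical SLA targets per partner: p95 latency ceiling (ms) and
# maximum tolerated server-error rate.
SLA_TARGETS = {
    "acme-corp": {"p95_ms": 500, "max_error_rate": 0.10},
    "mobile-app": {"p95_ms": 200, "max_error_rate": 0.01},
}


@dataclass
class ClientStats:
    requests: int = 0
    errors: int = 0                      # HTTP 5xx responses
    latencies: list = field(default_factory=list)
    endpoints: set = field(default_factory=set)     # "what are they using"
    auth_methods: set = field(default_factory=set)  # "how are they accessing"


def parse_log(text):
    """Fold log lines into one ClientStats per client identifier."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the report
        s = stats[m["client"]]
        s.requests += 1
        s.latencies.append(int(m["latency"]))
        s.endpoints.add(f"{m['method']} {m['path']}")
        s.auth_methods.add(m["auth"])
        if int(m["status"]) >= 500:
            s.errors += 1
    return dict(stats)


def percentile(values, pct):
    """Nearest-rank percentile over a small sample (no interpolation)."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]


def sla_report(stats, targets):
    """Return 'ok', 'breached' or 'no traffic' per partner with an SLA."""
    report = {}
    for client, target in targets.items():
        s = stats.get(client)
        if s is None or s.requests == 0:
            report[client] = "no traffic"
            continue
        p95 = percentile(s.latencies, 95)
        err_rate = s.errors / s.requests
        ok = p95 <= target["p95_ms"] and err_rate <= target["max_error_rate"]
        report[client] = "ok" if ok else "breached"
    return report


def top_talkers(stats, n=3):
    """Clients ordered by request volume, busiest first."""
    return sorted(stats, key=lambda c: stats[c].requests, reverse=True)[:n]


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for client in top_talkers(stats):
        s = stats[client]
        print(client, s.requests, "requests via", sorted(s.auth_methods),
              "to", sorted(s.endpoints))
    print(sla_report(stats, SLA_TARGETS))
```

Running it lists acme-corp as the busiest consumer and flags its SLA as breached (one 5xx out of five calls and a 1500 ms outlier), while mobile-app stays within its targets; startup-dev has no SLA and is simply reported for volume. In a real deployment the same aggregation would run over the gateway's exported records rather than an inline string, and the thresholds would come from the actual agreements with each partner.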
Listen to Layer 7's Mike Amundsen talk to Cameron McKenzie about the ins and outs of creating a beautiful software API: Effective API development: How to create a beautiful Java API