31 August 2020
What is an API?
API stands for Application Programming Interface, which is a software service that allows applications to talk to each other. For instance, each time you use an app like Facebook, send an instant message or check the weather on your phone, you’re using an API.
Adopting digital API strategies is crucial for every business that wants to stay competitive in the market, and it helps organisations reduce cost, use resources efficiently, improve customer experience, and more.
In modern IT, APIs are the foundation for turning manual or non-digital processes into digital ones and running them.
Selecting the right set of API strategies helps to achieve an organisation's digital success, whereas inappropriate strategies lead to slowed or, in some cases, reversed progress.
In this article, we’ll walk through some key strategies and recommendations for setting up an API Team, Platform, Architecture, Security, Governance, Documentation, Auditing, Delivery Pipeline and Metrics.
Setting up API strategies and teams
The API Team is the core of any new API initiative. The main goal of the team is API development and related activities, with a focus on enabling agile API development using the organisation's design principles and guidelines. A successful API Team consists of the following roles:
- API Team Leader: This person leads the API Team. They should be a businessperson managing a technical product, who thinks of their APIs as products and iterates on them based on feedback from their developer customers.
- API Architect: This person guides the creation of initial APIs, as well as the development and testing of best practices for API design. An architect can also join in development.
- API Analyst: This person is responsible for reaching out to the consumers of API products. They support the developers, monitor their progress, answer their questions, and bring feedback to the rest of the API team and the business.
- API Developer: This person should know what modern app developers want and need in order to produce great apps quickly from a set of intuitive, highly consumable APIs. They need to be well-acquainted with the API platform in order to implement the proper security, traffic management, and other policies that secure and scale the APIs according to the organisation's standards.
Instead of having many siloed API teams, a central team is the best way to start for most organisations. The API development skills should become universal throughout the company. When many developers are skilled at creating and consuming APIs, the organisation gains benefits in terms of faster development time and market agility.
Selecting an appropriate API platform
An API platform is a system for efficiently and effectively managing APIs. Its features span design and development, publishing and operations, monitoring and analysis.
API platforms help enterprises grow networks of APIs and consumers. They enable the secure sharing of data and services through policies and other components, help developers adapt quickly to the API environment, and let them start benefiting from those networks.
Selecting an appropriate platform saves time. Below are the recommended factors to evaluate when selecting an API platform:
- Capability analysis:
Capability analysis helps to understand whether the API platform will meet the requirements. Before choosing an API platform, a detailed capability analysis is a must.
- Platform reliability:
Platform reliability refers to the quality of the software being brought into the organisation; vendors' platforms and services should therefore be carefully analysed for reliability issues as one of the key factors.
- Cost:
The cost of installing and running a platform should be estimated up front. This helps organisations plan and budget for the platform's capital and operational costs. Many licensing options are available, and each vendor has its own licensing model and terms, for example open source, per core, per API or per number of API calls. Each licensing model has its own costing model.
- Ease of use:
The API platform will be used by different users such as developers, administrators, analysts, API managers, consumers and partners. Ease of use should be evaluated from each user's perspective to ensure the appropriate platform is chosen.
- Simple Implementation:
Implementation methods (on-premises, hybrid, cloud and software as a service) vary from vendor to vendor. Some platform implementations require infrastructure to be set up, others are provided as software as a service (SaaS). To save cost and time, consider things like existing systems, current and future API requirements, and data compliance.
- Ease of integration:
API services connect with different systems to fetch and process data. Systems such as ERP, ITSM, data lakes and IoT devices may be enabled via APIs as a service. Integrating these systems should be straightforward and quick.
- Performance and scalability:
Platform performance and scalability are vital in deciding the success of the API Program.
- Maintenance and support:
Platform installation is a one-off activity, but maintenance and support activities are ongoing at regular intervals. There are many things to consider, such as patching, support contracts and SLAs for tickets.
- Data compliance:
Large organisations operate in multiple countries. When data moves from one country to another, it must comply with the data privacy laws of each jurisdiction; failing to do so results in fines and other legal action against the organisation. Therefore, careful consideration must be given to how well the platform and its features comply with the data privacy laws of the different countries involved.
Some of the leading API Platforms include:
Architecture style selection
There are many architecture styles available for designing APIs, but choosing the right one solves the most commonly experienced integration problems and helps to build API networks quicker.
The API-led connectivity approach is one of the most popular architectural styles and evolved from traditional SOA (service-oriented architecture). This approach packages underlying connectivity and orchestrates services as easily discoverable and reusable building blocks, exposed by APIs. It also splits the building blocks into three layered components, as depicted in the image below:
- System / Core Layer: The underlying IT landscape consists of core systems of record, which are often not easily accessible due to connectivity constraints. System APIs hide the complexity of accessing these systems of record and expose their data. Examples are ERP systems, databases, and sales and order processing systems.
- Process / Integration Layer: The underlying business processes that interact with and shape data should be strictly encapsulated, independently of the source systems from which the data originates and of the target channels through which that data is delivered. For example, in a purchase order process there is some logic that is common across products, geographies and retail chains.
- Experience / Edge Layer: Data is consumed by different channels, each of them wants the same data in a different form. For example, POS systems, e-commerce sites, and mobile shopping applications may all want to access the same customer information fields, but each will require that information in very different formats.
The three-layered structure allows for a seamless flow of data from systems of record to new experiences and allows for the reusability of assets rather than point-to-point connections. This approach provides a distributed and tailored approach to architecture, greater flexibility through loose coupling, and deeper operational visibility into what is being built.
API security
In a digital business, APIs are the reusable interfaces that expose data for web, mobile, cloud and IoT based applications, hence they become a target for attackers. Securing APIs is mandatory for preventing malicious attacks on, or misuse of, the APIs.
API security relies heavily on authentication and authorisation. Authentication is the first step in API security. It refers to verifying that the client application possesses a valid identity and is permitted to use the API. Authorisation is the subsequent step of determining what data and actions an authenticated application may access while interacting with the API.
In addition to properly implementing a secure authentication and authorisation system, APIs should be developed with other protective features to reduce the system’s vulnerability to malicious attacks during API calls. Below are some recommended protective features:
- OAuth / Token implementation
- IP Whitelist / Blacklist
- JSON Threat Protection
- XML Threat Protection
- Rate Limiting and Throttling
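As an added illustration, not code from the original article, here is a minimal JSON threat-protection check of the kind a gateway policy applies before a request reaches the API's business logic. The limits and the sample payloads are constructed for the example.

```python
import json

# Constructed limits for the example; a real gateway policy makes these configurable per API.
LIMITS = {"depth": 5, "array_len": 100, "object_keys": 50, "string_len": 1024, "body_bytes": 65536}

# Constructed sample payloads: a normal order and one nested far beyond the depth limit.
SAMPLE_OK = b'{"order_id": "A-1", "items": [{"sku": "X1", "qty": 2}]}'
SAMPLE_DEEP = b"[" * 20 + b"]" * 20


def _walk(node, depth):
    """Return a reason string for the first violated limit, or None if the node is fine."""
    if depth > LIMITS["depth"]:
        return "nesting too deep"
    if isinstance(node, dict):
        if len(node) > LIMITS["object_keys"]:
            return "too many object members"
        for key, value in node.items():
            if len(key) > LIMITS["string_len"]:
                return "key too long"
            reason = _walk(value, depth + 1)
            if reason:
                return reason
    elif isinstance(node, list):
        if len(node) > LIMITS["array_len"]:
            return "array too long"
        for value in node:
            reason = _walk(value, depth + 1)
            if reason:
                return reason
    elif isinstance(node, str) and len(node) > LIMITS["string_len"]:
        return "string too long"
    return None


def check_json_threats(body: bytes):
    """Gateway-style check run before business logic: returns (allowed, reason).

    Size is checked before parsing so an oversized body never reaches the parser.
    RecursionError is caught because Python's json module recurses on nesting, so an
    extremely deep payload can fail inside json.loads itself rather than in _walk.
    """
    if len(body) > LIMITS["body_bytes"]:
        return False, "body too large"
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):
        return False, "malformed or unparseable JSON"
    reason = _walk(doc, 1)
    return reason is None, reason or "ok"
```

A request that fails the check should be rejected with a generic client error before any backend system is called, so the rejection itself stays cheap.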
Guidelines to define governance
Governance is not a nice-to-have but rather a must-have. Governance at different stages of API lifecycle provides the following benefits:
- Protection for organisations from security and compliance risks.
- Standardisation on each aspect of the API and application life cycle.
- Optimisation of shared tasks across different teams.
- Minimisation of errors and an increase in efficiency in development, deployment, and release process.
- Acceleration of software delivery speed.
The primary goal of API governance is consistency, which in turn saves time and money. Below are the key factors that should be considered while defining governance:
- Keep policies separate from the APIs, in a central place, so they can be reused across APIs
- A consistent and reusable contract request and approval process
- Standardised APIs that follow defined style guidelines
- Versioning of APIs, which helps to track and maintain different versions
- A deprecation policy
- Automated documentation and tracking processes
- A service discovery portal process
Key documentation that should be covered
Well-documented APIs help users quickly adopt and understand the API's functionality and improve reusability. Regardless of an API's functionality, there are some basic documents that should be included:
- API Summary:
The summary helps API consumers understand what the API does, who should use it, and why they should use it. This high-level understanding is important for the consumer to quickly grasp the complete API service.
- An Authentication Scheme:
The authentication part of the documentation should clearly explain to the consumer what kind of authentication is used and how to get access. Some of the commonly used authentication methods include Basic, Bearer token, API key enforcement and OAuth.
- Endpoints:
Endpoints are the communication channel between two systems, so they should be clearly documented for each environment, such as Development and Production.
- HTTP / HTTPS Protocol:
This portion of the documentation explains which protocol (HTTP or HTTPS) the API uses, and whether the consumer needs to manually install an SSL certificate.
- URI Definition:
The URI definition helps the consumer understand the structure of the URI (Uniform Resource Identifier) used to address the API's resources.
- Method Descriptions:
A human-readable method description explains to consumers what the method does and includes the request and response model types.
- Requests Structure and Examples:
This documentation step explains the details of the request model, what the parameter fields are and what their data types are.
Audit strategy
Regular audits are essential to make sure APIs are being developed and governed according to organisational standards. Audits should be conducted at a regular interval, every 3 or 6 months depending on the organisation's audit policy.
Having a checklist of standards, processes and governance items to validate helps the auditor complete the audit faster. Here are the key checklist areas to validate against:
- Development and Delivery Process
- Development standards and best practices
- API Security
- API Policies
Delivery pipeline setup
Building API networks as part of a digital transformation may require many APIs to be newly developed, migrated or enhanced, so a growing number of APIs need to be built and deployed to various environments using the organisation's API development life cycle and deployment processes.
Most organisations follow an agile development methodology to speed up delivery. Doing the build and deployment process manually would be unmanageable, time-consuming and error-prone, and would require more people to perform the repeated tasks.
Automating the process with an available DevOps toolchain, with proper controls in place, helps the organisation avoid the pitfalls of manual processes.
Below are the high-level steps to implement while setting up a continuous build and delivery pipeline for APIs:
Automated Build Trigger
- Code Quality Verification
- Automated Unit/Functional Testing
- Code Build and Package
- Publish Artifact to Repository
Automated Deployment Trigger
- Dev Deployment
- Pre-Approval to QA
- QA Deployment
- Pre-Approval to PRD
- Production Deployment
Metrics
Key Performance Indicator (KPI) metrics are used to evaluate digital success, so the right set of metrics needs to be part of the evaluation.
However, some measures are ineffective. For example, the most common question management asks is how many APIs are in development; a metric like that adds no value as a KPI.
These are the recommended metrics:
- API Delivery Speed
- API Onboarding Speed
- Number of products sharing the APIs
- Number of active consumers
- Cost reduction
- End-user experience
- API Traffic Growth
Many factors play a role in achieving digital success, but APIs are the foundation. In this article we described the key API strategies: setting up an API team, selecting an API platform, choosing an architecture style, defining governance, security and documentation, guidelines for setting up the delivery pipeline, an audit strategy and metrics. The recommendations in this article will help build a better API environment for an organisation aiming to achieve digital success.
See our services to find out how Integrove can help you with your organisation’s digital transformation.