We have previously discussed the importance of APIs to the business and their place as layer 8 in the traditional technology stack. Today we are discussing the value of APIs and the ways in which business and technology use them. This is not just about APIs being used to exchange data. Well-defined APIs describe processes, both business and operational, that can be automated and bring new efficiencies to the way we grow and run our business. Well-defined APIs are digital representations of the business and open up opportunities for new markets and business models.

This is important because the processes described by APIs (both business and operational) are tied to two very important concepts in the digital world: ecosystems and marketplaces. It's not hard to see that much of the digital economy today is driven by APIs. APIs enable sellers to participate in marketplaces. These marketplaces are the shopping malls of the digital age, bringing together different sellers in a single, accessible location for the convenience of shoppers. Ultimately, this is made possible through APIs.
Even outside of digital malls, there is a growing ecosystem that enables independent businesses to participate in the digital economy. Delivery services, transportation, and restaurants are all increasingly using APIs to become part of a digital ecosystem that enables consumers to purchase and pay for goods and services with their phones from the comfort of their homes.

According to our estimates, the number of APIs worldwide (public or private) is approaching 200 million. APIs are also growing at an exponential rate within the enterprise. Whether it is to enable infrastructure as code or automate development and deployment pipelines, or as the primary means of integration between microservices, monoliths, and mobile phones, APIs are proliferating at an astonishing rate. While this is all good news, enabling businesses of all sizes and shapes to participate in the digital economy, it can also have consequences if APIs are not viewed as strategic assets.

Managing a growing API portfolio

As APIs continue to grow in popularity, it will become increasingly difficult for enterprises to effectively manage and control them. There are multiple considerations where governance is needed, including:

Version management. This includes APIs becoming obsolete over time. Mismatches in API versions and functionality can lead to disrupted processes and poor customer experiences. Failed transactions due to outdated APIs provided to financial institutions, including payment processors, can result in denial of access when persistent failures of the called code are flagged as fraudulent. Supply chain breakdowns can wreak havoc on service reliability, subsequently negatively impacting the entire business. APIs are contracts, and as such, both consumers and providers have designated responsibilities.
Enterprises need to explicitly manage API versions with an eye toward clear communication, and if rollout of updates takes a significant amount of time, the ability to support multiple versions simultaneously is required. Clear documentation and communication are critical to the success of API ecosystems and markets.

Access Control. The ability to accurately identify the user of an API is critical to protecting against fraud and abuse. This is especially important in ecosystems where communication is application-to-application, such as payment processing for retailers and marketplaces. APIs are called by applications and their processing is managed by applications, so the question is no longer, “Is the user a machine,” because of course it is. The question is, “What does this user’s behavior tell me about their intent — is it abuse or fraud or legitimate?” Enterprises need to modernize their API security approaches and incorporate modern and adaptive security methods, including behavioral analytics and content inspection. New methods that allow for access and invocation of APIs based on the risk associated with the user, beyond identity, will be key to solving this problem at scale.

Password management. Password management is not unique to APIs, but its importance is magnified by the reliance of API vendors on tokens and keys to establish permissions to call APIs. The challenge of managing these passwords is magnified by the increasing number of digital services that span multiple channels—from mobile to web, across multiple backend applications, and in multiple locations—from cloud to data center to edge. Too often, passwords are compromised in “no-brainer” situations. As an industry, we have been relying on legacy technologies to establish identity and determine access to nearly all resources. As the number of APIs and the users calling them continues to increase, the number of tokens and keys that must be managed will become unmanageable.
Dynamic authentication and authorization will be needed to eliminate the use of "hard-wired" credentials, keys, and tokens to manage access to APIs.

The API-driven economy relies on API governance

The term governance is often associated with security, but in reality API governance is the practice of establishing frameworks and guardrails that improve the development and operation of APIs. This includes version management and documentation as well as more security-related practices. It’s those practices that matter. No single tool can manage an ever-growing portfolio of APIs, nor can any single tool tame the ever-growing beast that is API sprawl. Practice and the determination to put the right tools, frameworks, and safeguards in place will enable organizations to increase their share of the growing digital economy and move quickly and securely.