Also see: Top API Management Tools
Application programming interface (API) management concerns how businesses use, develop, track and build their APIs, and the degree to which those APIs are effective. API management enables businesses to bridge legacy systems with modern applications, allowing their legacy systems to talk to the cloud without modification or migration. Additionally, API management tools monitor – from security to analytics – how a company connects with numerous third party technology offerings.
Efficient and secure API management is essential for today’s companies, as the API becomes an ever more important technology for connecting the many applications that comprise contemporary IT. Indeed, the market is growing rapidly for API management tools – and is forecast to continue growing as API management gets increasingly challenging.
API management is also growing due to the rise of hybrid cloud, as on-premise private cloud systems need to connect to public cloud resources from providers like AWS and Microsoft Azure. API management allows traffic monitoring of individual applications, vital for traffic between the cloud and on-premise data centers.
The global market for API management software has seen remarkable growth as the API has taken a foundational role in enterprise IT.
Understanding the API and its Management
As IT professionals know, an application programming interface (API) is a set of protocols, tools, and subroutines used to build connective links between components of software programs. They can be used at any layer, from the Web down to an application or operating system.
Among the challenges of API management is the complexity of the many interlocking elements.
API Management: Security to Analytics
An API Management solution should contain full lifecycle management of API usage, provide a complete end-to-end set of services that simplify access to enterprise data, and streamline app building. Under that are a multitude of components, including:
APIs can be an attack point for malicious actors, who in some instances exploit API vulnerabilities using reverse engineering and other nefarious techniques. APIs can also be vulnerable to DDoS attacks. Indeed, security experts know that API attacks are commonplace and can result in data breaches. Consequently, API security involves monitoring and controlling an API at various vectors, including for privacy.
The challenge for API security is a company can only secure its own APIs, not those from third parties (but these APIs from external sources must be monitored). That means a system linked together by myriad APIs – as most enterprise deployments are – has any number of potential points it must focus on securing.
Design and Catalog
This is the central API Management solution component. It is a central repository for all available APIs and categorized as REST or WSDL and by different formats. It should be a place for easy API search and discovery, both APIs in development and in use.
The need for a catalog is critical. Developers need a central place to find APIs to use, along with the documentation to use the API. You create a catalog by discovering and identifying all of the APIs in your organization, then organize them into a catalog that works for your organization. You want APIs to be easily and readily found and used. If you aren’t making APIs to be used then why have them.
Any third-party API provider that doesn’t use a gateway should be avoided at all costs. The API Gateway is the core API Management solution component with a secure gateway that proxies the API traffic. API gateways take the requests from the clients, then routes them to the appropriate microservice with request routing, composition, and protocol translation.
That means navigating the microservices to determine the best path, and it also means helping tunnel through firewalls and other security layers securely. So a gateway is vital to safe interactions.
In addition to managing secure connections, an API gateway acts as a conductor to requests, taking multiple requests from the client and turning them into just one, thus reducing the round trip traffic between client and application.
You should operate an API developer portal just like an application development portal and for the same reasons: to encourage your developers to create, discover, consume, build, and test APIs. You can run a portal internally and then make the APIs available externally, just as the cloud IaaS/PaaS providers do.
API developer portal are usually built on a standards-based CMS portal with management, check in/check out, documentation, search, read, try and use capabilities. They also include FAQs, articles and message forums for the internal and external developer communities. They usually have separate access between internal use and external use as well.
Monetization is, of course, the process of generating revenue from a product or service. In this case, your APIs. Amazon and other companies monetize their APIs for their IaaS/PaaS services and many more.
You should work out a healthy business model as you are developing your APIs so as to provide a guide for your monetization goals. If an API is a source of revenue then you need to keep that API running, which is a separate effort from the API’s development.
Some APIs are made available for free, usually as a loss leader of sorts to bring in customers or just to offer basic functionality. When you get into pricing models, there are several to choose from:
- Multiple tiers of paid access
- A pure consumption model
- Pay-as-you-go or pay-per-use
- Unit-based, where the customer gets X number of uses and the option to buy more if they wish
Just as analytics can help a company better identify problem spots in their network or find more customers, analytics can help with API management. Through analytics, you can track usage metrics in a variety of ways, like by region or user type, improve your API performance, find out who is using it best and who is not, attract the right app developers, troubleshoot problems, and make better business decisions related to your API program.
There are several analytics programs for API management, like AWS CloudTrail, Google Apigee API Platform, Azure API Management and smaller players like MuleSoft and DreamFactory.
Public vs. Internal APIs
In developing and making APIs publicly available, you need to define at the start whether an API will be internal and inward-facing or external and outward-facing. This will impact how you build the API.
Internally-facing APIs don’t get as much attention as outward-facing APIs for obvious reasons. The outward-facing APIs have to be hardened against attacks and the integrity of data protected. A lot of developers assume that APIs are inherently more secure behind the firewall, and they are both right and wrong.
The main advantage of private APIs is they can significantly reduce the development time and resources needed to integrate internal IT systems. You can reuse them for multiple application projects and get them rolled out faster with this pool of internal assets.
External APIs, on the other hand, are exposed to the wider population of Web and mobile application developers. These are the ones more likely to be monetized and therefore are perceived as more valuable. They have extra requirements not needed in internal APIs, like security mechanisms, fees and Service Level Agreements (SLAs).
Challenges of API Management
Planning is required before you begin API coding, to determine your priorities and more effectively manage your API. Overall, the criteria can be divided into three main groups:
1) Strategic Attractiveness
- What would be the impact of securing the business objectives or client requirements?
- What improvements can be expected should these APIs be implemented vs. staying on the established course?
2) Readiness to Execute
- Examine your company’s current technical situation and determine if new infrastructure is needed.
- What APIs are already available to can solve your problems?
- Are more IT, legal, or management personnel needed to ensure the strategy’s success?
3) Essential Questions Before Launch:
- Where to begin, based on business need.
- How should the API team be structured?
- What metrics should be tracked?
- How do you ensure the APIs actually deliver business value and agility?
- Which business units within the company own which APIs?
- Do I have the talent in-house to make this happen, is training needed, or do we need to hire new people?
API Management Platforms
Naturally, an API management platform is the foundation of API management. API management platforms perform a broad array of functions, including analytics, usage reporting, API key and authorization management, live updated documentation, and billing and payment management.
Among these critical tasks, an API management platform protects the back-end of a service from being overloaded by too many queries, both intentional (through a Denial of Service attack) or unintentional (heavy use). Developers use API management platforms like Mashery, Apigee, and Layer 7 to ensure services aren’t taken down for whatever reason.
One way an API management platform works is to limit the number of queries for each customer per second or per day. A DoS attack sends queries at overwhelming speed, causing the overload. API management platforms block that by making sure users are not able to make more requests than the API can handle.
API Management Tools
API management tools are built to help with the design, development, deployment, and maintenance of APIs easier and more efficient. They are in many ways to APIs what a software development kit (SDK) is to application development, handling a variety of features and functions for the entire development process. This includes:
- Design and development – the core of API management
- Documentation: This is especially important for outward-facing APIs
- Deployment: Handles on-premises and cloud, public and private
- Developer engagement: Again for outward-facing APIs for third-party use.
- Analytics: So you know how people are using your API to adjust accordingly
- Traffic management
There is a very wide range of API management platform and tools, including catalog tools. Among the notable ones:
Amazon API Gateway: A fully managed service, Amazon’s API platform enables developers to publish and monitor APIs in a highly scalable manner. This is a robust solution, able to handle a massive level of APIs calls concurrently.
Google Apigee: Provides a range of services, from free API tools to enterprise-scale API management solutions both in the cloud or on-premises. Works with Google Cloud and support’s GCP’s areas of emphasis, like big data predictive analytics and AI.
Microsoft Azure API Management: Geared toward Microsoft environments both on-premises and on its Azure service. Covers management, provides a developer portal, documentation, security management, performance management, statistics and analytics.
IBM API Connect: IBM’s solution supports on-premise and cloud hosted and is oriented toward enterprises/very large firms. Since IBM acquired Red Hat, it now owns Red Hat 3Scale, which supports a wide range of customers from startups to enterprises with a focus on hybrid platforms.
Oracle API Manager: Supports both APIs and SOA environments for both modern and legacy systems, including Oracle’s own SOA products.
WSO2: The most widely used open source solution and considered one of the most complete solution today. It offers API integration, management, identity and mobile development in public, private clouds, and hybrid implementations.
TIBCP’s Mashery: An API management solution is aimed at monetization of APIs by helping customers build profitable platform strategies, ensuring fast, reliable API access and facilitating relationships with its network of developers.
CA API Management: Heavily enterprise directed with on-premises and cloud deployment solutions with full security management, performance management, mobile API gateways, mobile optimization and developer portals.