An emerging strategy for effectively managing mobile devices lies in addressing the application programming interfaces (APIs) used to feed them information. That strategy shifts the focus of management from a webpage orientation towards a rich set of APIs that can be accessed by a wide variety of mobile applications, according to Roberto Medrano, chief technology officer of SOA Software Inc., a Web tools vendor. Towards that end, organizations need to think about API lifecycle management to govern the underlying infrastructure.
APIs exist as a way to provide information and to enhance an organization's own development efforts. Organizations need to think about API version control and legacy asset support, Medrano said. They also need to consider global governance of use policies and integrated security as key aspects to API lifecycle management. Any deficiency in any of those areas can impact application performance and availability, as well as increase risk exposure to data integrity, confidentiality and system reliability.
One reason APIs are exploding today: the growth of mobile devices and applications. A governance model is in place for a service-oriented architecture (SOA), but organizations often miss out on using it for APIs as well, Medrano said.
APIs: A different twist on services
Services are typically built on top of monolithic apps that might offer thousands of services. Organizations break applications up so they can reuse services for other apps.
APIs are a more recent phenomenon. The concept of APIs has been applied previously for managing traditional computer applications, but the newer generation of APIs are mainly representational state transfer (REST)-based, and work over the Web. These are better-suited for mobile applications -- a factor that has helped to drive their growth.
Right now, API use remains small in the overall scheme of things. But as this area continues to grow, it will require improved lifecycle management and governance. That, in turn, affects how organizations manage APIs, the different versions of APIs, and the promotion of APIs from development through testing and production.
APIs and services rely on different protocols and behave differently, as well. APIs are becoming popular primarily due to the explosion of mobile application development. Because mobile devices tend to have limited capabilities, developers need to think about creating applications that can consume simple services that are Web- or JSON-based. Many old SOA concepts apply to APIs, too. There is nothing essentially different about them, other than that they are simpler and more often externally facing. A developer community needs to test them out and document them, as well.
Governance best practices are often enforced by the need to maintain regulatory compliance. Many companies have policies in place to keep sensitive application data on-premises. Some of them have full control for compliance where the data is only used by on-premises applications. Large enterprises, however, need to manage the data shared outside of internal company applications.
There are four roles involved in API management: a business manager that needs an app or API; the developers that create the APIs; the individuals that run APIs; and the people responsible for promoting the APIs to developers. Each role has a different focus on the API structure.
The glue that binds
Among the biggest challenges of good governance is the fact that large enterprises have a set of disparate components, such as .NET, Java, and open source. Currently, there's no way to change these into a homogenous infrastructure. As a result, plenty of mediation needs to occur.
Organizations may face a mixture of different types of authentication and security infrastructure, as well, which will also need some kind of glue between them. By focusing on the APIs, organizations can greatly simplify the management of information sent to mobile applications and their users.
"A lot of people don't understand the security aspects of APIs," Medrano said. In a heterogeneous environment, the client might support Security Assertion Markup Language (SAML) tokens, while the back-end servers are Microsoft-based.
The APIs could be exposed to Platform as a Service (PaaS) applications, mobile devices, sensors, and other types of devices. The main issues that occur with APIs and services surround authentication and authorization. A less-prominent issue is the potential for SQL injection, which can also create security risks for APIs.
The first step: Think about authentication and authorization. When a user is calling out to an API, the app itself needs to be authorized.
With large payloads going through firewalls, hackers also might use the APIs to launch attacks such as SQL injection.
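The two points above (authorize the calling app, not just the user, and keep request payloads out of SQL text) are easiest to see in a small handler. The following is an added example written for this article; it is not code from SOA Software or from the article's author. The signing key, the app registry, the HMAC token format and the orders table are all constructed for the demo; a real deployment would have an identity provider or API gateway issue and verify the tokens.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
import time

# Constructed for this example: a signing key and a registry of apps allowed to call
# the API. The token format below is an assumption made for the demo, not a standard.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
REGISTERED_APPS = {
    "mobile-orders-app": {"scopes": {"orders:read"}},
    "legacy-reporting-app": {"scopes": set()},
}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id, ttl_seconds=300, now=None):
    """Mint an HMAC-signed app token carrying the app's registered scopes and an expiry."""
    now = time.time() if now is None else now
    claims = {"app": app_id, "scopes": sorted(REGISTERED_APPS[app_id]["scopes"]),
              "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def authenticate(token, now=None):
    """Authentication: return the claims if the signature verifies and the token is unexpired."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, base64 or JSON
        return None
    now = time.time() if now is None else now
    if claims.get("app") not in REGISTERED_APPS or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(claims, required_scope):
    """Authorization is a separate decision: a valid app may still lack the scope for this call."""
    return required_scope in claims.get("scopes", [])


def build_demo_db():
    """Constructed in-memory table standing in for the back-end data the API exposes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 20.0), (2, "bob", 35.5), (3, "alice", 7.25)])
    return conn


def orders_unsafe(conn, customer):
    # VULNERABLE: the value from the request payload is spliced into the SQL text,
    # so a payload containing quotes changes the query instead of being matched as data.
    sql = "SELECT id FROM orders WHERE customer = '" + customer + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def orders_safe(conn, customer):
    # HARDENED: a bound parameter is data only and is never parsed as SQL.
    sql = "SELECT id FROM orders WHERE customer = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer,))]


def handle_orders_request(conn, token, customer, now=None):
    """Gateway-style handler: authenticate the app, authorize the scope, then query safely."""
    claims = authenticate(token, now)
    if claims is None:
        return 401, {"error": "invalid or expired app token"}
    if not authorize(claims, "orders:read"):
        return 403, {"error": "app lacks scope orders:read"}
    return 200, {"orders": orders_safe(conn, customer)}


if __name__ == "__main__":
    db = build_demo_db()
    token = issue_token("mobile-orders-app")
    print(handle_orders_request(db, token, "alice"))
    print(orders_unsafe(db, "x' OR '1'='1"), orders_safe(db, "x' OR '1'='1"))
```

The handler refuses a request at three distinct points: an unsigned, tampered or expired token (401), a legitimate app without the scope for this endpoint (403), and finally the query itself, where the same quoted payload that makes `orders_unsafe` return every row matches nothing in `orders_safe`. Keeping authentication and authorization as separate checks is what lets a gateway report which one failed.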
Take control of the API lifecycle
Managing the complete lifecycle of APIs -- from planning through creation and deployment -- is important. The four steps in good API management include planning, development governance, operational governance, and the sharing of APIs with authorized developers.
Organizations often rush to create an API without lifecycle management or governance, Medrano said. Then when it comes to versioning, they face some serious issues. The main problem: When organizations try to get things out quickly, they often do so without taking the time to think about good governance. As API usage grows and deployment matures, organizations need to think about the management of the different versions of APIs, which can provide multiple hooks into an organization's data infrastructure.
The API's lifecycle should be controlled so only permissible versions are in production at the various stages: planning, development, production and retirement. In addition, key stakeholders -- such as line-of-business managers, IT managers, information security staff, and compliance staff -- should have visibility into the state of the API. They should always be confident that they're looking at the correct version. In addition, APIs should be subject to authentication and authorization processes to protect enterprise IT assets from misuse, threats to availability, or breaches of privacy.
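To make the version control described here concrete, the following added example models the four stages named above (planning, development, production, retirement), a registry that only permits forward promotions, and a gateway routing check that sends traffic to production versions alone. This is illustrative code written for this article, not SOA Software's product or anything the article describes in detail; the transition policy, the `/<version>/<api>` path convention and the status codes are assumptions made for the demo.

```python
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    PLANNING = "planning"
    DEVELOPMENT = "development"
    PRODUCTION = "production"
    RETIREMENT = "retirement"


# Constructed promotion policy: a version moves forward one stage at a time, and a
# retired version never comes back into service. Anything not listed here is refused.
ALLOWED_TRANSITIONS = {
    Stage.PLANNING: {Stage.DEVELOPMENT},
    Stage.DEVELOPMENT: {Stage.PRODUCTION, Stage.RETIREMENT},
    Stage.PRODUCTION: {Stage.RETIREMENT},
    Stage.RETIREMENT: set(),
}


@dataclass
class ApiVersion:
    name: str
    version: str
    stage: Stage = Stage.PLANNING
    history: list = field(default_factory=list)  # (stage, actor) trail for stakeholders


class ApiRegistry:
    """Single source of truth for which API versions exist and what stage each is in."""

    def __init__(self):
        self._versions = {}

    def register(self, name, version, actor):
        key = (name, version)
        if key in self._versions:
            raise ValueError(f"{name} {version} already registered")
        entry = ApiVersion(name, version)
        entry.history.append((Stage.PLANNING.value, actor))
        self._versions[key] = entry

    def promote(self, name, version, target, actor):
        """Move a version to the next stage; refuses skips and backward moves."""
        entry = self._versions[(name, version)]
        if target not in ALLOWED_TRANSITIONS[entry.stage]:
            raise ValueError(f"{name} {version}: {entry.stage.value} -> {target.value} "
                             "is not a permitted transition")
        entry.stage = target
        entry.history.append((target.value, actor))

    def stage_of(self, name, version):
        entry = self._versions.get((name, version))
        return None if entry is None else entry.stage

    def report(self):
        """Stakeholder view: every registered version with its current stage."""
        return {f"{e.name}/{e.version}": e.stage.value for e in self._versions.values()}


def route(registry, path):
    """Gateway check on a path like '/v2/orders': only production versions receive traffic.
    Returns an HTTP-style status so the caller can see why a request was refused."""
    parts = path.strip("/").split("/")
    if len(parts) != 2:
        return 404, "unrecognised path"
    version, name = parts
    stage = registry.stage_of(name, version)
    if stage is None:
        return 404, f"{name} {version} is not a registered API"
    if stage is Stage.RETIREMENT:
        return 410, f"{name} {version} has been retired"
    if stage is not Stage.PRODUCTION:
        return 404, f"{name} {version} is in {stage.value}, not production"
    return 200, f"routed to {name} {version}"


if __name__ == "__main__":
    reg = ApiRegistry()
    reg.register("orders", "v1", "line-of-business manager")
    reg.promote("orders", "v1", Stage.DEVELOPMENT, "developer")
    reg.promote("orders", "v1", Stage.PRODUCTION, "operations")
    reg.register("orders", "v2", "line-of-business manager")
    print(reg.report(), route(reg, "/v1/orders"), route(reg, "/v2/orders"))
```

Because the gateway consults the registry rather than its own list of endpoints, retiring a version in the registry immediately closes that hook into the back end, and the `history` list gives security and compliance staff a record of who moved each version and when it entered production.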