Deep-Dive: Rethinking Governance in an API-First World
TRANSCRIPT
Chris von See, Subra Kumaraswamy (Apigee)
Today’s presenters
• Subra Kumaraswamy (@subrak)
• Chris von See (@apigee)
Why do organizations have “governance”?
• improved categorization and management via metadata, to support resource reuse, track API/service characteristics, support impact assessment, etc.
• verification that business value is being realized in a way that matches expectations
• verification of compliance with procedures and rules
• review and approval of changes that impact multiple teams or systems
• verification of conformance to software best practices
• compensation for past experiences in inflexible design or poor-quality delivered software
• contract and process compliance for outsourced development, operations
• make it easy to assess blame
Not all governance is “bad governance”, but…
“One of the major issues of B2B integration and partner/community-based application development in the past was not only that we gave developers specific limited building blocks but also a set of very rigid interfaces. When combined with tight governance (GRC), security and unreasonable restrictions, essentially it gave the developer community a steel cage to build things inside. This used to allow no leeway, no room for imagination, and certainly thinking out of the box was verboten….”
Source: http://www.wired.com/2013/12/how-apis-fuel-innovation/
Why “project-based funding” stifles innovation
No experimentation. No planning. No consistency.
Image sources: http://ilcoccodimamma.com/products/big-58.jpg, http://musicconsultant.com/site/uploads/2011/01/plan.jpg, http://c8.alamy.com/comp/EEW664/cartoon-of-business-meeting-with-chart-showing-inconsistent-results-EEW664.jpg
APIs are about “co-creating value”.
Can governance and innovation co-exist?
APIs and “systems of engagement”
Source: http://blogs.forrester.com/ted_schadler/12-02-14-a_billion_smartphones_require_new_systems_of_engagement
Digital value chain: Exposure / “Systems of Record” → Consumption / “Systems of Engagement”
A framework for governance based on creating digital value
• Design for the developer: intuitive, functional interfaces that encourage exploration, innovation and delightful consumer experiences
• Build for the API team: consistently repeatable processes that reinforce reusability, enhance reliability and validate business value
• Operate for the consumer: provide consistent, measurable “always on” performance in a secure environment
“Agile” governance
• Incremental assessment of business value and functional approach while the work is being done, not after
• Earlier course correction when APIs deviate from standards or regulatory requirements
• More rapid reaction to changing markets and requirements
• Testing during the development process helps to catch cross-system incompatibilities as APIs evolve
Image source: http://sdc.net.au/media/1189/agile_lifecycle_large.png
Design and prototyping at the API layer
API definition + Policies + Mock back-end system
Mock data store components shown in the diagram: Data store, Connections/Social, Users and Devices, Location queries
Preventing “API sprawl” with discoverable interfaces
• Reuse at the API level is supported by clean, well-structured documentation that allows someone to find out if a given function has already been implemented
• Reuse at the API component level is supported in the same way it is with any software system
• Metadata in documentation, combined with search, enables categorization that supports impact assessment
• API Product metadata also makes it easy to determine what’s internally consumable vs. externally consumable
Governance in the software development life cycle: It’s all about automation.
Source: https://upload.wikimedia.org/wikipedia/commons/e/e8/Gears.JPG
Everything is Available via a Management API
• 250+ Management APIs to manage the entire platform
• Use DevOps tools to automate API activation, deactivation, promotion, etc.
Building the optimal API Program process
Source: http://www.collab.net/solutions/devops
Operational governance is about…
• Security: Who has access to the API management system? How do I control service access? How can I protect my organization from threats?
• Measurement: How available are my services, and how well are they performing? How do outages or slowness affect my business? Am I getting the value I expected?
• Service management: How can I throttle usage if needed? How do I plan for future service requirements?
• Change management: What code is deployed now, and how do I evolve services as my needs change?
• Problem determination: How do I find and fix problems in a high-volume, high-availability production environment?
Security at All Points of Engagement
Controls shown in the diagram, by point of engagement:
• Backend: Mutual TLS, IP Access Control
• API Team: RBAC, AD/LDAP, Audit, Logical Separation
• APIs: Quotas, Spike Arrest, Threat Protection, Intrusion Detection, Bot Detection, DDoS
• Developers: Access/Block/Revoke, SSO, RBAC
• Apps: API key, OAuth2, Mutual TLS
• Users: OAuth2, MFA, Federated Login, IP Access Control
API Identity Governance
Govern: App Identity, User Identity, RBAC, Audit; Provision/Deprovision; Run-time Policies; Deploy/Monitor/Verify
• App identity key and distribution
• Security and access control policies: threat protection, authentication, authorization, transport-level security
• User identity for API services
• RBAC for management users and developers
• Audit management activities
• Deploy and monitor access control policies
Visibility brings understanding, which drives action
Diagnosing problems in production
• Built-in trace gives you deep insights into each step in an API proxy: contextual variables, execution time, fault details, etc.
Takeaways
• Governance can be beneficial for a variety of reasons. Excessive governance or project-based funding, however, can impact an organization’s ability to innovate and to stay competitive in the marketplace.
• To facilitate innovation and accelerate value creation, governance for “systems of innovation” should be treated differently than governance for “systems of record”.
• An agile approach leveraging prototyping and development at the “system of innovation” (the API layer) enables you to move rapidly to identify, validate and act on new initiatives, and to introduce heavier-weight governance only when absolutely needed.
• Building a software development life cycle around a highly automatable API platform can accelerate the pace of innovation by eliminating or replacing slower governance processes.
• Robust security, monitoring, management and problem determination features enable easy and effective operational governance.
Questions?
Thank you
Material and stuff to read
• http://www.programmableweb.com/news/governance-vs-innovation-do-they-have-to-be-enemies/2013/02/27
• http://www.wired.com/2013/12/how-apis-fuel-innovation/
• http://apievangelist.com/2013/02/27/what-is-a-better-word-for-governance-when-it-comes-to-apis/
• http://blog.cobia.net/cobiacomm/2013/04/09/application-services-governance/
• http://weareinnovation.org/2014/02/27/open-innovation-vs-governance-the-api-equation-to-business-agility/
• http://servicetechmag.com/I86/0914-1