API Management. What financial and public sector customers require. NOW.

Post on 30-May-2020


Page 1: API Management. - Red Hat Partner · SLA Brand Awareness digital channels Bank & Finance PSD2 XS2A New offerings: ... institutions will need to build or buy an API management gateway

API Management. What financial and public sector customers require. NOW.

Page 2

Agenda

API Economy

API for Banks

API for Public Institutions

Differences SOA vs. API

3scale API management Platform & Architecture

Demo

Page 3

The API Economy

Importance of APIs
– Your company’s brand to the market
– Bridge between IT & business concerns
– Core for business success

Growth drivers – API Enterprise
– Mobile: 54% ecommerce sales (Forrester)
– B2B: 2016 50% of B2B collab. via APIs (Gartner)
– IOT: $7.1 trillion by 2020 (IDC)

You’re not alone
– Expedia: $4B revenue from APIs
– eBay: 60% listings via APIs

Page 4

The API Economy? What we need to create

API We need

The most popular APIs:

Page 5

Who needs API?

Cross industries

Mobile Apps
security
authentication & authorization
SLA

Brand Awareness digital channels

Bank & Finance

PSD2 XS2A
New offerings:
– new channel for e-commerce (loans & credits for on-line shopping)
– loyalty programs

Insurance:
– new channel for partners & clients
– on-line payments
– insurance for travel, shopping & delivery

Public & Government

Open data
Smart Cities
Public services

On the top strategic level of your customers Digital Agenda & Digital Transformation

Page 6

The API Economy

New initiatives & legislations

Bank & Finance: PSD2 XS2A Open Bank Project

Public Sector: OpenData & Open API

Page 7

Banks & Finance

Page 8

Open Bank Project

Page 9

Open Bank Project

Page 10

PSD2

“Whenever a bank has to deal with external parties, security is quite rightly at the forefront of their thinking. And when this interaction with third parties can take place without specific bilateral contracts and jointly developed integration, it is even more critical. Under the XS2A service requirements, European banks must create an API structure that any company registered with a ‘competent authority’ and with the consent of the bank customer, can tap into to provide a service. 88% of respondents feel strongly that security around their data integration points is a major concern. […] My observation is that it is important for banks to see the API framework, their API strategy and their APIs as business issues, business decisions and business architectures and not as some obscure technology problem to be solved in the bowels of the IT department. This new approach means shifting to components and networks and APIs connecting everything in an organisation, not simply adding an API layer on top of customer interfaces.”
REPORT ON A SURVEY BY FINEXTRA AND FIS

“Banks will be required to provide API access to customer accounts […] This will require bank investment in application service governance and API management. For example, most financial institutions will need to build or buy an API management gateway and create new APIs to provide access to customer accounts.”
USE PSD2 TO ACCELERATE OPEN BANKING, GARTNER

Page 11

PSD2

Page 12

Why 3scale for PSD2?

PSD2 opportunities → 3scale platform

Strong authentication methods required on the electronic payment transaction channel → Various OAuth scenarios supported for application authentication

XS2A requires end users authentication, 2FA and user consent → OpenID authentication is supported

PSD2 allows TPP to monetize different scenarios and interactions → Monetization module highly configurable and with a number of integrations already

PSPs must establish an operational risk management framework and provide the regulator with an assessment of the risks and the adequacy of their controls → 3scale will provide upon request Security Incident Report, without delay

Page 13

Public Institutions

Page 14

© 2015 IBM Corporation

https://en.wikipedia.org/wiki/Open_API#/media/File:Open-APIs-v5.png

1. [4] They are free for anyone to use. Open APIs are available to use by all developers.
2. They are typically backed by open data.[5] Open data is freely available for everyone to use and republish as they wish, without restrictions from copyright, patents or other mechanisms of control. An Open API may be free to use but the publisher may limit how the API data can be used.
3. They are based on an open standard.

Open Data & Open API

Page 15

Open Data RULES

Open public data to citizens

Without registration and restrictions

Collected at the source

On-line & for free

Machine processable

https://opengovdata.org

https://opengovdata.io

http://www.wroclaw.pl/open-data/

http://www.danepowarszawsku.pl/

http://opendata.bcn.cat/opendata/en

https://data.lacity.org/

https://data.london.gov.uk/

Page 16

Open Data vs. Open API

≠

Fully Machine processable

Partially/Not Machine processable

{"$type":"Tfl.Api.Presentation.Entities.RouteSearchResponse, Tfl.Api.Presentation.Entities","input":"victoria","searchMatches":[{"$type":"Tfl.Api.Presentation.Entities.RouteSearchMatch, Tfl.Api.Presentation.Entities","lineId":"victoria","mode":"tube","lineName":"Victoria","lineRouteSection":[{"$type":"Tfl.Api.Presentation.Entities.LineRouteSection, Tfl.Api.Presentation.Entities",

"routeId":1230,"direction":"inbound","destination":"Brixton Underground Station","fromStation":"Walthamstow Central Underground Station","toStation":"Brixton Underground Station","serviceType":"Regular","vehicleDestinationText":"Brixton Underground Station"},{...}

Source: https://blog.tfl.gov.uk/2015/10/19/unified-api-part-3-rot-routes-of-things/

Page 17

Who else?

Page 18

Superheroes already have

Page 19

SOA vs. API

SOA

Mostly for internal usage → Possible to estimate no. of calls
Usually SOAP based → Well described, but fatty
SOA Governance implemented → Not easy to modify
Implementation focus on re-usage → Complicated, many params etc.

API

Mostly for external usage → Hard to estimate no. of calls
Mostly REST based → Well described (swagger), skinny
No governance → Easy to modify
Focus on easiness of usage → Easy to understand, many simple APIs

≠

Everything Should Be Made as Simple as Possible, But Not Simpler

Albert Einstein

Page 20

Challenges of API

Unknown number of developers → Is my infrastructure well prepared?

Unknown number of calls/requests → Am I ready for huge load?

How to identify and authorize requests? → Should I use Identity management?

How to communicate with developers? → Can I create different levels/groups of developers?

How to monetize API? → How to create free and paid API?

Page 21

Challenges

Unknown number of developers → I need SLA between me & developer

Unknown number of calls/requests → I need throttling functionality to protect back-end

How to identify and authorize requests? → I need to integrate with 3rd party IM systems

How to communicate with developers? → I need developer portal to share docs & info

How to monetize API? → I need billing functionality with invoicing & payments

Page 22

3scale

I need SLA between me & developer → 3scale supports application plans; developers can subscribe to one of the offered application plans (contract)

I need throttling functionality to protect back-end → 3scale supports limits and can throttle requests above threshold to protect back-end against overloading

I need to integrate with 3rd party IM systems → 3scale can be integrated with IM via OAuth 2.0

I need developer portal to share docs & info → 3scale has developer portal with self registration functionality or by invitation only

I need billing system with invoicing & payments → 3scale monetization module (billing + invoicing & payments). API can be used free of charge or paid

Page 23

The 3scale Platform

Page 24

Full control of your APIs
Now and into the future

Control
– Security
– Key Management
– Rate Limiting
– Policy Enforcement
– App & User Management
– Provisioning

Flexibility
– Distributed
– Multi-Department
– Multi-Environment
– Highly Scalable
– Powerful APIs
– Webhooks

Visibility
– Analytics
– App Tracking
– User Tracking
– Traffic Alerts
– Engagement
– Developer Support

Page 25

The 3scale API Platform

Your content, data & services

Your API

Traffic Management

Access control & security

API contracts & rate limits

Analytics & reporting

Developer portal & docs

Billing & payments

Developers

Customers

Mobile Apps

Affiliates

Partners

Internal Projects

Page 26

Flexible Distributed Control

Modular

No single point of failure

Cloud access

Highly scalable

Page 27

No lock-in factor

Possibility to enhance the product using publicly available resources

No product specific language required

Many information resources available

Component: Technology
Front End: Ruby on Rails
Gateway: NGINX, Lua
Back End: Ruby, Sinatra, Redis

Open Source technologies

Page 28

THE API MANAGEMENT STACK

Page 29

The 3scale API Management Stack

Page 30

Security & Access Control

Page 31

Your API Security

Authenticate and restrict access to your APIs. Protect backend services.

Multiple authentication mechanisms

Can be combined with IP / Domain referrer whitelisting

Authenticate traffic

Restrict by policy

Drop unwelcome calls

Protect backend services

Generate overage alerts

Impose rate limits

– API Key
– App ID / App Key
– OAuth 2.0

Page 32

API Contracts, Throttling & Rate Limits

Partner Ecosystem

• Allow/restrict access to your API end points along with rate limits
• Rate-limit account, user and end-point level

API Services: END POINT A, END POINT B
Rate Limits: X CALLS / MINUTES, Y CALLS / DAY
Pricing: FREE, $X PER MONTH, $Y PER CALL

INTERNAL TEAMS
STRATEGIC PARTNERS
DEVELOPERS

Application #1
Application #2
Application #3

Page 33

Reports & Analytics

APIs as a Business

Page 34

Developer Portal

Page 35

PRE-INTEGRATED PAYMENT GATEWAYS

PACKAGING, BILLING & PAYMENTS

Set up pricing rules. Invoice every month. 100% PCI compliant.

MULTIPLE PRICING RULES

• ONE TIME PAYMENT
• FIXED RECURRING MONTHLY FEE
• VARIABLE RECURRING MONTHLY FEE
• COST PER UNIT
• TIERED PRICING

BILLING CYCLES

• INVOICES ISSUED ON A MONTHLY BASIS
• 2 BILLING OPTIONS:
  • PREPAID (FIXED FEES CHARGED BEGINNING OF MONTH, VARIABLE FEES CHARGED END OF MONTH)
  • POSTPAID (ALL FEES CHARGED AT THE END OF THE MONTH)

NO CREDIT CARD DETAILS STORED ON 3SCALE INFRASTRUCTURE

Page 36

Where API is...

Cross industries

Mobile App
security
authentication & authorization
SLA

Brand Awareness digital channels

Bank & Finance

PSD2 XS2A
New offerings:
– new channel for e-commerce (loans & credits for on-line shopping)
– loyalty programs

Insurance:
– new channel for partners & clients
– on-line payments
– insurance for travel, shopping & delivery

Public & Government

Open data
Smart Cities
Public services

On the top strategic level of your customers Digital Agenda & Digital Transformation

Page 37