Deep-Dive: Rethinking Governance in an API-First World
Presenters: Chris von See, Subra Kumaraswamy
Slideshare: slideshare.com/apigee
Apigee Community: https://community.apigee.com
YouTube: youtube.com/apigee
Today’s presenters
• Subra Kumaraswamy (@subrak)
• Chris von See (@apigee)
Why do organizations have “governance”?
• improved categorization and management via metadata, to support resource reuse, track API/service characteristics, support impact assessment, etc.
• verification that business value is being realized in a way that matches expectations
• verification of compliance with procedures and rules
• review and approval of changes that impact multiple teams or systems
• verification of conformance to software best practices
• compensation for past experiences in inflexible design or poor-quality delivered software
• contract and process compliance for outsourced development, operations
• make it easy to assess blame
Not all governance is “bad governance”, but…
“One of the major issues of B2B integration and partner/community-based application development in the past was not only that we gave developers specific limited building blocks but also a set of very rigid interfaces. When combined with tight governance (GRC), security and unreasonable restrictions, essentially it gave the developer community a steel cage to build things inside. This used to allow no leeway, no room for imagination, and certainly thinking out of the box was verboten….”
Source: http://www.wired.com/2013/12/how-apis-fuel-innovation/
Why “project-based funding” stifles innovation
No experimentation. No planning. No consistency.
Image sources: http://ilcoccodimamma.com/products/big-58.jpg, http://musicconsultant.com/site/uploads/2011/01/plan.jpg, http://c8.alamy.com/comp/EEW664/cartoon-of-business-meeting-with-chart-showing-inconsistent-results-EEW664.jpg
APIs are about “co-creating value”.
Can governance and innovation co-exist?
APIs and “systems of engagement”
Source: http://blogs.forrester.com/ted_schadler/12-02-14-a_billion_smartphones_require_new_systems_of_engagement
Digital Value Chain: Exposure / “Systems of Record” → Consumption / “Systems of Engagement”
A framework for governance based on creating digital value
• Design for the developer: Intuitive, functional interfaces that encourage exploration, innovation and delightful consumer experiences
• Build for the API team: Consistently repeatable processes that reinforce reusability, enhance reliability and validate business value
• Operate for the consumer: Provide consistent, measurable “always on” performance in a secure environment
“Agile” governance
• Incremental assessment of business value and functional approach while the work is being done, not after
• Earlier course correction when APIs deviate from standards or regulatory requirements
• More rapid reaction to changing markets and requirements
• Testing during the development process helps to catch cross-system incompatibilities as APIs evolve
Image source: http://sdc.net.au/media/1189/agile_lifecycle_large.png
Design and prototyping at the API layer
API definition + Policies + Mock back-end system
Mock Data Store: data store, connections/social, users and devices, location queries
Preventing “API sprawl” with discoverable interfaces
• Reuse at the API level is supported by clean, well-structured documentation that lets someone find out whether a given function has already been implemented
• Reuse at the API component level is supported in the same way it is with any software system
• Metadata in documentation, combined with search, enables categorization that supports impact assessment
• API Product metadata also makes it easy to determine what’s internally consumable vs. externally consumable
Governance in the software development life cycle: It’s all about automation.
Image source: https://upload.wikimedia.org/wikipedia/commons/e/e8/Gears.JPG
Everything is Available via a Management API
• 250+ Management APIs to manage the entire platform
• Use DevOps tools to automate API activation, deactivation, promotion, etc.
Building the optimal API Program process
Source: http://www.collab.net/solutions/devops
Operational governance is about…
• Security: Who has access to the API management system? How do I control service access? How can I protect my organization from threats?
• Measurement: How available are my services, and how well are they performing? How do outages or slowness affect my business? Am I getting the value I expected?
• Service management: How can I throttle usage if needed? How do I plan for future service requirements?
• Change management: What code is deployed now, and how do I evolve services as my needs change?
• Problem determination: How do I find and fix problems in a high-volume, high-availability production environment?
Security at All Points of Engagement
Points of engagement and the controls applied at each:
• Backend: Mutual TLS, IP Access Control
• API Team: RBAC, AD / LDAP, Audit, Logical Separation
• APIs: Quotas, Spike Arrest, Threat Protection, Intrusion Detection, Bot Detection, DDoS
• Developers: Access / Block, Revoke, SSO, RBAC
• Apps: API key, OAuth2, Mutual TLS
• Users: OAuth2, MFA, Federated Login, IP Access Control
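The controls listed for the “APIs” point of engagement (API key check, spike arrest, quotas) and the audit trail from the API Team column, shown as an added Python example. This is not code from the slides or from Apigee; the app registry, the demo key values, the limits (2 requests per second, a per-minute quota) and the traffic in `simulate()` are all constructed assumptions. The point it makes that the slide cannot: spike arrest and quota are different policies. Spike arrest smooths bursts over a short window, while the quota caps total consumption per app per longer window, and both decisions should land in the audit log.

```python
import hashlib
import hmac
from collections import defaultdict, deque


def _key_hash(api_key: str) -> str:
    # Store only a digest of the API key, never the key itself (assumption: SHA-256).
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed sample registry: app name -> key digest and per-window quota.
APPS = {
    "weather-mobile": {"key_hash": _key_hash("wm-demo-key-0001"), "quota": 5},
    "partner-batch": {"key_hash": _key_hash("pb-demo-key-0002"), "quota": 100},
}


class PolicyChain:
    """Hypothetical gateway policy chain: API key -> spike arrest -> quota -> audit."""

    def __init__(self, spike_per_second: int = 2, quota_window_s: int = 60):
        self.spike_per_second = spike_per_second
        self.quota_window_s = quota_window_s
        self._recent = defaultdict(deque)    # app -> request times within the last second
        self._quota_used = defaultdict(int)  # (app, window index) -> requests admitted
        self.audit = []                      # every decision, allowed or denied

    def _lookup_app(self, api_key: str):
        digest = _key_hash(api_key)
        for name, rec in APPS.items():
            # Constant-time comparison so key validation does not leak via timing.
            if hmac.compare_digest(rec["key_hash"], digest):
                return name, rec
        return None, None

    def handle(self, api_key: str, now: float):
        """Return (status, reason) for one request arriving at time `now` (seconds)."""
        app, rec = self._lookup_app(api_key)
        if app is None:
            return self._decide("unknown", now, 401, "invalid api key")

        # Spike arrest: admit at most N requests per rolling second, regardless of quota.
        recent = self._recent[app]
        while recent and now - recent[0] >= 1.0:
            recent.popleft()
        if len(recent) >= self.spike_per_second:
            return self._decide(app, now, 429, "spike arrest")
        recent.append(now)

        # Quota: cap total admitted requests per app per window (here: per minute).
        window = (app, int(now // self.quota_window_s))
        if self._quota_used[window] >= rec["quota"]:
            return self._decide(app, now, 429, "quota exceeded")
        self._quota_used[window] += 1
        return self._decide(app, now, 200, "ok")

    def _decide(self, app: str, now: float, status: int, reason: str):
        # Audit record: who, when, what was decided and why.
        self.audit.append({"t": now, "app": app, "status": status, "reason": reason})
        return status, reason


def simulate():
    """Run a constructed traffic pattern through the chain and return the decisions."""
    chain = PolicyChain(spike_per_second=2, quota_window_s=60)
    traffic = [
        ("wm-demo-key-0001", 0.0),   # ok
        ("wm-demo-key-0001", 0.1),   # ok
        ("wm-demo-key-0001", 0.2),   # third request inside one second: spike arrest
        ("wm-demo-key-0001", 1.1),   # ok, burst window has moved on
        ("wm-demo-key-0001", 1.2),   # ok
        ("wm-demo-key-0001", 2.5),   # ok, fifth admitted request: quota now full
        ("wm-demo-key-0001", 3.5),   # quota exceeded for this minute
        ("not-a-real-key", 4.5),     # unknown key: 401
        ("wm-demo-key-0001", 61.0),  # new quota window: ok again
    ]
    return [chain.handle(key, t) for key, t in traffic], chain.audit


if __name__ == "__main__":
    decisions, audit = simulate()
    for rec in audit:
        print(f"t={rec['t']:>5} app={rec['app']:<14} {rec['status']} {rec['reason']}")
```

Replace the in-memory dictionaries with a shared store when the gateway runs as more than one instance, otherwise each node enforces its own copy of the quota; the injected `now` parameter is what makes the policy deterministic enough to test.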
API Identity Governance
Lifecycle: Govern (app identity, user identity, RBAC, audit) → Provision / Deprovision → Run-time policies → Deploy / Monitor / Verify
Checklist:
• App identity: key and distribution
• Security and access control policies: threat protection, authentication, authorization, transport-level security
• User identity for API services
• RBAC for management users and developers
• Audit management activities
• Deploy and monitor access control policies
Visibility brings understanding, which drives action
Diagnosing problems in production
• Built-in trace gives you deep insights into each step in an API proxy: contextual variables, execution time, fault details, etc.
Take Aways…
• Governance can be beneficial for a variety of reasons. Excessive governance or project-based funding, however, can impact an organization’s ability to innovate and to stay competitive in the marketplace.
• To facilitate innovation and accelerate value creation, governance for “systems of innovation” should be treated differently than governance for “systems of record”.
• An agile approach leveraging prototyping and development at the “system of innovation” (the API layer) enables you to move rapidly to identify, validate and act on new initiatives, and to introduce heavier-weight governance only when absolutely needed.
• Building a software development life cycle around a highly automatable API platform can accelerate the pace of innovation by eliminating or replacing slower governance processes.
• Robust security, monitoring, management and problem determination features enable easy and effective operational governance.
Questions?
Thank you
Material and stuff to read
• http://www.programmableweb.com/news/governance-vs-innovation-do-they-have-to-be-enemies/2013/02/27
• http://www.wired.com/2013/12/how-apis-fuel-innovation/
• http://apievangelist.com/2013/02/27/what-is-a-better-word-for-governance-when-it-comes-to-apis/
• http://blog.cobia.net/cobiacomm/2013/04/09/application-services-governance/
• http://weareinnovation.org/2014/02/27/open-innovation-vs-governance-the-api-equation-to-business-agility/
• http://servicetechmag.com/I86/0914-1