To realize the true benefits of an “API-first” approach and the efficiencies that an API platform can bring, organizations should view governance from a fresh perspective. In this webcast, we will explore new approaches to API governance, including: - best practices to help organizations scale their API program - how governance can enable security and compliance - how to execute API governance throughout design, implementation, and runtime operations Listen to the podcast version here: http://bit.ly/1hjO74T Watch the full recording here: http://youtu.be/HKmw9gfMOxE

1. Deep-Dive: Rethinking Governance in
an API-First World
Chris von See
Subra Kumaraswamy

2. Slideshare
slideshare.com/apigee
Apigee Community
https://community.apigee.com
YouTube
youtube.com/apigee
2

3. Subra Kumaraswamy
@subrak
Chris von See
@apigee
3
Today’s presenters

4. Why do organizations have “governance”?

5. Why do organizations have “governance”?
• improved categorization and management via metadata, to support resource reuse, track
API/service characteristics, support impact assessment, etc.
• verification that business value is being realized in a way that matches expectations
• verification of compliance with procedures and rules
• review and approval of changes that impact multiple teams or systems
• verification of conformance to software best practices
• compensation for past experiences in inflexible design or poor-quality delivered software
• contract and process compliance for outsourced development, operations
• make it easy to assess blame
5

6. Not all governance is “bad governance”, but…
6
One of the major issues of B2B integration and partner/community-based application
development in the past was not only that we gave developers specific limited building
blocks but also a set of very rigid interfaces. When combined with tight governance (GRC),
security and unreasonable restrictions, essentially it gave the developer community a steel
cage to build things inside. This used to allow no leeway, no room for imagination, and
certainly thinking out of the box was verboten….
“
Source: http://www.wired.com/2013/12/how-apis-fuel-innovation/

7. Why “project-based funding” stifles innovation
7
!No experimentation.
Image sources: http://ilcoccodimamma.com/products/big-58.jpg, http://musicconsultant.com/site/uploads/2011/01/plan.jpg, http://c8.alamy.com/comp/EEW664/cartoon-of-business-meeting-with-chart-showing-inconsistent-results-EEW664.jpg
No planning. No consistency.

8. 8
APIs are about “co-creating value”.

9. Can governance and innovation co-exist?
9

10. APIs and “systems of engagement”
10
http://blogs.forrester.com/ted_schadler/12-02-14-a_billion_smartphones_require_new_systems_of_engagement

11. Digital Value Chain
Exposure / “Systems of Record”Consumption / “Systems of Engagement”

12. A framework for governance based on creating digital value
Design for the developer
Intuitive, functional interfaces
that encourage exploration,
innovation and delightful
consumer experiences
Build for the API Team
Consistently repeatable processes
that
reinforce reusability, enhance
reliability and
validate business value
Operate for the consumer
Provide consistent, measurable
“always on” performance in a secure
environment

13. “Agile” governance
• Incremental assessment of business
value and functional approach while
the work is being done, not after
• Earlier course correction when APIs
deviate from standards or regulatory
requirements
• More rapid reaction to changing
markets and requirements
• Testing during the development
process helps to catch cross-system
incompatibilities as APIs evolve
13
Image source: http://sdc.net.au/media/1189/agile_lifecycle_large.png

14. Design and prototyping at the API layer
14
or

15. Design and prototyping at the API layer
15
+ +
API definition Policies Mock back-end system
Mock
Data
Store
Data store
Connections/
Social
Users and
Devices
Location
queries

16. Preventing “API sprawl” with discoverable interfaces
• Reuse at the API level is supported by clean, well structured documentation that allows
someone to find out If a given function has already been implemented
• Reuse at the API component level is supported in the same way it is with any software
system
• Metadata in documentation, combined with search, enables categorization that supports
impact assessment
• API Product metadata also makes it easy to determine what’s internally consumable vs.
externally consumable
16

17. Governance in the software development
life cycle: It’s all about automation.
17
Source: https://upload.wikimedia.org/wikipedia/commons/e/e8/Gears.JPG

18. Everything is Available via a Management API
• 250+ Management APIs to manage the entire platform
• Use DevOps tools to automate API activation, deactivation, promotion, etc.

19. Building the optimal API Program process
Source: http://www.collab.net/solutions/devops

20. Operational governance is about…
• Security: Who has access to the API management system? How do I control service
access? How can I protect my organization from threats?
• Measurement: How available are my services, and how well are they performing? How
do outages or slowness affect my business? Am I getting the value I expected?
• Service management: How can I throttle usage if needed? How do I plan for future
service requirements?
• Change management: What code is deployed now, and how do I evolve services as my
needs change?
• Problem determination: How do I find and fix problems in a high-volume, high-availability
production environment?
20

21. Security at All Points of Engagement
21
Backend
P
A I
API TeamAPIsDevelopersAppsUsers
Mutual TLS
IP Access Control
RBAC
AD / LDAP
Audit
Logical Separation
Quotas
Spike Arrest
Threat Protection
Intrusion Detection
Bot Detection
DDoS
Access
Block
Revoke
SSO
RBAC
API key
OAuth2
Mutual TLS
OAuth2
MFA
Federated Login
IP Access Control

22. API Identity Governance
Govern
App
Identity
Prov/
Deprov
Run-time
Policies
User
Identity
RBAC
Audit
Deploy/
Monitor/
Verify
22
App Identity Key and Distribution þ
Security & Access Control Policies – Threat
Protection, Authentication, Authorization,
Transport level security
þ
User Identity for API services þ
RBAC for Mgmt users and Developers þ
Audit Mgmt activities þ
Deploy and Monitor Access control policies þ

23. Visibility brings understanding, which drives action
23

24. Diagnosing problems in production
• Built-in trace gives you deep
insights into each step in an
API proxy: contextual
variables, execution time, fault
details, etc.

25. Take Aways…
• Governance can be beneficial for a variety of reasons. Excessive governance or project-
based funding, however, can impact an organization’s ability to innovate and to stay
competitive in the marketplace.
• To facilitate innovation and accelerate value creation, governance for “systems of
innovation” should be treated differently than governance for “systems of record”.
• An agile approach leveraging prototyping and development at the “system of innovation” –
the API layer - enables you to move rapidly to identify, validate and act on new initiatives,
and to introduce heavier-weight governance only when absolutely needed.
• Building a software development life cycle around a highly automatable API platform can
accelerate the pace of innovation by eliminating or replacing slower governance
processes.
• Robust security, monitoring, management and problem determination features enable easy
and effective operational governance.
25

26. Questions?

27. Thank you

28. Material and stuff to read
• http://www.programmableweb.com/news/governance-vs-innovation-do-they-have-to-be-
enemies/2013/02/27
• http://www.wired.com/2013/12/how-apis-fuel-innovation/
• http://apievangelist.com/2013/02/27/what-is-a-better-word-for-governance-when-it-
comes-to-apis/
• http://blog.cobia.net/cobiacomm/2013/04/09/application-services-governance/
• http://weareinnovation.org/2014/02/27/open-innovation-vs-governance-the-api-equation-
to-business-agility/
• http://servicetechmag.com/I86/0914-1
28