API Management and Integrated SOA Governance

API Management how it extends Integrated SOA Governance

Published in: Technology, Business
  • By 2015, APIs will become the primary delivery channel for business services to mobile devices, appliances and partner applications.
  • PaaS = environment for building and deploying apps + cloud characteristics.
  • Traditional vs. new SOA model:
        • Accountability: the ability to define contracts as policies and enforce them at runtime, together with the ability to monitor transactions and generate reports for audit, improves accountability. Self-service contract establishment. Design-time impact analysis for change management.
        • Visibility: end-to-end visibility, transaction tracking and root-cause analysis. Monitoring, metering and metrics. Runtime impact analysis.
        • Control: policy/contract-driven access control. Governance policies for change management and life-cycle management. Role-based delegation and self-service bring operational efficiency without losing control.
        • Agility [self-service provides operational efficiency and agility]: delegated and role-based administration enable distributed management across a large enterprise. Delegated authority and the involvement of multiple roles, vs. dependency on a single role for day-to-day operational activities. Increased organizational agility and reduced IT burden. Seamless integration between design-time and runtime aspects delivers automation with minimal manual intervention. Change management: make sure that agility doesn't come at the cost of stability by effectively managing change across SOA assets, services and APIs.
        • Cloud-centric (native): what does a cloud-native platform mean? Distributed/dynamically wired: find services even when they move, with self-recovery from service disruption. Elastically scalable: scale up and down as needed. Multi-tenant: vertically isolated, controlled resource sharing governed by a contract, in order to maximize resource sharing. 1st gen: machine per tenant. 2nd gen: VM per tenant. 3rd gen: tenants sharing the same container (PaaS) with (service) contract-driven resource allocation. Self-service: a full-service self-service model; decentralized creation and management of tenants; automated governance with delegation and role-based administration; lower operational cost and time to deliver new applications. Monetization: metered and billed granularly. Pay for just what you use.
  • Consumerization & mobile enablement. Leverage existing enterprise resources for APIs: build your APIs using existing enterprise services and assets to bring APIs to market more quickly and cost-effectively.
        • Increase operational efficiency:
        • Capacity and availability management: plan and manage throughput and availability to ensure that you deliver the performance and service levels your customers expect without risking internal system overload.
        • Root cause analysis: track transactions from the API where they enter your business to the back-end services and applications that process them, so you can quickly find and fix problems.
        • Impact analysis: understand the relationships between your business systems and applications, SOA assets and services, APIs, and your customers and partners. This way you will know the potential impact of any changes you plan to make before you make them.
        • End-to-end security: use the appropriate security models and standards for services and APIs even if they are different. Use the SOA Software product set to enable end-to-end security mediation and integration with enterprise security systems.
        • Agility / change management: make sure that agility doesn't come at the cost of stability by effectively managing change across SOA assets, services and APIs.
  • According to Gartner, API Management and SOA Governance are converging into a consolidated space called Application Services Governance. The diagram above shows how API Management relates to SOA Governance. As you can see, SOA Governance includes lifecycle governance and run-time management; API Management adds community management and leverages many of the run-time capabilities and some of the lifecycle capabilities of SOA Governance. Leverage SOA as the foundation for enterprise APIs. Application Services Governance: integrate, mediate, govern and publish.
        • Integrate and mediate legacy applications that were written for different protocols and data formats.
        • Govern services with throttling, message-level security, tokenization, content attack prevention, and authentication, authorization and audit controls.
        • Publish APIs and manage internal or external developers.
  • Throttling of API calls based on identities, location and service level.
  • APIs have their own lifecycle, independent of the back-end service they rely on.
  • The life cycle of a service comprises the following two phases:
        • Design phase: the service architecture team identifies an organization's business needs and models a number of services and application interfaces to support those needs.
        • Run-time phase: the services modeled using the catalog of business needs are used as a roadmap for service creation and exposed as run-time offerings within the organization.
  • A successful API ecosystem has several key players, scenarios and outcomes. API creators create an API; publishers prepare it for community usage; application developers/partners discover APIs, subscribe, and start using them in their applications. Once these applications are installed for end users, usage of those applications invokes APIs underneath. This brings about the opportunity to collect statistics on API usage. These statistics make up the dashboard of your business through APIs: for example, a trend toward higher usage numbers would be a reason to start thinking about scaling. Depending on the business value delivered, the authentication needs of an API can vary as well. Over time APIs evolve, from the creation of newer, better versions to finally reaching end of life. Similar to how a product is managed, APIs once published should be carefully managed and monitored. Integrated API Management is designed to fully support such an ecosystem and is constantly evolving to serve more niche endpoints.
  • SLM is similar to ALM. dPaaS (development Platform as a Service): agile DevOps (e.g., CloudForge/TeamForge from CollabNet, IBM Jazz, test harness, Maven, Chef and Puppet, etc.). ALM to DevOps: orchestrate and govern the entire software delivery process; collaborate across the enterprise. What is DevOps? DevOps = Dev + Ops: the integration of software development with operations to enable the rapid delivery of new capabilities.
  • Visibility and traceability: end-to-end transaction monitoring plus alerting, to provide business transaction assurance. SOA Monitoring and Alerting from Progress Actional: http://www.progress.com/en/Product-Capabilities/transaction-monitoring-alerting.html
  • API Management platform: Gateway (throttling of API calls based on identities, location and service level); aPaaS, e.g., Cloud Foundry; iPaaS, e.g., WSO2; dPaaS (development Platform as a Service): agile DevOps (test harness, Maven, Chef and Puppet).
  • Complex mediation is often not applied within the API gateway. SOA infrastructure often already includes an Enterprise Service Bus that can effectively apply message transformation, protocol switching, credential mediation and content routing. By decoupling complex mediation from the gateway, teams can readily scale the infrastructure and independently evolve a standard, simple API from the complex back-end implementation services. An API and SOA deployment architecture may mirror the figure above.
  • API Management and Integrated SOA Governance

    1. Integrated SOA Governance
    2. Why does API Management matter? Strategic enterprise benefits with API Management
    3. HTML5, Proxy and APIs: The New Three-Tier Architecture
    4. Objectives
        • Resource pooling: multi-tenancy; resource utilization; shared, virtual infrastructure; interoperability
        • On-demand self-service: fine-grained metering; billing & reporting; flexible workload assignment; standard service offerings; quick deployment and automation
        • Rapid elasticity: stateless services; rapid provisioning; flexible topology; high quality of service
        • SaaS delivery model (pay per use)
    5. Traditional vs. New SOA Model: Cloud-centric; Accountability [Contracts/SLAs]; Visibility [Analytics]; Control [Governance]; Agility [Self-service provides operational efficiency & agility]
    6. Driving Force behind API Management
       SaaS-style delivery model for API services:
        • AaaS: providing APIs as a service
        • Access services on any device from anywhere at any time
        • Self-service shifts the IT-centric model to a delegated administration methodology
        • Monetization: usage-based chargebacks
        • Multi-tenancy for the service layer: prevent a single tenant monopolizing resources
        • Analytics-as-a-Service: to offer next-generation analytics/Big Data as an API
        • Low TCO and high ROI
       Cloud Service Brokerage (CSB) infrastructure for healthcare integration:
        • Essential for Health Information Exchange (HIE) and EMR/EHR projects, to facilitate secure information exchange between disparate organizations across boundaries
        • API marketplace to browse the API catalog, subscribe to APIs and establish contracts (SLAs)
        • Customization: implementing unique services or capabilities beyond the original services
        • To apply cross-cutting concerns like security, privacy, QoS, policies and mediations without impacting upstream and downstream systems
    7. Driving Force behind API Mgt (Cont'd)
       Consumerization & mobile enablement:
        • To support Bring Your Own Device (BYOD) programs and Mobile Device Management (MDM)
        • To modernize services for mobile consumption [cache, compress, pagination, pre-fetch content, WAN optimization: chatty to chunky interfaces]
        • To secure REST APIs: map web SSO and SAML to mobile-friendly OAuth, OpenID Connect and JSON Web Tokens
        • To adopt the mobile app paradigm by leveraging existing enterprise assets
       Increase operational efficiency:
        • Fully integrated API Mgt suite (turnkey solution that includes development, runtime and operational governance capabilities)
        • Reduce IT burden: delegated, role-based administration via 24/7 self-service portals vs. dependency on limited IT resources
        • High visibility with real-time dashboards for root cause analysis
        • Impact analysis for change management
        • Elastic scalability: scale-out / auto-scale all components
    8. Integrated SOA Governance
       Gateway:
        • Policy enforcement [contracts/SLAs]
        • Mediations [protocol, identity, format]
        • Access control [ACL, OAuth, API keys]
        • Metering [audit, usage tracking]
        • Service virtualization [customizations]
        • Traffic shaping
       Lifecycle Management:
        • Life-cycle management [service & policy assets]
        • Governance [compliance & approvals]
        • Metadata [repository & registry]
       Operational Management:
        • Transaction tracking [operational responsiveness]
        • Root-cause analysis [exception management]
        • Centralized management [cluster-wide configuration]
        • Business activity monitoring [real-time business visibility]
       API Management:
        • API catalog [discover APIs]
        • Reports [analytics]
        • Contracts [SLAs]
        • Self-service [developer on-boarding, key delivery, approvals & API access provisioning]
    9. How does API Management relate to SOA Governance? Gartner's Application Services Governance
    10. Gateway
        • Service virtualization for exposing on-premise and external APIs as services
        • Authentication and access control: enforcing OAuth or API key access on inbound RESTful requests and proxying these to internal services; credential mapping; identity propagation
        • Data format mediation, with support for conversion of unstructured, semi-structured and structured XML data into RESTful API responses
        • Protocol mediation across a wide range of protocols including SOAP, JMS, MQ, FTP(S), raw TCP and custom protocols
        • Content attack prevention, including support for XML and HTTP level content threats, denial-of-service protection and policy-based input validation
        • SLA management and rate limiting, including support for identity-based metering of API calls and externalized policies that enforce a consistent quota across a cluster of gateways
        • Policy engine, with support for service composition, orchestration (conditionals and looping), response caching and pagination expressed as policy, not code
    11. API Gateway
        • Greater flexibility for changing policy requirements
        • Consistent processing across multiple services
        • On-demand API customizations for individual client needs
    12. API Management
        • API product management: API packaging of existing services as products
        • Developer on-boarding and registration
        • Portal administration and content management system
        • Reporting and analytics for API usage and latency
        • Developer-facing services catalog
        • Developer enablement tools, such as IO Docs, which provide mock responses for testing APIs
        • Admin tools, to allow administrators access to developer approvals
        • Community tools, such as forums, blogs and application galleries
    13. Collaboration between Roles
    14. Service Lifecycle Management (SLM)
        • Lifecycle manager [service & policy assets, service level agreements (SLAs)]
        • Development governance [SDLC, DevOps, versioning and change management]
        • DevOps forge [test harness, self-service, continuous integration, configuration and deployment automation …]
        • Change governance & release management [compliance & quality management, approval workflow and notifications]
        • Relationship tracking [design-time impact analysis]
        • Metadata [federated repository & smart end-point registry]
    15. SLM: 3 Rings of Functionality
       SOA SLM:
        • Life-cycle management
        • Control: approval workflow
        • Governance policy
       SOA repository:
        • Asset metadata
        • Asset storage and reference
        • Service version management
       Service registry:
        • Runtime service lookup
        • Runtime policy lookup
        • UDDI interface
    16. Service vs. API Lifecycle
    17. DevOps: Service Lifecycle Management
       Project and team management; software development workflow; governance and compliance; development tools; issue tracking; source control; continuous build; continuous integration; test harness; continuous delivery (configuration mgt); continuous performance management; metadata repository. dPaaS/DevOps: development Platform as a Service.
    18. DevOps: Test-Driven Development + Continuous Integration + CPM
    19. Operational Management
        • Transaction tracking [operational responsiveness]
        • Root-cause analysis [exception management]
        • Centralized management [cluster-wide configuration]
        • Business activity monitoring [real-time business visibility]
    20. Operational Management
    21. Operational Management
        • Capacity and availability management: plan and manage throughput and availability to ensure that you deliver the performance and service levels your customers expect without risking internal system overload.
        • Root cause analysis: track transactions from the API where they enter your business to the back-end services and applications that process them, so you can quickly find and fix problems.
        • Impact analysis: understand the relationships between your business systems and applications, SOA assets and services, APIs, and your customers and partners. This way you will know the potential impact of any changes you plan to make before you make them.
        • End-to-end security: use the appropriate security models and standards for services and APIs even if they are different. Use the SOA Software product set to enable end-to-end security mediation and integration with enterprise security systems.
    22. (Architecture overview diagram; labels recovered from the slide)
       Roles: app developer; service developer; service administrator; IT command center; consumers; enterprise departments; web apps.
       Back-end services: internal RESTful services; SOAP web services; legacy services (AS400, mainframe); data access services; internal PaaS APIs; external SaaS APIs; Service #1, Service #2, Service #3.
       Gateway: service virtualization; authentication and access control; data format mediation; protocol mediation; content attack prevention; SLA management, rate limiting; lightweight ESB: service orchestration and composition.
       API Management: API product management; developer on-boarding; portal administration; reporting and analytics; API monetization; developer-facing service catalog; developer enablement tools; admin tools & community tools; on-demand self-service: API key mgt …
       Operational Management: centralized management [cluster-wide configuration]; root-cause analysis [exception management]; transaction tracking [operational responsiveness]; business activity monitoring [real-time business visibility]; SLA management [SLA monitoring and alerts].
       Lifecycle Management: lifecycle manager [service & policy assets]; development governance [SDLC & versioning]; DevOps forge (test harness, Git …); change governance [compliance & approvals]; relationship tracking [impact analysis]; metadata [federated repository & registry].
       Identity & access management. Protocols shown: REST, OAuth, facade, SOAP, JMS, FTP, WS-Trust.
    23. API and SOA Deployment Architecture
        • API-consuming application
        • API interface exposed by the API gateway
        • Service virtualization, composition and orchestration hosted by the Enterprise Service Bus
        • Atomic business services hosted by the application server and business process server
    24. API Best Practices
    25. Evolve to Cloud Services Brokerage (CSB)
       Cloud Service Brokerage (Healthcare Service Hub); Enterprise Service Brokerage; Enterprise API Management; API Gateway; API Broker (aggregate, integrate, customize); Partner Developer Portal; Internal Developer Portal; API Provider Portal; API Broker Portal; own APIs; 3rd-party APIs.
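Slides 8 and 10, and the note on throttling API calls by identity and service level, describe the gateway's access-control, identity-based metering and cluster-consistent quota functions in words only. The following Python is an added example, not code from the presentation or from any vendor product: it resolves an API key to an identity and service level, applies an externalized per-tier policy (request quota per time window and a maximum body size), counts calls in a store shared by all gateway nodes, and records every decision for metering and audit. The API keys, identities, tiers and quota values are constructed sample data, and the in-memory `SharedCounterStore` stands in for whatever distributed store a real gateway cluster would use.

```python
"""Gateway policy enforcement: API-key identity resolution, tiered quotas
enforced through a cluster-shared counter store, and policy-based input
size validation with an audit trail for metering. Example code added for
illustration; not code from the presentation or from any vendor."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Externalized policy, keyed by service level (constructed sample values).
POLICY = {
    "gold":   {"quota": 100, "window_s": 60, "max_body_bytes": 65536},
    "silver": {"quota": 10,  "window_s": 60, "max_body_bytes": 16384},
}

# API keys delivered at developer on-boarding -> (identity, service level).
# Constructed sample data; a real gateway reads these from its key store.
API_KEYS: Dict[str, Tuple[str, str]] = {
    "key-acme-001": ("acme-mobile-app", "gold"),
    "key-beta-002": ("beta-partner", "silver"),
}


class SharedCounterStore:
    """Stands in for a cluster-shared store (e.g. a distributed cache) so
    that every gateway node counts against the same per-identity quota."""

    def __init__(self) -> None:
        self._counts: Dict[Tuple[str, int], int] = {}

    def increment(self, identity: str, window_id: int) -> int:
        key = (identity, window_id)
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key]


@dataclass
class Decision:
    allowed: bool
    status: int          # HTTP status the gateway would return
    reason: str
    identity: Optional[str] = None
    audit: dict = field(default_factory=dict)


class Gateway:
    """One gateway node; several nodes share one SharedCounterStore."""

    def __init__(self, store: SharedCounterStore, node: str,
                 policy=POLICY, keys=API_KEYS) -> None:
        self.store, self.node, self.policy, self.keys = store, node, policy, keys
        self.audit_log: List[dict] = []  # metering records for reports and audit

    def handle(self, api_key: str, body: bytes,
               now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        entry = self.keys.get(api_key)
        if entry is None:
            # Unknown key: reject before any back-end service is touched.
            return self._record(Decision(False, 401, "unknown API key"), now)
        identity, tier = entry
        rules = self.policy[tier]
        # Policy-based input validation runs before quota accounting, so an
        # oversized request is rejected without consuming the caller's quota.
        if len(body) > rules["max_body_bytes"]:
            return self._record(Decision(False, 413, "body exceeds policy limit",
                                         identity), now, tier)
        window_id = int(now // rules["window_s"])
        count = self.store.increment(identity, window_id)
        if count > rules["quota"]:
            return self._record(Decision(False, 429, "quota exceeded", identity),
                                now, tier, count)
        return self._record(Decision(True, 200, "ok", identity), now, tier, count)

    def _record(self, d: Decision, now: float, tier: str = "",
                count: int = 0) -> Decision:
        d.audit = {"node": self.node, "ts": now, "identity": d.identity,
                   "tier": tier, "count": count, "status": d.status}
        self.audit_log.append(d.audit)
        return d


def usage_report(*gateways: Gateway) -> Dict[str, Dict[str, int]]:
    """Aggregate metering records from all nodes per identity (the raw
    material for the reports/analytics and SLA-monitoring functions)."""
    report: Dict[str, Dict[str, int]] = {}
    for gw in gateways:
        for rec in gw.audit_log:
            ident = rec["identity"] or "<unauthenticated>"
            stats = report.setdefault(ident, {"allowed": 0, "denied": 0})
            stats["allowed" if rec["status"] == 200 else "denied"] += 1
    return report


if __name__ == "__main__":
    store = SharedCounterStore()
    node_a, node_b = Gateway(store, "gw-a"), Gateway(store, "gw-b")
    t0 = 1_000.0
    for _ in range(6):
        node_a.handle("key-beta-002", b"{}", now=t0)
        node_b.handle("key-beta-002", b"{}", now=t0)  # 11th and 12th calls are throttled
    print(usage_report(node_a, node_b))
```

Because both nodes increment the same counter, the silver tier's quota of 10 per window holds across the cluster rather than per node, which is the "consistent quota across a cluster of gateways" the slide asks for; the body-size check runs before the counter is touched, so a rejected oversized request does not eat into the caller's quota, and the audit records carry the node, identity, tier and status a metering report or SLA alert would need.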