by 2015, APIs will become primary delivery channel for business services to mobile devices, appliances and partner applications.
PaaS = Environment for building and Deployment Apps + Cloud Characteristics
Accountability ability to define contracts as policies and enforce them in runtime and ability to monitor transitions and generate reports for audit, improves accountability. Self-Service contract establishment. Design time Impact Analysis for change management. Visibility End-to-End visibility, transaction tracking and root-cause analysis. Monitoring, Metering and Metrics. Runtime Impact Analysis Control Policy/contract driven access control. Governance policies for change management and life-cycle managementRole based delegation and self-service brings operational efficiency without losing control. Agility – [Self-Service providesOperational Efficiency & Agility]Delegated and role based administration enable distributed management across a large enterprise.Delegated authority and multiple roles involvement vs. dependency on sing role for day-to-day operational activities. Increased Organizational Agility and Reduced IT Burden.Seamless integration between design-time and runtime aspects deliver automation with minimal manual intervention.Change management - Make sure that agility doesn’t come at the cost of stability by effectively managing change across SOA assets and services and APIs.Cloud Centric (Native) What is Cloud Native Platform means? Distributed/Dynamically Wired – find services even when they move, self-recovery from service disruption. Elastically Scalable – scale up and down as needed. Multi-tenant -Vertical isolated, controlled resource sharing governed by a contract. For maximizing resource sharing. 1st Gen: Machine per Tenant 2nd Gen: VM per Tenant 3rd Gen: Tenant sharing same Container(PaaS) with a (service)contract driven resource allocation. Self-Service – full-service self-service model. De-centralized creation and management of tenants. Automated governance with delegation and role-based administration. Lower the operational cost and time to deliver new applications.Monetization – Metered and billed granularly. Pay of just what you use.
Consumerization & Mobile EnablementLeverage Existing Enterprise Resources for APIs - Build your APIs using existing enterprise services and assets to bring APIs to market more quickly and cost effectively.Increase Operational EfficiencyCapacity and Availability Management - Plan and manage throughput and availability to ensure that you deliver the performance and service levels your customers expect without risking internal system overload.Root cause Analysis - Track transactions from the API where they enter your business to the back end services and applications that process them so you can quickly find and fix problems.Impact Analysis - Understand the relationships between your business systems and applications, SOA assets and services, APIs and your customers and partners. This way you will know the potential impact of any changes you plan to make before you make them.End-to-end Security - Use the appropriate security models and standards for services and APIs even if they are different. Use the SOA Software product set to enable end-to-end security mediation and integration with enterprise security systems.Agility Change management - Make sure that agility doesn’t come at the cost of stability by effectively managing change across SOA assets and services and APIs.
According to Gartner API Management and SOA Governance are converging into a consolidated space called Application Services Governance.The diagram above shows how API Management relates to SOA Governance. As you can see SOA Governance includes lifecycle governance and run-time management, API Management adds community management and leverages a lot of the run-time capabilities and some of the lifecycle capabilities of SOA Governance.Leverage SOA as the foundation for Enterprise APIs. Application Service Governance : Integrate, Mediate, Govern and Publish Integrate and mediate legacy applications that were written for different protocols and data formats Govern services with throttling, message level security, tokenization, content attack prevention, and authentication, authorization and audit controls Publish APIs and manage internal or external developers
throttling of API calls based on identities, location and service level
APIs have their own lifecycle, independently from the back-end service they rely on
The life cycle of a service comprises of the following two phases:Design phase: The service architecture team identifies an organization's business needs and models a number of services and application interfaces to support those needsRun-time phase: The services modeled using the catalog of business needs are used as a roadmap for service creation and exposed as run-time offerings within the organization.
A successful API ecosystem has several key players, scenarios, and outcomes - API creators create an API, Publishers prepare it for community usage, Application Developers/Partners discover APIs, subscribe, and start using them in their applications. Once these applications are installed for end users, usage of those applications invoke APIs underneath. This brings about the opportunity to collect statistics on API usage. These statistics make up the dashboard of your business through APIs. For example tracking for higher usage numbers would be a reason to starting thinking about scaling. Depending on the business value delivered, authentication needs of an API can vary as well.Over time APIs will evolve from creating newer, better versions to finally reaching end of life. Similar to how a product is managed, APIs once published should be carefully managed and monitored. Integrated API Management is designed to fully support such an ecosystem and is constantly evolving to serve more niche endpoints
SLM is similar to ALM dPaaS (development Platform as a Service) : Agile DevOps -(e.g., CloudForge/TeamForge from CollabNet, IBM Jazz, Test Harness, Maven, Chef and Puppet etc) ALM to DevOps: Orchestrate and govern the entire software delivery process; collaborate across the enterprise.What is DevOps?DevOps = Dev + Ops : The integration of software development with operations to enable the rapid delivery of new capabilities
Visibility and Traceabilityend-to-end Transaction Monitoring—plus AlertingTo provide business transaction assuranceSOA Monitoring and Alerting from Progress Actional http://www.progress.com/en/Product-Capabilities/transaction-monitoring-alerting.html
API Management PlatformGatewaythrottling of API calls based on identities, location and service level aPaaS e.g., Cloud Foundry iPaaS e.g., WSO2dPaaS (development Platform as a Service)Agile DevOps -Test Harness, Maven, Chef and Puppet
Complex mediation is often not applied within the API gateway. SOA infrastructure often already includes an Enterprise Service Bus that can effectively apply message transformation, protocol switching, credential mediation, and content routing. By decoupling complex mediation from the gateway, teams can readily scale the infrastructure and independently and separately evolve a standard, simple API from complex, back-end implementation services. An API and SOA deployment architecture may mirror the figure above.
API Management and Integrated SOA Governance
Integrated SOA Governance
Why API Management matters?Strategic enterprise benefits with APIManagement
HTML5, Proxy and APIs -The NewThree Tier Architecture
ObjectivesResourcepooling•Multi-tenancy•Resource utilization•Shared, virtual infrastructure•InteroperabilityOn-demandself-service•Fine-graded metering•Billing & reporting•Flexibility workload assignment•Standard service offerings•Quick deployment and automationRapidElasticity•Stateless services•Rapid provisioning•Flexible topology•High Quality of ServiceSaaS delivery model(pay per use)
Traditional vs. New SOA ModelCloudCentricAccountability[Contracts/SLAs]Visibility[Analytics]Control[Governance]Agility[Self-ServiceprovidesOperationalEfficiency & Agility]
Driving Force behind API ManagementSaaS-style delivery model for API Services•AaaS: Providing API’s as a Service•Access services on any device from anywhere at any time•Self-Service shifts IT centric model to a delegated administration methodology•Monetization – usage based chargebacks•Multi-tenancy for Service Layer – Prevent single tenant monopolizing resources•Analytics-as-a-Service: To offer Next-generation analytics/Big Data as API•Low TCO and high ROICloud Service Brokerage(CSB) Infrastructure for Healthcare Integration•Essential for Health Information Exchange(HIE), EMR/EHR projects to facilitate secureinformation exchange between disparate organizations across boundaries.•API Marketplace to browse API Catalog, subscribe APIs, establish contracts(SLA)•Customization – Implementing unique services or capabilities beyond the originalservices•To apply cross-cutting concerns like security, privacy, QoS, policies and mediationswithout impacting upstream and downstream systems.
Driving Force behind API Mgt (Cont’d)Consumerization & Mobile Enablement•To support Bring Your Own Device (BYOD) programs and Mobile DeviceManagement(MDM)•To modernize services for mobile consumption [Cache, Compress, Pagination,Pre‐fetch content, WAN optimization - chatty to chunky interfaces]•To secure REST APIs: Map Web SSO and SAML to mobile‐friendly OAuth, OpenIDConnect and JSON Web tokens•To adapt Mobile App Paradigm by leveraging existing Enterprise AssetsIncrease Operational Efficiency•Fully integrated API Mgt Suite (Turnkey solution that includesDevelopment, Runtime and Operational governance capabilities)•Reduce IT burden – Delegated, role-based administration via 24/7 self-serviceportals vs., dependency on limited IT resources•High visibility with real-time dashboards for Root Cause Analysis•Impact Analysis for Change Management•Elastic Scalability – Scale-out / Auto-Scale all components
how API Management relates to SOAGovernance?Gartner’s : Application Services Governance
GatewayService Virtualization for exposing on-premise and external APIs as servicesAuthentication and Access Control, enforcing OAuth or API key access on inbound RESTful requests andproxy these to internal services, Credential Mapping, Identity PropagationData Format Mediation, with support for conversion of unstructured, semi-structured and structuredXML data into RESTful API responsesProtocol Mediation across a wide range of protocols including SOAP, JMS, MQ, FTP(S), Raw TCP, andcustom protocolsContent Attack Prevention, including support for XML and HTTP level content threats, denial of servicesupport and policy-based input validation.SLA Management and Rate Limiting, including support for identity based metering of API calls andexternalized policies that enforce a consistent quota across a cluster of gatewaysPolicy Engine, with support for service composition, orchestration - conditionals and looping, responsecaching, pagination expressed as policy, not code
API GatewayGreater flexibility for changing policy requirementsConsistent processing across multiple servicesOn-demand API customizations for individual client needs
API ManagementAPI Product Management, API packaging of existing services as productsDeveloper on-boarding and registrationPortal administration and content management systemReporting and analytics for API usage and latencyDeveloper facing services catalogDeveloper enablement tools, such as IO docs, which provide mock-responses fortesting APIsAdmin tools, to allow administrators access to developer approvalsCommunity tools, such as forums, blogs and application galleries
DevOps- Service Lifecycle ManagementProject and TeamManagementSoftwareDevelopmentWorkflowGovernance andComplianceDevelopment ToolsIssue TrackingSource ControlContinuous BuildContinuousIntegrationTest HarnessContinuous Delivery(Configuration Mgt)ContinuousPerformanceManagementMetadataRepositorydPaaS/DevOps - development Platform as a Service
DevOps: Test-Driven Development +Continues Integration + CPM
Operational ManagementCapacity and Availability Management – Plan and manage throughput andavailability to ensure that you deliver the performance and service levels yourcustomers expect without risking internal system overload.Root cause Analysis – Track transactions from the API where they enter your businessto the back end services and applications that process them so you can quickly findand fix problems.Impact Analysis – Understand the relationships between your business systems andapplications, SOA assets and services, APIs and your customers and partners. Thisway you will know the potential impact of any changes you plan to make before youmake them.End-to-end Security – Use the appropriate security models and standards for servicesand APIs even if they are different. Use the SOA Software product set to enable end-to-end security mediation and integration with enterprise security systems.
API and SOA Deployment ArchitectureAPI Consuming applicationAPI Interface exposed by API GatewayService virtualization, composition andorchestration hosted by Enterprise Service BusAtomic Business Services hosted byapplication server, business process server
Evolve to Cloud Services Brokerage (CSB)Cloud Service Brokerage (Healthcare Service Hub)Enterprise Service BrokerageEnterprise API ManagementAPIGatewayAPIBrokerAggregate–Integrate–CustomizePartnerDeveloperPortalInternalDeveloperPortalAPIProviderPortalAPIBrokerPortalOwnAPIs3rd-PartyAPIs