In our last blog, we argued that a compelling developer experience is key and that a well-designed developer portal can facilitate that. But what about governance, control, guidance and security? Here’s how you get started.
If data is the new oil – what are the oil pumps?
APIs provide standardized, open access to an application service or a data set. In doing so, they help you to…
… monetize your services and capabilities by externalizing them
… leverage valuable pieces from others to create your product instead of building everything on your own
… simplify your application portfolio
… become more flexible in accessing existing and new application services
Make sure you have well maintained oil pumps
Basically, APIs can serve as the pumps that help you access your data oil. It is evident that such a powerful tool requires careful management. A managed API not only has a strong value proposition with a defined target audience and a well-documented and well-designed interface, but it also is under appropriately enforced IT and business governance, hence, control. If the right decisions can’t be easily made and enforced, the open and dynamic nature of APIs is compromised. What is the point of having design, deployment and documentation guidance if no one actually follows that guidance?
Here are the four components of successful API governance:
1. As an API provider, minimize the burden on your developers and still ensure operationally efficient and secure externalization of your capabilities
⦁ Gather statistics about API consumers, the APIs and the developer portal, e.g. track who is calling what
⦁ Take care of appropriate API versioning from inception (initial concept) to definition (detailing and shaping) to development (early versions on development environments, production) and to retirement (sun-setting)
⦁ Set the terms and conditions under which the API can be consumed
⦁ Define the target audience that the API will be shared with
⦁ Define and track key metrics to know whether the API is succeeding in its objectives
⦁ Craft security and traffic policies to protect the infrastructure from malicious attacks or overload, particularly concerning runtime
2. As an API consumer, do not give up the responsibility for your product and its underlying components
⦁ When the consumed APIs are your own, maintaining integrity is relatively easy. Otherwise, diligently assess the security and reliability of external APIs, e.g. by monitoring their present and past behavior
⦁ Ensure that the API is properly authenticated, and authorization is in place
⦁ Check if the API is commercially attractive and fits your business model
⦁ Assess the potential API usage in terms of the experience your end users will have
3. Incentivize your developers by means of leadership and policies to comply with your guidance
⦁ Lead by example and make it easy to follow: Provide blueprints of what you want your developers to do, give examples, craft checklists and reusable packages etc.
⦁ An incentive does not necessarily have to be money: Showcase the work of developers with positive conduct, encourage them to play an active role. On the other hand, refuse to accept behavior that does not contribute to your governance efforts
4. Enforce and enable compliance by means of technology
⦁ Interlink your API governance and developer portal. The portal allows developers to register, subscribe as well as view and create applications but it can also enable stakeholder-level overview, ease of compliance and reporting
⦁ One critical factor is to have a single point to manage policies and enforcement
⦁ APIs can be managed as a product through API management platforms that take care of versioning, scalability, quality, and monitoring of actual use – see the following figure for examples
In a nutshell: Governance done right is the glue that holds your API strategy together
Yes, successful API governance sounds heavy-weight. But, leadership, self-service, and automation make all the difference and are key for both developer experience and secure interfaces led by policies rather than ad-hoc decisions. The key lies within selecting the right API management partner for your business.
Closely related to the abovementioned success factors is the question of how to monetize and measure the valuable APIs that you offer. More on this in our fourth blog post!