In the current frenzy over AI there has been lots of debate on the overhyped predictions that AI could make almost half of today’s jobs obsolete. The release of chatGPT has accelerated this conversation, so obviously I was keen to find out if the work we do here at Excelsa could easily be replicated by the latest and greatest stochastic parrot. While the results were superficially impressive, they simply reflected the standard thinking around API architecture that any vendor in the Gartner Magic Quadrant would list as the required capabilities for successfully deploying APIs in your organisation.

The results include the usual functionality to design, develop, test and deploy APIs, in addition to operational capabilities such as monitoring and versioning of the APIs, rudimentary security controls such as identity and access management, and advanced features such as an API Portal to support documentation and developer access. What this reflects is the prevailing mindset that APIs are simply another form of integration technology to be used by highly skilled people who have the required knowledge and expertise. It echoes the sales pitch that all you need to implement an ‘API strategy’ is a leading vendor’s API Manager and an agile-based software development methodology.

We have discussed previously how this approach ignores the role of APIs in driving digital transformation. To realise benefits such as increased customer engagement, new business channels and reduced operating costs, the APIs your company builds need to be actually used, as widely and as often as possible, and in a secure and scalable fashion to avoid operational and reputational risks to your business. The challenge is that most of the ‘leaders’ in the API Management space have created their product to serve the needs of those who build these digital services. As a result these products either lack the capabilities required to drive consumption of APIs, or implement them only in limited ways. As Uri Sarid, the former CTO of MuleSoft, has noted, the #1 source of friction for APIs is getting access to them. At Excelsa, in our work with many diverse clients, we have identified that in order to remove this friction a new reference architecture is required, one that makes it trivial to find, purchase and consume APIs in a secure manner. This reference architecture absolutely includes the capabilities described by chatGPT (or Gartner), but crucially extends them in three key areas required to ensure that your APIs are successfully adopted and provide value to your organisation.

From a portal to an API Storefront 

A standard API portal may be an adequate solution when the consumers of your API are internal developers only. The limitations become apparent, however, when organisations are trying to attract external consumers of APIs, whether they be partners, suppliers or other government agencies. Third parties generally require more than just documentation and access keys. They will expect detailed product and pricing information such as bundling and product tiers; analytics to monitor their API usage, costs and billing information; and self-service capabilities to manage their subscriptions and scale their API usage up or down. Operationally they will want to be able to log support tickets and access help when required. In other words, they expect the same services they receive from their cloud provider such as AWS or Azure, or have come to expect from e-commerce storefronts like Shopify. Standard API portals lack this key functionality, so we often advise clients to consider supplementing their API Management platform with a monetisation solution such as

Trust is a zero-sum game 

It used to be that one of the hardest aspects to advise clients on was the topic of security and zero-trust architectures. Not that clients would argue against it or reject the need for it, but motivating them to actually implement a zero-trust approach was difficult. They would promise to get around to it, but invariably another functional requirement would come in and take priority. They would also be swayed by their API Management vendor and its claims to offer an in-built security solution, such as authentication, authorisation, tokenisation and encryption. Combined with policy management, this does provide a layer of protection for APIs deployed with an API Gateway. Yet as recent data breaches have demonstrated, unless security is built into the infrastructure of your API platform, relying on developers to apply the right security policies or to use an API Gateway can be a flawed assumption. APIs have become an ideal target for threat actors due to their vulnerability, as the large number and scale of API cyber incidents have shown. These incidents have resulted in financial losses of billions of dollars, leakage of millions of customers’ personal information, and the stability and integrity of critical applications and systems being compromised. Even when used as intended, API gateways simply weren’t designed to stop today’s sophisticated API attacks. Features such as access controls, block lists and message filtering provided by API gateways only offer partial protection. We advise our clients to consider a holistic security solution, such as, that automatically deploys threat protection to ensure a zero-sum approach rather than relying on it to be specified for each API.

Cloud Native API Management

Having been an architect and technology buyer for over 20 years I have learnt many lessons when it comes to buying software. One of these is not to simply pick what is listed in the top right of any magic quadrant or as a leader in an analyst report. While helpful, these reports can often be behind major shifts in the marketplace. One such shift is to cloud-native architectures, which provide built-in internet scalability and high availability with lower resource use, to ensure that costs scale in line with the usage (and therefore realised value) of your APIs. Most of the ‘leaders’ as defined by the analysts built their products long before cloud-native architecture became the norm, and their products and pricing reflect this, with software that is optimised for on-prem infrastructure and licensing models that are rigid. It was a conversation I did not enjoy having with my clients when at Mulesoft. They would ask us to support their innovation strategy, which leveraged cloud infrastructure to auto-scale and shut down under-utilised services, and we only offered core-based licensing and fixed-term contracts. At Excelsa, because of the increasing cloud-first approaches, we are seeing organisations start to differentiate between different types of APIs and recognise that a single API Management platform may not always be able to satisfy all requirements, especially when looking at the different requirements for internal APIs, external APIs and potentially even event-based APIs as Kafka-based streaming services become more mainstream. One vendor we would recommend that our clients explore is built using a cloud-native architecture.

We will have more to say shortly on each of these aspects of the new reference architecture model, including a more detailed discussion of some emerging leaders in each identified sector. While Excelsa will proudly remain technology agnostic within our advisory service offerings, we also get asked often by our clients to provide examples of technologies that fit our reference architecture. The ones listed above we believe are currently ‘best-in-class’ and therefore can be a useful starting point for organisations looking to enhance their API capabilities. This certainly doesn’t mean these are the only technologies we would recommend (for example, we are also excited to see what the new venture from the ex-CTO of Mulesoft will realise). Rather it aims to provide a starting point for business owners and architects alike that has already been validated by Excelsa.


Hopefully, this blog has provided a few insights that readers could not simply get from typing “outline a reference architecture for APIs” into chatGPT. If you find that your organisation has not realised the benefits of its investments in APIs, then hopefully the new reference architecture outlined above should provide a starting point to focus on driving consumption of those APIs in a secure and scalable way. This architecture, as part of a well-formed API program, will enable companies to drive digital transformation and remain competitive in a challenging business climate.

  • Business Insights: By understanding who is using your API and how they are using it, you can gain valuable insights into customer behaviour and usage patterns. This can help you to improve the customer’s experience, identify new business opportunities, develop new products or services, and make more informed business decisions.

Knowing who is using your published API is critical to ensuring the security, performance, and reliability of your API. It also provides valuable insights that can help you to improve your business operations and drive growth. Therefore we need a KYC approach for API owners as they attract users of their services and through the lifecycle of their APIs. Borrowing from the approach that banks take
