APIs are an incredibly valuable tool for modern IT — they unlock data, increase agility, encourage innovation, and speed time-to-value. A strategic approach to APIs is vital to your business.
1. Plan for positive ROI
Think about creating a broad pool of resources generic enough that they can be applied to different projects. Reusing capacity improves efficiency and effectiveness while reducing costs and increasing the potential return from projects.
Action Item: Pick “low hanging fruit” with the support of the right executive champions — projects that create the most significant benefit in the least amount of time. Not only will these projects deliver a quick win and help improve the organization's performance, but they will also subsidize the infrastructure that can then be deployed elsewhere and on other projects.
2. Build governance as you need it
Governance is a balancing act. While it is clearly essential to have oversight for projects, roles, and budgets, it’s challenging to wrap distinct parameters around projects when the organization is in such a state of flux. The fine line is to have enough governance processes in place to ensure control but not so many that creating products or services is slowed down.
Action Item: The key to ensuring lightweight yet robust governance is to make a broad API catalog accessible via a self-service API portal. While the initial project may have no critical need for a catalog and portal, thinking about it from the outset enables you to address governance in the context of the broader API strategy.
3. Ground the cloud
While many think a successful API strategy rests on moving everything to the cloud, the reality is different. On-premises is not going away for many good reasons. Instead, focus on wrapping applications in an API-enabling layer that allows them to readily talk to the outside world while still running on traditional infrastructure and architectures.
Action Item: Create a common API layer that can traverse the cloud, on-premises, and mobile devices and applications. This enables you to turn existing systems into broadly consumable APIs (and the reverse). Reusing these elements in subsequent projects will reduce long-term costs and help you achieve a more compelling ROI story to help build your case for future projects.
4. Get a clear view of performance
The distributed nature of modern technology makes it all the more critical to ensure good monitoring is in place — both business-centric and technical.
Action Item: Extract business-level metrics directly from API traffic and feed them into the relevant platforms. End-to-end visibility is critical here; it is only through integrating multiple data sources that you will gain a clear view.
5. Ensure a positive user experience
Suppose you have an API-driven application comprising many different components, each communicating via various APIs. In that case, there is a significant risk of service degradation or even service outages. When this happens, you face unhappy users and potential SLA penalties.
Action Item: To provide a positive user experience and satisfy your formal SLAs, you need a clear picture of the expected service levels for different parts of the platform. This means putting processes and technologies in place to allow business and technical users to measure, monitor, and act on changes in performance.
6. Conduct regular audits
Audit. It’s one of the most dreaded terms in your IT department, but it also has an upside. By regularly conducting an audit, whether for internal security requirements, external regulatory requirements, or even a one-time investigation of suspicious activity, you can ensure services are used correctly, by the right people, and for the right purposes.
Action Item: Whether you see auditing as an opportunity or a burden, it is generally a core, nonnegotiable requirement for your API platform. Make sure you can capture audit trails and then further mine your audit data to gain insights that become more valuable over time.
7. Make security a feature, not a barrier
Today, there is no red or green zone. Enterprise IT extends beyond on-premises infrastructure and the firewall to the cloud, mobile devices, IoT, and various internal and external user communities. There is no clear place to draw the line. Many of the integration points that are crossing the traditional firewall boundaries are APIs.
Action Item: Incorporate security at the infrastructure level using an API gateway to control access and protect data as it flows to and from the cloud. By securing the data, you can meet high-level security and privacy requirements across a modern architecture that reaches multiple cloud services. The same concept applies to securing mobile and IoT APIs.
8. Avoid an identity crisis
Users are now accessing services that span on-premises to the cloud, with various interfaces, including mobile. These users mustn't be forced to sign into each service individually. It’s not only inconvenient, but they will also be tempted to use the same password everywhere, which creates a serious security issue if that password is compromised.
Action Item: Use new identity standards such as OAuth 2.0 to address this problem by implementing identity federation and single sign-on at the infrastructure level. In addition to enabling single sign-on, identity federation provides a security benefit by delivering varying degrees of authorization based on user or provider preferences.
9. Separate policy management
Exposing services as APIs makes them easier to manage but also requires policies to be separate from the APIs. This is because policy enforcement will apply independently for each API, depending on who uses it and in what context or application.
Action Item: Define and enforce policies as higher-level rules that analysts and business stakeholders can understand. They must also be flexible enough to be driven by data, roles, API usage, and other attributes. Otherwise, policies will take too long to build and change and lengthen API deployment times.
10. Use throttling and quota management
When you open up transactions supported by internal systems to the outside world, you can easily see a 4-5x annual growth in transaction volumes, which can overwhelm your existing infrastructure if you don’t plan for it.
Action Item: Apply rules for tiered access levels to an API, such as “Only 10,000 requests per day” or “1,000 API calls per second.” Hand-in-hand, quota management and throttling meet all the prerequisites for API usage monetization.
Learn about API Management Pricing.
