Forrester Research calls the application programming interface the poster child of digital transformation. Indeed, everybody from Adidas to Campbell’s Soup is now talking about – and using – APIs.
As the importance and number of APIs grow, so does the need to build, ensure compliance for, and manage them. In fact, the rise of the API has led to the creation of an entirely new product category known as API management. Akana is among the players in the API management space.
We recently interviewed Ian Goldsmith, Akana’s vice president of product management, to learn more about APIs and why the company elected to participate in the All About the API event, which takes place later this month in Las Vegas. Here’s what he had to say.
What new business opportunities are being driven by the growth of the so-called API economy?
Goldsmith: There is no simple answer to this. APIs provide opportunities and threats galore across a range of markets and applications. Think about the emergence of the web in the ’90s; companies started out publishing marketing information, rapidly moved to supporting customer-facing transactions, and then very quickly spawned entire new industries, and transformed or disrupted old industries.
All modern web and mobile apps are built on APIs, and the ways in which companies communicate with each other are increasingly being API driven.
For some specific examples, we have a lot of customers in the banking and financial services space [that] are using APIs to modernize, innovate, integrate and rationalize their applications. One bank in particular published a developer portal with a set of well-considered APIs to enable internal and external developers to build apps to create better end-customer experiences. Many large banks are facing the competitive threat from FinTech companies, and are choosing to create their own FinTech friendly communities driven by APIs to stave off this threat.
We also see a lot of API activity in the IoT realm. One large industrial customer of ours has built a platform for the collection and publication of agronomic data, allowing farmers to upload and store data about their fields and crops, and share this data with agronomic analysis applications that can help them optimize their yield and efficiency.
Is there a market for APIs you would consider the low-hanging fruit? Which markets are the next to leverage APIs extensively?
Goldsmith: We have a recent blog post on this very topic. In summary, the markets that are ripe for API-driven disruption are:
• Regulated industries, specifically banking, financial services, and insurance, and health care;
• The Internet of Things space, which is highly distributed, and automation driven; and
• Startups, or companies with no technology debt.
What are the major challenges API developers face?
Goldsmith: API developers face challenges in three main areas, in addition to delivering an API that offers real value to users, of course.
• Security – especially the balance between au/az and entitlements, threat protection, cryptography, complexity of implementing OAuth, JWT, etc.;
• Management – monitoring, traffic shaping, and QoS management; and
• Documentation/publishing – how to create good docs and how to publish and market the API.
Who within an organization should businesses target when marketing their APIs?
Goldsmith: This is an interesting question because there are really two very distinct audiences for APIs. The API must appeal to developers by being well documented, well structured, having good support, and being easy to use and reliable, etc. Businesses also have to market their APIs to other business constituents to ensure that developers use existing APIs rather than building everything themselves. This means talking to business leaders (CIOs and CFOs), marketing (CMOs) and people in product management.
How do you measure the ROI of an API?
Goldsmith: I’ll turn this question around and ask: How do you measure the ROI of a website? Ask Blockbuster, Tower Records, Borders and other companies that have disappeared in favor of online competitors. APIs will open new opportunities and will defend against disruption. It is not optional to expose APIs.
Who is responsible for security? Is API security more challenging than securing other applications, hardware and networks?
Goldsmith: API security falls under the purview of the CISO, as does all information security. Developers, testers and operations staff are all responsible for API security. API security does introduce some new threats in addition to the OWASP Top 10 threats that apply to web security in general. That includes things like JSON hijacking, XML and JSON schema attacks, bot attacks, etc. New challenges abound because there exists a wealth of new security standards like OAuth, JWT, JOSE and more, each of which introduces complexity, and complexity tends to open up threat opportunities.
Which is better, SOAP or REST?
Goldsmith: Here’s a question that could start some bitter debate. In theory, SOAP may be better for some applications that have strong transactionality and reliability requirements, and possibly for some security constructs (message element level encryption and signature, for example). This is because the WS-* standards have addressed all these things over the years. The problem is that these very standards make implementing these advanced use cases very difficult, especially if interoperability is important. Introducing this complexity introduces risk. In general, the RESTful world has found more modern and often easier ways to solve these issues, e.g. OAuth, JOSE, and the simple use of https to address the majority of the security concerns. The lightweight approach of RESTful services has a lot of advantages, but it does require the architectural discipline to ensure an effective implementation.
How often are APIs changed or updated? How is this accomplished while ensuring minimal disruption to users and their customers?
Goldsmith: Often (every couple of weeks in an agile realm), but rarely in a way that renders them not backward compatible. The second half of the above sentence is very important. Read it again and again. Stick to it.
What kind of standardization is still needed to drive successful mass development and adoption of APIs across verticals?
Goldsmith: Across verticals we have a pretty good set of standards at this point. HTTP (including HTTP/2), JSON, OAuth, JWT and JOSE all provide a solid communication and security framework. These standards all continue to evolve.
The more interesting question is about what’s happening within verticals where it’s about FHIR (health care), PSD2 and XS2A (BFSI), MQTT (IoT) and other industry-specific initiatives, in many cases fueled by government mandates.
How important is it to build an ecosystem around your API(s)?
Goldsmith: The viral nature of a large community will drive success – your community becomes your marketing engine for your API. Ideally, the API will be self-supporting via a community of developers; your community becomes your support team, considerably reducing your own costs to maintain and support your customers.
Can an API program succeed without an ecosystem?
Goldsmith: Sure it can, but it’ll cost you a lot more to market and support it. Also, don’t forget that ecosystems can, and should, exist inside your company as well as externally.
What differentiates one ecosystem from another?
Goldsmith: There are really no common ecosystems across APIs from different companies. Sure, there are catalogs like ProgrammableWeb, but that’s really not an ecosystem. Generally, ecosystems form around a single API, or set of common APIs from one company (think developer.twitter.com). These ecosystems are really differentiated on 10 major themes: Number one is the value of the API, and numbers two through 10 are the user experience. Ok, so that’s only two themes, but I think my point is made. It’s all about user experience.
Why should attendees at All About the API make sure to attend your session and visit the Akana booth?
Goldsmith: Because there’s a lot of meaningless blather about APIs, and I’ll cut through all that and provide an honest and accurate assessment of where things are. People who attend my talk will come away with a much clearer understanding of what they need to do to succeed, and maybe just as importantly, what they must not do in order to avoid failure.
Executive Editor, TMC