You Have APIs — Why Aren’t You Managing (all of) Them?
By John Rethans
As I work with customers around the world and across verticals, I’m struck by a common pattern: many savvy business people and technologists grasp the value of the new application programming interfaces (APIs) they’re creating for external ecosystem use cases, such as providing partners access to data or functionality, but they often see both the APIs they already have and those they build for internal use in a different light — not as software products that let developers leverage digital assets but simply as part of the tangle of corporate backend systems and middleware.
This is a problem.
Most businesses already have hundreds if not thousands of APIs. The issue isn’t whether your business is building APIs — it is: APIs for customer experiences, APIs to execute your transactions, APIs to let partners access your digital assets, and many more. As you read this, your organization’s analysts are speccing them, your architects are designing them, and your developers are building them. The issue is what you’re doing with all these APIs and whether you’re properly managing and supporting them.
Whether internal or external-facing and whether they already exist or are being built for new use cases, all APIs represent potential sources of leverageable value in terms of data or process, opportunities to improve developer productivity, and surface areas that can make your enterprise either more or less secure.
In other words, the idea that external and internal APIs or greenfield and legacy APIs should be handled differently is mistaken: all APIs encapsulate core parts of your business, and that means all APIs should be managed. Managing them means, among other things, controlling access to them and monitoring, analyzing, and securing their use. To do otherwise is to risk leaving money and insight on the table or leaving an entryway into your enterprise unguarded.
APIs represent your business
Let’s double click into the idea that APIs represent your business, regardless of whether they’re serving data to external partners and customers or being harnessed for purely internal use cases.
APIs underpin the systems that run websites, mobile apps, e-commerce engines, partner portals, and voice and connected car experiences, among others. They drive digital interactions around a business, and they often power the products, services, and digital assets that companies offer to customers and partners. The resiliency, stability, and agility of your business in many ways rely on your APIs — often not just one, but many of them. Focusing on some while excluding others may hurt your organization.
At many businesses, for example, too many APIs are created and forgotten, leading to the needless recreation of those APIs by future teams. New APIs for partners may be given their due emphasis as software products, but old APIs and APIs built for internal use cases receive inconsistent attention, if any. Most business leaders understand that APIs enable companies to give ecosystems of partners access to digital assets at infinite scale — but they often don’t appreciate that APIs can provide the same efficiencies to ecosystems of internal teams. Failure to manage all APIs can undermine the ability to continually and cohesively leverage the business capabilities many APIs represent — and the efficiency of the enterprise can suffer as a result.
You should ask yourself if your APIs are discoverable by internal teams so they can be reused for future projects. Do you have tools to iterate on APIs so they’re more useful to developers or to bundle several APIs into a product that meets the needs of a given initiative? Are you monitoring your APIs, and if so, can you track performance throughout the value chain, from the backend systems to which APIs provide access all the way to the end users whose experiences API calls create? If an internally-used API is providing extreme value and may be a candidate for externalization, does your organization have the monitoring and analytics capabilities to recognize the opportunity?
Cloud-native architectures are driven by APIs
Many enterprises have decades’ worth of legacy systems and integrations that support core business processes and store data at the heart of their competitive advantage.
Businesses increasingly place these legacy systems behind APIs so those systems can interface with other systems that were architected differently. This approach enables companies to more easily adopt multi-cloud and hybrid strategies, such as software in one cloud communicating with software in another cloud or in an on-premises system. APIs are often critical to allowing old and new systems to drive value together.
Some APIs used in new cloud architectures may be internal-facing while some may power partner and end user experiences — but they all need to be managed. When businesses modernize for the cloud, for example, many decompose monolithic applications into microservices managed by a service mesh and exposed by APIs so that given components of these applications can be individually updated, deployed, and moved among hosting environments. Without API management to provide visibility into how the APIs exposing legacy systems are being used, a company may lack the insight to make strategic decisions about when and how to upgrade legacy systems.
The transition to a modern technology stack does not happen overnight, so if your business is planning its evolution, you may want to focus first on systems that drive value to customers, and pass all API traffic — whether from an old API or a new one, and whether from an external call or an internal one — through a management platform. This enables you to create analytics so you can not only better understand demand for and performance and usage of your digital assets but also leverage this data to plan your app modernization efforts.
APIs are the doors to the enterprise
Every API is an opportunity either to make your enterprise more secure or to give bad actors a way in. Why would a business take the time and care to secure new APIs from attack but leave legacy APIs vulnerable?
Remember, both greenfield and legacy APIs encapsulate your business. This means they are effectively doors to the enterprise — and those doors should have locks. To protect your APIs and make them reliable digital assets, you need to apply authentication, monitoring, and traffic management across the entire portfolio.
Too many organizations fail to understand how and by whom APIs are being used, which can cause these enterprises to learn of security weaknesses, threats or breaches only after the damage is already done. Robust API management can provide the visibility, control, and security needed to defend every API from malicious threats. Greenfield or legacy, internal or external, APIs are the doors to your business, and no door should be neglected or left unlocked.
All APIs need management
When executives discuss their API strategies, it’s easy for them to focus on finding one magical API that will stimulate external ecosystem participation. External APIs and ecosystems are important — but if you are over-indexing on only a sliver of all possible API use cases, you’ll leave value on the table.
Instead, we on Google’s Apigee team recommend that organizations step back and remember that you probably have hundreds or thousands of APIs already, and that each one is a potential opportunity to make the business more efficient and productive, to gain new insights into how the business operates, and to protect the organization from security threats.