An emerging strategy for effectively managing mobile devices lies in addressing the application

programming interfaces (APIs) used to feed them information. That strategy shifts the focus of
management from a webpage orientation towards a rich set of APIs that can be accessed by a wide
variety of mobile applications, according to Roberto Medrano, chief technology officer of SOA
Software Inc., a Web tools vendor. Towards that end, organizations need to think about API lifecycle
management to govern the underlying infrastructure.
APIs exist as a way to provide information and to enhance an organization's own development
efforts. Organizations need to think about API version control and legacy asset support, Medrano
said. They also need to consider global governance of use policies and integrated security as key
aspects to API lifecycle management. Any deficiency in any of those areas can impact application
performance and availability, as well as increase risk exposure to data integrity, confidentiality and
system reliability.
One reason APIs are exploding today: the growth of mobile devices and applications. A governance
model is in place for a service-oriented architecture (SOA), but organizations often miss out on using
it for APIs as well, Medrano said.
APIs: A different twist on services
Services are typically built on top of monolithic apps that might offer thousands of services.
Organizations break up applications up so they can reuse services for other apps.
By focusing on the APIs, organizations can greatly simplify the management of information sent to
mobile applications and their users.
APIs are a more recent phenomenon. The concept of APIs has been applied previously for managing
traditional computer applications, but the newer generation of APIs are mainly representational state
transfer (REST)-based, and work over the Web. These are better-suited for mobile applications -- a
factor that has helped to drive their growth.
Right now, API use remains small in the overall scheme of things. But as this area continues to grow,
it will require improved lifecycle management and governance. That, in turn, affects how
organizations manage APIs, the different versions of APIs, and the promotion of APIs from
development through testing and production.
APIs and services rely on different protocols and behave differently, as well. APIs are becoming
popular primarily due to the explosion of mobile application development. Because mobile devices
tend to have limited capabilities, developers need to think about creating applications that can
consume simple services that are Web- or JSON-based. Many old SOA concepts apply to APIs, too.
There is nothing essentially different about them, other than that they are simpler and, in more cases,
externally facing. A developer community needs to test them out and document them, as well.
Governance best practices are often enforced by the need to maintain regulatory compliance. Many
companies have policies in place to keep sensitive application data on-premises. Some of them have
full control for compliance where the data is only used by on-premises applications. Large
enterprises would like have a need to manage the data shared outside of internal company
applications.
There are four roles involved in API management: a business manager than needs an app or API; the
developers that create the APIs; the individuals that run APIs; and the people responsible for
promoting the APIs for developers. Each role has a different focus on the API structure.
The glue that binds
Among the biggest challenges of good governance is the fact that large enterprises have a set of
disparate components, such as .NET, Java, and open source. Currently, there's no way to change
these into a homogenous infrastructure. As a result, plenty of mediation needs to occur.
Pro+
Features
Enjoy the benefits of Pro+ membership, learn more and join.

E-Handbook
Cloud computing applications force attitude adjustment in the enterprise
Organizations may face a mixture of different types of authentication and security infrastructure, as
well, which will also need some kind of glue between them. By focusing on the APIs, organizations
can greatly simplify the management of information sent to mobile applications and their users.
"A lot of people don't understand the security aspects of APIs," Medrano said. In the heterogeneous
environment, the client might support Security Assertions Markup Language (SAML) tokens, while
the back end servers are Microsoft-based.
The APIs could be receiving exposure to Platform as a Service applications, mobile devices, sensors,
and other types of devices. The main issues that occur with APIs and services surround
authentication and authorization. A less-prominent issue is the potential for SQL injections, which
can also create security risks for APIs.
The first step: Think about authentication and authorization. When a user is calling out to an API, the
app itself needs to be authorized.
Secondly, the user needs to be authorized to access the API. These could use LDAP, single sign-on
or Active Directory. They might also invoke new authorization standards like OAuth, or OpenID.
With large payloads going through firewalls, hackers also might use the APIs to launch attacks such
as an SQL injection.
Take control of the API lifecycle
Managing the complete lifecycle of APIs -- from planning through creation and deployment -- is
important. The four steps in good API management include planning, development governance,
operational governance, and the sharing of APIs with authorized developers.

George Lawton asks:
Are APIs part of your strategy for managing mobile
devices?
2 Responses
Join the Discussion
Prev
1. 1
Next
Organizations often rush to create an API without lifecycle management or governance, Medrano
said. Then when it comes to versioning, they face some serious issues. The main problem: When
organizations try to get things out quickly, they often do so without taking the time to think about
good governance. As API usage grows and deployment matures, organizations need to think about
the management of the different versions of APIs, which can provide multiple hooks into an
organization's data infrastructure.
The API's lifecycle should be controlled so only permissible versions are in production at the various
stages: planning, development, production and retirement. In addition, key stakeholders -- such as
line-of-business managers, IT managers, information security staff, and compliance staff -- should
have visibility into the state of the API. They should always be confident that they're looking at the
correct version. In addition, APIs should be subject to authentication and authorization processes to
protect enterprise IT assets from misuse, threats to availability, or breaches of privacy.