
API Governance

Risk and Control Consideration

“Governance should make it easy for people to do the things the right way and hard for
people to do things the wrong way.”
API Governance Framework
Provides a governance framework (ring fence) where each team can operate in an agile manner and deliver
solutions in line with the organizational Risk Appetite.
Framework diagram: six functional streams arranged around the API lifecycle ring. Recovered content:

Lifecycle ring (centre of the diagram): Vision & Strategy, Discovery, Business Process Architecture, Authentication, API Consumers, Entitlements, API Providers, API Ownership, Data Ownership, Standards, Services Layer, API Lineage, Services Platform, Controls, Risk, Foundational Infrastructure, Deviation, Process, Management, Catalogue, Versioning, Data.

1. API Organization
   a. Guiding Principles
   b. Business Road-mapping & Inventory
   c. Funding Model & Monetization
   d. Operating Model
   e. Roles & Responsibilities
   f. Decision Rights
   g. Syndication Model
   h. API Ownership & Accountability
   i. Define Metrics
   j. Lifecycle Management

2. Policies, Procedures & Standards
   a. Operating Model
   b. Roles & Responsibilities
   c. API Ownership & Accountability
   d. Best Practices
   e. API Development Guidelines
   f. Cataloguing & Classification
   g. API Ontology

3. Risk Controls
   a. Regulatory Compliance
   b. Information Security Controls
   c. Risk Adjudication
   d. API Controls Framework
   e. Controls Automation (CI/CD)
   f. Continuous Controls Monitoring

4. Technology & Platforms
   a. Services Gateway
   b. Services Registry & Catalogue
   c. Information Model
   d. Development Model (Internal & External)
   e. Best Practices
   f. Reference Architecture Blueprint
      i. Conceptual & Logical Layers
   g. Sustainment
   h. Containerization

5. Vendor Management
   a. 3rd Party API Vendor Relationships
   b. Data Ownership & Privacy
   c. Legal Implications

6. Change Management
   a. Business Impact & Readiness
   b. IT Operations
   c. Stakeholder Management
   d. Communication & Training
   e. API Market Place Updates
API Governance Operating Model
Notional functional organization to enable the success of the API strategy.

Diagram: the six functional teams sit around the API lifecycle and are steered from the top by the Stakeholders & Executive Steering Committee, who set vision and strategy.

1. API Organization Team: guiding principles, roadmaps, lifecycle management.
2. Policies, Procedures & Standards: operating model.
3. Risk Control & Security: governance, controls, 1st line of defense.
4. Technology & Platforms: technology enablement and foundational services.
5. Vendor Management: platform and runtime vendor relationships.
6. Change Management: business impact, change and communications.

Notional API User Community
User community interactions. API governance needs to account for the different types of interaction scenarios and the controls that apply at each scenario and interaction point.

Diagram (API eco-system):
• API Producers publish APIs into the eco-system.
• API Consumers: Internal developers; Partners & Trusted Developers; External (3rd party) developers.
• Interaction points shown: API developers who incorporate 3rd party APIs into their code base; systems and applications that consume the API; mobile platform users who consume and incorporate API data into their app development; other 3rd party APIs that …
API Power Plant Analogy – Vision of what we need to build and govern…
APIs provide a simplified standard interface for users to access the power of Citi through foundational architecture and processes.

Diagram (power plant analogy): the API layer abstracts complexity for the user behind a simple standard interface, while the plant behind it provides monetization, metering, elasticity, security and controls.
API and Business Process Context
There is a risk that organizations incorrectly treat APIs as independent entities; APIs should be identified and created within the context of a business process.

Diagram: APIs serve the business processes of the organization.
1.0 API Organization
An API organization is needed to address the following:

a. Guiding Principles: The principles steer the build-out of the API organization and provide the yardstick for measuring API effectiveness: what quantifiable business value does an API deliver, and under which pricing model? They guide API producers in assessing regulatory and reputational impact, reusability, naming conventions, the information model and adherence to standards; help users understand the business process an API enables; and define common traits so that teams are not repeatedly re-inventing the wheel.
b. Business Road-mapping & Inventory: Creates a multi-year roadmap with quarterly goals and updates, and an execution plan with checkpoints aligned to the roadmap. Incorporates input from stakeholders and the Steering Committee. Identifies the assets that really matter, from both a business-value and a risk perspective.
c. Funding Model & Monetization: Translates the roadmap into a funding model and a monetization model for internal and external consumers. Is there a model that captures the end-to-end lifecycle of the APIs? An API presents a single end point, so a splintered funding model puts the API strategy at risk.
d. Functional Team Operating Model: Create and manage the Citi API functional team model and its interactions (see the API Governance Operating Model slide). Track functional changes and ensure communication and updates between groups.
e. Roles & Responsibilities: Clearly outline and help manage the roles and responsibilities across the Citi API ecosystem.
f. Decision Rights: Formalized decision rights: which person or group makes the make-or-break calls.
g. Syndication Model: A model for teams to pool resources and funding and share API management. For example, an API can aggregate data from multiple distributed systems and data sources, which surfaces support and issue-ownership implications.
h. API Ownership & Accountability: Owners translate and personalize change into the impacts within their function or line of business (LOB). They are also the advocate, the go-to person within their function/LOB for understanding the changes.
i. KPI and Metrics Definition: Create KPIs that quantify business value, and metrics the organization can use to measure progress.
j. Lifecycle Management: Own the "dashboard" for the management, care and feeding of the end-to-end lifecycle of the APIs (see the API Governance Operating Model slide).

2.0 Policies, Procedures & Standards
Responsible for policy creation, procedure documentation and standardization…

a. Operating Model: Is there a set of questions that guides the development of APIs and measures their effectiveness? For example: what is the business value, and is it measurable? What is the regulatory impact, and the reputational impact? Which business processes does the API enable? Develop naming conventions, the information model and standards.

b. Roles & Responsibilities: Assign and identify roles and responsibilities within the API ecosystem, in the context of the operating model.

c. Best Practices: Translate the roadmap into a funding model and a monetization model for internal and external consumers. Is there a model that captures the end-to-end lifecycle of the APIs? An API presents a single end point, so a splintered funding model puts the API strategy at risk.

d. API Development Guidelines & Cookbooks: Create API development guidelines for the business (product owners) and development teams to build APIs against a standard Reference Architecture. Cookbooks give step-by-step instructions for building APIs in a consistent model, so that multiple teams can be used to source and build APIs.

e. Cataloguing & Classification: As in a book library, create the process to catalogue and classify the different types of APIs (business, infrastructure, partner, etc.) against a standard taxonomy. Ensure metadata exists for ease of discovery and re-use.

f. API Ontology Model: Building on the taxonomy, create an ontological model for APIs and their semantic relationships and dependencies.

3.0 Risk Controls
The 1st line of defense, helping to drive compliance and assure that the necessary controls are in place…

a. Regulatory Compliance: Understand the regulatory implications of creating APIs. This is especially important once APIs are exposed as public or partner end points.

b. Security Controls: Information security guidelines and standards that ensure APIs are secured, auditable and hardened in line with the Security Standards: at minimum, authentication and entitlement enforcement at the gateway (the Authentication and Entitlements points on the lifecycle ring), encrypted transport, and logging sufficient for audit.

c. Risk Adjudication: As multiple teams and groups build APIs, act as the arbitrator and adjudication agent that assigns risk from an enterprise perspective, in line with the organizational risk appetite.

d. API Controls Framework: Develop a controls framework that follows the API architecture, so each layer and interaction point has a defined control.

e. Risk Controls Automation in CI/CD: Inject compliance controls into the CI/CD process at build time, so that an API which fails a control is stopped before it is published rather than found in production.

f. Continuous Controls Monitoring: Operational monitoring of APIs at run time: metrics gathering, analytics, monetization and value measurement, and verification that the controls enforced at build time still hold for the APIs actually being served.
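Worked example for (e), Risk Controls Automation in CI/CD, added here as an illustration; it is not Citi or IBM code and the deck itself contains no code. The script walks an OpenAPI 3 document and fails the pipeline stage when an operation is reachable without an authentication requirement, references a security scheme that is not defined, lacks a data-classification tag, or is served over plaintext HTTP. The sample specification, the host names and the `x-data-classification` vendor extension used for cataloguing are constructed assumptions.

```python
"""Build-time API control gate: lint an OpenAPI 3 document before it is published.

Added example for the CI/CD controls stream. The spec below, its host names and the
x-data-classification extension are constructed assumptions, not a real Citi API.
"""
import sys
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
# Assumed vendor extension carrying the data classification needed for cataloguing.
CLASSIFICATION_FIELD = "x-data-classification"

# Constructed sample specification with deliberate governance violations.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "Accounts API", "version": "1.2.0"},
    "servers": [{"url": "http://api.example.internal/v1"}],  # plaintext transport
    "components": {
        "securitySchemes": {
            "oauth2": {
                "type": "oauth2",
                "flows": {"clientCredentials": {
                    "tokenUrl": "https://auth.example.internal/token",
                    "scopes": {"accounts:read": "Read accounts",
                               "accounts:write": "Create accounts"}}},
            }
        }
    },
    "paths": {
        "/accounts": {
            "get": {
                "operationId": "listAccounts",
                "security": [{"oauth2": ["accounts:read"]}],
                CLASSIFICATION_FIELD: "confidential",
                "responses": {"200": {"description": "OK"}},
            },
            "post": {  # no security block and no global default: anonymous write
                "operationId": "createAccount",
                "responses": {"201": {"description": "Created"}},
            },
        },
        "/accounts/{id}/balance": {
            "get": {
                "operationId": "getBalance",
                "security": [{"apiKey": []}],  # scheme never defined in components
                "responses": {"200": {"description": "OK"}},
            }
        },
    },
}


def check_spec(spec: dict[str, Any]) -> list[str]:
    """Return one finding per control violation; an empty list means the spec passes."""
    findings: list[str] = []
    for server in spec.get("servers", []):
        url = server.get("url", "")
        if not url.startswith("https://"):
            findings.append(f"server {url!r} is not HTTPS")

    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security")  # applies when an operation sets none

    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            op_id = op.get("operationId", f"{method.upper()} {path}")
            security = op.get("security", global_security)
            # No security, an empty list, or an empty {} requirement all permit anonymous calls.
            if not security or any(req == {} for req in security):
                findings.append(f"{op_id}: no authentication requirement (anonymous access)")
            else:
                for req in security:
                    for scheme in req:
                        if scheme not in defined:
                            findings.append(f"{op_id}: references undefined security scheme {scheme!r}")
            if CLASSIFICATION_FIELD not in op:
                findings.append(f"{op_id}: missing {CLASSIFICATION_FIELD} (cannot be catalogued)")
    return findings


def gate(spec: dict[str, Any]) -> bool:
    """True when the spec may proceed to publication."""
    return not check_spec(spec)


if __name__ == "__main__":
    problems = check_spec(SAMPLE_SPEC)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)  # a non-zero exit blocks the pipeline stage
```

Run as a pipeline step, the non-zero exit is the control: the API cannot reach the gateway or the catalogue until every finding is cleared. The check deliberately treats a missing `security` block the same as an explicit empty requirement, because both publish an anonymous end point.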

4.0 Technology & Platforms
Foundational technology platforms and architecture that enable the organization to realize the API strategy.
a. Technical Stack: Provide a technical reference architecture and stack to jump-start API development.

b. Lifecycle Management: Foundational technology that enables the lifecycle management outlined in the API Organization functional stream.

c. Service Gateway: Gateway infrastructure that creates secure API end points and manages consumers and producers; the gateway is the enforcement point for authentication and entitlement checks.

d. Service Registry & Catalogue: Registry for APIs, with the cataloguing method, naming conventions and policy management.

e. Information Model: Determine and publish an industry-based information model in line with Citi Data Standards.

f. Development Model (Internal & External): Create the environment for developing and publishing APIs, keeping in mind the different interaction paradigms. Manage a developer community to ensure API adoption and contribution.

g. Technology Best Practices: A knowledge base that captures best practices and lessons learned. How do we build effective APIs?

h. Reference Architecture Blueprint: A layered reference architecture that illustrates a multi-tier design, e.g. process layer, conceptual layer, logical layer, services, platforms.

i. Sustainment: Determine the process for sustaining APIs according to their SLAs. Sustainment should take into account a distributed support model (e.g. when an API aggregates data from other APIs or data sources).

j. Containerization: Modular packaging of APIs and platform-agnostic implementation (e.g. Docker).
5.0 Vendor Management
Vendor management for APIs creates new interaction points with partners, development teams and internal stakeholders…

a. 3rd Party Vendor Relationships:
   a. API vendors
   b. Technology vendors
   c. Data vendors

b. Data Ownership & Privacy: Who owns the data? In a distributed data model an API may aggregate or translate data from various systems, or be consumed in various mobile apps. What happens when someone uses an API to build a mission-critical app and the API breaks?
   a. Cross-border movement of data: what are the implications of an API consumer in Europe using an API that serves data from the US? Privacy law depends on the geography you are in.

c. Legal Implications: What are the legal implications when APIs are consumed or produced in the API economy? How do things work in a partnership model? What are the legalities around using social-media or open-source APIs?

6.0 Change Management
Address API changes and their business impact…

a. Business Impact of Change & Readiness: The change management process and its impact on the business and on controls…

b. IT Operations: Change process centred on the IT operations that support APIs.

c. Stakeholder Management: Managed changes for API consumers, vendors, the Steering Committee, business owners, the developer community and integrations.

d. Communication & Training: Communication plan and forum for changes being made, sunset APIs, data quality and training. Developer training, API community support, and marketing to deliver and create API eco-systems and build co-brand and brand recognition.

e. API Market Places: API content management, developer communication, partner integration.

*Source: IBM API Reference Architecture, https://developer.ibm.com/apiconnect/documentation/api-101/ibm-reference-architecture-api-management/
