Thanks to the good work of my colleagues Eve Maler and Jeffrey Hammond, we have a new Forrester Wave on API Management Platforms, including evaluations of Layer 7, Mashery, WSO2, Intel, IBM, Vordel, and 3Scale. I won't spill the beans on the leaders, but I will share some of their analysis with my own interpretation to explain why you must care. First, let's define API management platforms as:
Middleware that developers use to publish and configure interfaces and that applications use at runtime to connect to the data services they need.
Here's why API management platforms matter:
As you build mobile apps for customers, partners, and employees, you need apps that perform well over the last wireless mile. And that means you need a great, RESTful API that provides design-time and runtime access to data services hosted by your on-premises applications. Think of it as "cloud-connect" technology that lets the data inside your datacenter get out and back (securely) to the mobile app that needs it. As mobile apps get more and more transactional, the need for API management platforms will become even more critical.
You are just getting going on the number, breadth, and complexity of the data service APIs you will need to build and operate. As mobile apps get interesting, with transactions, integrated applications, and more and better content and collaboration, you will need solutions that handle all those integration points. Think of it this way: RESTful interfaces give you the means, but now you need a system to handle the sheer number of APIs you are and will be building.
I’ve previously written about how modern application architectures are shifting toward compositional, service-oriented architectures — “for real” this time. RESTful services using XML or JSON payloads proliferate because they’re easy for developers of omnichannel clients to use on virtually any device they need to support. It doesn’t matter if they’re building native apps in Objective C or hybrid apps with Cordova — if they can get an open web API call, it’s good enough to move forward.
This shift to web APIs and modern applications means that companies have to shift their API management strategy as well. They need to 1) create the web APIs and 2) create a life cycle to manage them. It’s this life-cycle element that’s conceptually distinct from traditional SOA governance solutions. For one thing, the services live on the open bus of the Internet and carrier networks. Another difference is that web APIs are increasingly made availabe to third-party developers. They may be part of a newly formed developer community, or they may support the growing number of digital agencies and mobile specialist firms that your company uses to supplement development projects. Security and access models are different (e.g., OAuth 2), provisioning access to APIs needs to support light-touch approval workflows, sandboxes where developers can test their calls are important, and analytics that detail call volume and how developers are using APIs are must-have capabilities. Above all, a developer portal that provides good documentation, example code, and quick time-to-value are important if you want to attract and keep developers.
Amazon Web Services (AWS) is great, but many of our enterprise clients want those cloud services and values delivered on premise, behind their firewall, which may feel more comfortable for protecting their intellectual property (even if it isn't). AWS isn't very interested in providing an on-premise version of its solution (and I don't blame them). Today's partnership announcement with Eucalyptus Systems doesn't address this customer demand but does give some degree of assurance that your private cloud can be AWS compatible.
This partnership is a key value for organizations who have already seen significant adoption of AWS by their developers, as those empowered employees have established programmatic best practices for using these cloud services — procedures that call AWS' APIs directly. Getting them to switch to your private cloud (or use both) would mean a significant change for them. And winning over your developers to use your cloud is key to a successful private cloud strategy. It also could double your work to design and deploy cloud management solutions that span the two environments.
Cloud providers and many federated IAM practitioners are excited about OAuth, a new(ish) security technology on the scene. I’ve written about OAuth in Protecting Enterprise APIs With A Light Touch. The cheat-sheet list I keep of major OAuth product support announcements already includes items from Apigee, Covisint, Google, IBM, Layer 7, Microsoft, Ping Identity, and salesforce.com. (Did I miss yours? Let me know.)
OAuth specializes in securing API/web service access by a uniquely identified client app on behalf of a uniquely identified user. It has flows for letting the user explicitly consent to (authorize) this connection, but generally relies on authorizing the actions of the calling application itself through simple authentication. So does the auth part of the name stand for authentication, authorization, or what? Let’s go with “all of the above.”
However, OAuth is merely plumbing of a sort similar to the WS-Security standard (or, for that matter, HTTP Basic Authentication). It doesn’t solve every auth* problem known to humankind, not by a long shot. What other IAM solutions are popping up in the API-economy universe? Two standards communities are building solutions on top of OAuth to round out the picture:
Two years ago, the OAuth API protection mechanism was a fairly well-kept secret. It actually won an award at the 2009 European Identity Conference for "best new/improved standard," but most people didn't seem to have figured out what it was good for yet; I felt like I was the only one even talking about it.
Fast forward a bit, when Facebook started using an early draft of OAuth 2.0 in its Open Graph-based platform, and then a bit more, when Twitter started requiring OAuth 1.0a use by third-party developers (known amusingly as the OAuthcalypse), turning off the HTTP Basic authentication option. And now we're in a world where cloud developers talk casually about the "open API economy" and the ease of getting work done by building RESTful apps, and OAuth is making star appearances in recent gatherings of influential software architects and developers I've attended, such as The Experts Conference and the Internet Identity Workshop.