Thanks to the good work of my colleagues Eve Maler and Jeffrey Hammond, we have a new Forrester Wave on API Management Platforms, including evaluations of Layer 7, Mashery, WSO2, Intel, IBM, Vordel, and 3Scale. I won't spill the beans on the leaders, but I will share some of their analysis with my own interpretation to explain why you must care. First, let's define API management platforms as:
Middleware that developers use to publish and configure interfaces and that applications use at runtime to connect to the data services they need.
Here's why API management platforms matter:
As you build mobile apps for customers, partners, and employees, you need apps that perform well over the last wireless mile. And that means you need a great, RESTful API that provides design-time and runtime access to data services hosted by your on-premises applications. Think of it as "cloud-connect" technology that lets the data inside your datacenter get out and back (securely) to the mobile app that needs it. As mobile apps get more and more transactional, the need for API management platforms will become even more critical.
You are just getting going on the number, breadth, and complexity of the data service APIs you will need to build and operate. As mobile apps get interesting, with transactions, integrated applications, and more and better content and collaboration, you will need solutions that handle all those integration points. Think of it this way: RESTful interfaces give you the means, but now you need a system to handle the sheer number of APIs you are building today and will build tomorrow.
Open Web developers tend to use a variation of the façade pattern for their applications but refine the pattern to focus on standard web formats and protocols and services delivered via the Web — so we refer to it as the open Web façade. Developers draw on three bodies of de jure and de facto standards to implement the open Web façade pattern:
Client standards. Application clients based on a body of emerging standards collectively labeled HTML5.
Service plane standards. A service plane that exposes interfaces using the REST pattern and resource-oriented architecture principles. These services are often called RESTful web services.
Virtual infrastructure standards. A highly virtualized server tier (often a public cloud service) to which initial solutions are easy to deploy, but which can also scale up or down on demand to meet surges in capacity.
“There is no enterprise — the work we do is a collection of people that dynamically changes through a mix of organization control.” That’s what I heard from one venerable old construction company while working on my new research report, Protecting Enterprise APIs With A Light Touch. I wanted to investigate how enterprises are using and securing lightweight RESTful web services, and in particular to figure out the problems for which OAuth is well suited. (You might recall my request for feedback in a prior post.)
What I found was that forward-thinking enterprises of many types – not just hip-happenin’ Web 2.0 companies – are pushing service security and access management to the limit in environments that can truly be called “Zero Trust,” to use John Kindervag’s excellent formulation. This particular firm dynamically manipulates authorizations to control access to a variety of innovative lightweight APIs on which the whole company is being run, not actually distinguishing between “internal” and “external” users. They’ve kind of turned themselves inside-out.