Welcome!

Apache Authors: Elizabeth White, Pat Romanski, Liz McMillan, Christopher Harrold, Janakiram MSV

Related Topics: @DevOpsSummit, Microservices Expo, @CloudExpo, Apache

@DevOpsSummit: Blog Feed Post

API Axes - Categorizing APIs By @Axway | @DevOpsSummit [#DevOps]

This week there has been a great discussion between David Berlind of ProgrammableWeb and Kin Lane of APIEvangelist.com

This week there has been a great discussion between David Berlind of ProgrammableWeb and Kin Lane of APIEvangelist.com, on the topic of categorizing Public and Private APIs. David quotes my ProgrammableWeb piece on Uber and ESPN, which talks about different API strategies, public and private. He makes some great points on the fact that many APIs are not fully public. I thought I'd expand on it here:

I believe there are two axes which can be considered:

First of all, let's look at API Exposure. The two categories are:
  • External : Able to be used outside the organization.
  • Internal : Used only inside the organization
Secondly, let's look at API Management. It may be one of three categories:
  • Open: Anybody can use the API, anonymously with no controls
  • Requires Registration: Has a public registration page ("API Developer Portal"), where developers can sign up for an API Key. Developers are identified with API Keys and usage is monitored accordingly.
  • "Dark" APIs: I first heard this term used by Anand Shamra from Cisco. I like the analogy with Dark Matter, which is all around us, but we don't see it. These are APIs without a public registration page. As an example, there is no public Pandora API, but hardware manufacturers such as Roku still can connect to Pandora via an API.
These axes are orthogonal. Using these axes, APIs divide into six categories. I've put them into a table below:


External
Internal
Open No registration required. Usually they take the form of read-only public data feeds. An example is the Nobel Prize API, which allows a developer to query information about Nobel Prize winners. Another example is the Massachusetts Roadway Events API. Open to all internal access, for example a Company Directory API. Note that API Management (specifically, an API Gateway/proxy) may still be used to monitor usage and protect against abuse such as data-harvesting.
Requires Registration Requires the developer to register, and may have an approval process before they gain access, e.g. the CVS Caremark API. Anyone can read the documentation, but developers have to register to use the API. These APIs may have a DaaS (Data as a Service) approach, like the Dun and Bradstreet D&B Direct API. Internal corporate API Developer Portals. Many large organizations use internal API Developer Portals to manage API usage across teams, which often include partners such as Systems Integrators. The general public cannot access the developer portal.
"Dark" No public developer page, and based on a business relationship. Often these take the form of B2B APIs between companies. An example is a 401.K provider which uses APIs to receive allocation amounts from its corporate clients, through an API Gateway. Inter-government APIs for sensitive intelligence data sharing also fit into this category. Developer access may be "by invitation only". These APIs often are use SOAP or XML because they are not designed for open use. e.g. manufacturing system APIs or drug-trial lookup APIs used in pharmaceutical companies. These often still take the form of SOAP Web Services since they have not been designed to encourage widespread developer access.


This is a fruitful area of debate, so I've anticipated some of the questions below:

Q&A:

Q: "Why not say 'Private' APIs instead of 'Dark' APIs?"
A: I feel that 'Private' has too much potential confusion with "internal".

Q: "Does 'open' mean there are no security or API management requirements?"
A: Since I work for an API Management vendor (Axway), you can expect me to answer "of course not!" here :-). But, realistically, if  an API is fully open to the world, that is all the more reason to ensure that it's not subject to misuse such as data-harvesting, denial-of-service, or attempts at application-layer attacks. You should also keen track of how its being used, using API usage analytics. In particular, internal "open" APIs are precisely the APIs which can be subject to internal attacks, often by attackers who get onto the internal network by (for example) compromising weak WiFi security. Access to these APIs must still be monitored and logged. Consider the example of Sony Pictures which, by some accounts, was the subject of an insider attack.

Q: "Could you not say that an API with an external developer portal is still an 'Open' API, because anyone can (at least in theory) use it once they are approved?"
A: In many cases, the API which requires registration is linked to a business relationship. For example, in the case of the D&B  API which has a "Data as a Service" model (which you can read about more in this account of our API Workshop presentation by D&B recently), the API is an important new revenue channel and access is metered by an API Gateway. Here I'm using "Open" to mean that anyone can access the API without any kind of registration.

Q: "Could you say that some internal APIs are only 'Dark' just because nobody knows they exist?"
A: Yes, and these are the wrong kind of Dark APIs. Wired Magazine has noted that "It is insanely easy to hack medical equipment" because many have "embedded web services that allow devices to communicate with one another and feed digital data directly to patient medical records." These are examples of internal APIs which Randy Heffner from Forrester has called "Product APIs". Do you know if devices on your network have product APIs? Are they protected? Do you even know about them? Could an attacker, who can get onto your network, misuse them?

Q: "With 'Deperimeterization', can you not say that 'Everything is an External API'"?
A: This week I visited a customer, a large pharmaceutical, which explained they have a fully "flat" network. However, they still use API Gateways to control access. It's all the more reason to have an API Management layer in place.

This is a hot topic, and I anticipate more debate on it! I suggest everyone follow @DBerlind and @Kinlane on Twitter to take part.

Read the original blog entry...

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.

IoT & Smart Cities Stories
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
Whenever a new technology hits the high points of hype, everyone starts talking about it like it will solve all their business problems. Blockchain is one of those technologies. According to Gartner's latest report on the hype cycle of emerging technologies, blockchain has just passed the peak of their hype cycle curve. If you read the news articles about it, one would think it has taken over the technology world. No disruptive technology is without its challenges and potential impediments t...
If a machine can invent, does this mean the end of the patent system as we know it? The patent system, both in the US and Europe, allows companies to protect their inventions and helps foster innovation. However, Artificial Intelligence (AI) could be set to disrupt the patent system as we know it. This talk will examine how AI may change the patent landscape in the years to come. Furthermore, ways in which companies can best protect their AI related inventions will be examined from both a US and...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San...