WSO2 has released a report titled A Road to Success Without Compromise: Managing APIs and Identity Effectively (gated). It looks at the views of companies on API integration and customer identity and access management (CIAM). At 23 pages, it is a very accessible report that reveals some interesting numbers and views.
Over the last year, WSO2 has been refining its message around the need for a digital core to transform a business. According to Ricardo Diniz, Vice President & General Manager Europe, WSO2, “in order to deliver digital transformation, you need to have APIs, you need to have integration, and then you should have identity and access management.”
API usage has exploded over the past five years and brought with it a host of new challenges. Those include security, reliability, integration and manageability. There has also been a significant uptick in the use of open-source APIs, something the report highlights. It states that 87% of companies see significant benefits in open-source APIs.
However, that isn’t the complete story. The report also claims 74% of organisations do not have a fully rolled-out API strategy. It also states 88% accept the technology they use around APIs needs to improve.
Against this background, Enterprise Times spoke with Diniz to find out more about the report.
Governance is key to managing APIs?
As the use of open-source has exploded, we’ve discovered that many popular open-source projects are maintained by very small teams. This creates pressure on them that causes problems, not least around security and vulnerabilities. We began by asking Diniz, how do we do a better job of verifying the open-source APIs that we choose? And how do we make sure that we keep them up to date?
Diniz has been talking to customers across Europe for the past few months to understand their API challenges. He believes that this is not just an open-source problem but one that affects all APIs.
The route to solving the problem, he says, is better governance. He said, “Everyone is talking about governance, and governance is not only on the IT side. It’s a combination between IT and business because they want to reuse those APIs across the business. One of the things that they need to focus on is to have governance behind those APIs.”
Interestingly, part of that governance is API asset management. Diniz went on to talk about the need to “find the APIs” and that this would show “which APIs are most used and which APIs are not so used.”
One reason why this makes sense from a governance perspective is better control over those APIs. Whether they be open-source or in-house APIs, documentation is often poor. As Diniz said, “Peer assessments help you understand what you want to achieve and document those APIs. They make sure that the whole ecosystem, which is internal and external sources, find the best data in order to use and create a new app and a new service.”
It’s a problem that Diniz says he hears from customers all the time. The lack of documentation and governance inhibits the use of APIs and slows down digital transformation.
What triggered the realisation that governance was needed?
There is a tendency to think people understand the need for governance across all areas of the business. That is not the case. In some cases, that governance is driven by regulators. In others, it is driven by the experience of a new CISO or another individual. We asked Diniz what drivers he was seeing when talking to customers.
Diniz commented, “Firstly, they failed the first time that they tried to implement it. It made them stop and look at what they needed to improve. It’s about lessons learned. As soon as you fail, you try to understand where you failed and try to improve.
“The second thing is they have many ERPs across the globe. They are trying to consolidate, and now they are trying to implement just one. Those particular processes, to try to procure or to try to find a newer ERP, puts data under the spotlight. They needed to document all their processes, not only APIs. They are trying to document that audit process, and they put API governance as part of the evaluation of the new ERP.
“Another aspect, especially for some public sector organisations in Italy and Spain, is monitoring. They launched APIs, now they are trying to evaluate each API and see which has been used the most and by whom. The second step now is to try to monetise those APIs.”
Where is API security?
Enterprise Times has spoken several times with WSO2 about APIs and API security. We asked, how many organisations start with security as a part of governance?
Diniz replied, “It’s a very good question. Security is part of the governance that I have seen during those conversations. There are CISOs sitting on the board nowadays so there has to be this conversation. It is not only IT security; security is part of the business.
“There is a saying that if you spend more than 10 seconds in order to capture a new customer in your data, you will lose that customer. What they are trying to do is implement a CIAM (Customer Identity and Access Management) solution without compromising the business part of the conversation. You need to manage the identity of your customers, employees and partners, without compromising the business parts of it.”
APIs are a useful tool here. Increasingly, many of those customer-facing systems are built and deployed quickly. Without APIs, this would not be possible, but because there is sensitive customer data involved, the APIs must be secure.
As Diniz goes on to say, “the main objective is to be secure without compromising the business. Employees, partners and users can access and be identified without taking so long in order to be authenticated.”
Enter the CIAM
One of the areas that the report looks at is CIAM. Diniz points out that this is not a simple process. Too many companies try to adapt their basic IAM solutions, which often struggle to deal even with internal needs. One of the challenges is that they are no longer just authenticating an individual; they are authenticating the application, the service and, importantly, the device.
Diniz pointed to some of the lessons that came out of a recent Gartner Symposium in Barcelona. Among the topics discussed by participants were security, 5G, remote working, and the expectation from employees that they want the same ease of use of applications as they get when using Amazon or Netflix. It is not just that those services and apps work well, they also authenticate the user for trusted transactions.
It is not just about simple authentication that companies should have in mind when choosing their CIAM solutions. Diniz says it must also be the “application that they use. For example, what should the dashboard be showing to those users? What is interesting? What is relevant for them? This is exactly what CIAM can do.” Diniz sees this as both a challenge and an opportunity. A challenge to get right but a huge opportunity to improve the customer experience.
Those organisations that are doing this well include mobile banking apps. They authenticate a customer’s device and the customer before connecting them to their account. In the majority of cases, this is done in under a second. Even when customers have to be passed to another financial institution, for example, authorising a payment to a credit card company, it happens seamlessly due to the way apps are written and the use of APIs.
It is not just banking organisations who are getting this right. Diniz points to Madrid, which is digitising all its public services. He revealed that everything from obtaining an ID to paying council tax is part of a city-wide app platform. The platform is underpinned by APIs that the city has written to make things easy for citizens. The next step is to monitor those services to see how long people spend using them to make them more efficient. It’s a model that other council services around Europe need to emulate.
How do we make APIs more effective?
One of the long-standing issues with exposing APIs is making them fit for purpose. Many internally written APIs can be large and complicated as they have evolved over time. We asked Diniz what is stopping companies from breaking their APIs down into much smaller APIs. After all, this would make them easier to manage, secure and govern.
Diniz said that this again comes back to how companies are going about their governance. He commented, “You need to have a clear strategy in terms of governance and monitoring those APIs. You have to know which APIs have much more relevance and are being used.”
Interestingly, it comes back, again, to monitoring. It raises an interesting question as to how organisations are monitoring API usage and whether they can look at the granularity of what is used within an API. Without the ability to see which elements of an API are actually being called, it is hard to judge the value of breaking a large API into smaller ones.
It also raises questions over organisations’ API First strategy. One large API that holds everything cannot be efficient. If you are an API First organisation, you need to look closely at how you restructure your APIs to make them best fit your goals.
Enterprise Times: What does this mean?
Becoming an API First organisation is essential for digital transformation. It helps expose systems and data to build out apps and services. What is clear from this report is that it is essential that organisations establish a proper governance process for their APIs.
In terms of security, it is not just about securing APIs from an IT standpoint. It has to look at the wider scope of what is considered identity, and that means devices and services as well as individuals. Security must also not inhibit the business, nor should it have any impact on customers.
Get all of this right, and organisations will reap the rewards from a trusted and reliable API environment.