What is API management?

Application programming interfaces (APIs) connect software applications and data sources to one another. They are therefore important elements not just of the IT landscape, but also of the broader business strategies they represent. An API might be the glue that holds a major product or business alliance together. Given the significance of APIs, it is wise to engage in proactive API management, which keeps APIs running reliably and securely.

API management is not a single workload. Rather, it is an area of practice within IT that incorporates many different tasks and processes. It spans API creation and API publishing—and continues through the full API lifecycle through retirement. API management also involves monitoring APIs for performance and adherence to service level agreements (SLAs).

Indeed, an API can be viewed as a contract, and the API management process may track whether an API is doing what the contract requires, e.g., providing 100 millisecond response times and so forth. An API management tool typically handles these tasks, as well as functions like API security policy definition and enforcement, API configuration management, and the analysis of API usage statistics.

Why are the benefits of API management?

To understand the benefits of API management, it helps to know the goals that IT organizations set for API management. Companies that develop and deploy APIs do so for the purpose of enabling broad, flexible application integration and related capabilities. They want the business benefits that arise from their investment in APIs. This invariably means wanting APIs that perform as expected and cause few security problems. In practical terms, this means governing their APIs.

One of the main benefits of API management, therefore, is the ability to operationalize any number of API governance and security policies. For example, if there is a corporate policy mandating the protection of personally identifiable information (PII), which is often a regulatory requirement, then API governance should ensure that any API that handles PII will do so with adequate protections in place, such as encryption.

API management offers the further benefit of API monetization. Some organizations look at APIs as products, rather than just bits of technology. They do this because an API may represent something of value to a paying customer. For example, if an API allows access to a stock market trading algorithm, investors might pay to use it. The API management platform can facilitate the usage agreement and related transactions.

API analytics, a subset of API management, give API owners insights into how well their APIs are performing. It provides data and reporting that shows if APIs are producing data of expected quality and responding to API requests in accordance with SLAs.

Agility is a further benefit of well-executed API management. The faster an organization can connect its applications and data sources to business partners and customers, the more agile it will be in the marketplace. Such agility is a tangible, desirable business outcome that is not easily achieved without API management.

The other benefits of API management have to do with efficiency. An effective API management tool, for instance, will make it possible to automate the many labor-intensive processes required to build and manage an API throughout its lifecycle. It will enable the automation of API provisioning and configuration, as well as API endpoint management and monitoring.

The API management tool generally sets up an API directory and developer portal, so developers and other stakeholders can quickly discover the APIs they need. This might also include a searchable repository of API documentation and any relevant legal agreements and SLAs.

Components of API management

The practice of API management incorporates a variety of components. Some, but not all of these are run from an API management platform. Most are not standalone solutions, either. They usually connect with other systems.

The components of API management map to the API lifecycle, starting with development. There will be tools devoted to developing the APIs themselves, as well as for connecting APIs with software in the DevOps process. An API developer portal contains documentation for APIs, along with onboarding processes and API administration features that developers need to connect their code with APIs. The portal may bring various people and corporate entities together in an API community that allows for sharing of information about APIs.

As APIs go into production, the API gateway emerges as the central component of most API management programs. At runtime, an API gateway is a unitary point of connection between APIs and their clients. It may cache APIs, making them available to API clients directly without having to ask the API for the data. In some cases, the API gateway enables the orchestration of multiple APIs, which may be necessary for putting business processes into operation.

An API gateway is also usually a centralized point for API policy enforcement. For example, if an API client has to be authenticated with an OAuth token, that token will be bound to the API request at the gateway. On a related note, the API gateway may provide for failover. If an API goes down, the gateway can automatically start routing requests to a second instance.

An API monitoring tool is another component of API management. Typically part of the API management tool, the monitoring tool stays on top of API performance in real-time, or near to it. It measures API response times and alerts admins if an API is failing its SLAs. The monitoring tool feeds data into the API analytics solutions, which is also a component of API management.

An API lifecycle manager, yet another component of API management, lets admins keep track of API versions. It facilitates workflows that ensure that the right version of an API is in use. The lifecycle manager also makes sure that out-of-date APIs are retired and don’t become “Zombie APIs” that no one knows about.

How does API management work?

API management works differently depending upon the use case. Take access control. Most of the time, an API is set up with limits on its accessibility. The API management tool can enforce the access control policies, e.g., use of certificates for authentication and “rate limiting” that sets the volume and pace of requests the API will handle before shutting off access.

How to choose the right API management tool

API stakeholders have their choice of API management tools. What makes for the right one? The best way to answer the question, arguably, is to look at the API functionality the tool makes possible, versus the characteristics of the tool itself. Yes, the API management tool needs to be a reliable, well-made piece of software. However, what’s more important is how well APIs function under its management.

For instance, does an API reliably respond to requests with the right data when it’s managed by a certain tool? Is it dependable, in terms of performance and availability. Can the API be used in an agile manner? Is API provisioning fast and accurate? Are the costs of running the API suitably low? These are all reflections on the quality of the API management tool. The best tool will be one that delivers desired outcomes.

How Noname Security integrates with your existing API management

Noname Security can handle the security components of API management. Noname Security Runtime Protection integrates with API management tools, but also with security solutions like web application firewalls (WAFs) and those offering security incident and event management (SIEM). It delivers real-time visibility into the ways that APIs are acting, in security terms. It can flag APIs whose misconfigurations will expose the enterprise to cyber risk. Once Noname Security Runtime Protection detects a configuration problem, it can proactively trigger manual, semi-automated, or automatic. It can use anomaly detection, real-time traffic analysis, or threat detection to determine if an API is vulnerable to attack or accidentally providing access to sensitive data.