Guide To Building an Enterprise API Strategy

We all remember the Jeff Bezos API injunctive of 2002:

“All teams will henceforth expose their data and functionality through service interfaces. There will be no other form of interprocess communication allowed. All service interfaces, without exception, must be designed from the ground up to be externalizable. Anyone who doesn’t do this will be fired.”

That’s a wonderful thing to say, yet a harder thing to do – safely. Managing one or two APIs takes work enough: Most organizations have APIs in the dozens, and enterprises can have up to hundreds. Let one fall through the cracks, and you’re sitting on a ticking time bomb.

Without a clear enterprise API strategy, bad things can happen. Neglected APIs turn into latent liabilities that sit silently on the system until an enterprising hacker finds them. By implementing the proper API hygiene measures now, organizations can make sure they’re capitalizing on the benefits – not the breaches – that come from leveraging an enterprise full of APIs.

The Importance of an Enterprise API Strategy

APIs are under attack, and threat actors go for the low-hanging fruit. By shoring up API management and defenses, businesses can make sure their APIs aren’t next on the list.

According to research by the API security firm Salt, attacks on APIs spiked in the latter part of last year, showing an increase of 400% over just months prior. A whopping 94% of Salt customer base survey respondents experienced some issues with their production APIs within the past twelve months, with the main culprits being vulnerabilities (41%), authentication problems (40%), and sensitive data exposure (31%).

An enterprise API strategy squelches these issues by stepping up engagement, oversight, and security controls so that companies can handle dozens – even hundreds – of APIs cleanly as they scale.

Types of Enterprise APIs

There are private APIs, which are created and deployed within the enterprise environment and enable collaboration between in-house services. There are public APIs, which support third-party interactions and allow external users to access internal resources. This would be the weather widget that can be embedded on a fitness tracker, a news app, or a daily feed.

Lastly, there are niche-specific APIs which vary by industry, such as ones specially crafted for retail, healthcare, financial services, and more.

The API Lifecycle

What is the purpose of an enterprise API strategy? To maintain and secure the various elements of the API lifecycle. Those elements are:

• Design | The business establishes why they need an API and what they need it to do.
• Development | Code the API based on the above specifications using programming languages such as Perl, Java, Python and others.
• Testing | The API is tested for functionality and security.
• Deployment | The API is deployed (made available for use) either internally or via public repositories.
• Depreciation | An API at the end of its use – usually replaced by a newer version – is ‘taken out to pasture’. It is key to remove the retired API from the ecosystem at this point as letting it languish could create unsafe ‘zombie APIs’.

Elements of a successful API strategy

While the API lifecycle is an integral part of any overall enterprise API strategy, it only represents one part. A well-run API strategy involves understanding all the components that make up an enterprise API ecosystem and having the technology to maintain them all properly and at scale. The other elements include:

1. API Developer Portal | This is where developers can ‘shop’ available APIs. It includes documentation, usage instructions, integration guides and often version status.
2. API Lifecycle Manager | Tools or capabilities that move APIs through the lifecycle process.
3. API Policy Manager | The policy hub that determines how an API operates: throttling limits, data flow, the rules for handling variables, and any out-of-the-box or custom policies.
4. API Analytics | This collects and reports on any API-related metrics, including trends, errors, uptime, availability, number of API calls, and so forth. 
5. API Testing Environment | A three-point inspection testing functionality (how it operates, handles errors, and secures itself), performance (how it works under pressure and various loads), and acceptance (can users get it to do what it says it will do).
6. API Gateway | This is an API’s API. It acts as a switchboard that connects APIs centrally so organizations can handle a large amount from one location. This is an amplified, enterprise-grade version of an API Proxy.
7. API Documentation | Documentation engines are the go-to guide for aligned information about the APIs in use and can be used to get multiple developers on the same page.

How to Measure Success

When an enterprise has successfully implemented their overall API strategy, it should be capable of doing the following:

• Discover when an API is interacting with another service and spot new APIs as they come online.
• Maintain the most updated API versions, eliminating zombie APIs.
• Provide deployment guidance and help teams move their services over to the new API.
• Flag potential API security issues within batches of calls and responses.
• Integrate with other software development toolkits for easier management.

And delivering the following benefits to the enterprise:

1. Compliance | A well-managed API is a compliant API.
2. Automation | By templatizing (correct) API creation, developers can spin up (safe) APIs faster
3. Analytics | Accurate data guides future API design.
4. Distribution | An enterprise-level strategy can lead to the creation of an API Developer Portal, making API acquisition faster and easier in the future.
5. Deployment | In a large organization, there’s no time to reinvent the wheel. Keeping API documentation with onboarding and integration guidance can make getting new APIs online that much smoother.

Building out an enterprise-grade API program takes a lot more work than just keeping up with a few APIs in an SMB. Different types are used (which requires different provisioning and maintenance skillsets), errors are harder to catch (given the vast array of integrations), and there are exponentially more to keep track of (hundreds instead of dozens).

Given the unprecedented rise in API attacks, it’s worth the extra effort for organizations to get it right. An enterprise API strategy today will ensure companies can continue to scale safely and securely tomorrow.

About Author

An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.