
IT FOCUS ON ENTERPRISE APPLICATIONS

READY YOUR ENTERPRISE FOR THE API REVOLUTION


CONTENTS
This content was adapted from the CIO Insight, Enterprise
Networking Planet and eSecurity Planet websites. Contributors:
Aaron Sandeen, Phil Manfredi, Kiran Chinnagangannagari, Arthur
Cole and Paul Rubens.

Are CIOs Ready to Mine the API Gold Rush?
Why APIs Are Agents of Change for Digitalization
Better Networking Through the API
Do APIs Pose a Security Risk?

Are CIOs Ready to Mine the API Gold Rush?


By Aaron Sandeen, Phil Manfredi and Kiran Chinnagangannagari

APIs are the new gold rush. And just like the California
gold rush 166 years ago, there will be winners and
losers. Fortunately, unlike that earlier push, luck isn't a
big part of the equation. Instead, CIOs who implement
a comprehensive strategy, encompassing the business,
technology and cultural requirements of the enterprise,
can successfully mine APIs to increase profitability, create
new business models and create closer, more productive
interactions with customers and partners.
We understand the opportunities and challenges of
adopting an API-driven business model first hand.
When the three of us began our journey as the IT
leadership team for the state of Arizona, we immediately
recognized the massive challenges we faced. The state of
IT was highly decentralized, the systems and data were
in silos, and little to no data sharing was taking place.
Budgets were tight, and only a fraction of the $23 billion
statewide budget was being spent on IT modernization.
We knew the state could not afford to continue this level
of inefficiency, so we defined our strategy, changed the
culture and then turned to technology to address these
challenges.


Embrace change
Change is inevitable, especially in the context of
today's business environment. It is no secret that many
organizations face constant disruption, and only those that
embrace change and adapt will survive. It is no longer
sustainable for companies to allocate the majority of
their budget, resources and energy to simply running the
business. Instead, corporate leadership must maintain a
balance between running the business and changing it.
As Socrates so elegantly said, "The secret of change is to
focus all of your energy on building the new."
In this context, the CIO represents a central agent in
initiating, maintaining and sustaining change. Automation
is great, but firms must invest in the tools to unlock
the enterprise data for the business to leverage it. The
enterprises that can successfully tap into the data and use
it to change the way they provide services to customers will
win the battle. So where do you start leading this charge?
Stop acting like a traditional CIO
Although this story is primarily focused on our recent
experiences with the public sector, our private-sector research
and experience tells us that the majority of CIOs are
presented with the same challenges we faced.

Ready Your Enterprise for the API Revolution 2016 QuinStreet, Inc.

The enterprise has spent years investing in a variety of
systems on which the business depends for its operations.
You, as the CIO, are responsible for ensuring the continuity
of those mission-critical systems. There are pockets of
innovation where business units are sharing data, but there
is no enterprise approach, and the integration is simply
one-off implementations. You, as the CIO, have been told
that leadership needs access to all the enterprise data,
and they need it today. And finally, the business is feeling
external pressures from new platform-based companies
(we like to call them next-generation giants) and needs
to become more nimble. And yes, you, as the CIO, have
now been tasked with solving that problem with the little
budget you have left.
As the CIO, your effectiveness in the organization will
come not from being a technology expert. It will not
come from being knowledgeable in the areas of scrum
or agile development. And it will not come from writing
and enforcing technology policies that simply slow down
the business. As the CIO, your effectiveness will come
from intricately understanding the enterprise's business
and marketing objectives, while leveraging technology to
enable the enterprise to meet those objectives. In other
words, you must stop acting like a traditional CIO.
Align with the business and become a partner
It's true that APIs are at the heart of new business models
and ecosystems driving today's enterprises. However,
CIOs who want to transform their business using APIs
must go beyond the technology and start with strong
program management. First, clearly define, document and
communicate to the business how an API strategy and
program will help the organization meet its objectives.
Provide use cases of how APIs can allow the organization
to create new customer experiences, positively change
operational models, and frankly, disrupt how the
organization has always run its business. No tech-speak.
No architecture diagrams. No fancy mobile apps. Just
focus on business outcomes.
At the state of Arizona, there were pockets of innovation
happening within some agencies, but a major part of our
statewide strategy was to use APIs to enable the state
to change the way it provides services to its citizens,
businesses and employees. We announced our Big Hairy
Audacious Goal (BHAG) as "every service available to
every Arizonan, anywhere, any time." For the middle tier,
we outlined our plan to deploy an API-centric enterprise
services platform called the Arizona Enterprise Services
Platform (AESP). In addition, we defined a roadmap
to build an information hub that would allow citizens,
businesses and employees to get personalized information
from all state agencies in one place.
We soon realized that implementing the technology
would be the easy part. The real challenge was going to
be communicating the value of data sharing through APIs
while ensuring we had the right people, processes and
funding to make it a sustainable program.
Collaborate, prioritize and develop a plan
Once the business has bought in to your strategy,
collaborate (notice we didn't say "have a meeting")
with the business to assess business risks, prioritize the
initiatives, develop a budget, and agree on a sustainable
action plan. Explain that in order to ensure transparency
and collaboration across the entire enterprise, you must
have total support from the leadership team. Then work
closely with them to develop a communication plan for
rolling out the API strategy across the enterprise.
This proved to be one of our biggest challenges at the
state. With a completely decentralized enterprise, it was
difficult to establish any sort of mandate to drive API
adoption. Instead, we often had to work with individual
agencies. For example, as an agency took on a new
project, our organization would insert itself into the project
approval process to explain the value to the enterprise if
it deployed the agency's services on the new platform and
exposed the data via our API store. Although we had some
success with this approach, we knew it was not going to
drive real change across the enterprise. We also needed to
change the culture.
Change the culture
Driving digital transformation requires everyone to
embrace a culture of inquiry and continuous process
improvement. Automating bad processes just gives you
faster bad processes. Instead, ask questions like: How
might we use APIs to create new customer experiences
and expectations? How can we use APIs to develop
innovative business and operational models? How can we
employ APIs to disrupt how a process has always been
done?
One of our inspirations has always been Peter Drucker,
an educator and author whose work greatly impacted
the business and culture foundations of the modern-day
corporation. Drucker was once quoted as saying, "Culture
eats strategy for breakfast." This became our clarion call in
an attempt to change the culture at the state.
We turned to the private sector for examples of
organizations that deliver quality services to their
customers. One of the companies we researched was
Amazon, which started as a website for selling books.
However, around 2002, Jeff Bezos issued a mandate that
all internal teams must communicate with each other via
service interfaces, and all the interfaces must be made
available to the outside world. Although it took several
years for Amazon to complete the transformation, it
changed from an online bookstore to a powerful digital
platform.

We turned to the head of our Digital Government
program to lead the change, and we jointly developed
a communication strategy. This small team became
the Center of Excellence for digital transformation and
began selling the API approach to the agency CIOs.
We empowered them and provided them with the time,
budget and tools they needed to drive the program. On
the other hand, we held them accountable for the success
(or failure) of the program. The terms APIs, enterprise
services platform, digital transformation, process
automation, and digital capabilities all became part of our
everyday language.
By the end of the year, the digital platform was deployed
in a private cloud and was being used by more than 75
agencies. Examples of API-driven services being leveraged
across the enterprise included agency websites, agency
directory, agency services, employee directory, corporation
information, and city and town information. The digital
transformation program continues to grow today.
After you have defined your digital strategy and have
begun to change the culture, then, and only then, should
you begin to look at technology.


Why APIs Are Agents of Change for Digitalization


By Aaron Sandeen, Phil Manfredi and Kiran Chinnagangannagari

When establishing and implementing an API-focused
digital strategy, it is important to first work with
business leaders to clearly define the corporate objectives,
assess business risks, prioritize transformational initiatives
and implement an action plan. Next, establish the culture
by ensuring top-down alignment, empowering your teams
and constantly challenging the way the company has
always run its business.
Then, and only then, is it time to look at technology.
Although API management was a key part of our overall
digital strategy at the state of Arizona, we recognized that
true digital enablement of the state required an enterprise
platform approach. In building an API-driven digital
platform using open-source technologies to enable an
organization's transformation, we learned many lessons.
We will highlight a few below.
Consider open source
Traditionally, government entities shy away from open
source solutions, primarily due to security concerns. At the
same time, these entities often face budget and resource
constraints. They are always being pushed to do more with
less, and they struggle to maintain high levels of quality
service delivery as a result. Although private enterprises
appear to be less skeptical of open source in general,
there are still many organizations that do not yet consider
it an option.
However, there have been some major advancements in
open source solutions over the past several years. Some
large enterprises are doing millions of transactions daily on
open source technology stacks. Leveraging open source
technologies allows the organization to be more nimble.
The flexibility offered with open source allows enterprise IT
groups to experiment with different platform components
and tailor them to meet their specific needs.
Like many government entities, we faced budget
constraints at the state, so we began to research open-source enterprise platforms and solutions. We adopted
Drupal with its advanced functionality as the content
management system (CMS) for state websites. For a
middle tier, our research led us to the WSO2 enterprise
middleware platform as a suitable fit for our needs, since
the platform's products were multitenant, cloud-enabled
and built to work together.

Together, the open source solutions allowed us to improve
the quality and capacity of business services by making
core enterprise capabilities accessible via a flexible and
open platform. In addition, we avoided the traditional
costs associated with licensing fees, ultimately driving
down the overall costs of supporting the platform. We
were very impressed with the capabilities and scalability
of both Drupal and WSO2, which were critical to an
organization of our size.

Start with identity management
Whether controlling access to APIs, web portals, mobile
applications or enterprise services, identity management
is at the heart of ensuring the security of these assets.
Therefore, as you begin to build out an enterprise
digital platform, identity management, including the
authentication, authorization and management of users,
should be your highest priority.
More than likely, your enterprise has disparate identity
management solutions deployed across its systems and
services. This could be for a variety of reasons, such as the
need to help bridge the gap from legacy technology to
more modern services, or the completion of a merger or
acquisition requiring heterogeneous technologies to be
integrated to ensure the enterprise is secure. Regardless
of the drivers, you need a comprehensive identity
management solution that allows you to create a single
profile for each user in the enterprise.
Using a single registry of user identities with a centralized
management interface enables quick, easy provisioning
and deactivation of users. Single sign-on (SSO) eliminates
the need to enter a password each time users log in to a
resource, which saves around 20 seconds and increases
productivity. Additionally, SSO facilitates adoption, since it
reduces the barriers to using resources and applications.
Because SSO provides an easier way for users to
authenticate their identities, there are fewer help desk calls
for password resets, resulting in bottom-line savings. There
is also an improvement in reporting and monitoring, and
having a single repository for auditing and logging access
to resources provides streamlined regulatory compliance.
While at the state of Arizona, we recognized that identity
management was a digital capability many agencies
were building from scratch. Other capabilities were
also being built from scratch: content management,
payment processing and system integration, just to name
a few. The development and overhead costs required
to build and support these siloed solutions were not
insignificant. To reduce risk, the state needed to develop
standard enterprise capabilities, including a centralized
identity management solution, to ensure the long-term
sustainability of providing those services.
Take an MVP approach

Digital platforms are the big ticket to innovative business
models. They can decrease time-to-market for new
products and services, reduce overall development costs,
increase security, remove the complexities of data sharing,
and potentially allow organizations to monetize their digital
assets. However, deploying an entire digital platform can
be a daunting task, especially if it is not architected in a
way that allows for adding capabilities over time.
The most effective way to begin transforming the business
is by taking a minimum viable product (MVP) approach.
In other words, do not try and build out the entire
horizontal base of the technology pyramid. Instead, focus
on building an end-to-end vertical sliver of the pyramid,
ensuring you can show value all the way from the systems
of record to the end user. It is absolutely critical to build an
MVP version of the front end as well.
To accomplish this, however, you need a modular platform
that allows you to deploy capabilities as you require them.
And by using a comprehensive platform, you eliminate
many integration challenges caused by deploying
disparate technology. This will result in faster deployment
times and less demand on your developers.
Over several months, we deployed many of WSO2's
components and began to build out the cloud-based
Arizona Enterprise Services Platform (AESP). The initial
strategy was to leverage particular WSO2 products to
show value in the enterprise platform approach, specifically
the Identity Server, Data Services Server, Enterprise Service
Bus, Business Rules Server, and the API Manager. In
addition, we developed standard, mobile-ready themes
and began to migrate legacy agency websites to the new
platform to show value to leadership.

Employ API management as a digital enabler
We've looked at some of the business and technology
strategies that feed into the organization harnessing APIs.
Now let's take a closer look at the management of those
APIs.
API management is an enabler for process automation and
digital workflows. What are normally manual processes
can be streamlined by leveraging the digital assets from
various parts of the organization. By standardizing on
one system of record and giving the enterprise access to
those records via an API, you ensure faster and consistent
delivery of that information to your customers, regardless
of the delivery channel.
As an example, the Arizona Department of Environmental
Quality (ADEQ) was performing manual verification of
an entity's corporation status. Through the integration
between ADEQ and the Arizona Corporation Commission
(ACC), ADEQ was able to leverage APIs from ACC to
automate the validation process. The end result was the
reduction of the overall processing timeline from several
days to mere seconds.

API management also gives the enterprise the flexibility
to future-proof the overall digital platform ecosystem.
By providing a single interface to a particular service
and masking the back-end complexities, the service
could be enhanced or replaced without impact to the
front-end applications. In addition, APIs can support any
unanticipated future uses by making the service readily
available as the enterprise's needs change.
For example, as part of our digital transformation initiative
at the state, we had an immediate need to replace the
legacy payment processing system. In doing so, we
architected the solution so that agencies could leverage
the new payment processor via a single API. If at any
point in the future, the state determines the need to add
more payment processing capabilities, or to replace it
with another solution, there will be minimal impact to the
applications.
Change or be changed
With the consumerization of IT, your customers are
demanding access to your services anywhere, and at
any time. External pressures, such as the explosion of
platform-based competitors, are disrupting your industry
and forcing you to change. And the business is frustrated
because IT can't move quickly enough to deliver the
capabilities needed to provide quality services to its
customers.
APIs have captured the imagination of enterprises as an
agent of change. But the most important agent of change
will be you. Technology is important, but it truly is all about
the customer experience. There is tremendous value in
the data stored in your enterprise systems, but only with
the right digital capabilities can you extract the value from
it. With a comprehensive digital transformation program
established, and a digital platform capable of providing
the flexibility the business needs, you can be successful.
Change is inevitable. Are you ready for a transformation?


Better Networking Through the API


By Arthur Cole

Software architectures are much easier to manage and
manipulate than hardware. So it stands to reason that
software defined networking (SDN) will prove to be orders
of magnitude more flexible and scalable than today's
hardware-based infrastructures.
But while many tech watchers laud the idea of the
programmable network, it bears noting that it still requires
a fair amount of legwork to first build an abstract network
and then perfect it to the point that simple code can
produce the desired network environment for one set of
applications without fouling things up for others.
This is where the art of API management comes in. The
market for API management tools is already approaching
the $3 billion mark, according to Forrester, even though
most organizations have barely begun to experience all of
the ramifications of a coordinated, programmable network.
Issues like user definition, resource access, process
coordination and countless others will have to be hashed
out before the abstract network can begin to function in a
coordinated manner.

Some organizations are farther along on the journey than
others, according to Mike Vizard writing for Channel
Insider. While most firms are looking to SDN as a means
to manage complex networks at scale, others are utilizing
REST APIs to expose server, storage and network resources
to developers and even applications themselves. This
effectively creates a headless services environment, since
it bypasses the typical dedicated user interface. The
challenge will be maintaining a cohesive API architecture
as data environments start to crawl across the cloud, where
they could encounter a variety of proprietary networking
operating systems, like JunOS, or the emerging Linux-based distributions that are taking shape.
In fact, one of the leading open communities, the Open
Networking Foundation, is working aggressively to define
the interface for key traffic flows, which will focus largely
on the northbound interface (NBI). The group is readying
a number of conceptual proofs and technology trials that
will allow developers to test NBI code against prevailing
open APIs while at the same time ensuring its compatibility
with the more mature southbound interface (SBI). This will
provide a robust foundation for leading open network
solutions like OpenFlow, the Open Network Operating
System and OpenDaylight to support higher-order
networking applications like real-time media for both SDN
and NFV architectures.
One sign of the growing importance of Dev/Ops and API
management is the degree to which even large networking
platform vendors are cozying up to the developer
community. Huawei is the latest to host its own developer
conference, where executive director Ryan Ding not only
highlighted the company's prowess in the cloud, Big
Data, IoT and SDN, but also rolled out plans for the eSDK
development platform featuring remote labs, corporate
funding of development efforts, dedicated certification
programs and even marketing support. The program
is built around the LEADS concept, which stands for
Lab-as-a-service, End-to-end development resources,
Agile processes, Dedicated online support and a Social
engagement platform known as the Developer Zone.

If all goes according to plan, the enterprise will no longer
actively manage its network infrastructure directly, but
guide its utilization through network APIs. This is a pretty
dramatic shift from what we have now, and it will require
new tools and new skillsets to be successful.
Right now, the focus is on getting the technology in place.
But before an enterprise gets too dependent on SDN, it
might want to take a moment to consider how this new
environment will operate, and who will be responsible for
what in order to provide the advanced functionality that
users are expecting.


Do APIs Pose a Security Risk?


By Paul Rubens

Good security has never been more important, yet
attack surfaces have ballooned over the past few
years. One reason: APIs.
Ten years ago enterprises built monolithic enterprise
software applications with a limited number of (relatively)
easy-to-secure interfaces. Now, however, developers break
applications down into separate services and publish the
functionality of their applications as Web APIs that access
systems of record.
APIs are accessed by a huge variety of client devices
from traditional desktops to mobile devices, smart
televisions, game consoles and even nodes in the Internet
of Things.
"What we have seen is applications being broken down
into micro-services, and when you do that you are creating
many more interfaces and exposing those interfaces. So
of course the attack surfaces are much larger," said Subra
Kumaraswamy, head of product security at Apigee, a
California-based API security platform vendor. "Hackers
no longer attack one application; they can look at lots of
services. So there is a bigger risk that they can get access
to data."

There's no doubt APIs present a real security risk, and
that hackers steal data by exploiting them. For example,
earlier this year hackers stole sensitive tax information from
over 100,000 taxpayers using the IRS's Get Transcript
API, which was hurriedly shuttered once the breach was
discovered.
APIs and looking the other way
APIs present an extra headache to organizations because
of their power, Kumaraswamy said. "Before, hackers had
to sit behind a console and try different things to find
vulnerabilities. But because APIs are programmable,
they can program attacks. They can write a system that
automates their attacks and tries different things."
APIs have become a significant part of initiatives seen
as money-making operations, which has led many
organizations to adopt a "look the other way" attitude
when it comes to security, he added.
"APIs are often made as part of an initiative like mobile,
and businesses measure success by user engagement
or user adoption," Kumaraswamy said. "Sometimes that
means they don't pay attention to the security aspects
of the API. Businesses need more agility, and security
sometimes comes second."

Can API security products help?
Some businesses are belatedly waking up to the API
security problem, and a growing number of companies
now offer API security products to help minimize the
attack surface presented by APIs. The application services
governance and API management market was worth
around $618 million in 2014 ($155 million in the cloud),
according to Gartner.
The market is still relatively immature, though, and
Kumaraswamy estimates only 5 percent to 10 percent of
organizations offering APIs use such products.
How can an API security product help?
In very general terms, API security platforms can:
- Help expose systems of record and other systems and applications securely through APIs via the consistent application of policies (e.g., about authentication)
- Help onboard and manage in-house and third-party developers so they can create applications using those APIs
- Allow you to choose which apps, developers and partners can access which APIs
- Help secure your data in accordance with regulatory and other requirements
Gartner's Paolo Malinverno categorizes the functionality
that API security products supply into broad areas:
- Planning and design
- Implementation
- Basic and advanced deployment and running
- Versioning and retirement
Effectively then, they offer API management over the entire
lifecycle of an API, from inception to retirement.
All about API management
In terms of general functionality, many API security
products are actually API management products that bring
APIs under centralized control and allow security and other
policies to be applied to them in a systematic and unified
way.
They can also help avoid uncontrolled API sprawl, which
results when APIs are created in different parts of the
organization by different developer groups, without any
consistent approach to security. In addition, they can help
prevent APIs from being abandoned and forgotten about
rather than retired securely.

"When you have visibility into your APIs throughout
your organization, you can then put controls in place,"
Kumaraswamy said. "You might decide that a certain
API should only be exposed to in-house developers, not
external, third party ones. If you don't have visibility, you
can't see who is accessing what."
"If you have API sprawl, that is also bad. API management
ensures that you have consistency and you don't
duplicate stuff," he added. "For example, if you have five
departments that use five different authentication methods
for your APIs, that's not consistent. A management product
lets you enforce two-factor authentication if that's what you
want. You can drag and drop a policy and secure all your
APIs in one shot."
API management's future
At the moment, few companies offer APIs to sensitive
information and therefore may need API security products,
said Gartner's Paolo Malinverno. But ultimately the rise in
popularity of APIs may end up killing the market for these
types of API security products, he believes.
"APIs are going to be everywhere. API management
still has three or four more years, but eventually it will
become part of a bigger product like general application
management," he said.
Thus, the market will inevitably consolidate further, with
independent vendors probably being acquired by larger
enterprise software vendors, Malinverno said.
It's not over for API security software quite yet, though,
and leading enterprise software vendors in the field
include both well-known names and smaller API security
specialists.
