
APIs offer a new approach to managing mobile devices

George Lawton explains why APIs are an emerging strategy for effectively managing mobile devices.

An emerging strategy for effectively managing mobile devices lies in addressing the application programming interfaces (APIs) used to feed them information. That strategy shifts the focus of management from a webpage orientation towards a rich set of APIs that can be accessed by a wide variety of mobile applications, according to Roberto Medrano, chief technology officer of SOA Software Inc., a Web tools vendor. Towards that end, organizations need to think about API lifecycle management to govern the underlying infrastructure.

APIs exist as a way to provide information and to enhance an organization's own development efforts. Organizations need to think about API version control and legacy asset support, Medrano said. They also need to consider global governance of use policies and integrated security as key aspects of API lifecycle management. A deficiency in any of those areas can impact application performance and availability, as well as increase risk exposure for data integrity, confidentiality and system reliability.

One reason APIs are exploding today: the growth of mobile devices and applications. A governance model is in place for a service-oriented architecture (SOA), but organizations often miss out on using it for APIs as well, Medrano said.

APIs: A different twist on services

Services are typically built on top of monolithic apps that might offer thousands of services. Organizations break applications up so they can reuse services for other apps.

By focusing on the APIs, organizations can greatly simplify the management of information sent to mobile applications and their users.

APIs are a more recent phenomenon. The concept of APIs has been applied previously for managing traditional computer applications, but the newer generation of APIs are mainly representational state transfer (REST)-based, and work over the Web. These are better-suited for mobile applications -- a factor that has helped to drive their growth.

Right now, API use remains small in the overall scheme of things. But as this area continues to grow, it will require improved lifecycle management and governance. That, in turn, affects how organizations manage APIs, the different versions of APIs, and the promotion of APIs from development through testing and production.

APIs and services rely on different protocols and behave differently, as well. APIs are becoming popular primarily due to the explosion of mobile application development. Because mobile devices tend to have limited capabilities, developers need to think about creating applications that can consume simple services that are Web- or JSON-based. Many old SOA concepts apply to APIs, too. There is nothing essentially different about them, other than that they are simpler and more often externally facing. A developer community needs to test them out and document them, as well.

Governance best practices are often enforced by the need to maintain regulatory compliance. Many companies have policies in place to keep sensitive application data on-premises. Some of them have full control for compliance purposes because the data is used only by on-premises applications. Large enterprises are likely to need to manage data that is shared outside of internal company applications.

There are four roles involved in API management: a business manager that needs an app or API; the developers that create the APIs; the individuals that run the APIs; and the people responsible for promoting the APIs to developers. Each role has a different focus on the API structure.

The glue that binds

Among the biggest challenges of good governance is the fact that large enterprises have a set of disparate components, such as .NET, Java, and open source. Currently, there's no way to change these into a homogenous infrastructure. As a result, plenty of mediation needs to occur.

Organizations may face a mixture of different types of authentication and security infrastructure, as well, which will also need some kind of glue between them.

"A lot of people don't understand the security aspects of APIs," Medrano said. In a heterogeneous environment, the client might support Security Assertion Markup Language (SAML) tokens, while the back-end servers are Microsoft-based.

The APIs may be exposed to Platform as a Service (PaaS) applications, mobile devices, sensors, and other types of devices. The main issues that occur with APIs and services surround authentication and authorization. A less-prominent issue is the potential for SQL injection, which can also create security risks for APIs.

The first step: Think about authentication and authorization. When a user calls out to an API, the app itself needs to be authorized.

Second, the user needs to be authorized to access the API. This could rely on LDAP, single sign-on or Active Directory. It might also invoke newer authorization standards such as OAuth or OpenID.

With large payloads going through firewalls, attackers might also use the APIs to launch attacks such as SQL injection.
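As an added example that is not part of the article or of SOA Software's products, the following Python handler shows the two checks the article describes, authorization of the calling app and then of the user, followed by a parameterized query placed beside the string-built query it replaces, so the injection risk the article mentions is visible in code. The app key, user tokens, scope name and orders table are constructed sample data, not real identifiers.

```python
import sqlite3

# Constructed sample registry: client app keys and issued user tokens.
# In a real deployment these come from the API gateway or identity provider.
APP_KEYS = {"mobile-app-key-123": "field-sales-app"}        # hypothetical key
USER_TOKENS = {"tok-alice": ("alice", {"orders:read"}),      # hypothetical token
               "tok-carol": ("carol", set())}                # token with no scopes

def make_db():
    """Constructed in-memory table standing in for the data behind the API."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 10.0), (2, "bob", 99.0)])
    return conn

def vulnerable_lookup(conn, owner):
    """'Before' form: the payload value is pasted into the SQL text, so a
    crafted value rewrites the query instead of being matched as data."""
    sql = f"SELECT id FROM orders WHERE owner = '{owner}' ORDER BY id"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, owner):
    """Hardened form: the driver binds the value as a parameter, so whatever
    the payload contains is compared literally against the owner column."""
    sql = "SELECT id FROM orders WHERE owner = ? ORDER BY id"
    return conn.execute(sql, (owner,)).fetchall()

def handle_orders_request(headers, payload, conn):
    """Step 1: is the calling app authorized?  Step 2: is the user
    authenticated and authorized (scope) for this API?  Only then query,
    with bound parameters, on the identity taken from the token."""
    if headers.get("X-App-Key") not in APP_KEYS:
        return 401, "unknown client application"
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token not in USER_TOKENS:
        return 401, "user not authenticated"
    user, scopes = USER_TOKENS[token]
    if "orders:read" not in scopes:
        return 403, "token lacks the orders:read scope"
    # A client-supplied "owner" in the payload is ignored: authorization
    # decides whose data is returned, not the request body.
    return 200, safe_lookup(conn, user)
```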

Take control of the API lifecycle

Managing the complete lifecycle of APIs -- from planning through creation and deployment -- is important. The four steps in good API management include planning, development governance, operational governance, and the sharing of APIs with authorized developers.

Organizations often rush to create an API without lifecycle management or governance, Medrano said. Then when it comes to versioning, they face some serious issues. The main problem: When organizations try to get things out quickly, they often do so without taking the time to think about good governance. As API usage grows and deployment matures, organizations need to think about the management of the different versions of APIs, which can provide multiple hooks into an organization's data infrastructure.

The API's lifecycle should be controlled so only permissible versions are in production at the various stages: planning, development, production and retirement. In addition, key stakeholders -- such as line-of-business managers, IT managers, information security staff, and compliance staff -- should have visibility into the state of the API. They should always be confident that they're looking at the correct version. In addition, APIs should be subject to authentication and authorization processes to protect enterprise IT assets from misuse, threats to availability, or breaches of privacy.

Join the conversation

Are APIs part of your strategy for managing mobile devices?

APIs connect our customers via our enterprise application platform with the services that they need with virtually little time and at a lower price. In addition, we continue to integrate new applications to stay on the cutting edge of technology for our clients.

Thanks for sharing, TomG275. We certainly have seen APIs help people gain better and cheaper access to services, particularly in the mobile space. I'll bet adoption will continue to grow over the next few years.

Great article. Very interesting.

However, there are some points that could need clarification/correction:

"...creating applications that can consume simple services that are Web- or JSON-based".

Web and JSON here are used as if they were two different things that could serve the same purpose, which is misleading at best. They are completely different things and are by no means mutually exclusive.

"With large payloads going through firewalls, hackers also might use the APIs to launch attacks such as an SQL injection"

Large payloads and firewalls have nothing to do with an SQL injection attack. In any case, they could be more related to DoS attacks. SQL injection is prevented in code by properly validating/sanitizing data sent to the API (in this case). If code is written correctly, it prevents SQL injection attacks regardless of the traffic amounts/payload.