May 30th, 2012

Where Did Siri Go?

Recently, there’s been some media focus on the limits of BYOD, especially relating to businesses disallowing certain smartphone features. This article on IBM’s somewhat restrictive BYOD guidelines mentions outright bans on technologies like Dropbox and Siri. As an ex-IBM employee, a geek in a partner-facing technical role and a smartphone user, I’m particularly intrigued by the lines drawn by corporations in cases like this.

As the variety of available business apps and mobile devices continues to grow exponentially, enterprises will find it increasingly difficult to place such rigid limits on BYOD. Employees are already beginning to feel entitled to use apps that make them more efficient. In some cases this may mean that employees will knowingly use banned apps. If businesses want to avoid this kind of insubordination, they will have to work with their employees, not against them.

One part of the solution is a focus on education rather than overly-strict technological bans. Another is embracing the concept of BYOD rather than fighting it. For instance, many of our customers provide their own apps to run on employee-owned devices. We focus on providing these customers with solutions that allow them to make BYOD secure and manageable, without having to ban apps or impose invasive mobile device management software.

The rest of the solution will come from Cloud and mobile vendors taking steps to make their technologies more enterprise-friendly. This means, for example:

  • Apple will need to recognize its prevalence in the enterprise market and take steps to certify iCloud and Siri for business use.
  • Google Drive and Microsoft SkyDrive will need to deliver terms of service that assuage fears rather than fostering them.

No one has all of the answers yet, and I suppose you can’t blame IBM for a cautious approach, but the most successful BYOD initiatives are likely going to be those that are flexible enough to avoid alienating employees. How else will we know what happens when Siri is asked to open the pod bay doors?

May 28th, 2012

Gluecon 2012

Glue Conference, aka Gluecon, is such a refreshing event – filled with API and application developers, not a single suit in sight, demo pods, hackathons, Spheros, etc.

APIs are popping up everywhere and creating amazing integration possibilities. One of the coolest demos I saw at Gluecon was Ducksboard’s dashboard service, which lets you create your own monitoring dashboard using a library of widgets for existing social and Cloud providers. You can even create your own widget and have your own data pushed to it via an API endpoint created just for you, on the fly – so sexy!

Thanks to everybody who came to my presentation Making Sense of API Access Control. I hope this shed some light on how to leverage OAuth for controlling access to REST-based APIs. A lot of the new APIs I discovered this week could certainly use some help in that regard. API-key authentication sent via HTTP Basic with no password has its limitations. The slides from Making Sense of API Access Control are embedded below.
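To make the contrast concrete, here is an added example (not code from the talk or from Layer 7) of the two server-side checks an API would perform: an API key carried as the HTTP Basic user name with an empty password, and an OAuth 2.0 bearer token carrying scopes and an expiry. The key store, token store, key values and scope names are all constructed for the example. The point it shows is that a valid API key is all-or-nothing and never expires, whereas a bearer token can be refused for the right reason (expired, wrong scope) without the client secret ever being on the wire.

```python
import base64
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample stores for the example; real deployments keep these in a
# credential service, never in source.
API_KEYS = {"k-demo-1234": "weather-app"}          # api key -> client name
TOKENS = {                                          # bearer token -> attributes
    "tok-abc": {"client": "weather-app", "scopes": {"forecast:read"}, "expires": 2_000_000_000},
    "tok-old": {"client": "weather-app", "scopes": {"forecast:read"}, "expires": 1_000_000_000},
}


@dataclass
class Decision:
    allowed: bool
    client: Optional[str]
    reason: str


def basic_header(key: str, password: str = "") -> str:
    """Build the Authorization header an API-key client would send (key as user name)."""
    raw = f"{key}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_api_key_basic(authorization: str) -> Decision:
    """Validate an API key presented via HTTP Basic with an empty password."""
    scheme, _, value = authorization.partition(" ")
    if scheme.lower() != "basic":
        return Decision(False, None, "not basic")
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return Decision(False, None, "malformed credentials")
    key, _, password = decoded.partition(":")
    if password:
        # Key schemes leave the password empty; anything else is a client bug or probing.
        return Decision(False, None, "unexpected password")
    client = API_KEYS.get(key)
    if client is None:
        return Decision(False, None, "unknown key")
    # Limitation: the key is a long-lived bearer secret with no scope and no expiry,
    # so a valid key authorizes every operation for whoever holds it.
    return Decision(True, client, "api key (no scope, no expiry)")


def check_bearer(authorization: str, required_scope: str, now: float) -> Decision:
    """Validate an OAuth 2.0 bearer token against expiry and the scope the call needs."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer":
        return Decision(False, None, "not bearer")
    record = TOKENS.get(token)
    if record is None:
        return Decision(False, None, "unknown token")
    if now >= record["expires"]:
        return Decision(False, record["client"], "token expired")
    if required_scope not in record["scopes"]:
        return Decision(False, record["client"], "insufficient scope")
    return Decision(True, record["client"], "bearer token ok")


def authorize(headers: dict, required_scope: str, now: Optional[float] = None) -> Decision:
    """Dispatch on the Authorization scheme; `now` is injectable for deterministic tests."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        return check_api_key_basic(auth)
    if auth.lower().startswith("bearer "):
        return check_bearer(auth, required_scope, now)
    return Decision(False, None, "no credentials")


if __name__ == "__main__":
    t = 1_500_000_000
    print(authorize({"Authorization": basic_header("k-demo-1234")}, "forecast:write", t))
    print(authorize({"Authorization": "Bearer tok-abc"}, "forecast:write", t))
    print(authorize({"Authorization": "Bearer tok-old"}, "forecast:read", t))
```

Note that the key check has no way to express `forecast:write` versus `forecast:read`: the same key passes both, which is exactly the limitation the talk points at. Rotating keys, binding them to a TLS client certificate or an IP allow-list, or moving to scoped, short-lived tokens are the usual mitigations.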

May 24th, 2012

Forrester, ProgrammableWeb & Swagger: Upcoming Webinars

These are eventful times for Layer 7, with staff members appearing at trade shows across North America and Europe. Notably, our CTO Scott Morrison has been undertaking what he’s termed his APIs, Cloud & Identity Tour. Somehow, Scott is also finding time to take part in a couple of the company’s upcoming Web seminars.

On May 29, he’ll be presenting our latest Tech Talk Tuesday meet-up, titled Swagger, WADL & API ‘Scriptions. This interactive session will take a look at the relative merits of different standards for creating formalized, machine-interpretable API descriptions. For full details on how to view and join in with this event, visit the Tech Talk Tuesday page.

The following day, Scott will be reprising the recent webinar Identity, Access & Privacy for the New Hybrid Enterprise, featuring Eve Maler of Forrester Research, Inc. This is a special live presentation for the Asia/Pacific region (at 11am Sydney time/9am Singapore time). For more information, take a look at the webinar registration page.

Scott gets a break when Product Manager Dana Crane takes over webinar duty on June 5 for Getting Your API Discovered: The Secret to API Promotion, featuring ProgrammableWeb Founder John Musser. This session will explore a range of best practices for building a community of API developers. Registration is open now.

May 23rd, 2012

Public APIs, Private APIs

When talking about API management, the first thing that comes to mind is a public API, one that is open for anybody to consume, provided they complete a certain level of registration. Obviously, the most famous APIs are the public ones, potentially known to anybody. However, such APIs only represent a small subset of all APIs that need to be managed. Many APIs that we encounter in the field are set up in such a way that their consumption is restricted to a specific group of developers. This happens for various reasons. Some talk of public and private APIs, others use the terms open and closed to represent the same distinction.

Most of the time, even public APIs start off as private APIs – as part of their development lifecycle. Until an API has been fully tested and is ready to be launched, it remains private and only accessible to its internal developer base. The ability to “flick the switch” on an API, to make it jump from a staging mode to a live mode, is an essential feature of an API management infrastructure.

Then there are APIs that are never meant to be public in the first place. Most APIs actually fall under this category. Many enterprises that are moving forward with API management are exposing APIs privately – for example, to facilitate the creation of custom mobile apps for their employees, in order to tap into the BYOD trend. Those APIs are intended to be consumed by their own developers, contractors and sometimes partners.

The Layer 7 API Portal is geared towards managing APIs that are either public or private and lets API managers control which developers are made aware of which APIs. This lets you have a single point of management for all APIs, regardless of their target audience. By default, only public APIs are visible on the API Portal.

A series of tutorial videos for the API Portal product has recently been posted on our YouTube channel. As it happens, one of the videos is called Publish a Private API and it’s embedded below.

May 18th, 2012

The Secret Lives of REST APIs

The recent enterprise acceptance of lightweight REST-based protocols for exposing data and application assets as APIs has been due, in large part, to the simplicity of the resulting interfaces. This simplicity means there is little barrier to entry for developers wishing to consume these APIs in applications built for mobile, Web, desktop, Cloud and gaming platforms. However, as this article from Netflix’s Daniel Jacobson reveals, simplicity can’t be the only goal when designing an API. Flexibility, scalability, optimization, orchestration and adaptation are just a few of the features required in a successful API infrastructure.

At Layer 7, our enterprise customers build incredibly elegant API platforms using our API management technology. Our solutions recognize that one size does not fit all and we provide the tools to adapt to changing requirements without re-architecting new APIs from scratch. Though we certainly support the simple “large number of known and unknown developers” use case Jacobson describes – with robust, scalable technology deployed on a wide variety of hardware, virtual, software and Cloud platforms – we can also address the specific concerns raised by the variety of devices and environments in Netflix’s ecosystem.

Message size, structure and delivery constraints due to device variation represent a large part of the problem. Layer 7 Gateways support the relevant formats and transports and can perform message transformation and protocol mediation on the fly. Policy-based configuration enables custom “virtual” APIs tailored to each device, community of developers or calling application. These format and behavioral changes can be explicit or can be triggered by user identity, app permissions, message content or transaction metadata. Even more complex mediations, such as REST exposure of internal SOAP-based assets, are simple to configure and help to reduce re-implementation costs.
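The REST-over-SOAP mediation mentioned above, written out as an added example in Python (this is not Layer 7 Gateway policy or product code). The internal service namespace `urn:example:customer-service`, the `GetCustomer` operation and the sample backend responses are all constructed for the illustration. The mediator validates the inbound JSON before anything reaches the backend, builds a SOAP 1.1 envelope, and maps either the result or a SOAP Fault back to JSON; it also refuses a backend reply that carries a DTD, since the gateway is the one place that can enforce that check for every calling app.

```python
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:customer-service"   # hypothetical internal service namespace
NS = {"soap": SOAP_NS, "svc": SVC_NS}
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("svc", SVC_NS)

# Constructed sample replies standing in for the internal SOAP service.
SAMPLE_SOAP_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <svc:GetCustomerResponse xmlns:svc="urn:example:customer-service">
      <svc:customerId>42</svc:customerId>
      <svc:name>Ada Lovelace</svc:name>
    </svc:GetCustomerResponse>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_SOAP_FAULT = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Customer not found</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""


def validate_customer_id(value) -> bool:
    """Allow-list check applied at the REST boundary, before the backend sees the value."""
    return isinstance(value, str) and value.isdigit() and len(value) <= 12


def rest_to_soap(json_body: str) -> bytes:
    """Wrap a REST request body {"customerId": "..."} in a SOAP 1.1 GetCustomer call."""
    request = json.loads(json_body)
    customer_id = request.get("customerId")
    if not validate_customer_id(customer_id):
        raise ValueError("customerId must be a numeric string")
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}GetCustomer")
    ET.SubElement(op, f"{{{SVC_NS}}}customerId").text = customer_id
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def soap_to_rest(soap_response: bytes) -> dict:
    """Map the backend's SOAP reply (result or Fault) to the JSON the REST client expects."""
    if b"<!DOCTYPE" in soap_response:
        # The backend has no business sending a DTD; refuse rather than risk entity expansion.
        raise ValueError("DTD in backend response rejected")
    root = ET.fromstring(soap_response)
    fault = root.find("soap:Body/soap:Fault", NS)
    if fault is not None:
        # SOAP 1.1 fault children are unqualified, hence no namespace on faultstring.
        return {"error": fault.findtext("faultstring", default="SOAP fault")}
    result = root.find("soap:Body/svc:GetCustomerResponse", NS)
    if result is None:
        raise ValueError("unexpected SOAP response shape")
    return {
        "customerId": result.findtext("svc:customerId", namespaces=NS),
        "name": result.findtext("svc:name", namespaces=NS),
    }


def fake_backend(soap_request: bytes) -> bytes:
    """Constructed stand-in for the internal SOAP service: knows customer 42 only."""
    req = ET.fromstring(soap_request)
    cid = req.findtext("soap:Body/svc:GetCustomer/svc:customerId", namespaces=NS)
    return SAMPLE_SOAP_RESPONSE if cid == "42" else SAMPLE_SOAP_FAULT


def mediate(json_body: str, backend=fake_backend) -> str:
    """Full REST -> SOAP -> REST round trip; `backend` is injectable for testing."""
    return json.dumps(soap_to_rest(backend(rest_to_soap(json_body))))


if __name__ == "__main__":
    print(mediate('{"customerId": "42"}'))
    print(mediate('{"customerId": "7"}'))
```

The same shape generalizes to any operation: a per-API mapping from JSON fields to qualified SOAP elements on the way in, and from response or fault elements to JSON on the way out, with input validation and XML hardening living once in the mediator rather than in every client.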

Interaction models can also be optimized and tailored to the calling platform. Composition of comprehensive document-based APIs from multiple backend calls can reduce chatty client interactions. Conversely, small messages from memory-constrained devices can be aggregated into larger, less frequent backend calls. Mobile traffic can be optimized using persistent HTTP(S) connections and over-the-wire compression. And content can be cached at any level of granularity, using an in-memory cache like Terracotta, to reduce the number of calls to the application backend.

As the director of one of the world’s most broadly adopted public APIs, Jacobson makes a profound observation: “public APIs are waning in popularity and business opportunity and… the internal use case is the wave of the future.” API infrastructure needs to support everyone – open API developers, internal coders, contracted development teams and partner groups – especially as mobile workforce enablement and BYOD gain popularity. Layer 7 solutions allow enterprises to make that distinction clear through public vs. private APIs, configurable classes of service and role-based access control.

Jacobson mentions several piecemeal solutions that he and others have attempted to compile into a working platform but notes that those approaches still fall short. Providing an enterprise-grade REST API is no simple feat and it’s great that the truth of the matter is starting to come out. The benefits of a successful API strategy are numerous and well-documented. Layer 7 is the only vendor providing an API management solution that incorporates all the basic necessary functionality and much, much more.