April 25th, 2014

The Importance of Context to Mobility


My grandfather has a bumper sticker on his pickup truck that says “He who dies with the most toys, wins.” Since my world revolves more around API Management than around collecting die-cast models of John Deere tractors, I have my own version of the saying – “He who has the most context wins.” Context has always been an important part of managing data or applications, but the proliferation of enterprise B2E (business-to-employee) and B2C (business-to-consumer) mobile apps has significantly increased the need for context-based policy.

The Layer 7 family of API Gateways has always been good at context. Not only does a Gateway have access to the full request and response content, it can also access header content (from a wide variety of protocols) and transaction metadata (latency, source information etc.). To that it adds user credentials and attributes retrieved from the request and from backend identity management systems. These inform decisions around access control, but also around traffic routing, prioritization, rate limiting, quota fulfillment etc.

However, mobility introduces a few new entities to the equation, all of which have to be taken into account for ideal contextual decision-making. The first is familiar: users. But mobile users might have additional attributes that come into play. Phone number and email become more important, since they provide other connection points accessible to the user on the same device (smartphone, tablet etc.). The inclusion of social login – available in the 2.1 release of our Mobile Access Gateway – provides social graph information that might also have relevance when deciding how a user request should be processed.

The second entity providing contextual attributes is the app itself. An app ID or API key can tie an application back to the developer who created it. Signer information, permissions and other internal details can give context around existing app security. The Mobile Access Gateway can collect some of this information using our Mobile SDK and more data can be gathered via integration with CA (or third-party) MAM and MDM products.

The third important entity is the device itself. Not only can APIs be tailored to return data structures specific to a screen size or even a specific device type but behavior can also be tracked to a single device ID to analyze the risk involved. There might be more risk delivering sensitive data to a family iPad than there would be on a personal smartphone – or to a phone in an airport rather than a laptop in the office. This level of risk (and the associated response) increases dramatically when interacting with an unlocked device rather than one locked down by corporate security policies.

In my new role across the CA Securecenter product line, I’ve focused quite a bit on the integration of Layer 7 with other CA products. The result has been a flood of new contextual information with which to make richer decisions. Gathering risk profiles from CA RiskMinder or data categorization from CA DataMinder provides an even stronger understanding of who is trying to access what, from where. And the decision made from this context doesn’t necessarily have to result in a thumbs-up or thumbs-down; with CA AuthMinder, suspicious requests can simply require an additional level of authentication.
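The three entities above (user, app, device) plus an external risk score can be folded into one policy decision that is not just allow/deny but can also ask for step-up authentication. The following is an added illustration written for this post, not Layer 7 or CA code; the attribute names, the app registry, the risk weights and the per-data-class thresholds are all assumptions chosen for the example, and a real gateway would take them from its policy and from the MDM/risk systems it integrates with.

```python
"""Context-aware policy decision (added example; not Layer 7 / CA code).

Attribute names, weights and thresholds are assumptions for this illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # ask for an additional authentication factor
    DENY = "deny"


@dataclass(frozen=True)
class RequestContext:
    # user context
    user_id: str
    roles: frozenset
    # app context
    app_id: str
    app_signer: str   # fingerprint of the key that signed the app (constructed)
    # device context
    device_id: str
    managed: bool     # enrolled in MDM / locked down by corporate policy
    shared: bool      # e.g. a family tablet used by several people
    network: str      # "corporate" or "public"
    # request context
    data_class: str   # "public", "internal" or "sensitive"
    risk_score: int   # 0..100 from an external risk engine (assumed scale)


# Hypothetical app registry: app ID -> owning developer and expected signer.
APP_REGISTRY = {
    "expense-mobile": {"developer": "finance-team", "signer": "sig:aaaa"},
    "news-reader": {"developer": "comms-team", "signer": "sig:bbbb"},
}

# Role required to read each data class (assumed mapping).
REQUIRED_ROLE = {"public": None, "internal": "employee", "sensitive": "finance"}

# (step_up_at, deny_at) risk thresholds per data class; stricter for sensitive data.
THRESHOLDS = {"public": (90, 101), "internal": (60, 85), "sensitive": (40, 70)}


def evaluate(ctx: RequestContext):
    """Return (Decision, reasons) for a request given its full context."""
    reasons = []

    # 1. App identity: an unknown app or a signer mismatch is a hard deny.
    app = APP_REGISTRY.get(ctx.app_id)
    if app is None or app["signer"] != ctx.app_signer:
        return Decision.DENY, ["unknown app or signer mismatch"]

    # 2. Coarse-grained access control from user attributes.
    needed = REQUIRED_ROLE[ctx.data_class]
    if needed is not None and needed not in ctx.roles:
        return Decision.DENY, [f"role '{needed}' required for {ctx.data_class} data"]

    # 3. Combine the external risk score with device and network signals.
    score = ctx.risk_score
    if not ctx.managed:
        score += 20
        reasons.append("unmanaged device (+20)")
    if ctx.shared:
        score += 15
        reasons.append("shared device (+15)")
    if ctx.network == "public":
        score += 10
        reasons.append("public network (+10)")

    # 4. Graduated response: allow, step up or deny depending on the data class.
    step_up_at, deny_at = THRESHOLDS[ctx.data_class]
    if score >= deny_at:
        return Decision.DENY, reasons + [f"risk {score} >= {deny_at}"]
    if score >= step_up_at:
        return Decision.STEP_UP, reasons + [f"risk {score} >= {step_up_at}"]
    return Decision.ALLOW, reasons + [f"risk {score} < {step_up_at}"]


# Constructed sample requests (not real data), matching the scenarios in the post.
FINANCE = frozenset({"employee", "finance"})
OFFICE_LAPTOP = RequestContext("alice", FINANCE, "expense-mobile", "sig:aaaa", "dev-1",
                               managed=True, shared=False, network="corporate",
                               data_class="sensitive", risk_score=10)
AIRPORT_PHONE = RequestContext("alice", FINANCE, "expense-mobile", "sig:aaaa", "dev-2",
                               managed=True, shared=False, network="public",
                               data_class="sensitive", risk_score=35)
FAMILY_TABLET = RequestContext("alice", FINANCE, "expense-mobile", "sig:aaaa", "dev-3",
                               managed=False, shared=True, network="public",
                               data_class="sensitive", risk_score=35)
RESIGNED_APP = RequestContext("alice", FINANCE, "expense-mobile", "sig:zzzz", "dev-1",
                              managed=True, shared=False, network="corporate",
                              data_class="public", risk_score=0)

if __name__ == "__main__":
    for name, ctx in [("office laptop", OFFICE_LAPTOP), ("airport phone", AIRPORT_PHONE),
                      ("family tablet", FAMILY_TABLET), ("re-signed app", RESIGNED_APP)]:
        decision, why = evaluate(ctx)
        print(f"{name:14s} -> {decision.value:8s} {'; '.join(why)}")
```

The ordering matters: app identity and role checks are hard gates evaluated before any risk arithmetic, so a tampered app never reaches the scoring stage, while the scoring stage gives the same user three different outcomes (allow, step-up, deny) purely on device and network context.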

Every industry has its own variables, vulnerabilities and potential optimizations. Our goal is to give customers the right context with which to make the best decisions for their specific use cases. Our rich interface management capabilities and strong integrations with other proprietary and standards-based mobile technologies give us the best palette of access control and policy options in the API Management industry. In a world where context is king, we’re continually fighting for that crown.

April 24th, 2014

SDKs Work Until They Don’t

Over the last couple of months, I’ve had many great opportunities to road test my findings on SDKs vs. APIs with a wide variety of audiences – at our API Academy Summits in New York and London, on tour with the Nordic APIs team in Stockholm and Copenhagen and at my most recent API Workshop in Istanbul. Given the apparent relevance of the topic and the lively discussions I’ve had around it, I’d like to take this opportunity to summarize some of the insights and recommendations that have come up.

If you’ve been following our blog, you will remember that I started this topic with the observation that leveraging an API increasingly seems to involve using an SDK rather than the API itself. I followed up with a post talking about my decidedly mixed experiences of trying to use SDKs. My own experiences inspired the headline of this post: SDKs work until they don’t.

So, what are the main motivations to invest in an SDK, from an API-provider perspective?

  • Simplifying API design by extracting business logic into the client
  • Maximizing scalability by exploiting client-side processing
  • Empowering developers to leverage the API more quickly
  • Presenting an optimized client from a target-platform perspective (e.g. for mobile connectivity or constrained hardware)
  • Providing a strongly-typed presentation of the API in a variety of programming languages

Let’s contrast all this with the main drawbacks of SDKs:

  • Picking which platforms, languages and frameworks to support – some of your target developers are going to end up disappointed
  • Relying on third-party frameworks – any developer who has to integrate with two or more APIs leveraging the same framework at different version levels is bound to experience some headaches, for example
  • Adding carry-on weight of unused functionality to the application
  • Incurring long-term support costs for the SDK

But to me, the biggest risk of an SDK-first approach lies in making API design an afterthought. We have come to this point in the API evolution because pragmatic REST introduces just enough constraints to force us to think about how we can abstract the underlying business asset into a resource-based model restricted to CRUD-style interactions. An SDK-first approach might tempt us to go back to an RPC-style API design mirroring the backend implementation, resulting in all the inherent integration complexities we had with Web services.

So, if and when you decide on an SDK, keep the above in mind. You might still come to the conclusion that you need an SDK in order to quickly onboard developers or provide the best client for your API, but at least you will be able to consciously weigh the benefits against the drawbacks.

If you want to dig more deeply into the subject, I can highly recommend the following podcasts, articles and blog posts, which helped greatly in forming my own opinions:

April 17th, 2014

Next API Tech Talk: Linked APIs

The challenges faced by today’s software architects go far beyond the familiar. “Big Data” means more than managing petabytes of data – it requires dealing with data-sets that span organizational boundaries. Likewise, the term “distributed system” no longer refers to just a multi-tier architecture or cloud deployment – it usually involves the connection of non-heterogeneous systems across multiple organizations.

On Thursday April 24, I’ll discuss these challenges as part of Layer 7’s latest API Tech Talk. I’ll be using this opportunity to explore how architects can leverage “linked APIs” to handle Big Data sets and distributed systems that cross organizational, technological and cultural boundaries, breaking through data silos in order to better integrate information. Interested? Just add the Tech Talk to your calendar and go to api.co/L7live at 9am PDT (12pm EDT) next Thursday.

I’ll also be taking your questions on linked APIs, Big Data, distributed systems, open source and anything related, so please don’t hesitate to join in. You can submit your questions now by email or you can chat with me or tweet them at me on the day. This will be my first Tech Talk since joining the Layer 7 API Academy and I’m really, really looking forward to a lively discussion. See you on April 24!

April 10th, 2014

Upcoming Talks at MobileWeek 2014 in NYC


I will be attending MobileWeek 2014 in New York City next Monday, April 13. I’ll be at the conference all day, so drop by and say hello. Part way through the day, I’ll deliver a two-minute lightning talk on mobile authentication, followed by a panel on enterprise mobile security and scalability.

The lightning talk is at 12:25 pm:

How to Make Mobile Authentication Dead Easy
Are your developers struggling to integrate mobile apps and enterprise data? They shouldn’t be! In just two minutes, learn the easiest way to get end-to-end security between your mobile apps and the enterprise — all without using a VPN.

It must be easy if I can cover it in only two minutes!

The panel, scheduled to start at 1:10pm (an odd time, so keep an eye on the clock), will include participants from Hightail and will be moderated by Geoff Domoracki, who is one of the conference founders:

The Mobile Enterprise: Productivity, Security & Scalability
We hear terms like “mobile enterprise” and “mobile workforce” but how far are we towards creating an enterprise work environment that enables real-time communication beyond geographic boundaries — freeing the employee to work from his phone anywhere in the world? This panel will explore the opportunities and challenges around the emergence of a “mobile enterprise” where sitting at a desk in the office is becoming more and more outdated. How do you share documents, secure data, prove identity and geo-collaborate in the new mobile enterprise?

Overall it looks to be a good day. New York is a hotbed of mobile development and I’m looking forward to meeting lots of interesting people.

See you at MobileWeek!

April 4th, 2014

API Academy Goes to Asia

Starting April 4, I’ll be on the road for close to two weeks. Along the way, I will have the honor of bringing the API Academy message of developer-focused, enterprise-scale API design and implementation to the cities of Seoul, Tokyo and Singapore. In each of these cities, we’ll be hosting a free half-day seminar covering some of the most popular topics the API Academy’s private, onsite training offers to companies the world over.

I will also have the chance to do some additional presentations and make new connections while on this trip. As much as I enjoy the workshops, it is the chance to connect with people I’ve only known online and to meet new ones that really makes these trips a great experience.

WWW 2014 in Seoul
While in Seoul, I will have the honor of presenting a peer-reviewed paper to the WS-REST2014 workshop, which is part of the World Wide Web Conference in Seoul. It is not often that I get the opportunity to speak at events of this caliber and I am also looking forward to catching up with several people who work on W3C projects – people I rarely get to meet in person.

There will also be an informal meet-up in Seoul on the evening of April 8 near the COEX complex, where the WWW 2014 event is to be held and not far from the API Academy public workshop on April 9. I don’t have all the details yet and promise to post them as soon as I have them.

RESTful Web APIs in Tokyo
I am very excited to announce that I will be attending a RESTful Meetup in Tokyo the evening of April 12. This was organized, in part, by a group of people who have also been hosting a bi-weekly reading group for the book RESTful Web APIs.

This group popped up last year to allow people to come together and translate the English-language edition of RESTful Web APIs in “real time” by taking turns reading the content and then discussing it as a group. Leonard Richardson and I are very grateful for this kind of enthusiasm and I am looking forward to meeting some of the people behind this cool project.

Singapore
I will arrive in Singapore on Monday, April 14 and don’t have any additional meetups scheduled yet. If you’re in Singapore and want to set up something, ping me and let’s see if we can get something going while I am in town for the public workshop on April 15.

Okay, Let’s Go!
The chance to visit customers, developers and designers in Seoul, Tokyo and Singapore really has me energized. If you’ve not yet signed up for one of the public workshops, please do. And come up and tell me “hello”. I’d love to hear about what you’re working on and how the API Academy can learn from your experience and help you reach your goals for building great applications for the Web and the enterprise.

(This post was originally published on my personal blog.)