“The Facebook Connect model is real, it’s powerful and now it’s everywhere. Large volumes of accurate information about individuals can now flow easily through user-authorized API calls. Zero Trust requires initial perfect distrust between disparate networked systems but are we encouraging users to add back too much trust, too readily? What are the ways this new model can be used for ‘good’ and ‘evil’ and how can we mitigate the risks?”

On Thursday May 17 at 9am PDT, I will be delivering a webinar on API identity technologies, once again with Eve Maler from Forrester. We are going to talk about the idea of zero trust with APIs, an important stance to adopt as we approach what Eve often calls “the coming identity singularity” – that is, the time when identity technologies and standards will finally line up with real and immediate need in the industry. Here is the abstract for this webinar:

“Identity, Access & Privacy in the New Hybrid Enterprise: Making Sense of OAuth, OpenID Connect & UMA
In the new hybrid enterprise, organizations need to manage business functions that flow across their domain boundaries in all directions: partners accessing internal applications; employees using mobile devices; internal developers mashing up Cloud services; internal business owners working with third-party app developers.

Integration increasingly happens via APIs and native apps, not browsers. Zero trust is the new starting point for security and access control and it demands Internet scale and technical simplicity – requirements the go-to Web services solutions of the past decade, like SAML and WS-Trust, struggle to solve.

This webinar from Layer 7 Technologies, featuring special guest Eve Maler of Forrester Research, Inc., will:

Many people are familiar with Layer 7’s industry-leading security functionality, so it’s no surprise that I’d recommend using our Gateway technology to protect connections from on-premise infrastructure to off-premise Cloud services. The flexibility of deployment options we offer makes it possible to create a network of secure on- and off-premise endpoints to meet the most stringent requirements. This covers security but what about availability?

People seem to be less familiar with Layer 7’s routing capabilities. Our Gateway technology is optimized to perform flexible, content-based routing with negligible impact on overall transaction times. In the context of the Cloud, this means that traffic proxied by a Layer 7 Gateway can be re-directed using intelligent algorithms and even dynamic, state-based awareness. This routing capability, which I call “API-aware traffic management”, brings huge benefits in ensuring availability when connecting to multiple API instances – on-premise, off-premise, in multiple Clouds… anywhere on the hybrid network.

I’ll be discussing this topic in detail at the upcoming Cloud Expo 2012, June 11-14 in New York City. This promises to be a great event, so I hope you can make it and attend my discussion!

API monetization comes in the form of two very distinct opportunities. First, companies like Elastic Path are creating new revenue opportunities for themselves by opening up their information assets via APIs. Second, some companies are charging third-parties for the use of particularly valuable APIs, creating even more revenue opportunities.

To learn more and throw some questions at our API monetization experts, just visit the Layer 7 Facebook page at noon EDT on May 15 and click the Livestream icon. If you don’t have Facebook, simply click here to watch directly through Livestream. You can submit questions on Facebook or through Twitter, using the hashtag #layer7live.

CIOs have started to recognize that – with BYOD gaining strength – mobile is coming to business, like it or not. The many CIOs who came by our booth all seemed determined to address the issue head-on. For some, this will mean developing apps in-house; for others, enabling third-party app developers. In either case, the key to success will be publishing secure, robust APIs.

Publishing mobile APIs raises various questions for CIOs. Some of the questions we heard in Vegas are external corollaries of challenges we’ve been solving for years (“How do I expose a REST API when my data is delivered via SOAP services?”) Others are completely new (“What happens when someone with our app on their personal smartphone leaves the company?”)

These issues also arose during an interesting session called “Navigating the Mobile Shift.” At this session, after some input from Forrester analysts, everyone split into groups for brainstorming on problems (and solutions) in specific categories. When each group presented its findings, security and governance questions were at the top of every list.

These forum participants aren’t from mom-and-pop startups – they’re with large enterprises that have serious security, governance, performance and scalability concerns. Helping enterprises address these concerns for API-based integrations is Layer 7’s core business, so we’ll be eagerly following future developments in enterprise mobile enablement and BYOD.

Fortunately, people have gotten a lot more tech-savvy in the last decade, partly due to the proliferation and success of well-known tech companies like Apple, Google and Oracle. So when two of those companies get into a huge legal battle over an acronym (in this case, “API”) that’s little known outside technical circles, I welcome attention from mainstream society.

For the last two years, Oracle and Google have been involved in a protracted battle over the APIs for (and resulting implementation of) some Java functionality re-used in the Android mobile operating system. Yesterday marked the first real verdict in the case – in the first of three parts, Google was dealt a minor blow in regards to copying nine lines of code.

Major media outlets have oversimplified the ruling but the real test is yet to come. In a few weeks, the judge will rule on whether APIs are copyrightable. With APIs fast becoming the core means for communicating enterprise data across organizational boundaries, this could have serious implications for enterprise architects.

For example, our partner Eucalyptus Systems implements Amazon Web Services APIs to manage private Cloud infrastructure. A ruling that APIs are copyrightable would have put that usage in jeopardy, if Eucalyptus hadn’t recently announced an agreement with Amazon. Vendors reusing the VMware vCloud API would be in a similar predicament.

Layer 7’s API management products govern interfaces across a variety of message types and transport protocols, so we’re technically agnostic. But we’re intrigued to see APIs being discussed in the mainstream media and we’ll be following the case closely. For more analysis and daily coverage, Groklaw has great recaps. It’s like a geeky version of a TV court procedural.

It will be interesting to see whether or not big enterprises buy into this “21st century mainframe” concept but what’s clear is that enterprises now want to migrate critical workloads to the Cloud, en masse. To realize the true benefits of Cloud, many of these workloads will have to be running off-premise. But since many will remain on-premise, enterprises will be relying on hybrid Cloud infrastructure for their most significant IT services.

Security remains a major area of concern for organizations looking to leverage the Cloud. Increasingly, availability and reliability are also significant concerns, particularly since Amazon has had a few outages recently. In addition to addressing these concerns, enterprises are evaluating how they can optimize processing volumes to get maximum cost benefit from their Cloud deployments.

Please join me at the Cloud Expo, June 11-14 in New York, where I’ll be discussing solutions for each of these considerations. Hey, we should have blue skies by then!

Time for another Tech Talk Folks. API developer management. During this interactive one-hour event, we’ll be discussing how enterprises can attract, engage and manage developers for their open APIs.

Open APIs allow enterprises to build communities of third-party developers around their applications and data. But many enterprises struggle to ensure developers actually use these APIs to build apps that deliver real value.

On Tuesday May 1 (add to your calendar) we’ll be offering real-world developer management strategies that will help you get maximum benefit from your APIs.

So be sure to come to the Layer 7 Facebook page at 9am PDT.

How to Attend:

Just visit the Layer 7 Facebook page at 9am PDT on May 1 and click the Livestream icon.

Don’t have Facebook? Simply click here to watch directly through Livestream.

Submit questions on Facebook or use the Twitter hash-tag #layer7live

How to Submit Questions:

On Facebook

•    Click on the Livestream PLAY button to join the stream
•    Click the red “Check in to Chat” button to submit questions

On Twitter
•    Tweet questions with the hashtag #layer7live

Guest Expert: Dana Crane

As Product Manager for Layer 7′s API Portal, Dana Crane sets the direction of the company’s newest product.
His involvement in creating this product has given him deep insight into what it takes to build active developer communities around open APIs.
Dana holds a BSc from the University of Toronto and a diploma in hard knocks from the Internet boom.

Add to Your Calendar

Up to this point, apps have focused mainly on consumers. But with the BYOD (“bring-your-own-device”) movement’s unstoppable momentum driving mobile devices into the center of the enterprise IT landscape, there is a growing need for enterprise apps that give employees the user experience they are used to with consumer apps. That means a decent chunk of the $3.8 trillion spent on enterprise IT this year could be heading to mobile app developers like you.

Building mobile apps for the enterprise is going to create some new challenges, though. Perhaps most significantly, you will be much more reliant on enterprise data and applications. That’s going to mean a lot of work integrating the functional requirements for your apps and even more work nailing down the non-functional areas like security, scalability and availability. Nevertheless, these challenges are well worth accepting, given the stakes.

The good news is that Layer 7 will be out there making things easier for you. We help enterprises expose data and applications as RESTful APIs, significantly simplifying integration with mobile apps. Additionally, our API Portal product helps developers discover and get maximum value from enterprise APIs. It’s an exciting time for mobile developers and we’re excited to be laying the foundation upon which a generation of enterprise apps will be built.

But what about the other ones? The ugly and bad ones? This is where developers could use some guidance.

Truth is, good API design isn’t really hard but it’s not easy. One thing I point people to is Leonard Richardson’s Maturity Model for REST, which Martin Fowler explores in his blog. Now I’m not a REST purist by any means – I’m as guilty of quick-and-dirty HTTP tunneling hacks as the next guy – but when you see the maturity phases laid out so succinctly, you can’t help but be inspired to move toward more “resourceful” thinking and maybe even learn to love HATEOS. Part of good API design is knowing what you should aspire to – and Richardson’s model is much more concise and accessible than Fielding’s thesis.

Another good source of advice is Joshua Bloch’s superb Google TechTalk How to Design A Good API & Why it Matters. Bloch wrote what is arguably the most important book about Java ever written and indeed his talk is about APIs using Java as the model. But don’t let that deter you. Virtually everything Bloch discusses is as relevant to RESTful JSON-style APIs as it is to Java. Follow his advice, transpose it to your language of choice, frame it with an understanding of where you want to land in the maturity model for REST and you will end the day with great APIs.

Everything in technology goes through cycles. If you stick around long enough, you begin to see patterns emerge with an almost predictable regularity. I actually find this comforting; it suggests we’re on a path of refinement of fundamental truths that date back in a continuous line though Alan Kay to Turing and beyond.

The wrong way to react to technology cycles is with the defensive-and-crusty “this is nothing new kid—we did it back in ’99 when you were stuck in the womb.” Thanks for nothing, Grandpa. A better approach is to recognize the importance of new energy and momentum to make great things happen.

The cycle that really excites me now is the new rise of the developer. Trying my best not to be crusty, there is a palatable excitement and energy out there that really does feel like it did in 1999. After years of outsourcing, after years of commoditization, developers matter again. A lot. It’s like the world has rediscovered the critical importance of this fundamentally creative endeavor.

This is a golden age of technology and possibility, one that is being driven by new blood and newer technology. The catalyst is the achingly perfect collision of Cloud, mobility and social discovery with APIs, node.js, Git, NoSQL, HTML5, massive scalability… (I really could go on and on here).

Most of all, I’m excited by movements like Codecademy. This simple idea perfectly reflects the tenor of the time in which we live. People are no longer afraid of making things easy. The priesthood is gone; coding is now confident and mature.

I’ll be talking more about these topics – and the important role APIs play – in an upcoming webinar I will be delivering with James Governor, co-founder of RedMonk. This is the analyst firm that truly is at the heart of the new developer movement. I hope you can join us Thursday, April 19 at 9am Pacific. This one is going to be good.

Click here to register for the webinar: Developers, Deveopers, Developers - Why API Management Should be Important to You featuring RedMonk