March 22nd, 2013

Enterprise Mobility & BYOD – Live Interactive Q&A

Calling all Enterprise Architects, Application Architects and Senior Developers! For our next API Tech Talk, we’ll be discussing Enterprise Mobility & BYOD live on March 26 at 9am PST. My special guests will be Layer 7 VP of Client Services Matt McLarty and Product Manager for Mobile Leif Bildoy.

The BYOD movement seems to be changing the hardware landscape permanently and it’s showing no signs of slowing down. Naturally, this presents both opportunities and challenges. Security managers within the enterprise have less control than ever. “Anywhere access” has blurred the lines of what used to be called the corporate network perimeter.

So what are CIOs and CTOs specifically worried about with BYOD? Well for one, mobile devices can easily go missing while containing sensitive data and employers often cannot even assess the impact of data security breaches from compromised devices. But locking down employees’ personal devices is generally not an option.

So how can enterprises re-assert control over their data assets while still allowing employees to use their own smartphones as they choose? We’ll be discussing this and other questions during our live, interactive Q&A. So, be sure to clear your calendar and join in the discussion on March 26 at 9am PST.

Here’s How to Join the Discussion
Make sure you click Add to Calendar to get the event details and a reminder in your calendar. Then, on the day of the event, click here to join:

To ask questions, you can:

March 7th, 2013

API Business ROI

Numerous measurements exist for APIs. On the technical level, these metrics are fairly well understood. However, on the business level, there is a great deal of confusion over how the effectiveness of an API program can be accurately measured.

Layer 7’s March 14 webinar, ROI for APIs – which will feature input from TechCrunch and AT&T – should help to clear up some of this confusion. In particular, the webinar will focus on how hackathons can be used to gather valuable data for API ROI measurement.

How you measure your API ROI will depend on the purpose your APIs play in the greater business picture. Therefore, to provide a little primer for the webinar, I thought it would be helpful to give examples of a few API business models and how they might generate revenue.

  • Per API Call
    Text messages sent via an API are billed at $0.01 per message
  • Per API Payload
    Voice transcriptions via an API are billed at $0.01 per word
  • Transactional Revenue
    An API call delivers a purchase
  • Firehose API
    A monthly subscription provides unlimited API access
  • Platform API
    An existing SaaS platform provides an API for partner integrations

To learn more, register for the webinar – ROI for APIs: Using Hackathons to Evaluate Your API Program featuring TechCrunch and AT&T.

March 6th, 2013

New Layer 7 eBook: 5 Ways Every Telco Can Benefit from APIs

The recent Mobile World Congress event in Barcelona reminded us about the growing importance of APIs to the telecommunications sector. Telco was actually one of the first sectors to show an interest in APIs but most carriers have still not taken full advantage of the opportunities presented by APIs and some have got their fingers burned trying to court the long tail of third-party app developers.

Still, with Web and mobile technologies creating competition from outside the telco sector, carriers need ways to quickly adapt to technological change – and APIs provide the perfect solution. APIs allow telcos to open up their services for efficient repurposing by internal developers and partner organizations, creating opportunities for being quick to market with innovative new offerings.

Layer 7’s latest eBook 5 Ways Every Telco Can Benefit from APIs provides an overview of how carriers can realize these opportunities. If you visited the Layer 7 booth at MWC, you might have picked up the print version of this handsome document. If not, don’t hesitate to download the electronic version.

February 22nd, 2013

Cisco & the Internet of Everything

Category: API Management, M2M

John Chambers, CEO of Cisco, just published a good blog entry about the potential for change caused by universal connectivity – not just of our mobile gadgets but of pretty much everything. Recently, much has been said about the so-called “Internet of Things” (IoT), of which Cisco is expanding the scope, going so far as to make a bold estimate that 99.4% of objects still remain unconnected. This, of course, is great fodder for late-night talk show hosts. I’ll leave this softball to them and focus instead on some of the more interesting points in Chambers’ post and the accompanying white paper.

It strikes me that there might be more to Cisco’s “Internet of Everything” (IoE) neologism than just a vendor’s attempt to brand what may still be a technology maverick. Internet of Everything sounds so much better than the common alternative when you append “Economy” to the end – and this is how it first appears in Chambers’ post. That is actually important, because adding “economy” in the same breath is less marketing opportunism than a recognition that, like mobility, the IoE could potentially be a great catalyst for independent innovation. In fact, Cisco’s white paper really isn’t about technology at all but is instead an analysis of the market potential represented in each emerging sector, from smart factories to college education.

It is exactly this potential for innovation – a new economy – that is exciting. The combination of Mobile Access and APIs was so explosive precisely because it combined a technology with enormous creative potential (APIs) with an irresistible business impetus (access to information outside the enterprise network). The geeks love enabling tools and APIs are nothing if not enabling; mobile just gives them something to build.

IoE, of course, is the ultimate business driver and – with APIs as the enabler – it equals opportunity of staggering proportions. Like mobile before it – and indeed, social Web integration before that – IoE will come about precisely because the foundation of APIs already exists.

It is here where I disagree with some IoT pundits who advocate specialized protocols for optimizing performance. No thank you; it isn’t 1990 and opaque binary protocols no longer work for us, except when streaming large data sets (I’m looking at you, video).

Security in the IoE will be a huge issue and Cisco has this to say on the topic:

“IoE security will be addressed through network-powered technology: devices connecting to the network will take advantage of the inherent security that the network provides (rather than trying to ensure security at the device level).”

I agree with this because security coding is still just too hard and too easy to get wrong. One of the key lessons of mobile development is that we need to make it easy for developers to automatically enable secure communications. Take security out of the hands of developers, put it in the hands of dedicated security professionals and trust me, the developers will thank you.

As IoE extends to increasingly resource-constrained devices, the simpler we can make secure development, the better. Let application developers focus on creating great apps and a new economy will follow.

February 8th, 2013

Enabling OAuth Token Distributors


Are you a token distributor? If you provide an API, you probably are.

One thing I like about tokens is that, when they are compromised, your credentials are unaffected. Unfortunately, it doesn’t work so well the other way around: when your password is compromised, you should assume the attacker could also obtain access tokens to act on your behalf.

In his post The Dilemma of the OAuth Token Collector and in this Twitter conversation, Nishant Kaushik and friends comment on the recent Twitter hack and discuss the pros and cons of instantly revoking all access tokens when a password is compromised.

I hear the word of caution around automatically revoking all tokens at the first sign of a credential being compromised, but in a mobile world where user experience (UX) is sacred and where each tapping of a password can be a painful process, partial token revocation shouldn’t be automatically ruled out.

Although, as Nishant suggests, “it is usually hard to pinpoint the exact time at which an account got compromised”, you may know that it happened within a range and can use the worst-case scenario. I’m not saying that was necessarily the right thing to do in reaction to Twitter’s latest incident, but revoking only the tokens that were issued after the earliest time the hack could have taken place is a valid approach that needs to be considered. The possibility of doing this allows the API provider to mitigate the UX impact and helps avoid service interruptions (yes, I know UX would be best served by preventing credentials from being compromised in the first place).

Of course, acting at that level requires token governance. The ability to revoke tokens is essential to the API provider, and any token management solution being developed today should pay great attention to it. Providing a GUI to enable token revocation is a start, but a token management solution should also expose an API through which tokens can be revoked. This lets existing portals and ops tooling act programmatically on token revocation. Tokens need to be easily revocable per user, per application, per creation date, per scope etc., and per any combination of these.
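As an added illustration (not code from the original post or from Layer 7’s products) of the selective revocation described above, here is a small in-memory token registry whose `revoke_where` filter combines the user, application, creation-date and scope criteria, plus a helper that applies the worst-case compromise window. All names and the sample tokens are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Token:
    token_id: str
    user: str
    client_id: str          # the application the token was issued to
    scopes: frozenset
    issued_at: datetime
    revoked: bool = False


class TokenStore:
    """Hypothetical token registry exposing revocation by any combination of criteria."""

    def __init__(self):
        self._tokens = {}

    def issue(self, token_id, user, client_id, scopes, issued_at):
        tok = Token(token_id, user, client_id, frozenset(scopes), issued_at)
        self._tokens[token_id] = tok
        return tok

    def is_valid(self, token_id):
        tok = self._tokens.get(token_id)
        return tok is not None and not tok.revoked

    def revoke_where(self, user=None, client_id=None, issued_after=None, scope=None):
        """Revoke every live token matching ALL supplied criteria; return revoked ids."""
        hit = []
        for tok in self._tokens.values():
            if tok.revoked:
                continue
            if user is not None and tok.user != user:
                continue
            if client_id is not None and tok.client_id != client_id:
                continue
            if issued_after is not None and tok.issued_at < issued_after:
                continue
            if scope is not None and scope not in tok.scopes:
                continue
            tok.revoked = True
            hit.append(tok.token_id)
        return hit


def revoke_after_compromise(store, user, earliest_compromise):
    # Worst case: assume the credential fell at the earliest point of the window
    # and revoke only the user's tokens issued from that moment onward.
    return store.revoke_where(user=user, issued_after=earliest_compromise)
```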

Are you a token distributor? You should think hard about token governance. You should also think hard about scaling, security, integration with existing identity assets and interop, among other things. We cover these issues and more in our new eBook: 5 OAuth Essentials for API Access Control.