August 1st, 2014

Balancing Security & Developer Enablement in Enterprise Mobility: Gartner Catalyst 2014

It’s that time of year again… time for another beautiful late-summer Gartner Catalyst conference in America’s Finest City: San Diego. Aside from being my hometown, the reason San Diego is so great is that it has balance. The warm sun is balanced by the cool ocean breeze, the strong business climate is balanced by the laid-back surf culture and the delicious fish tacos are balanced by a cold Corona. Balance makes everything better. Maintaining this balance is just as important when you’re talking about mobile strategy for your enterprise; that’s why I’ll be presenting a talk titled Balancing Security & Developer Enablement in Enterprise Mobility at Catalyst.

Enterprise IT security departments have always had a somewhat adversarial relationship with application developers, even when the applications ran entirely within the intranet. Now that internal data and applications are being exposed to employees, partners and customers through a whole new breed of mobile apps, these teams could potentially clash even more often. Security architects are more concerned than ever about core principles and security standards while developers are more focused than ever on providing incredible user experience rather than worrying about internal restrictions.

I’ll be discussing how these two groups – enterprise and security architects on one side and mobile app developers on the other – can accomplish the same goals. CA’s Layer 7 API Management solutions enable the enterprise to enforce the latest security specifications to the letter, protecting against malicious (or even accidental) threats to critical systems. But at the same time, they enable mobile app developers to very quickly consume the appropriate data through secure APIs, without having to implement the client side of those cutting-edge security standards. Stop by my talk on August 12 at 12:45pm to get the details or come by the Layer 7 booth (#113) to talk in more depth about how we can bring balance to your workplace.


June 27th, 2014

Drones, Phones & Pwns: The Promise (& Dangers) of IoT & APIs

Earlier this month, CA Layer 7 participated in yet another great conference – this time, it was QCon New York. As a three-time QCon attendee, I have always really appreciated the level of technical knowledge displayed by attendees. At this show, it’s rare that I have to explain the basics of APIs; most attendees are already using APIs in some form or another. And even though many of them are very hands-on developers, they are savvy enough to realize when it is and isn’t appropriate to “build it yourself.”

Many of my conversations began with, “We’re exposing APIs but we don’t have a good way to manage our developer community.” Even more interesting were the ones which began, “We built our own API Management layer but it doesn’t…” There was a wide array of endings to that sentence, including “scale well,” “provide any real security” and “help our developers build applications quickly.” Security was an especially common theme as these folks are smart enough to realize they are not primarily experts at implementing OAuth-based access control or protecting APIs against structural or content-based threats. They’d rather let Layer 7 worry about the implementation and simply configure which options are relevant to their applications. And, of course, many examples of app hacks, data breaches and identity theft are in the news these days; nobody wants their company to be the next victim.

Aside from being a common theme in discussions at the show, maintaining security and privacy in an increasingly interconnected world was the theme of my talk, titled Drones, Phones & Pwns: The Promise (& Dangers) of IoT & APIs. In the first half, I discussed the recent transition of drones from military/intelligence use cases to commercial/personal use and talked about some of the cool technologies already being enabled by these and other data-gathering “things”, such as our phones. I used personal examples to show how my life and the lives of many others are made more pleasant and efficient by this connectivity and data aggregation. After delving into the broad range of use cases made possible by the Internet of Things, it was time to take a look at the other side of the coin.

The second half of my presentation was about the darker side of all the personal data flowing around the Internet and the leaking/sharing/exposure that happens with or without our awareness. I tried not to mention obscure exploits that are unlikely to ever be used; instead, I used real-world examples of glaring privacy holes in devices and apps that we use every day. Rather than simply fear mongering, I tried to make a point about the trust that people – myself included – place in the companies and entities around them. And I followed up those bits with some advice about what we can do to make our future a little less frightening.

The reaction to my presentation was pretty surprising. Even amongst a very technical audience, I still had people approaching me all day afterward, explaining that I had scared them so much they weren’t ever going to look at their phone/car/gaming console/app the same way again. For those that were already familiar with some of the examples I had given, it provided a great conversation starter about security and what sort of cultural shifts will be required to alleviate some of the more pervasive issues.

These are the types of conversations we like to have with our customers – realistic assessments of the risks and challenges encountered by enterprises opening their data and applications to customers, partners and employees, followed by specific discussion of solutions. Considering the interest our customers are showing in these discussions, we’ve decided to do an encore presentation of my conference talk for a larger audience. I’m excited to announce the Layer 7 webinar Drones, Phones & Pwns: The Promise (& Dangers) of IoT & APIs will be held on July 23 at 9am Pacific Time. Registration is now open.


June 26th, 2014

APIs in the Connected Car: APIdays San Francisco

Today, I’m going to share some rather opinionated thoughts about APIs and the connected car. My opinions on this subject sprang from a combination of real-world experience plus (informed) speculation and came together as I prepared a talk for APIdays San Francisco.

The connected car is widely recognized as a game changer for the automotive industry. Experts all agree that just selling cars is a thing of the past. Mobility, connectivity and in-car user-experience will be leading decision considerations for car sales. Right now, automotive manufacturers, content providers and app developers are all competing to take a leading role in the connected car space. This is a matter of survival. Winners of the competition will be richly rewarded; the losers may sink into oblivion.

Car manufacturers seem understandably determined to dominate the connected car space. But this space is inherently shared with device manufacturers, content providers and app developers. Take away any one participant and you no longer have a sustainable ecosystem. If the automotive sector is not prepared to work with and accommodate the needs of other stakeholders, then no one will win. There are three things the industry can do to make things significantly better right away.

1. Implement a Standard Hypermedia Type for Automotive APIs
Right now, every car manufacturer wants to do its own thing and sees originality as a key to differentiation. This is a fallacy. There are way too many car manufacturers for content providers and app developers to keep up with the variety. Some have suggested that all manufacturers should just deploy Android as the base OS. I personally doubt they will all be able to agree on something as fundamental as the core OS. We should shoot for something much more realistic.

This is where hypermedia comes in. The most distributed system ever built — the World Wide Web — uses a hypermedia type (HTML) as its engine. There is a great opportunity to create a hypermedia format for car APIs that will energize the space just like HTML did for the Web. I believe this format could be based on an existing, generic type such as UBER, HAL or Siren. This would be similar to the way the Collection.Doc+JSON type was created for the news media industry, based on Collection+JSON.

2. Adopt a Standard API Security & Identity System
The prospect of connected cars getting hacked creates enormous anxiety. But connected car security can be addressed quite simply by adopting a security framework based around compartmentalization and standards-based access control.

In this context, “compartmentalization” means that core functions of the vehicle should be highly guarded. Specifically, no third-party app should have access to core driving functions like steering and braking, and that boundary has to be enforced in the vehicle architecture itself: the component that exposes APIs to apps should have no path to the driving controls, regardless of what any credential says. Meanwhile, a standards-based access control framework like OAuth will provide secure, granular access to specific system features through scopes. This would be similar to the way mobile apps currently ask for access to other parts of the device (GPS, contacts etc.).
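To make the two layers of that design concrete, here is an added example of a minimal policy-enforcement point for a connected-car API gateway. It is not Layer 7 code and not from any manufacturer; the route names, scope names and signing key are hypothetical, and the token format is an HS256 JWT minted locally so the example runs offline. The point it demonstrates is the ordering: the hard deny on core driving routes runs before the token is even parsed, so no scope (not even a wildcard) can reach them, while everything else is gated by an exact OAuth scope match.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only. A production gateway would
# verify tokens against the authorization server's (asymmetric, rotated) keys.
SIGNING_KEY = b"example-key-do-not-use-in-production"

# Hypothetical route table: (method, path) -> OAuth scope the caller must hold.
# Core driving functions deliberately have no entry here.
ROUTE_SCOPES = {
    ("GET", "/v1/vehicle/odometer"): "vehicle.telemetry:read",
    ("GET", "/v1/vehicle/location"): "vehicle.location:read",
    ("POST", "/v1/vehicle/climate"): "vehicle.climate:write",
}

# Compartmentalized functions: denied before any credential is examined.
CORE_DRIVING_PREFIXES = ("/v1/vehicle/brake", "/v1/vehicle/steering", "/v1/vehicle/throttle")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(scopes, lifetime=3600, now=None) -> str:
    """Mint an HS256-signed JWT carrying a space-separated 'scope' claim."""
    now = time.time() if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"scope": " ".join(scopes), "exp": int(now + lifetime)}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: refuses "none" and any key/alg confusion attempt.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize(method: str, path: str, token: str, now=None):
    """Policy decision for one request. Returns (HTTP status, reason)."""
    # 1. Compartmentalization: core driving functions are unreachable, full stop.
    if path.startswith(CORE_DRIVING_PREFIXES):
        return 403, "core driving function is not exposed to third-party apps"
    # 2. Only routes in the table exist for external callers.
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return 404, "unknown route"
    # 3. Authenticate the bearer token.
    try:
        claims = verify_token(token, now)
    except ValueError as err:
        return 401, str(err)
    # 4. Exact scope match; a "*" scope in the token grants nothing here.
    granted = set(claims.get("scope", "").split())
    if required not in granted:
        return 403, f"missing scope {required}"
    return 200, "allowed"


if __name__ == "__main__":
    t = issue_token(["vehicle.telemetry:read"])
    print(authorize("GET", "/v1/vehicle/odometer", t))   # (200, 'allowed')
    print(authorize("POST", "/v1/vehicle/brake", t))     # (403, ...) before the token is read
```

The deny list is checked first on purpose: a bug in token handling or an over-broad scope issued by mistake must never become a path to braking or steering. In a real vehicle the same rule should be mirrored in hardware or network topology, as the paragraph above argues, so the gateway check is defence in depth rather than the only barrier.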

3. Enable App Developers
Currently, only the lucky few are able to develop apps for connected cars. Generally, these are app vendors that have formal partnerships with car manufacturers. In most cases, developers can’t even get access to API documentation without a group of lawyers signing stacks of papers. The connected car space will not develop if it remains a tightly-held, closed system. On the contrary, manufacturers must build developer communities by providing the things that developers require: documentation; self-service portals; sandboxes; SDKs etc.

But That’s Not All
These are three immediate steps that can be taken to improve the connected car space significantly but as the space develops, we will have to focus not only on immediate requirements but also on the big picture. The connected car is a special case of the Internet of Things (IoT). The context of IoT is different enough that it requires a fundamentally different approach to system design and architecture. Hopefully, I will be able to delve into this context more in future.

Another aspect of the big picture is a good deal simpler: fun. If this space is going to develop as it should, manufacturers will have to make it fun for developers to experiment with the potential of automotive connectivity.

So, have fun out there!

June 5th, 2014

The Need for Secure APIs in Retailing

Applications in today’s retail industry are highly distributed and are generally connected by proprietary protocols. But trends toward expanding geographic distribution are driving increased demands for integration — and these demands are driving a greater use of application programming interfaces (APIs) in retail.

Retailers worldwide are under tremendous pressure to innovate faster and cycle through inventory as quickly as possible. Also, aggressively managing inventory supply chains is increasingly challenging because consumers have online access to competitive retail Web sites and can easily purchase products elsewhere.

“Showrooming” — the practice of examining merchandise in a traditional brick-and-mortar retail store but then shopping online to find a lower price for the same item — is placing increased margin pressure on retailers, particularly in countries like the US that have relatively low shipping costs.

Retailers are responding by accelerating inventory churns by gaining product visibility on partner Web sites and maximizing exposure of available inventory. The ability to quickly implement secure APIs that enable innovative merchandising opportunities and aggressive supply chain management can make the difference between success and failure in a highly competitive market.

Customers expect retailers to always have items they want in stock. For example, a customer who wants a sweater in a certain size and color will just shop elsewhere if that exact sweater is not available when he or she wants to buy it. Brand loyalty and repeat business are hurt by a failure of any link in the supply chain. APIs and the ability to accelerate integration with partner systems help retailers not only to increase merchandising opportunities but also to gain greater visibility over purchasing patterns and supply chain demands.

APIs can have an even greater impact on retail markets with products that have shorter shelf lives. While the clothing markets are aggressively deploying APIs, so too are retail markets that rely on perishable products, such as the food industry. Obtaining food products when needed and minimizing spoilage requires an information-centric approach to supply chain management. Food service retailers and grocery stores both depend on real-time information about product availability. In this context, innovative APIs into third-party applications can provide a competitive advantage.

To see the long-term potential of APIs in retailing, I think we can take a look at industries such as online gambling. The gambling industry is a tremendously aggressive consumer of APIs. In locations where it’s legal, large bookmaking organizations compete to quickly introduce opportunities for people to bet on everything from sports to political races or the national budget. Online betting companies develop games or set up innovative new betting scenarios to captivate retail customers, and APIs allow them to roll new services out very quickly to keep customers engaged.

For multi-channel retailers, it’s only natural to want to give customers immersive shopping experiences across not only brick-and-mortar storefronts but also Web, mobile and social media channels. These online experiences are increasingly location-specific and contextualized to each shopper’s identity and buying history. APIs provide the means for ensuring consistent shopping experiences across multiple retail channels.

Retailers are increasingly seeking to engage buyers everywhere they might be, whether online or in-store. They are looking for ways to deliver immersive commerce experiences — including consistent content, promotions and rewards —  across multiple channels. Retailers want to tailor these experiences to buyers’ enhanced identity information. Achieving all this requires the ability to:

  • Expose content, commerce, loyalty and promotion functions as APIs
  • Integrate APIs from third-party affiliates, mobile apps, social networks, geolocation services, customer data sources and ad networks
  • Resolve and reconcile a buyer’s identity across online channels
  • Simplify mobile notifications

Having the toolset to manage APIs is essential. The CA Layer 7 API Management Suite provides all the API creation, integration and orchestration features necessary to meet context-aware, multi-channel retail merchandising objectives. By adopting proven policies and procedures for ensuring secure APIs, retailers can aggressively scale their online merchandising initiatives and potentially reach more customers with innovative offers of products and services.

May 21st, 2014

The Increasing Impact of APIs on the Digital Marketplace


For years, organizations connected distributed applications using increasingly complex protocols. But as the principles of the World Wide Web rapidly penetrated the business world, IT organizations began to realize that many of the concepts, infrastructures and protocols that enable the massive scalability of the Web could be applied to enterprise application development. Enter the application programming interface (API).

Business needs are driving enterprises to open their data and applications more to partners, developers, mobile apps and cloud services. APIs provide a standardized way to open up information assets across the Web, mobile devices and the cloud. However, to make API information sharing safe, reliable and cost-effective, enterprises must deal with critical security, performance management and data adaptation challenges.

The API can be used as a lingua franca of modern computing, allowing the enterprise to selectively open up applications in order to create value. It is not a coincidence that the API movement has grown in importance as a new generation of coders has come of age – a generation that values simplicity and getting the job done.

The complexities valued by the previous generation of developers are giving way to developers more focused on lowering the barriers to entry and on improving the accessibility of information while ensuring the security of critical enterprise resources. APIs allow developers to greatly simplify integration.

APIs open up new opportunities for executives to evaluate business information resources in order to build value for the enterprise by creating services that others can consume. For example, New York’s Metropolitan Transportation Authority (MTA) opened up APIs so that developers could build apps exposing subway train status information. The MTA recognized that its core business was transportation, not app development, so it didn’t try to build smartphone apps but instead exposed its core information systems through APIs that allow developers to create apps which provide consumers with updated transit information.

The MTA is leveraging information in existing systems in order to allow developers to build apps that create more informed consumers, who are presumably becoming more reliant on public transportation. This strategy is allowing the New York MTA to provide better transportation through APIs and cities like Washington DC are similarly opening up their APIs to make transportation easier for their citizens. By understanding consumer needs for better and timelier transportation information and filling those needs by opening up APIs to the development community, transportation providers are building more loyal customers.

Understanding the opportunities to capitalize on APIs is crucial and many companies are turning to their marketing departments for direction on API strategies. To their credit, marketing professionals are often forward-looking and trend-driven and many have been monitoring API advances and seeing the business opportunities potentially enabled by API adoption. They are well positioned to evaluate available data within business applications in order to determine what information the organization should make available in a safe and secure manner to create value for the enterprise.

Once the APIs are developed, the ability to promote available APIs among the development community is essential for gaining acceptance and adoption. Organizations need the ability to market their APIs to create interest within the development community. To obtain maximum value from APIs, enterprises need ways to attract, onboard and manage developers.

The CA Layer 7 API Management Suite provides enterprises with a comprehensive set of solutions that externalize APIs in a secure, reliable and manageable way. It includes the CA Layer 7 API Portal, which allows the enterprise to deploy the infrastructure to monetize APIs, advertise them and create communities around them. This allows organizations to capitalize on the increasing impact APIs are having on the digital marketplace and to build and manage secure APIs that create increased value for the enterprise.