July 17th, 2014

API360 Summit – Washington, DC

API360Since the API Academy was founded two years ago, we have had the pleasure of helping numerous organizations and industry leaders succeed with their API programs. Through this experience, we have learned at least as much as we have taught – and we recognize that continuing this collaboration is vital to furthering the field of API strategy and design. Also in this time, we have observed a growing recognition that a holistic approach to APIs is needed in order to achieve maximum benefit.

With all of this in mind, we are pleased to announce our API360 Summit series. These complimentary one-day summits will bring together industry leaders to examine APIs from every possible perspective: business and innovation; architecture and design; applications and trends. Most importantly, these events will provide attendees with up-to-date, actionable information they can start using as soon as they walk out the door at the end of the day.

Our first API360 Summit will take place on September 12 at the Newseum in Washington, DC. We will be featuring a range of speakers with first-hand experience of how APIs are impacting organizations across the public and private sectors. There will also be panel sessions examining pertinent topics like using APIs in open government and exposing APIs to external developers. And there will be plenty of opportunities for interaction and discussion.

For more information and free registration please visit the API360 site.

July 15th, 2014

Beyond the CMS

NPR BuildingOn April 22, 2011, I was in Washington, DC, preparing to start my new job at NPR. At that point in my life, this was pretty much my dream job, so I was very excited and a little nervous. I did a lot of thinking that night and the conclusions I came to eventually became the basis of NPR’s technology strategy. I recently had a chance to share my thoughts from that night as part of a talk at the Integrated Media Association’s iMA 2014 conference. Here are the edited highlights.

The basic premise I started from was that all content management systems are fundamentally broken. This may sound a little harsh but I feel able to say it because I’m part of the problem – I’ve built content management systems for organizations across the public and private sectors, so I’m pretty well placed to tell you that no available CMS platform is architected for what publishers – particularly news outlets – truly need.

Most content management systems were designed years ago, for a much simpler world. We now live in an incredibly fragmented and complex world. Any piece of content tends to be sourced from a variety of places and published across a range of old and new media channels. Throughout this complex process, everything has to work seamlessly. The margin for error during breaking news or major events is pretty much zero.

In this context, what do publishers actually need from a CMS? They need:

  • An easy way to connect with many news sources
  • The ability to push content across a variety of channels
  • Guaranteed availability and scalability

So, how do we build a CMS that actually addresses these needs? To my mind, the solution has three key components. First and foremost, the whole architectural approach must be based on APIs. Second, it must specifically use hypermedia APIs and finally, the APIs must be what I’ve been calling “linked APIs”.

1. APIs First
APIs represent the only universal way to connect anything on the Web to any other online thing. Unfortunately, since we started the Web in a desktop-centric world, APIs were an afterthought. Historically, we used to build a Web site and then maybe also add an API, as a window into our content.

This is the wrong approach. Your Web site is just one of the destinations for your content. Increasingly, it’s not even the most important one, since mobile viewership is clearly on the rise. Don’t treat your Web site as special. All your content and functionality should be put into and delivered through APIs.

 2. Hypermedia
Publishers need things to just work. They don’t care about the technical details; they just can’t have their services go down at any time – so, scalability is paramount. And how do you ensure scalability? As I’ve pointed out before, the most scalable network ever created is the World Wide Web and the secret to the Web’s scalability is hypermedia.

Hypermedia is any type of content that not only carries data but also links to other documents. The hypermedia type that is most fundamental to the Web – and certainly the one we are most familiar with – is HTML. However, HTML was designed for human-centric Web sites, not for exchanging structured content via APIs.

There are, however, other hypermedia types that were designed for this very purpose. As a matter of fact, I was involved in the creation of a very robust one called Collection.Document, which was designed specifically for media organizations.

3. Linked APIs
Leveraging hypermedia as an integral part of interface design allows us to create “linked APIs”. Most current APIs are, at best, creating narrow windows into the solid walls of data silos. Even the most high-profile API will typically only provide access to a single corporate database. Hypermedia allows us to create links between these databases.

This will prove essential to the next generation of content management systems because linked APIs have the potential to give content publishers the freedom they want to seamlessly integrate content from diverse sources and push it across the full spectrum of online channels. As such, they could even come to represent the engine that drives press freedom into the coming decades. So, let’s get that engine cranking!

June 27th, 2014

Drones, Phones & Pwns:
The Promise (& Dangers) of IoT APIs

DroneEarlier this month, CA Layer 7 participated in yet another great conference – this time, it was QCon New York. As a three-time QCon attendee, I have always really appreciated the level of technical knowledge displayed by attendees. At this show, it’s rare that I have to explain the basics of APIs; most attendees are already using APIs in some form or another. And even though many of them are very hands-on developers, they are savvy enough to realize when it is and isn’t appropriate to “build it yourself.”

Many of my conversations began with, “We’re exposing APIs but we don’t have a good way to manage our developer community.” Even more interesting were the ones which began, “We built our own API Management layer but it doesn’t…” There was a wide array of endings to that sentence, including “scale well,” “provide any real security” and “help our developers build applications quickly.” Security was an especially common theme as these folks are smart enough to realize they are not primarily experts at implementing OAuth-based access control or protecting APIs against structural or content-based threats. They’d rather let Layer 7 worry about the implementation and simply configure which options are relevant to their applications. And, of course, many examples of app hacks, data breaches and identity theft are in the news these days; nobody wants their company to be the next victim.

Aside from being a common theme in discussions at the show, maintaining security and privacy in an increasingly interconnected world was the theme of my talk, titled Drones, Phones & Pwns: The Promise (& Dangers) of IoT & APIs. In the first half, I discussed the recent transition of drones from military/intelligence use cases to commercial/personal use and talked about some of the cool technologies already being enabled by these and other data-gathering “things”, such as our phones. I used personal examples to show how my life and the lives of many others are made more pleasant and efficient by this connectivity and data aggregation. After delving into the broad range of use cases made possible by the Internet of Things, it was time to take a look at the other side of the coin.

The second half of my presentation was about the darker side of all the personal data flowing around the Internet and the leaking/sharing/exposure that happens with or without our awareness. I tried not to mention obscure exploits that are unlikely to ever be used; instead, I used real-world examples of glaring privacy holes in devices and apps that we use every day. Rather than simply fear mongering, I tried to make a point about the trust that people – myself included – place in the companies and entities around them. And I followed up those bits with some advice about what we can do to make our future a little less frightening.

The reaction to my presentation was pretty surprising. Even amongst a very technical audience, I still had people approaching me all day afterward, explaining that I had scared them so much they weren’t ever going to look at their phone/car/gaming console/app the same way again. For those that were already familiar with some of the examples I had given, it provided a great conversation starter about security and what sort of cultural shifts will be required to alleviate some of the more pervasive issues.

These are the types of conversations we like to have with our customers – realistic assessments of the risks and challenges encountered by enterprises opening their data and applications to customers, partners and employees, followed by specific discussion of solutions. Considering the interest our customers are showing in these discussions, we’ve decided to do an encore presentation of my conference talk for a larger audience. I’m excited to announce the Layer 7 webinar Drones, Phones & Pwns: The Promise (& Dangers) of IoT & APIs will be held on July 23 at 9am Pacific Time. Registration is now open.

Sign up for the webinar >>

June 26th, 2014

APIs in the Connected Car: APIdays San Francisco

APIdays SFToday, I’m going to share some rather opinionated thoughts about APIs and the connected car. My opinions on this subject sprang from a combination of real-world experience plus (informed) speculation and came together as I prepared a talk for APIdays San Francisco.

The connected car is widely recognized as a game changer for the automotive industry. Experts all agree that just selling cars is a thing of the past. Mobility, connectivity and in-car user-experience will be leading decision considerations for car sales. Right now, automotive manufacturers, content providers and app developers are all competing to take a leading role in the connected car space. This is a matter of survival. Winners of the competition will be richly rewarded; the losers may sink into oblivion.

Car manufacturers seem understandably determined to dominate the connected car space. But this space is inherently shared with device manufacturers, content providers and app developers. Take away any one participant and you no longer have a sustainable ecosystem. If the automotive sector is not prepared to work with and accommodate the needs of other stakeholders, then no one will win. There are three things the industry can do to make things significantly better right away.

1. Implement a Standard Hypermedia Type for Automotive APIs
Right now, every car manufacturer wants to do its own thing and sees originality as a key to differentiation. This is a fallacy. There are way too many car manufacturers for content providers and app developers to keep up with the variety. Some have suggested that all manufacturers should just deploy Android as the base OS. I personally doubt they will all be able to agree on something as fundamental as the core OS. We should shoot for something much more realistic.

This is where hypermedia comes in. The most distributed system ever built — the World Wide Web — uses a hypermedia type (HTML) as its engine. There is a great opportunity to create a hypermedia format for car APIs that will energize the space just like HTML did for the Web. I believe this format could be based on an existing, generic type such as: Uber, HAL or Siren. This would be similar to the way the Collection.Document type was created for the news media industry, based on Collection.json.

2. Adopt a Standard API Security & Identity System
The prospect of connected cars getting hacked creates enormous anxiety. But connected car security can be addressed quite simply by adopting a security framework based around compartmentalization and standards-based access control.

In this context, “compartmentalization” means that core functions of the vehicle should be highly guarded. Specifically, no third-party app should have access to core driving functions like handling and braking. Meanwhile, a standards-based access control framework like OAuth will provide secure, granular access to specific system features. This would be similar to the way mobile apps currently ask for access to other parts of the device (GPs, contacts etc.)

3. Enable App Developers
Currently, only the lucky few are able to develop apps for connected cars. Generally, these are app vendors that have formal partnerships with car manufacturers. In most cases, developers can’t even get access to API documentation without a group of lawyers signing stacks of papers. The connected car space will not develop if it remains a tightly-held, closed system. On the contrary, manufacturers must build developer communities by providing the things that developers require: documentation; self-service portals; sandboxes; SDKs etc.

But That’s Not All
These are three immediate steps that can be taken to improve the connected car space significantly but as the space develops, we will have to focus not only on immediate requirements but also on the big picture. The connected car is a special case of the Internet of Things (IoT). The context of IoT is different enough that it requires a fundamentally different approach to system design and architecture. Hopefully, I will be able to delve into this context more in future.

Another aspect of the big picture is a good deal simpler: fun. If this space is going to develop as it should, manufacturers will have to make it fun for developers to experiment with the potential of automotive connectivity.

So, have fun out there!

May 9th, 2014

Trade Shows, Connected Cars & Secure APIs

API Events May-June 2014May and June are shaping up to be busy months here at Layer 7! We will be sponsoring and exhibiting at a number of leading industry events and our API Management experts will be speaking at several of these shows.

Notably, throughout the month of June, our speakers will be focusing on the “connected car” – a prominent Internet of Things use case. Below, I’ve provided a list of some upcoming shows that will have a Layer 7 presence. If you’re attending any of these events, take the opportunity to learn how secure APIs will be vital to enabling automotive connectivity. And be sure to stop by the Layer 7 booth to say “hi”!

For full details of our upcoming events, visit the Layer 7 Web site. And if you’d like to schedule a meeting with one of our experts at any of these shows, please reach out to us by emailing events@layer7.com.

Layer 7 events in May/June 2014: