Tuesday, February 24, 2015

Transforming an Industry Leader with APIs - Dun and Bradstreet with Axway API Management

I'm proud to say that Dun and Bradstreet, the leading credit information company in the world, are using Axway API Management for their D&B Direct API. In this video on the Axway site, Kamron Abtahi, DaaS Engineer at Dun and Bradstreet, talks about the success of their API. The D&B Direct API is one of the most widely-known financial services APIs, and a great example of API monetization, creating a new revenue channel based on an API. The API itself makes use of a full-featured API Portal at developer.dnb.com which documents their SOAP and REST APIs, including in-place sandbox testing.

All about the data

Dun and Bradstreet is a fantastic example of a data-driven organization. As Kamron explains in the video below, Dun and Bradstreet manages information on 235 million businesses which they watch globally. The D&B Direct API strategy is to liberate content and, through their API, to provide this data into their customers homegrown applications, CRMs, and ERP systems. This is in line with broad Data-as-a-Service (Daas) approach. Kamron puts it very well, saying their API is all about "Delivering global data in modern ways".

Take a look at the video at the link below, and feel free to reach out if you have any questions.

Saturday, February 7, 2015

API Axes - Categorizing APIs

This week there has been a great discussion between David Berlind of ProgrammableWeb and Kin Lane of APIEvangelist.com, on the topic of categorizing Public and Private APIs. David quotes my ProgrammableWeb piece on Uber and ESPN, which talks about different API strategies, public and private. He makes some great points on the fact that many APIs are not fully public. I thought I'd expand on it here:

I believe there are two axes which can be considered:

First of all, let's look at API Exposure. The two categories are:
  • External : Able to be used outside the organization. 
  • Internal : Used only inside the organization
Secondly, let's look at API Management. It may be one of three categories:
  • Open: Anybody can use the API, anonymously with no controls 
  • Requires Registration: Has a public registration page ("API Developer Portal"), where developers can sign up for an API Key. Developers are identified with API Keys and usage is monitored accordingly.
  • "Dark" APIs:  I first heard this term used by Anand Shamra from Cisco. I like the analogy with Dark Matter, which is all around us, but we don't see it. These are APIs without a public registration page. As an example, there is no public Pandora API, but hardware manufacturers such as Roku still can connect to Pandora via an API. 
These axes are orthogonal. Using these axes, APIs divide into six categories. I've put them into a table below:

OpenNo registration required. Usually they take the form of read-only public data feeds. An example is the Nobel Prize API, which allows a developer to query information about Nobel Prize winners. Another example is the Massachusetts Roadway Events API.Open to all internal access, for example a Company Directory API. Note that API Management (specifically, an API Gateway/proxy) may still be used to monitor usage and protect against abuse such as data-harvesting.
Requires RegistrationRequires the developer to register, and may have an approval process before they gain access, e.g. the CVS Caremark API. Anyone can read the documentation, but developers have to register to use the API. These APIs may have a DaaS (Data as a Service) approach, like the Dun and Bradstreet D&B Direct API.Internal corporate API Developer Portals. Many large organizations use internal API Developer Portals to manage API usage across teams, which often include partners such as Systems Integrators. The general public cannot access the developer portal.
"Dark"No public developer page, and based on a business relationship. Often these take the form of B2B APIs between companies. An example is a 401.K provider which uses APIs to receive allocation amounts from its corporate clients, through an API Gateway. Inter-government APIs for sensitive intelligence data sharing also fit into this category. Developer access may be "by invitation only". These APIs often are use SOAP or XML because they are not designed for open use. e.g. manufacturing system APIs or drug-trial lookup APIs used in pharmaceutical companies. These often still take the form of SOAP Web Services since they have not been designed to encourage widespread developer access.

This is a fruitful area of debate, so I've anticipated some of the questions below:


Q: "Why not say 'Private' APIs instead of 'Dark' APIs?"
A: I feel that 'Private' has too much potential confusion with "internal".

Q: "Does 'open' mean there are no security or API management requirements?" 
A: Since I work for an API Management vendor (Axway), you can expect me to answer "of course not!" here :-). But, realistically, if  an API is fully open to the world, that is all the more reason to ensure that it's not subject to misuse such as data-harvesting, denial-of-service, or attempts at application-layer attacks. You should also keen track of how its being used, using API usage analytics. In particular, internal "open" APIs are precisely the APIs which can be subject to internal attacks, often by attackers who get onto the internal network by (for example) compromising weak WiFi security. Access to these APIs must still be monitored and logged. Consider the example of Sony Pictures which, by some accounts, was the subject of an insider attack.

Q: "Could you not say that an API with an external developer portal is still an 'Open' API, because anyone can (at least in theory) use it once they are approved?"
A: In many cases, the API which requires registration is linked to a business relationship. For example, in the case of the D&B  API which has a "Data as a Service" model (which you can read about more in this account of our API Workshop presentation by D&B recently), the API is an important new revenue channel and access is metered by an API Gateway. Here I'm using "Open" to mean that anyone can access the API without any kind of registration.

Q: "Could you say that some internal APIs are only 'Dark' just because nobody knows they exist?"
A: Yes, and these are the wrong kind of Dark APIs. Wired Magazine has noted that "It is insanely easy to hack medical equipment" because many have "embedded web services that allow devices to communicate with one another and feed digital data directly to patient medical records." These are examples of internal APIs which Randy Heffner from Forrester has called "Product APIs". Do you know if devices on your network have product APIs? Are they protected? Do you even know about them? Could an attacker, who can get onto your network, misuse them?

Q: "With 'Deperimeterization', can you not say that 'Everything is an External API'"?
A: This week I visited a customer, a large pharmaceutical, which explained they have a fully "flat" network. However, they still use API Gateways to control access. It's all the more reason to have an API Management layer in place.

This is a hot topic, and I anticipate more debate on it! I suggest everyone follow @DBerlind and @Kinlane on Twitter to take part. 

Wednesday, January 28, 2015

All around the world - API Workshops for OAuth, Mobile, REST

Here at Axway, we regularly run API Workshops worldwide which bring together API practitioners in discussion, debate, and exposure to technologies such as OAuth 2.0, API developer portal design, and identity. And when we say "worldwide", we mean worldwide. To illustrate this, my colleague Philipp Schöne has created an interactive map on CartoDB of the API Workshops over the past year, with photos of each. All that's missing is a backing track of Daft Punk's "Around the World" :)

Each API Workshop has been eventful in its own way, and for example I recall the spirited debate on SOA and API Management, led by Kevin Kohut from Accenture and Randy Heffner from Forrester, at our API Workshop in Phoenix in September.

Here are other highlights I'd pick out:

Tuesday, January 27, 2015

Axway/Oracle/Vordel API Gateway specialist required in New South Wales, Australia

Readers of this blog might be interested is this position:

Tom Agar at Total Resource Solutions in Sydney, Australia, is currently recruiting an API Gateway Designer/Developer to join a large New South Wales organisation for an initial 6 month contract. The right candidate will have experience with the Axway / Oracle / Vordel API Gateway.

If this is of interest please get in touch ASAP with Tom Agar on 02 8705 8554 or via email at tom@totalresource.com.au for more information.

Monday, January 19, 2015

APIs for Integration with NASDAQ

The new Axway website is full of great nuggets of information. For example, check out this case study for integration with NASDAQ, using Axway's API Gateway. The customer is Storebrand, an insurance and savings company with 1.8 million customers in Norway and Sweden.
NASDAQ interface: For its private customers in Sweden, Storebrand implemented an SSO integration with NASDAQ, the largest U.S. electronic stock market, which lists 3200 companies and trades some two billion shares per day. The Axway API Gateway solution enables customers who are logged on to the Storebrand site to directly access NASDAQ and carry out trades.
Many people may not realize that API Management solutions can be used for Single Sign-On integration with services like NASDAQ, using technologies such as SAML, OAuth, and OpenID Connect. But, check out the Storebrand case study to see how this is done.