API Governance: How Important Is It for API Strategy? Gibson Nascimento July 21, 2020 API Governance – What Is It? API governance is just like any other IT area, where there is a need to understand the use of assets, regulate and manage standard rules, or define and validate security. It’s about identifying and managing design best practices, quality checks, documentation, security, auditing, and scrutinizing all aspects of the API lifecycle (similar to company governance protocols). A key area of API governance is appreciating the real impact of APIs. To do this, it’s necessary to analyze their usage. In the real world, most companies fail to complete full governance audits, resulting in security breaches and access control issues. This article discusses how API governance can prevent these issues from occurring. The Different API Governance Models There are different ways to define and apply governance to APIs. The most common models are centralized, decentralized, and distributed: Centralized Any architectural changes, from the implementation of new features to an application or introduction of new elements in the architectural landscape, are always reviewed and approved by a centralized team. Dependent upon the scale of the model adopted, this can result in the team becoming a bottleneck due to the high level of demands put upon them. Decentralized Similar to centralized, but with small teams having the autonomy to evaluate and validate certain aspects of the architecture, either for a particular application or a set of related applications. Although there are gains with this approach, the teams still need to follow agreed protocols to ensure major changes don’t impact their organization. Distributed This model introduces the concept of multiple teams, specialists in a set of products, and, therefore, responsible for them. Business knowledge and aspects of governance are crucial to ensure the right controls are in place. Adaptive Governance Adaptive governance is the ability to determine styles and governance controls necessary for different contexts of digital businesses. Business units may have varying needs when it comes to releasing digital products or even different environments to enable partners to develop and test their integration. Adaptive governance enables each business unit to define its workflows, the right level of controls for each step (including quality checks and policies), and the environments associated with the workflow yet connected to the same organization’s API gateway. A robust governance model has three key areas: control, agility, and autonomy. Control Governance to be applied based on rules and regulations defined by the company’s operating environment. Open Banking, GDPR, PCI-DSS are regulations that require certain levels of security or auditing are in place to maintain compliance. Agility Giving teams the ability to define and decide what rules best apply to their scenarios. Autonomy More common where a high-level of automation is in place and decisions can be made in real-time, especially when interactions happen at the machine-to-machine level. The closer a company gets to autonomy, the more mature and complex its governance becomes. Benefits of a Good Governance Strategy A robust governance strategy brings many benefits to an API program. Three key benefits include suitable controls, review cycles, and visibility. Let’s look deeper into these three key traits. Suitable Controls With quality API governance, suitable controls are in place and enforced when necessary, for example, with version management, access control, API auditing, and security. Defining and enforcing controls ensures key strategies are followed, for example, with version management. When new API versions are planned, there are clear steps to avoid breaking existing integration and replace old versions. It also ensures security mechanisms, such as threat protection and access controls, are in place and compatible with APIs in any environment. And in the case of regulated environments, such as PCI-DSS, it ensures the right levels of auditing and logs are added. Review Cycles A good governance strategy has review cycles to ensure the relevance of the process and compliance with new regulations, partner requirements partner, or other needs. Review cycles must be defined, ensuring the strategy remains relevant, and established mechanisms and controls are followed. Visibility Quality API governance brings greater transparency of APIs’ mechanisms and general usage, enabling improvement to governance strategy and APIs. Visibility has two elements: design and operational. The design focuses on understanding how the different initiatives, run by different parts of the organization, are adapting and adhering to the strategy (ultimately driving the review cycles). Operational identifies how APIs are used by different partners or integrators and the impact of an API in terms of volume, user numbers, and the different back-ends leveraged by the exposed services. Conclusion Defining an API governance strategy is not an easy task, especially when there are many factors to consider: the right model, priority levels for different elements, and various policies. Although several discussions will likely occur before the first version of the strategy is agreed upon, the end result will pay off. The APIs (and technically speaking), the whole API strategy, will be more mature and prepared for the challenges posed by the different markets out there. It’s about gaining the advantage of tools that identify design best practices and automate rule enforcement.