The concept of IT governance has grown in prominence over the past five to 10 years, driven by the need to comply with an ever-growing list of regulations around accountability, write Hitarshi Buch, senior architect, Connected Enterprise Services at Wipro and Satyanarayna Sunkara, principal consultant, Connected Enterprise Services at Wipro.
In addition, the importance of IT as a business enabler has been realised, and it has become essential to align IT strategy with business strategy and put methods into place to measure the effectiveness of IT. As a result of the widespread recent adoption of service oriented architecture (SOA), a platform that enables platforms and systems to provide services to each other, governance of SOA has tended to be a primary concern for organisations.
However, with the rapid growth in both popularity and usage of a range of mobile devices, application programming interfaces (APIs), tools for developing software and integration thereof, have now become the new governance challenge. While SOAs and APIs are ostensibly very different, there are in fact several similarities between the two, which can be leveraged to adopt an effective, future-based governance approach.
APIs versus SOAs
According to the Magic Quadrant for Application Services Governance from leading analyst firm Gartner, “the use of Web APIs is increasing more than ever, generally supporting new sales channels through mobile applications”.
Mobile touch points will become the hub of future client relationships, and as a result organisations will see a new focus on building APIs. A governance mechanism is therefore essential to manage this proliferation.
In addition, organisations are targeting the developer community that creates third-party mobile applications by leveraging their APIs. This then builds capabilities for social integration of APIs. It is again essential to manage this and provide relevant metrics – another aspect of governance.
APIs are undoubtedly an emerging trend; however, over the past decade there has been a steady move within enterprises toward service orientation. As a result, SOA governance has been the focus.
According to the Wipro Technology Survey Q2 2014, 86% of Wipro customers have invested in various levels of SOA governance. Of significant concern to many organisations in light of this is how to obtain co-existence between API management and SOA governance, as well as whether managing APIs will require a revamp of the existing governance approach.
Comparing API and SOA governance
Creating the desired level of coexistence requires a seamless solution for governing both APIs and SOAs. In order to achieve this, it is important to first understand the similarities as well as the differentiators of API and SOA governance. SOA governance is used to manage enterprise-wide SOA services, while an API management platform governs the APIs published on the edge of the enterprise.
Effectively, an API is a lightweight and simplified SOA service, an extension of SOA services, and therefore has similar lifecycle governance.
Other similarities include service dependencies – APIs are dependent on backend SOA services and can form part of the same service catalogue – as well as the requirement for capturing appropriate metadata, which is critical to both SOA services and APIs.
In addition, design methodology is similar, as the first approach of API is practically the same as the service modelling approach, which begins with service identification. Both SOAs and APIs also have common principles, including loose coupling, encapsulation, and reusability, and both require lean governance mechanisms so that productivity is not hampered.
Despite these similarities, APIs and SOAs are not the same, and the differences need to be noted. One of the key disparities between SOA services and APIs is that they have different stakeholders. SOA services cater to consumers and providers within the organisation, whereas APIs must cater to multiple delivery channels and are considered app developer-centric as opposed to integration-centric. In addition, SOA services are typically represented as business functions, whereas APIs represent resources. The need to on-board app developers and manage API keys is exclusive to APIs, and API and app level usage statistics and productivity metrics are required at the API layer. API governance also tends to be more dependent on run-time policy to enforce security, rate plans and others, in the hopes of enabling monetisation at the edge.
A unified approach to governance
Since there are several overlapping capabilities required for managing both APIs and SOA services, there is a strong case for a unified approach to their governance. The key components of such a model include a common asset repository, metadata and lifecycle management, consumer and developer on-boarding, developer management, and analytics.
It is also important to adopt unified policy management, as both SOA services and APIs rely on run-time policies for ensuring non-functional requirements are adhered to. Therefore, policy definition and distribution is a critical feature, which can be converged to provide a common Policy Administration Point (PAP). External policy definitions can then be attached to SOA Services and APIs, which will be leveraged with the respective policy enforcement points (PEPs).
Further to this, a unified gateway is required. This is the run-time component used to expose service proxy endpoints, provide lightweight mediation and enforce run-time policies. Many organisations are already leveraging their existing gateway infrastructure in a unified manner to provision APIs and SOA services.
In conclusion
The synergies between the requirements of SOA governance and API management lend themselves toward the convergence of toolsets and capabilities around governance. This is something we will no doubt see emerging from vendors in the near future.
However, in the interim, there are several steps organisations can take to enable unified governance, including leveraging existing governance tooling to enable lifecycle management and a common asset repository for both SOA Services and APIs.
In addition, utilising a common service and API gateway with appropriate considerations to capacity management and scalability, and building custom solutions to enable a federated approach for the disjointed capabilities related to policy management, analytics and developer portal, can be highly beneficial.
Unified governance allows for the seamless management of both APIs and SOA services within an enterprise. This approach will enable organisations to follow a clear roadmap that not only allows them to pursue tactical wins using APIs, but also leverage the tried and tested techniques of SOA governance.