5 Pillars of API Management


Introduction: Managing the new open enterprise

Realizing the Opportunities of the API Economy

Across industry sectors, the boundaries of the traditional enterprise are blurring, as organizations open up their on-premise data and application functionality to partner organizations, the Web, mobile apps, smart devices and the cloud. APIs (application programming interfaces) form the foundation of this new open enterprise, allowing enterprises to reuse their existing information assets across organizational boundaries.

Meeting the Challenges of Secure, Manageable API Publishing

APIs empower enterprises to quickly repurpose IT systems, add value to existing offerings and open new revenue streams. It should come as no surprise, though, that exposing on-premise systems via APIs also creates a range of new security and management challenges. The term “API Management” refers to a set of processes and technologies that have emerged in recent years to help enterprises meet these challenges.

API Management solutions aim to make it simple for even the most security-conscious organizations to open their information assets for use by partner organizations, third-party developers, mobile apps and cloud services, without impacting data security or the performance of backend systems. Full-featured API Management solutions also provide functionality for managing the developers who build applications that leverage enterprise APIs.

Overview: 5 Pillars of API Management

Expose Enterprise Data & Functionality in API-Friendly Formats
Convert complex on-premise application services into developer-friendly RESTful APIs.

Protect Information Assets Exposed via APIs to Prevent Misuse
Ensure that enterprise systems are protected against message-level attack and hijack.

Authorize Secure, Seamless Access for Valid Identities
Deploy strong access control, identity federation and social login functionality.

Optimize System Performance & Manage the API Lifecycle
Maintain the availability of backend systems for APIs, applications and end users.

Engage, Onboard, Educate & Manage Developers
Give developers the resources they need to create applications that deliver real value.

Expose Enterprise Data & Functionality in API-Friendly Formats
Convert complex on-premise application services into developer-friendly RESTful APIs

WHAT

Enterprise data and applications typically comprise a complex web of standards, protocols, programming languages and file formats. The first stage of API Management is presenting these diverse information assets in a format that developers can understand and leverage. Commonly, this means publishing application programming interfaces that follow REST (“RESTful APIs”).

WHY

On-premise systems commonly rely on application services delivered in proprietary formats too verbose to work efficiently via the Web or mobile apps. Application services associated with the common SOA (service oriented architecture) style generally employ the SOAP protocol, whereas Web/mobile devs rely on REST. If APIs are not delivered in a format that internal and third-party developers can easily leverage, they will not facilitate the creation of any truly valuable new applications.

HOW

The most effective API Management solutions include functionality for presenting legacy enterprise services as RESTful APIs. Typically, this will involve using a SOA or API Gateway to automatically convert data from SOAP-based services into RESTful APIs. To be truly effective, the Gateway should make it possible to efficiently compose RESTful APIs from “mash-ups” of multiple existing application services.

Learn More: API Tech Talk: Simplifying REST Adaptation.
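The SOAP-to-REST adaptation described under HOW, shown as an added example in Python (not code from CA or from the CA API Gateway). It assumes a hypothetical legacy SOAP service with a GetOrder operation under the made-up namespace urn:example:orders; the SOAP envelope is constructed for the example. Beyond the page's description, it also applies an allow-list of fields so that internal identifiers in the backend response never leave the gateway, and it builds the outbound SOAP request through the XML API rather than string concatenation so REST parameters are escaped.

```python
"""Gateway-style SOAP-to-REST adaptation (added example, not CA's code)."""
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:orders"  # hypothetical namespace of the legacy service
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("o", SVC_NS)

# Constructed sample of what the legacy SOAP backend returns for GetOrder.
SAMPLE_SOAP_RESPONSE = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:o="{SVC_NS}">
  <soap:Body>
    <o:GetOrderResponse>
      <o:Order>
        <o:OrderId>1001</o:OrderId>
        <o:Status>SHIPPED</o:Status>
        <o:Customer>
          <o:Name>Ada</o:Name>
          <o:InternalAccountRef>ACCT-77</o:InternalAccountRef>
        </o:Customer>
        <o:Total currency="USD">42.50</o:Total>
      </o:Order>
    </o:GetOrderResponse>
  </soap:Body>
</soap:Envelope>"""

# Dotted paths the gateway may pass through to REST clients (allow-list).
# Anything not listed, such as InternalAccountRef, stays behind the gateway.
EXPOSED_FIELDS = {"OrderId", "Status", "Customer.Name", "Total"}


def build_soap_request(operation: str, params: dict) -> str:
    """REST-side parameters -> SOAP request envelope for the backend.
    Values are assigned as element text so ElementTree escapes them."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _element_to_obj(el):
    """Recursively convert an element subtree into JSON-friendly values."""
    children = list(el)
    if not children:
        text = (el.text or "").strip()
        if el.attrib:  # keep attributes such as currency next to the value
            return {"value": text, **{_local(k): v for k, v in el.attrib.items()}}
        return text
    return {_local(c.tag): _element_to_obj(c) for c in children}


def _project(obj: dict, exposed, prefix: str = "") -> dict:
    """Keep only allow-listed dotted paths; drop everything else."""
    out = {}
    for key, value in obj.items():
        path = prefix + key
        if path in exposed:
            out[key] = value
        elif isinstance(value, dict):
            sub = _project(value, exposed, path + ".")
            if sub:
                out[key] = sub
    return out


def soap_to_rest(soap_xml: str, exposed=EXPOSED_FIELDS) -> dict:
    """Backend SOAP response -> filtered, JSON-ready dict for the REST client.
    For XML from untrusted sources, parse with defusedxml instead."""
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0 or len(body[0]) == 0:
        raise ValueError("malformed SOAP envelope")
    payload_el = body[0][0]  # e.g. GetOrderResponse -> Order
    return _project(_element_to_obj(payload_el), exposed)


if __name__ == "__main__":
    print(build_soap_request("GetOrder", {"OrderId": "1001"}))
    print(json.dumps(soap_to_rest(SAMPLE_SOAP_RESPONSE), indent=2))
```

The allow-list runs on dotted paths so that nested structures (Customer.Name) can be exposed without exposing their siblings; composing a "mash-up" of several services is then a matter of merging the projected dicts from each backend call.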

Protect Information Assets Exposed via APIs to Prevent Misuse
Ensure that enterprise systems are protected against message-level attack and hijack

WHAT

Opening up enterprise information assets for use in new applications exposes them to many of the same security threats that plague the Web (e.g. viruses, DoS attacks). Additionally, APIs create a range of new and unique security challenges that go beyond what enterprises are used to dealing with on the Web. Perhaps the most essential function of API Management is the creation of a security layer to ensure that hackers are unable to access, misuse or attack exposed systems.

WHY

APIs are windows to applications and data, potentially providing hackers with a view into the inner workings of enterprise systems and a route to accessing those systems. This creates the increased possibility that hackers will be able to steal confidential data, hijack public-facing interfaces for nefarious purposes or crash critical systems. Conventional online security solutions designed for the Web do not cover all the potential threats created by API publishing, so specific API security must be implemented.

HOW

Arguably the key function of the type of API Gateway mentioned above is to inspect and filter all API traffic to identify then neutralize common or emerging threats. To be effective, the Gateway should be designed and certified to tackle message-level, API-specific threats such as SQL Injection, Denial of Service attacks and viruses. The Gateway’s security functionality and threat profiles should also be easily updateable, to tackle new types of threats as they emerge.

Learn More: White Paper: Protecting Your APIs Against Attack & Hijack.
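The message-level inspection described under HOW, as an added example in Python (not CA's code and not how the CA API Gateway implements it). It assumes a hypothetical POST /orders/search endpoint and a constructed set of requests. Rather than pattern-matching for known attack strings, it applies positive validation: a content-type check, a body size cap and nesting-depth cap (the resource-exhaustion side of DoS), and an allow-list schema that rejects unknown fields and values outside the expected shape, which is what stops injection-style payloads from ever reaching the backend. Parameterized queries at the backend remain the real fix for SQL injection; the gateway filter is a layer in front of that.

```python
"""Gateway-side positive validation of an API request (added example)."""
import json
import re

MAX_BODY_BYTES = 4096   # reject oversized bodies before parsing them
MAX_DEPTH = 8           # reject deeply nested JSON (parser exhaustion)
MAX_ARRAY_ITEMS = 100

# Allow-list schema for the hypothetical POST /orders/search body.
ORDER_SEARCH_SCHEMA = {
    "customerId": {"type": str, "pattern": re.compile(r"^[A-Z0-9]{1,16}$")},
    "status": {"type": str, "enum": {"NEW", "SHIPPED", "CLOSED"}},
    "limit": {"type": int, "min": 1, "max": 50},
}
REQUIRED_FIELDS = {"customerId"}

JSON_HEADERS = {"Content-Type": "application/json; charset=utf-8"}

# Constructed sample requests: one acceptable, the rest representative of
# traffic the gateway should stop at the edge.
SAMPLE_REQUESTS = {
    "valid": (JSON_HEADERS, b'{"customerId": "C123", "status": "SHIPPED", "limit": 10}'),
    "quoted_injection_attempt": (JSON_HEADERS, b'{"customerId": "C123\' OR 1=1--"}'),
    "unknown_field": (JSON_HEADERS, b'{"customerId": "C123", "debug": true}'),
    "oversized": (JSON_HEADERS, b'{"customerId": "C123", "status": "' + b"A" * 5000 + b'"}'),
    "deeply_nested": (JSON_HEADERS, b'{"customerId": "C123", "limit": ' + b"[" * 50 + b"]" * 50 + b"}"),
    "wrong_content_type": ({"Content-Type": "text/xml"}, b"<search/>"),
}


def _depth(value, level=1):
    """Nesting depth of a parsed JSON value; arrays over the item cap fail."""
    if isinstance(value, dict):
        return max([level] + [_depth(v, level + 1) for v in value.values()])
    if isinstance(value, list):
        if len(value) > MAX_ARRAY_ITEMS:
            raise ValueError("array too large")
        return max([level] + [_depth(v, level + 1) for v in value])
    return level


def inspect_request(headers: dict, body: bytes, schema=ORDER_SEARCH_SCHEMA,
                    required=REQUIRED_FIELDS):
    """Return (allowed, reason). Runs before anything is forwarded."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected content type"
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        return False, "body is not valid JSON"
    if not isinstance(data, dict):
        return False, "top-level JSON must be an object"
    try:
        if _depth(data) > MAX_DEPTH:
            return False, "JSON nesting too deep"
    except ValueError as exc:
        return False, str(exc)
    unknown = set(data) - set(schema)
    if unknown:
        return False, "unknown field(s): " + ", ".join(sorted(unknown))
    missing = required - set(data)
    if missing:
        return False, "missing field(s): " + ", ".join(sorted(missing))
    for name, rule in schema.items():
        if name not in data:
            continue
        value = data[name]
        # `type(...) is` rather than isinstance: bool would otherwise pass as int.
        if type(value) is not rule["type"]:
            return False, f"{name}: wrong type"
        if "pattern" in rule and not rule["pattern"].match(value):
            return False, f"{name}: value does not match expected format"
        if "enum" in rule and value not in rule["enum"]:
            return False, f"{name}: value not permitted"
        if "min" in rule and value < rule["min"]:
            return False, f"{name}: below minimum"
        if "max" in rule and value > rule["max"]:
            return False, f"{name}: above maximum"
    return True, "ok"


if __name__ == "__main__":
    for label, (hdrs, raw) in SAMPLE_REQUESTS.items():
        print(f"{label:26s} -> {inspect_request(hdrs, raw)}")
```

Because the schema is an allow-list, updating the gateway's "threat profile" for this endpoint means tightening or extending the schema, not maintaining a growing list of bad strings; the size and depth caps are applied before parsing and before validation so that a hostile body costs the gateway as little as possible.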

Authorize Secure, Seamless Access for Valid Identities
Deploy strong access control, identity federation and social login functionality

WHAT

Any enterprise that wants to fully secure its APIs against attack must give developers a framework for controlling how users access enterprise assets via these APIs. This framework should balance backend security with end user experience by leveraging key identity and access management (IAM) standards such as OAuth. For the best balance, the framework should be able to use existing IAM infrastructure and allow end users to gain access via enterprise single sign-on (SSO) or social logins.

WHY

Access control is the cornerstone of API security – the key is to prevent unauthorized users from gaining inappropriate levels of access to enterprise assets. OAuth is especially useful as it allows publishers to flexibly implement appropriate levels of security and federate identities from existing IAM systems and social accounts. Leveraging existing IAM infrastructure also cuts costs, reduces setup time and maximizes long-term manageability by preventing the creation of identity silos.

HOW

An API Gateway should feature out-of-the-box functionality for building an API-centric access control infrastructure using key standards and existing resources. The Gateway should be able to integrate seamlessly with leading IAM systems like CA SiteMinder®, Oracle Access Manager, Microsoft Active Directory and IBM Tivoli. It should also include configurable templates for implementing access control, SSO and social login in typical use cases, based on OAuth and other key standards.

Learn More: EBook: 5 OAuth Essentials for API Access Control.
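OAuth-based access control at the gateway, as an added example in Python (not CA's code and not the CA OAuth Toolkit). It assumes an authorization server that issues HMAC-signed (HS256) JWT access tokens with a key shared with the gateway; the issuer, audience, route-to-scope policy and subject names are all constructed. The token issuer is included only so the example runs offline. The gateway side pins the expected algorithm, verifies the signature with a constant-time comparison, checks audience and expiry, and only then maps the token's scopes to the route being called.

```python
"""Gateway enforcement of OAuth bearer tokens with scopes (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed: secret shared between the assumed authorization server and the gateway.
SHARED_KEY = b"example-shared-signing-key-not-for-production"
ISSUER = "https://idp.example"     # hypothetical authorization server
AUDIENCE = "orders-api"            # hypothetical protected API

# Gateway policy: which OAuth scope each route requires (constructed).
ROUTE_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes, now: int, ttl: int = 3600, key: bytes = SHARED_KEY) -> str:
    """Plays the authorization server: mint an HS256 JWT with a scope claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": AUDIENCE,
               "iat": now, "exp": now + ttl, "scope": " ".join(scopes)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int, key: bytes = SHARED_KEY,
                 audience: str = AUDIENCE) -> dict:
    """Gateway side: return the claims or raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: the token's own 'alg' never selects the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def authorize(token: str, method: str, path: str, now: int):
    """Gateway decision for one request: (allowed, reason_or_subject)."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return False, "no policy for route"   # default deny
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return False, str(exc)
    if required not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, claims["sub"]


if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_token("alice", ["orders:read"], now)
    print(authorize(tok, "GET", "/orders", now + 10))
    print(authorize(tok, "POST", "/orders", now + 10))
```

In a deployment that federates identities from an existing IAM system, the gateway would verify RS256 signatures against the authorization server's published public keys instead of a shared secret; the checks after signature verification (issuer, audience, expiry, scope against route) stay the same.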

Optimize System Performance & Manage the API Lifecycle
Maintain the availability of backend systems for APIs, applications and end users

WHAT

API traffic must be dealt with efficiently to ensure applications built against APIs work consistently and the performance of backend systems is not compromised. Data from backend systems must be delivered in lightweight formats, optimized for usage patterns and filtered appropriately. For long-term application viability, it is also necessary to carefully manage the lifecycle of APIs as they move through development, testing and production.

WHY

The introduction of Web and mobile apps that leverage backend systems can lead to sudden growth in IT traffic that can result in crashes and consequent unavailability. It is vital to optimize the flow of API traffic, to ensure a satisfying and consistent user experience for developers, users of API-dependent apps and internal users alike. Managing the API lifecycle, meanwhile, is crucial to ensuring existing applications do not break when APIs, clients and operating systems are updated.

HOW

An API Gateway should feature out-of-the-box functionality for building an API-centric access control infrastructure using key standards and existing resources. The Gateway should be able to integrate seamlessly with leading IAM systems like CA SiteMinder, Oracle Access Manager, Microsoft Active Directory and IBM Tivoli. It should also include configurable templates for implementing access control, SSO and social login in typical use cases, based on OAuth and other key standards.
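Two gateway mechanisms behind this pillar, shown as an added example in Python (not CA's code): a per-client token-bucket rate limiter that shields backends from sudden traffic growth and tells the caller when to retry, and a versioned routing table for lifecycle management that keeps old clients working on a deprecated version while signalling its retirement with the HTTP Sunset header (RFC 8594). The plans, API keys, backend hosts and version dates are constructed; the clock is injected so behaviour is deterministic.

```python
"""Token-bucket rate limiting and versioned routing at a gateway (added example)."""
import math
import time
from dataclasses import dataclass

# Constructed plans: (burst capacity, requests refilled per minute).
PLANS = {"free": (10, 10), "partner": (100, 100)}


@dataclass
class Bucket:
    capacity: float
    per_minute: float
    tokens: float
    updated: float


class FixedClock:
    """Test clock so the example is deterministic; real use passes time.monotonic."""
    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class RateLimiter:
    def __init__(self, plans=PLANS, clock=time.monotonic):
        self.plans = plans
        self.clock = clock
        self.buckets = {}  # api_key -> Bucket

    def allow(self, api_key: str, plan: str):
        """Return (allowed, retry_after_seconds). One request costs one token."""
        now = self.clock()
        capacity, per_minute = self.plans[plan]
        bucket = self.buckets.get(api_key)
        if bucket is None:
            bucket = self.buckets[api_key] = Bucket(capacity, per_minute, capacity, now)
        # Lazy refill: add tokens for the time elapsed since the last call.
        elapsed = now - bucket.updated
        bucket.tokens = min(bucket.capacity, bucket.tokens + elapsed * bucket.per_minute / 60)
        bucket.updated = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True, 0
        wait = (1 - bucket.tokens) * 60 / bucket.per_minute
        return False, math.ceil(wait)   # value for a Retry-After header


# Constructed lifecycle table: which published versions the gateway still routes.
VERSIONS = {
    "v1": {"backend": "http://legacy-orders.internal", "state": "deprecated",
           "sunset": "Wed, 31 Dec 2014 00:00:00 GMT"},
    "v2": {"backend": "http://orders.internal", "state": "active", "sunset": None},
}


def route(path: str):
    """Map /vN/... to its backend. Returns (backend_url_or_None, response_headers)."""
    parts = path.strip("/").split("/", 1)
    version = VERSIONS.get(parts[0])
    if version is None:
        return None, {"status": 404}          # retired or unknown version
    headers = {}
    if version["state"] == "deprecated":
        headers["Deprecation"] = "true"       # advisory flag for clients
        headers["Sunset"] = version["sunset"]  # RFC 8594 retirement date
    rest = parts[1] if len(parts) > 1 else ""
    return version["backend"] + "/" + rest, headers


if __name__ == "__main__":
    clock = FixedClock()
    limiter = RateLimiter(clock=clock)
    for i in range(12):
        print(i + 1, limiter.allow("key-1", "free"))
    print(route("/v1/orders/7"))
    print(route("/v2/orders/7"))
```

Keeping the bucket state keyed by API key (the identity established under the previous pillar) means a single misbehaving client is throttled without affecting others; the per-plan limits are the usage-pattern tuning the WHAT column calls for. The routing table is the lifecycle artefact: promoting a version from testing to production, or deprecating one, is an edit to this table rather than a change to the backends.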

Engage, Onboard, Educate & Manage Developers
Give developers the resources they need to create applications that deliver real value

WHAT

Much of the true value of an organization’s APIs comes from the developers who build Web and mobile applications or new enterprise systems against these APIs. It is essential to target developers with the tools and materials they need in order to discover, learn about, try out and build apps against the organization’s APIs. These developers may be internal employees, partners, contractors or independent “long-tail” devs. Each group will require a particular set of resources targeted at its needs.

WHY

Developers are the lifeblood of any API publishing strategy. API publishers need devs to create apps that employees, partners and customers can actually use and benefit from. To get developers creating truly valuable applications, the publisher must be able to attract talented developers and provide them with the tools needed to leverage the APIs. The more engaging and interactive the tools provided by the API publisher to enable and educate developers, the more useful the applications these developers deliver will be.

HOW

For internal and external developers alike, the most effective way to engage and educate developers is through a branded, interactive online portal. This portal should make it simple for developers to register for APIs and access interactive documentation, sample apps, code examples, testing tools and discussion forums. Effective API Management solutions include functionality that makes it simple to build a full-featured developer portal, pre-integrated into the API Gateway.

Conclusion: Deploying a Complete Solution for API Management

With Web, mobile and cloud technologies becoming increasingly essential to how the world does business, the API is emerging as a key enabler for smart enterprises. To realize the value of APIs and avoid the pitfalls of exposing enterprise systems, it is vital to deploy technology that enables and simplifies key API Management processes related to service composition, security, performance optimization, lifecycle management and developer engagement.

The CA API Management Suite provides all the components required for effective,
enterprise-level API Management, including a range of API Gateways designed
to simplify all key API security and management processes. The CA Management
Suite also includes an API Portal for developer engagement and management and
an OAuth Toolkit for ensuring secure, standards-based access management for
enterprise APIs.

Additionally, the CA Management Suite offers:

• A choice of on-premise, cloud or hybrid deployments
• Military-grade data and application security
• Analytics on API usage
• Operations management that can span distributed datacenters and clouds
• Application adaptation and interface management with advanced SOA connectivity

About the CA API Management Suite

The API economy is exploding, mobile devices are proliferating across the workplace and large organizations are moving critical IT infrastructure to the cloud. This is creating the need for technology able to securely connect with external developers, mobile apps and cloud services. CA Technologies is at the cutting edge of this red-hot market.

CA Technologies’ industry-leading Gateway products make it simple for enterprises to share data with customers, mobile apps and cloud services. Delivered as hardware networking appliances, virtual appliances or as software, our products are helping large organizations open up to the Web, mobile networks and the cloud, without jeopardizing security or performance.

In February 2013, the CA API Gateway was recognized as a Leader in the API Management space by top analyst firm Forrester Research, in its The Forrester Wave: API Management Platforms report.[1] The CA API Management Suite is a key component of the solutions that CA Technologies provides for enterprises that need to secure and manage complex IT environments to support agile business processes.

Learn more at ca.com/api.

[1] Forrester Research, Inc., The Forrester Wave: API Management Platforms, Q1 2013, February 5, 2013

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to
seize the opportunities of the application economy. Software is at the heart of every business, in every industry.
From planning to development to management and security, CA is working with companies worldwide to change
the way we live, transact and communicate – across mobile, private and public cloud, distributed and mainframe
environments. Learn more at ca.com.

Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. The information and results illustrated here are based upon the speaker’s experiences with the referenced software product in a variety of environments, which may include production and nonproduction environments. Past performance of the software products in such environments is not necessarily indicative of the future performance of such software products in identical, similar or different environments.

CS200-86752
