Turf wars: Who owns that API?
Interesting fact: the use of internal APIs will grow by more than 10% (2019 – 2022). The use of public APIs will grow by more than 20% in the same period, and the number of public APIs opened up to the outside world will almost double.[1]
APIs solve IT challenges varying from keeping older applications alive for a bit longer to opening up data, applications and systems for partners. APIs help governments interchange privacy-sensitive data without the need to store local copies of that same data, and applications can be enriched with functionality from commercially available external APIs.
With growth come growing pains. Many organizations have been focused on creating the hundreds of APIs that were needed to speed up the modernization process, to integrate with partners or to get themselves ready to act as part of a supply chain. Defining standards, securing the APIs, and management and monitoring are often done as an afterthought. And when organizations realize something has to be done, the battles about ownership start.
Who actually owns an API? The team that created it? The development teams that use it? The security people who have to secure the access and the execution of the APIs? Or maybe the middleware team where everything ends up that doesn’t quite fit anywhere else? The question seems trivial until the auditors start asking questions like: Who can execute this API, what sensitive data does it access and is that data stored somewhere else once the API has delivered it? Is there a lifecycle management process and who knows exactly which APIs will be affected when something changes? Or: what open source components are used by which APIs?
APIs are now an integral part of the IT infrastructure. Enterprise IT governance demands that we know exactly what is happening to the key components that make or break our business processes, and APIs are seen as one of these key components. Slowly we see organizations realize that the use of APIs makes them more agile. They have created APIs to make legacy systems more easily accessible and to connect on-premises systems with cloud applications. Some are even more advanced and have created APIs that retrieve data from different sources and apply business logic, so app developers don't have to be concerned with all that complexity. A true composable architecture!
API management is no longer optional. All APIs should be created, stored, protected and managed with even more care than other IT components, simply because they are, in many cases, the door to the outside world: a gate to exchange information with partners, customers or employees, but one which CAN also be used by cybercriminals to access your mission-critical systems and data. The number of API-related attacks has increased by 286% (Q1/Q2 2022). Do you need another excuse to stop the internal fighting and simply create an API management team that takes care of all this?
Marcel den Hartog is a Trend and Innovation Expert working for Enable U, The Digital Integration People. Enable U is a Dutch integration specialist with more than 17 years of experience in connecting applications and systems using digital integration technologies.
[1] Gartner® Report: Hype Cycle for APIs, 2022