API design, development and management tools are merging with SOA governance tools focused on governance, risk...
management and compliance (GRC), according to experts, and may be one in the same. Driven by the proliferation of APIs and the growing need to create easy interfaces to business applications, these merged API-GRC tools help developers create, publish, manage and promote the use of APIs. Whether used in the cloud or in a controlled, on-premises environment, GRC features make it possible to extend API functionality to a variety of computing platforms and devices.
Organizations need both tools created to deliver an API and services to implement the API. "Each has a different objective," said Gary Olliffe, research director at Gartner, Inc., based in Stamford, Conn. Services can be implemented in a number of ways, depending on the requirements for services, then exposed and managed through the API. "You don't have to manage it through an API management tool, but [do need] some form of mediation between the consumer and the provider," Oliffe noted.
Consumers don't need to know how the API or service is implemented; for example, the integration technology, data virtualization technology, Java frameworks, .NET or microservices. And because developers may switch from one technology to another to add capabilities, the tool used for building an API needs to be broad and flexible, while a tool for designing an API needs to relate to the API management technology, Olliffe said.
API tools with SOA governance inside
In Gartner's view, IBM and Oracle still have the best of the API design, development and management tools that are separate from SOA governance, according to Olliffe. IBM's API Management adds on to its DataPower Gateway, which encompasses APIs, SOA and cloud workloads, he noted. Meanwhile, Olliffe said Apigee Corp., Axway, Mashery Inc. and CA Technologies are more focused on API management than SOA.
Matt Brasierprincipal consultant at C2B2
However, while WSO2, MuleSoft Inc. and Apigee all offer API design tools, these are really monitoring and SOA GRC in disguise, according to Matt Brasier, principal consultant at U.K.-based C2B2 Consulting Ltd. "To me, they're the same products (with) the same features," he said, noting that it's often up to the vendor as to what the product that manages endpoints and SLAs is called -- API management or SOA governance.
Like the ubiquitous baby carrot, which is actually a whittled-down, full-size carrot with a different name, API design, development and management is rooted in SOA governance. "If SOA governance is the boring thing to do, call it an API management suite," Brasier said. "In practice, it's the same thing: assigning SLAs and monitoring discovery to endpoints."
Choose your tools wisely
Brasier advised developers looking at these tools to be aware of their capabilities to get the most out of them. "A lot can be very expensive for what they are," he said. If the SOA governance tools only monitor endpoint performance, for example, there are less expensive ways of doing so, without going all-in on a pricey tool suite, he added.
However, monitoring endpoint performance is critical for API management, and Brasier advised examining those tools if that's all the technology needed. For example, Oracle's Enterprise Repository may cost less than a full governance suite, but will monitor APIs, SOA projects and dependencies, he noted.
Gartner's Olliffe advised developers and architects to focus on where the value will come from with the purchase of one of these tools. "What questions do you want to answer by governing APIs?" he asked. For example, developers may want to know who is using the APIs, how much they're being used, what kind of service implementations are occurring, or how many conversions on the product line are being made because someone used the API. Identifying the metrics important to the organization as a whole will help developers choose the right tool, with the features and functions to properly handle APIs, he said.
Ultimately, choosing a tool for API design, development and management isn't that different from choosing any other tool for architecture and development. If the need is there, it's worth it to take a look at the offerings from vendors, as well as check what the open source world has to offer.
Find out how a lack of secure APIs can create IaaS risks
Have you used JSON for building APIs?
Tell us your best methods for testing APIs.