What is API governance?
API governance is the practice of applying rules and policies to your APIs and creating processes and standards to standardize various aspects of your API design, development, and delivery.
Traditionally, developers, engineers, and designers believe API governance slows things down.
Why do we need governance?
Let’s look at the growing complexity of what we have to contend with. With omnichannel experiences, for example, we’ve got evolving needs regarding how building API products is affected by the proliferation of platforms and devices. When we build applications, we need to build experiences for web-based applications, mobile applications, desktop applications, Smart TVs, AR/VR applications, and even vehicle infotainment applications.
We have the complexity of multi-cloud and multi-region days. It is reported that about 93% of businesses are already moving to multi-cloud architectures and deployments, and most organizations are leveraging public cloud and hybrid cloud providers. The factors driving this are technology options, organizations needing to save costs, and scaling their businesses and API services.
On top of that, you’ve got different architectural styles. So, we have different API styles – Graph QL, async API, varying coding standards, design patterns, etc.
Multiple product components are delegated to aspects of the requirements of your product, e.g., security or authentication, identity providers, etc. Developers also have to consider GitOps, CI/CD pipelines, multiple layers, and the complexity of the API stack.
You also have compliance to be built in—for example, data sovereignty needs. Different industry verticals have different compliance requirements. You have different interoperability and data standards to think about there when you’re delivering APIs.
We also need to support larger teams. Enterprise teams are working on different stages of product development in their own silos. They’re often running distributed runtime environments with APIs at different lifecycle stages. Some of the rules for those lifecycle stages can be completely different from one team to another. We also need to allow for flexibility of use case exceptions.
In addition, there are stakeholders, internal users, developers, DevOps engineers, API consumers, etc.
So, to summarize, in the face of all this complexity, APIs need to be compliant and built in a standardized way. We’ve to think of security, scalability, and stability. And underlying all that, we also need to think about the layer of observability, monitoring, and analytics.
The main activities of API governance are
- Quality Reviews
Standardization, driven by governance, helps us ensure that all APIs remain consistent, even when different designers and developers build them. So, API governance should be seen in this context as the development guardrails to bring consistency to the complexity outlined earlier. API governance is an enabler. It is about putting policies in place such that it is easy for people to do the right thing but hard to do the wrong thing.
The fact is that API governance aims to enable all stakeholders, but primarily API providers and consumers, to maximize the value of the built APIs. It also helps to ensure that APIs are consumable, understandable, easy to adopt, and will drive growth in usage.
In addition to standards, we need to look at product definition and security protocol implementation.
Building a robust governance plan
There are five aspects to building a robust governance plan
Access Control – Access can be set based on roles or attributes. Most organizations use a hybrid model based on the sensitivity of the data handled by the API.
Ongoing maintenance and enhancement – APIs sometimes need extending, modifying, depreciating, and retiring. We need to ensure change control and versioning. Backward computability is also an important aspect to be considered.
Compliance / Regulations – In multi-regional, multi-cloud environments, we must consider data sovereignty and how data is stored, managed, and processed. GDPR in Europe is a very good example of this. Compliance requirements and regulations vary across geographies, regions, and industries.
Reporting – We have to measure API product, performance, and value; the value derived to API consumers and also to the provider businesses. It’s also important to have a structure for auditing and ensuring a chain of compliance insights and trackable interactions.
Team Structure – It’s important for organizations to be clear about ownership of governance strategy and continuous updating of governance strategy. Equally important is getting internal buy-in and driving adoption to roll out consistent implementation across multiple developer teams where you’ve, got bigger organizations. You can have a centralized, top-down governance approach or a federated, distributed approach, where each team is responsible for compliance.
To conclude, API governance is important in a changing diverse technological world. You can use API management platforms to establish and monitor governance.