Web services are a fairly standard approach built on APIs. The API connects directly to the underlying data, so that the capabilities of a company's web site, application, or internal system can be accessed and used by another company or by many parties at once. This approach delivers excellent speed to market, based on the idea of real-time innovation, but it requires a new standard for how APIs are protected and managed, and for how organizations communicate with one another at the business-to-business (B2B) gateway level.
How do APIs support business-model innovation? The most obvious route is a mashup of a sophisticated API platform (Google Maps and location-based services, for example). Less obviously, a small number of "super APIs" can be created for enterprise applications to perform entirely new functions, such as extending market coverage through new channels. The two best-known examples of mashups built on enterprise-class APIs are Salesforce.com and DocuSign.
In any case, the management, governance, and security of APIs across different technical platforms and domains must follow essentially the same policy, and must take into account the connectivity and transport protocols used by the applications that communicate through them. The benefits of APIs become more pronounced when organizations need to share applications and data through the cloud or mobile platforms. However, when corporate data is invoked through APIs in a public or private cloud environment without properly managing identities, access, vulnerabilities, and risk at the right points, those data sources are exposed to potential threats (see how to use a unified service gateway to manage and protect APIs).
Here are some examples of technology-driven innovations that demand the strictest API security and compliance standards:
Retail market services: Near-field communication (NFC) lets smartphones interact with physical products through RFID. For example, Coca-Cola could generate a reward coupon in the aisle for a consumer who taps the NFC feature on a smartphone. The ability to personalize this interaction depends on authorization and secure handling of customer data; this case and many other NFC features will be implemented through security-managed APIs, and NFC APIs deployed in retail channels will need to comply with the Payment Card Industry Data Security Standard (PCI DSS).
Digital video services: WebRTC (Web Real-Time Communication) is an open standard developed by the W3C and IETF. WebRTC lets browser applications carry out video chat, voice calls, and peer-to-peer file sharing with each other without a third-party media player or plugin. These video applications challenge existing real-time collaboration and communication products such as WebEx and Windows Media Player, and they require secure transport and authentication to be enforced by the API. For conferencing-based applications, the APIs will have to support properly licensed usage and reuse, segregation of duties for privileged operations, and real-time control of the code that runs.
Electronic medical records services: Electronic medical records (EMR), driven by both government mandates and business needs, are now widely known, and the broad digitization of medical data will create opportunities for API-based services. For example, APIs can interact with personal medical files to improve the business and delivery of medical services: a scheduling application might match a patient's medical needs with available services and specialists, or an SMS application might alert a patient that new information or test results are available. APIs that interact with EMR must adhere to the highest standards of data privacy and regulatory compliance.
Financial cloud services: more than 60% of securities and commodity transactions now involve what is known as high-frequency trading (HFT). For this industry, the analytic data derived from trading is a valuable information set: transaction volume, algorithm success rates, price per unit of volume, and comparative analysis. In a large organization, for example, up to 10,000 professional staff may be using HFT technology and require visibility of the same data at the same time (the same data accessed simultaneously). The ultimate value of this kind of data-service platform lies in model-based risk-management analysis of future trading opportunities. The API must therefore be as effective as other financial regulatory technology at protecting the underlying data.
Data-sharing and encryption services: a growing trend among mid-sized and large enterprises is to hand over specific portions of their IT infrastructure to a public cloud service provider such as Amazon Web Services (AWS). Interaction between the enterprise's compute, storage, and network clusters and Amazon Elastic Compute Cloud (EC2) takes place through calls between the enterprise and the EC2 APIs. However, the underlying storage layer often uses an open-source framework such as Hadoop, so it does not always match the data-storage or data-movement standards the enterprise owns. For this reason, enterprise API gateways need to enforce the appropriate acceptable-use and data-encryption standards in the cloud, as though the service were provided by the enterprise itself.
API business agility is a concern for both management and security. API managers must consider how much API governance can be automated to reduce potential coding errors. Security, on the other hand, is concerned with governance policy, data protection, and compliance, and with applying all necessary mitigations to achieve the best possible business agility. (For a more in-depth analysis, see API Management and challenges in reality.)
Data protection: developers who use APIs to access corporate files without authorization pose a risk to data integrity. Whether the behavior is malicious or accidental, once someone reaches the company's data through an API they can change it, and a change to records such as financial transactions is an auditable breach of data integrity.
Compliance: consider an example from a global manufacturer. The manufacturer has built an ordering system and relies on that system, through third-party application developers, to report the volume of customer orders received. In doing so, the manufacturer puts the accuracy of its financial statements at risk. In small-"c" compliance (compliance with internal controls and API governance), the company faces the risk that its ERP system may be compromised, which in turn affects data integrity and availability. In large-"C" compliance (compliance driven by external pressure), a lack of control and API governance in the ordering system could lead the company to violate the Sarbanes-Oxley Act, which mandates internal controls to ensure the accuracy of financial reporting.
Risk mitigation: continuing with the same global manufacturer, uncertainty about who has access to the back-end ERP system, and about which version of the API is actually running, severely weakens internal controls. For example, if a distributor can reach a purchase order through an API and change its date, something internal controls are supposed to strictly prohibit, then the control is broken. The same risk shows up in the control process itself: APIs without proper governance undermine the integrity of tax data.
Proper governance therefore means developing a set of API control objectives based on the lifecycle and related factors, such as the roles of key stakeholders in the business and in IT (much as ITIL does for services and COBIT for processes). Any API that touches a process subject to compliance requirements, such as internal controls or data-privacy controls, should meet the following three key governance objectives:
The API lifecycle should be controlled so that only approved versions reach production: through the planning phase, the development and testing phases, into production, and finally out of service.
Key stakeholders, such as line-of-business supervisors, IT managers, information security officers, and compliance auditors, should be able to see the current state of the API at any time, and what they see should always be the correct version in the correct lifecycle environment.
APIs should be controlled through authentication and authorization processes that protect enterprise IT assets, prevent misuse, threats to availability, and privacy violations, and ensure compliance through monitoring and throttling as part of governance.
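As an added example (not code from the article or from any product it mentions), the following Python sketch shows how an API gateway can enforce the three objectives above against the purchase-order scenario from the risk-mitigation paragraph: a version allow-list so that only the production release of the orders API is reachable, per-role field-level write rules so that a distributor can correct a shipping address but cannot change an order date, a per-caller request budget for throttling, and an audit trail of every decision that stakeholders can inspect. Role names, field names, version labels and the rate limit are hypothetical.

```python
"""Policy checks for an API gateway fronting an ERP purchase-order API.

Added example, not code from the article or any vendor. Role names, field names,
API version labels and limits are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
import time

# Lifecycle state of each API version. Only versions in "production" are served,
# so a test build or a retired release can never be reached from the outside.
API_LIFECYCLE = {
    "orders/v1": "retired",
    "orders/v2": "production",
    "orders/v3": "testing",
}

# Fields each role may modify on a purchase order. A distributor may update the
# shipping address but never the order date or amount; only finance may do that.
WRITABLE_FIELDS = {
    "distributor": {"ship_to"},
    "sales_ops": {"ship_to", "quantity"},
    "finance": {"ship_to", "quantity", "order_date", "amount"},
}

RATE_LIMIT = 5            # requests per caller per window (hypothetical)
RATE_WINDOW_SECONDS = 60


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class Gateway:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable for deterministic tests
        self._hits = defaultdict(list)        # caller -> timestamps of recent calls
        self.audit_log = []                   # every decision, allowed or denied

    def authorize(self, caller, role, api, method, changes=()):
        """Decide one request. `changes` lists the fields a PATCH would modify."""
        changes = set(changes)
        decision = self._evaluate(caller, role, api, method, changes)
        # Stakeholders get the same record whether the call was allowed or denied,
        # so "who touched which order, and with which API version" is answerable.
        self.audit_log.append({
            "caller": caller, "role": role, "api": api, "method": method,
            "fields": sorted(changes), "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def _throttled(self, caller):
        now = self._clock()
        recent = [t for t in self._hits[caller] if now - t < RATE_WINDOW_SECONDS]
        recent.append(now)
        self._hits[caller] = recent
        return len(recent) > RATE_LIMIT

    def _evaluate(self, caller, role, api, method, changes):
        state = API_LIFECYCLE.get(api)
        if state != "production":
            return Decision(False, f"{api} is {state or 'unknown'}, not in production")
        if self._throttled(caller):
            return Decision(False, "rate limit exceeded")
        if role not in WRITABLE_FIELDS:
            return Decision(False, f"unknown role {role!r}")
        if method == "GET":
            return Decision(True, "read allowed")
        if method == "PATCH":
            forbidden = changes - WRITABLE_FIELDS[role]
            if forbidden:
                return Decision(False, f"role {role!r} may not modify {sorted(forbidden)}")
            return Decision(True, "write allowed")
        return Decision(False, f"method {method} not permitted")


def run_demo():
    """Replay the distributor scenario from the text; returns the audit trail."""
    gw = Gateway()
    # Distributor tries to move the order date: denied at the gateway.
    gw.authorize("dist-17", "distributor", "orders/v2", "PATCH", {"order_date"})
    # The same distributor correcting a shipping address: allowed.
    gw.authorize("dist-17", "distributor", "orders/v2", "PATCH", {"ship_to"})
    # Finance moving the date: allowed, and the trail records who did it.
    gw.authorize("fin-02", "finance", "orders/v2", "PATCH", {"order_date"})
    # A partner pointing at the unreleased v3 build: denied regardless of role.
    gw.authorize("dist-17", "distributor", "orders/v3", "GET")
    return gw.audit_log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Two choices matter in practice: the lifecycle check runs before anything else, so a caller cannot probe a test build or a retired version at all, and denied requests are logged with the same detail as allowed ones, which is what lets an auditor answer "who tried to move this order's date, and through which API version".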