The challenges and opportunities of API governance in 2024

API governance due to the increasing risks is a topic that has gained significant traction in recent years, especially as organizations increasingly adopt digital strategies and integrate APIs into their operations. The conversation around API governance is not just about technology; it's about how organizations manage their applications and the practices they implement to maximize their investments in the API space.

To address this important topic, we recently hosted a fireside chat featuring industry experts: Bill Doerrfeld, tech journalist and Editor-in-Chief at the Nordic APIs blog, Erik Wilde, OAI Ambassador at the OpenAPI Initiative, and Antoine Carossio, CTO and co-founder at Escape.

You can watch the replay here:

Understanding API Sprawl and its implications

API sprawl refers to the rapid increase in the number of APIs within an organization, which can lead to challenges such as poor service discoverability, inconsistent API styles, and potential security vulnerabilities. This phenomenon is particularly pressing for organizations that have been developing and consuming APIs for years, possibly across large environments and through mergers and acquisitions.

The consequences of API sprawl can be severe, including shadow APIs, interfaces that remain active when they should be decommissioned, and a lack of proper documentation. Here is the spotlight on each of them:

1. Security vulnerabilities

One of the most significant consequences of API sprawl is the increased risk of security breaches. With a large number of APIs, some may lack proper security measures or become outdated, leaving them susceptible to attacks. This can lead to sensitive data leaks, unauthorized access, and other security incidents that can have severe repercussions for the organization and its users.

2. Increased complexity and maintenance costs

As the number of APIs grows, so does the complexity of the system. This can make maintenance more challenging and time-consuming, requiring more resources and increasing costs. It can also lead to difficulties in understanding the interactions between different APIs, which can cause issues in troubleshooting and debugging.

3. Poor developer experience

API sprawl can lead to inconsistencies in API design and documentation, making it harder for developers to understand and use them effectively. This can slow down development processes, reduce productivity, and lead to frustration among the development team.

4. Inefficient API reuse

With an excessive number of APIs, there's a higher likelihood of duplicating functionality. This redundancy means that organizations are not making the most of their existing APIs, leading to wasted resources and missed opportunities for efficiency.

5. Governance challenges

Managing a sprawling API landscape requires robust governance to ensure compliance with internal and external standards and regulations. Without proper governance, organizations may struggle to enforce policies, leading to inconsistencies and potential regulatory issues.

Insights from recent reports

Recent studies and reports have shed light on the extent of API sprawl and its implications. For instance, only 10% of organizations fully document their APIs, according to a 2023 report from Enterprise Management Associates (EMA). 

Escape's security team has also recently found 18,000 exposed API tokens in front-ends, including $20M in Stripe tokens that were easily accessible on the web and could have been used for the wrong purposes. This indicates a lack of control and oversight in API management.

These findings underscore the need for organizations to take API sprawl seriously and implement strategies to mitigate its risks. By investing in API governance, cataloging APIs, and adopting best practices for security and development, organizations can better manage their API portfolios and avoid the negative consequences of sprawl.

The role of governance in API management

Governance is about establishing policies, frameworks, and guardrails that go beyond individual management platforms. It involves documenting APIs thoroughly, tracking their life cycles, and ensuring that nothing is left exposed to unauthorized access. Proper governance can also enhance the developer experience by promoting consistency in API design and integration, leading to increased API reuse, better service discoverability, and overall cost savings for the organization.

The role of governance in mitigating API Sprawl

To address API sprawl, organizations must prioritize API governance. This involves creating a comprehensive inventory of all APIs, ensuring proper documentation, and implementing security measures to protect against threats. Governance also extends to the developer experience, promoting consistency across different APIs and making it easier for developers to integrate and reuse services.

I think it's mostly just showing that we have a scaling problem. I don't think that the problem is so much that we have too many APIs. I think is that our governance and management practices haven't quite caught up, - Erik Wilde

1. API cataloging and inventory

The first step in API governance is to catalog and inventory all the endpoints within an organization. This task can be daunting, especially for larger companies with a vast array of internal and external APIs. However, it's essential for understanding the full scope of an organization's API landscape.

2. Developer-centric approach

Once an organization has a clear view of its APIs, adopting a developer-centric approach is crucial. This can involve using Federated API management or placing APIs behind a gateway to involve developers in the governance and security process.

So governance that considers developer experience and improves it, I think can have at the end of the day not only security benefits but also cost reduction benefits because we've seen a lot of studies and theories out there on how developer experience reduces costs for the organization and improving employee satisfaction reduces churn, - Bill Doerrfeld

3. Focus on security

Security is a paramount concern in API governance. Organizations must test their APIs against common threats and implement runtime protection to detect and block malicious requests. AI can play a significant role in this area, analyzing patterns and sequences of requests to identify potential attacks.

The evolution of API governance practices

As the API space evolves, so do the practices around API governance. The market is gradually shifting towards federated API management, recognizing the need for decentralized governance with centralized oversight. This approach allows for more flexibility and adaptability within organizations, especially as they grow and change.

The concept of a "paved road" or a "similar hallways" approach is gaining popularity, where developers have a consistent and familiar experience when integrating with different services within the same organization. This consistency can lead to improved developer satisfaction and reduced churn.

The intersection of AI and API governance

Artificial Intelligence (AI) is poised to play a significant role in the future of API governance. AI can assist in runtime analysis, detecting patterns and potential attack scenarios that might be difficult to identify otherwise. It can also aid in API discovery, helping catalog APIs by analyzing a wide range of code repositories.

Moreover, AI has the potential to automate the generation of API contracts and specifications, as well as improve the developer experience by automating the construction of API requests. For example, AI-powered assistants can generate API requests in the developer's language of choice based on natural language questions.

The impact of organizational size on API governance

Let's delve into the impact of organizational size on API management. In our chat, we discussed Siemens as an example, and explored the influence of leadership directives, such as the API mandate attributed to Jeff Bezos, on shaping API strategies.

The Impact of organizational size on API management: The Siemens case

Siemens, a multinational conglomerate, reportedly employs a vast number of software developers, with figures reaching around 70,000.

"Siemens has 70,000 software developers, right? Just software developers. 70,000. So imagine. Right. Like how do you get 70,000 software developers to, to do what you want?" - Erik Wilde

The sheer size of the developer workforce presents unique challenges in API management:

1. Coordination and standardization

Coordinating API development and ensuring standardization across such a large number of developers is a monumental task. It requires clear communication, well-defined processes, and robust governance structures to maintain consistency and avoid duplication of efforts.

2. Governance and compliance

With a large organization, ensuring that all APIs comply with internal policies and external regulations becomes increasingly complex. Regulations are updated yearly and have serious financial implications (think PCI-DSS 4.0). The risk of non-compliance grows without a centralized approach to API governance.

3. Knowledge sharing and best practices

Disseminating knowledge and best practices across thousands of developers is challenging. It's crucial to have mechanisms in place, such as internal forums, documentation, and training programs, to ensure that all developers are aligned.

The Influence of leadership directives: The Bezos API mandate

The Bezos mandate, often referred to in discussions about API governance and digital transformation, was an edict reportedly issued by Jeff Bezos, the founder of Amazon, in the early 2000s. The mandate required that all teams within Amazon should expose their data and functionality through service interfaces, which would later be known as APIs. This directive was a key move in Amazon's transition to a microservices architecture, which allowed for greater scalability, flexibility, and innovation within the company.

The mandate included several key points:

1. All teams will henceforth expose their data and functionality through service interfaces.
2. Teams must communicate with each other through these interfaces.
3. There will be no other form of inter-process communication allowed: no direct linking, no direct reads of another team's data store, no shared-memory model, no back-doors whatsoever.
4. It doesn’t matter what technology they use as long as the service interface is externalizable.
5. All service interfaces, without exception, must be designed from the ground up to be externalizable.
6. Anyone who doesn’t do this will be fired.

The controversial aspect of the Bezos mandate are the challenges and costs associated with implementing such a sweeping change. While the mandate set a clear direction for service-oriented architecture within Amazon, it also required significant effort, reorganization, and investment to make it a reality.

Simply declaring an API-first strategy, as Bezos did, is not enough. Organizations must also consider the practical implications, including the need for proper funding, training, and support to enable teams to follow through on the mandate.

While the Bezos mandate was visionary and ultimately successful for Amazon, it may not be a straightforward path for other organizations. The transition to an API-first approach can be complex and resource-intensive, and it requires careful planning and execution. Moreover, the cultural and organizational changes necessary to support such a shift can be significant, and not all companies may be prepared to undertake them.

In summary, the size of an organization like Siemens presents unique challenges in API management, requiring careful coordination and governance. On the other hand, leadership directives, such as the Bezos API mandate, can significantly influence an organization's API strategy, leading to an API-first culture that promotes innovation and agility. However, such transformations require a long-term commitment and investment to ensure successful implementation.

The importance of organizational change and API champions

As we mentioned before, implementing effective API governance is not just about adopting new tools; it requires organizational change. Concepts like team topologies and platform engineering are becoming more prevalent, emphasizing the need for dedicated teams and roles to support API governance.

The idea of an API champion within teams is akin to the concept of security champions in the security field. These individuals promote best practices, documentation, and governance within their teams, helping to embed a culture of API-first thinking across the organization.

The Spotify model, which was once a popular topic of discussion in the tech industry, refers to the organizational structure that Spotify reportedly used to scale its agile practices. This model emphasized autonomy, communication, and alignment across different teams within the company. It's important to note that the Spotify model is not directly related to API governance, but it does offer insights into how cross-functional collaboration can enhance overall governance practices, including those related to APIs.

Key components of the Spotify model

The Spotify model consisted of several key components:

• Squads: These are small, cross-functional teams that work autonomously on a specific feature or product area. Each squad is responsible for the end-to-end delivery of their piece of the product.
• Tribes: A tribe is a collection of squads that work in related areas. The tribe helps facilitate collaboration and sharing of best practices among squads.
• Chapters: Chapters are groups of individuals with similar skills or roles, such as front-end developers or quality assurance testers, within the same tribe. They meet regularly to discuss their area of expertise and share knowledge.
• Guilds: Guilds are more informal, organization-wide communities of interest that span across tribes. They are open for anyone to join and focus on specific topics, such as web development or user experience.

Application of Spotify model to API governance

While the Spotify model itself is not a framework for API governance, the principles of collaboration and knowledge sharing it promotes can be beneficial when applied to API governance. For instance, an organization could create a guild focused on API best practices, where members from different squads and tribes can share insights on API design, security, and management.

Similarly, chapters could be leveraged to ensure that API standards and governance policies are consistently applied across different teams. By having a chapter of API experts or champions within each tribe, organizations can ensure that API governance is not an afterthought but an integral part of the development process.

The evolution of the Spotify model

It's worth noting that the Spotify model has evolved over time, and Spotify itself has acknowledged that the model was always a work in progress, subject to change as the company grew and learned. The same applies to API governance; it is not a static set of rules but a dynamic process that must adapt to the changing needs of an organization and the technology landscape.

While the Spotify model is not a direct solution for API governance, the collaborative structures it introduces can inspire organizations to create a culture that values and effectively manages their API ecosystems.

Conclusion

API governance is a multifaceted issue that encompasses security, developer experience, and organizational structure. As our technology continues to evolve, organizations must adapt their governance practices to manage their API portfolios effectively. By doing so, they can mitigate the risks associated with API sprawl, enhance the developer experience, and ultimately drive more value from their API investments.

Want to learn more?💡 Check out the following articles:

• What is API Sprawl? Understanding the growing challenge of 2024 and how to navigate it
• What is API discovery, and how does it work?
• Webinar Recap: Building your Product Security Roadmap