As a result of widespread adoption of Service Oriented Architecture (SOA) in the recent past, a platform that enables platforms and systems to provide services to each other, governance of SOA has tended to be a primary concern for organisations. However, with the rapid growth in both popularity and usage of a range of mobile devices, Application Programming Interfaces (APIs), tools for developing software and integration thereof, have now become the new governance challenge. While SOAs and APIs are ostensibly very different, there are in fact several similarities between the two, which can be leveraged to adopt an effective, future-based governance approach.
According to the Magic Quadrant for Application Services Governance from leading analyst firm Gartner, "the use of web APIs is increasing more than ever, generally supporting new sales channels through mobile applications". Mobile touch points will become the hub of future client relationships, and as a result organisations will see a new focus on building APIs. A governance mechanism is, therefore, essential to managing this proliferation. In addition, organisations are targeting the developer community that creates third-party mobile applications by leveraging their APIs. This then builds capabilities for social integration of APIs. It is again essential to managing this and provide relevant metrics - another aspect of governance.
APIs are undoubtedly an emerging trend, however, over the past decade there has been a steady move within enterprises toward service orientation. As a result, SOA governance has been the focus. According to the Wipro Technology Survey Q2 2014, 86% of Wipro customers have invested in various levels of SOA governance. Of significant concern to many organisations in light of this is how to obtain co-existence between API management and SOA governance, as well as whether managing APIs will require a revamp of the existing governance approach.
Creating the desired level of coexistence requires a seamless solution for governing both APIs and SOAs. In order to achieve this, it is important to first understand the similarities as well as the differentiators of API and SOA governance. SOA governance is used to manage enterprise-wide SOA services while an API management platform governs the APIs published on the edge of the enterprise. Effectively, APIs are lightweight and simplified SOA service, an extension of SOA services and, therefore, have similar lifecycle governance.
Other similarities include service dependencies - APIs are dependent on back-end SOA services and can form part of the same service catalogue - as well as the requirement for capturing appropriate metadata, which is critical to both SOA services and APIs. In addition, the design methodology is similar, as the first approach of API is practically the same as the service modelling approach, which begins with service identification. Both SOAs and APIS also have common principles, including loose coupling, encapsulation, and reusability, and both require lean governance mechanisms so that productivity is not hampered.
Despite these similarities, APIs and SOAs are not the same, and the differences need to be noted. One of the key disparities between SOA services and APIs is that they have different stakeholders. SOA services cater to consumers and providers within the organisation, whereas APIs must cater to multiple delivery channels and are considered app developer-centric as opposed to integration-centric.
In addition, SOA services are typically represented as business functions, whereas APIs represent resources. The need to onboard app developers and manage API keys is exclusive to APIs, and API and app level usage statistics and productivity metrics are required at the API layer. API governance also tends to be more dependent on run-time policy to enforce security, rate plans and others, in the hopes of enabling monetisation at the edge.
Since there are several overlapping capabilities required for managing both APIs and SOA services, there is a strong case for a unified approach to their governance. The key components of such a model include a common asset repository, metadata and lifecycle management, consumer and developer onboarding, developer management, and analytics.
It is also important to adopt unified policy management, as both SOA services and APIs rely on run-time policies for ensuring non-functional requirements are adhered to. Therefore, policy definition and distribution is a critical feature, which can be converged to provide a common Policy Administration Point (PAP). External policy definitions can then be attached to SOA Services and APIs, which will be leveraged with the respective policy enforcement points (PEPs).
Further to this, a unified gateway is required. This is the run-time component used to expose service proxy endpoints, provide lightweight mediation and enforce run-time policies. Many organisations are already leveraging their existing gateway infrastructure in a unified manner to provision APIs and SOA services.
The synergies between the requirements of SOA governance and API management lend themselves toward the convergence of toolsets and capabilities around governance. This is something we will no doubt see emerging from vendors in the near future. However, in the interim, there are several steps organisations can take to enable unified governance, including leveraging existing governance tooling to enable lifecycle management and common asset repository for both SOA Services and APIs.
In addition, utilising a common service and API gateway with appropriate considerations to capacity management and scalability, and building custom solutions to enable a federated approach for the disjointed capabilities related to policy management, analytics and developer portal, can be highly beneficial.
Unified governance allows for the seamless management of both APIs and SOA services within an enterprise. This approach will enable organisations to follow a clear roadmap that not only allows them to pursue tactical wins using APIs, but also leverage the tried and tested techniques of SOA governance.
