TFM spoke to TIBCO Mashery’s Rob Zazueta, Director of Digital Strategy, to go over the ins and the outs of API management – and how to make it an efficient success for your business.
If APIs are the connective tissue between applications, API management is the level of functionality that sits on top of an API, controlling the level of access a user has to it.
Offering an API or, indeed, several, is about getting the most out of data you control. Says Zazueta: “A company publishes an API because they see opportunities available in exposing that data, instead of having it locked away behind a firewall. It’s not futureproof.” Companies sticking to the traditional, outdated model are not participating in the modern data economy.
When it comes to APIs, Zazueta reminds us, “we’re really talking about web services APIs – data exchanged over the network. There are all kinds of ways of pumping big batches of files from one place to another. A lot of these ways are standardised but a lot are ad hoc.”
To illustrate this, imagine you have a partner business or someone internal (e.g. from your marketing department) who wants particular data – you might ask IT to write a script that serves that one person, but what happens when the next request comes? “Or the one after that?” quizzes Zazueta, “APIs are a consistent way to take that data, open it up and make it more flexible and secure so that when the next opportunity arises, I can confidently share data with that new person, in a way that they can use easily, that will not harm my system.”
Remarks Zazueta, “it’s not enough to say ‘here are my APIs, let’s put them out to the world’. To properly secure, scale and support an API programme, whether internally focused (e.g. custom tools for a marketing team) or externally focused (e.g. for partners or a public-facing app) an API management layer is a must.”
He recommends that tech buyers advise IT teams responsible for API development to “build the API, buy the API management solution. There are plenty of fantastic off-the-shelf management suites that will protect the APIs and deal with traffic management, among other things.” As well as Zazueta’s own company TIBCO Mashery, API management firms include Apigee, 3scale, Akana, Layer 7/CA API Management and Axway.
API management is all about careful, measured control, “so only the right people have access to the right data at the right time. One of the benefits is being able to expose data to the public, but in that case you want it to be a very small subset of data. To my marketing team however, I want them to be able to see information around sales, purchasing and customer details, for example.”
“With an API management suite I can set up separate data packages, each with their own keys and access. I can also see who is accessing what and what are they doing with it.”
The potential marketing value of APIs can be reached by asking a few key questions, says Zazueta: “What is your data worth? How can you leverage your data to generate more interest in your business and thus result in more sales?”
An IT team confident about its control over access to certain data can empower marketing teams (or cross-functional teams) to take the bull by the horns. Zazueta comments: “Backed up by well-designed, well-managed APIs, the marketing team itself might hire a developer (in-house or outsourced) to develop specific applications”, potentially easing the burden on the IT team, “for example a dashboard for my lead gen team to get the segmented data they need to craft marketing materials for specific audiences.”
Partnerships through APIs also see revenue-sharing opportunities arise from data-sharing opportunities.
“Prior to working at Mashery and TIBCO [which acquired Mashery from Intel in 2015],” continues Zazueta, “I worked at an email marketing company, targeting small business customers. One of our biggest partners was an event management company which helped users set up invites, manage RSVPs and payments. We exposed our API to them so that when somebody wanted to send out an invitation, they would use our system.”
This was a two-way street however: “When people RSVP’d through their system, we were able to access that through their API allowing us to create an email list that just targeted people who had RSVP’d.” Through this API exchange, Zazueta’s customers could create segmented email lists.
Are companies really able to keep data secure through APIs? “Absolutely,” asserts Zazueta. “Securing your data now is more crucial than it’s ever been. It seems, in the US at least, that things have died down a bit, but we were weekly hearing about some new massive data breach. I can’t think of an incident where that happened through an API.” If that had happened, he says, “it was not because of an API management system.”
API management tools are designed to mitigate as much of the risk as possible. “Security is all about authentication mechanisms,” he explains, “making sure that people sign up, they get the keys they need and they access only what they signed up for.” Most important is that they only have access to the data that you – the producer – have allowed them.
Traffic management is another area where API management comes into its own. Stealing data is one concern; another is distributed denial-of-service (DDoS) attacks: “That’s when your API starts flooding your server with traffic until it comes to its knees and screams for help. Good API management is going to lock down that traffic and make sure that you can’t send more than X number of requests per second, week or month.”
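The two controls described above, per-key data packages and request quotas, can be shown in a few lines of Python. This is an added example, not code from the interview or from any vendor's product; the package names, keys, fields and limits are constructed for illustration.

```python
import time
from collections import defaultdict, deque

WEEK = 7 * 24 * 3600
# Constructed policy: each package exposes a field subset and has its own quotas.
PACKAGES = {
    "public":    {"fields": {"product", "price"},
                  "limits": {1: 2, WEEK: 1000}},      # window seconds -> max calls
    "marketing": {"fields": {"product", "price", "sales", "customer_email"},
                  "limits": {1: 10, WEEK: 50000}},
}
API_KEYS = {"key-public-demo": "public", "key-mktg-demo": "marketing"}  # constructed
RECORD = {"product": "widget", "price": 9.5, "sales": 1200,
          "customer_email": "a@example.com", "cost_basis": 4.1}  # constructed

class Gateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.calls = defaultdict(deque)  # api key -> times of accepted calls
        self.audit = []                  # (time, package, status): who did what

    def handle(self, api_key, record):
        now = self.clock()
        package = API_KEYS.get(api_key)
        if package is None:              # unknown key: no data at all
            return self._finish(now, "unknown", 401, None)
        policy = PACKAGES[package]
        history = self.calls[api_key]
        horizon = max(policy["limits"])  # drop calls older than the longest window
        while history and now - history[0] >= horizon:
            history.popleft()
        for window, limit in policy["limits"].items():
            if sum(1 for t in history if now - t < window) >= limit:
                return self._finish(now, package, 429, None)
        history.append(now)              # only accepted calls count against quota
        # Return only the fields this package was granted, never the full record.
        body = {k: v for k, v in record.items() if k in policy["fields"]}
        return self._finish(now, package, 200, body)

    def _finish(self, now, package, status, body):
        self.audit.append((now, package, status))  # log the package, not the secret key
        return status, body
```

The field filter is an allowlist, so a field added to the record later (such as `cost_basis` here) stays hidden from every package until it is explicitly granted.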
An important part of API design is how simple and easy it is to use. Zazueta suggests that if you already have an API, you find someone semi-technical (someone confident in using Excel but not a programmer) and ask them to try to sign up and make some data requests.
The ideal API, he says, “would allow anybody to immediately understand what the API is doing, how it works, just by visiting the page, signing in and running calls [asking for data] using the browser.”
Zazueta enthuses about the clarity of the Edmunds API for car retail site Edmunds.com, which has interactive documentation and is a good place to poke around.
API management matters because it encourages companies, in a controlled way, to extract value from the data they hold, rather than hoarding it. It’s difficult at the start for some people to imagine the creative ways that developers end up harnessing their APIs, but uses can range from the smallest in-house sales database tool to the most splashy mobile apps made available to the public.
Zazueta maintains that the most basic thing you can do with your APIs is connect them to existing marketing software like Marketo (the Marketo developers page covers APIs). “This allows me to perform segmented searches based on sales, purchases, demographics or analytics for instance. I can then use Marketo to send highly targeted emails to my customers, improving conversion.”
APIs done right – not the easiest thing to achieve first time round, says Zazueta – are good for business. Several McKinsey authors put it succinctly back in 2014:
“APIs represent an attractive source of potential new revenue for companies, and recent activity suggests companies have just begun to explore potential applications. As the app market’s precipitous growth suggests, companies that get it right will benefit handsomely by developing next revenue streams.”
Rob Zazueta is Director of Digital Strategy at TIBCO Mashery – www.mashery.com