API Governance: Risk and Control Consideration

Upload: sunil-kuchipudi

Post on 23-Feb-2017


TRANSCRIPT

Page 1: API Governance

API Governance: Risk and Control Consideration

“Governance should make it easy for people to do the things the right way and hard for people to do things the wrong way.”

Page 2: API Governance

API Governance Framework

Layers shown on the slide diagram: Vision & Strategy; Business Process Architecture; Services Layer; Services Platform; Foundational Infrastructure. API Providers and API Consumers sit at either side of the framework, and Lifecycle Management spans all six streams.

Capabilities called out on the diagram: Discovery, Catalogue, Versioning, Authentication, Entitlements, API Ownership, Data Standards, Data Ownership, API Lineage, Controls, Risk Ownership, Deviation Process.

1. API Organization
a. Guiding Principles
b. Business Road-mapping & Inventory
c. Funding Model & Monetization
d. Operating Model
e. Roles & Responsibilities
f. Decision Rights
g. Syndication Model
h. API Ownership & Accountability
i. Define Metrics
j. Lifecycle Management

2. Policies, Procedures & Standards
a. Operating Model
b. Roles & Responsibilities
c. API Ownership & Accountability
d. Best Practices
e. API Development Guidelines
f. Cataloging & Classification
g. API Ontology

3. Risk Controls
a. Regulatory Compliance
b. Information Security Controls
c. Risk Adjudication
d. API Controls Frameworks
e. Controls Automation CI/CD
f. Continuous Controls Monitoring

4. Technology & Platforms
a. Services Gateway
b. Services Registry & Catalogue
c. Information Model
d. Development Model (Int. & Ext.)
e. Best Practices
f. Reference Architecture Blueprint
   i. Conceptual & Logical Layers
g. Sustainment
h. Containerization

5. Vendor Management
a. 3rd Party API Vendor Relationships
b. Data Ownership & Privacy
c. Legal Implications

6. Change Management
a. Business Impact & Readiness
b. IT Operations
c. Stakeholder Management
d. Communication & Training
e. API Market Place Updates

Provides a governance framework (ring fence) where each team can operate in an agile manner and deliver solutions in line with the organizational Risk Appetite.

Page 3: API Governance

API Governance Operating Model: notional functional organization to enable the success of the API strategy.

Stakeholders & Executive Steering Committee: set Vision & Strategy.

Functions arranged around the API Lifecycle:

1. API Organization Team: Guiding Principles, Roadmaps, Lifecycle Management
2. Policies, Procedures & Standards: Operating Model
3. Risk Control & Security: Governance, Controls, 1st Line of Defense
4. Technology & Platforms: Technology Enablement & Foundational Services
5. Vendor Management: Platform and Runtime Vendor Relationships
6. Change Management: Business Impact, Change & Communications

Page 4: API Governance

Notional API User Community: user-community interactions. API Governance needs to account for the different types of interaction scenario, and for the controls that apply in each scenario and at each interaction point.

API Eco-system:

• API Producers
• API Consumers (Internal)
• API Developer (Partners & Trusted Developers): other API developers incorporate the API into their code base.
• Mobile Platform: users who consume and incorporate API data into their app development.
• API Consumer (3rd Party Consumer)
• 3rd Party APIs: external APIs that internal systems and apps will consume.

Developer community: Internal Developers, Partner Developers, External Developers.

Page 5: API Governance

API Power Plant Analogy: vision of what we need to build and govern. APIs provide a simplified standard interface for users to access the power of Citi through foundational architecture and processes.

Simple Standard Interface

Abstracts Complexity for the User

Monetization, Metering, Elasticity

Controls

Security

Page 6: API Governance

API and Business Process Context: there is a risk that organizations incorrectly treat APIs as independent entities; APIs should be identified and created within the context of a business process.

APIs help the business process of the organization.

Page 7: API Governance


1.0 API Organization

An API organization is needed to address the following:

a. Guiding Principles: The guiding principles steer the development of the API organization and give it a way to measure the effectiveness of APIs. They answer questions such as “what quantifiable business value does the API deliver, and under what pricing model?”, and guide API producers in assessing regulatory and reputational impact, reusability, naming conventions, the information model and adherence to standards. They enable users to understand the business process being enabled, and define common traits so that teams are not repeatedly re-inventing the wheel.

b. Business Road-mapping & Inventory: Create a multi-year roadmap with quarterly goals and updates. Create an execution plan with checkpoints that align to the roadmap. Incorporate input from stakeholders and the Steering Committee. Identify the assets that really matter, both from a business-value perspective and from a risk perspective.

c. Funding Model & Monetization: Translate the roadmap into a funding model and a monetization model for internal and external consumers. Do we have a model that captures the end-to-end lifecycle of the APIs? APIs provide a single end point, and a splintered funding model can put the API strategy at risk.

d. Functional Team Operating Model: Create and manage the Citi API functional team model and its interactions (Slide 3). Keep the functional model up to date and ensure communication and updates flow between the groups.

e. Roles & Responsibilities: Clearly outline and help manage the roles and responsibilities across the Citi API ecosystem.

f. Decision Rights: Formalized decision rights: which person or group makes the make-or-break call.

g. Syndication Model: A model for teams to pool resources and funding and share the API management effort; for example, an API can aggregate data from multiple distributed systems and data sources, which brings support and issue-ownership implications to light.

h. API Ownership & Accountability: Translate and personalize the change into its impacts within their function or LOB. Owners are also the advocates, the go-to people within their function or LOB for understanding the changes.

i. KPI and Metrics Definition: Create KPIs that quantify business value, and metrics that the organization can use to measure progress.

j. Lifecycle Management: With reference to Slide 3, own the “dashboard” for the management, care and feeding of the end-to-end lifecycle of the APIs.

Page 8: API Governance


2.0 Policies, Procedures & Standards

Responsible for Policy Creation, Procedure Documentation, and Standardization….

a. Operating Model: Do we have a set of questions that guide the development of APIs and measure their effectiveness? For example: what is the business value, and is it measurable? What are the regulatory and reputational impacts? Which business processes do the APIs enable? Develop naming conventions, the information model and standards.

b. Roles & Responsibilities: Identify and assign roles and responsibilities within the API ecosystem, in the context of the operating model.

c. Best Practices: Translate the roadmap into a funding model and a monetization model for internal and external consumers. Do we have a model that captures the end-to-end lifecycle of the APIs? APIs provide a single end point, and a splintered funding model can put the API strategy at risk.

d. API Development Guidelines & Cookbooks: Create API development guidelines for the business (product owners) and development teams to build APIs against a standard reference architecture. Cookbooks give step-by-step details on how to build APIs in a consistent way, so that multiple teams can be leveraged to source and build APIs.

e. Cataloguing & Classification: As in a book library, create the process to catalogue and classify the different types of API (business, infrastructure, partner, etc.) against a standard taxonomy. Ensure metadata exists for ease of discovery and re-use.

f. API Ontology Model: Building on the taxonomy, create an ontological model of the APIs and their semantic relationships and dependencies.

Page 9: API Governance


3.0 Risk Controls

The 1st line of defense, helping to drive compliance and assure that the necessary controls are in place…

a. Regulatory Compliance: Understand the regulatory implications of creating APIs. This is especially important once APIs are exposed as public or partner end-points.

b. Security Controls: Information security guidelines and standards to ensure APIs are secured, auditable and hardened in line with the Security Standards.

c. Risk Adjudication: As multiple teams and groups build APIs, act as the arbitrator and adjudication agent that assigns risk from an enterprise perspective, in line with the organizational risk appetite.

d. API Controls Framework: Develop a controls framework based on the API architecture.

e. Risk Controls Automation in CI/CD: Build-time injection of compliance controls into the CI/CD pipeline, so the API is checked against the controls as it is built.

f. Continuous Controls Monitoring: Operational monitoring of APIs at run time: metrics gathering, analytics, monetization and value measurement.
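The build-time control injection in item e, as an added example that is not from the deck or from the IBM reference architecture it cites. It is a Python gate that a CI/CD pipeline could run against an API's OpenAPI 3 document before the API is published, enforcing four of the controls named on the framework slide (Authentication, Versioning, API Ownership, Deviation Process). The control identifiers, the `x-api-owner` extension, the deviation-register layout (endpoint, control, risk owner, expiry) and the sample contract are all assumptions made for this example.

```python
"""Build-time API control gate (added example, not from the deck or IBM).
Control names, the "x-api-owner" extension and the deviation-register layout
are assumptions made for this example."""
import datetime as dt
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple, Union

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}
VERSIONED_PATH = re.compile(r"^/v\d+/")


@dataclass(frozen=True)
class Finding:
    control: str   # e.g. AUTH-REQUIRED
    endpoint: str  # "METHOD /path", or "*" for document-level findings
    message: str


def _operations(spec: dict) -> Iterator[Tuple[str, str, dict]]:
    """Yield (endpoint, path, operation object) for every HTTP operation."""
    for path, item in spec.get("paths", {}).items():
        for method, op in (item or {}).items():
            if method.lower() in HTTP_METHODS:
                yield f"{method.upper()} {path}", path, op or {}


def _active_deviation(register: List[dict], endpoint: str, control: str,
                      today: dt.date) -> bool:
    """A deviation counts only with a named risk owner and an unexpired date."""
    return any(d.get("endpoint") == endpoint and d.get("control") == control
               and d.get("risk_owner") and dt.date.fromisoformat(d["expires"]) >= today
               for d in register)


def check_api(spec: dict, register: List[dict], today: dt.date) -> List[Finding]:
    findings: List[Finding] = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    global_security = spec.get("security")
    # API Ownership: the document must name an accountable owner.
    if not spec.get("info", {}).get("x-api-owner"):
        findings.append(Finding("API-OWNER", "*", "info.x-api-owner is missing"))
    for endpoint, path, op in _operations(spec):
        # Versioning: every path must start with /v<n>/.
        if not VERSIONED_PATH.match(path):
            findings.append(Finding("VERSIONED-PATH", endpoint, "path is not versioned"))
        # Authentication: an operation inherits the global requirement unless it
        # overrides it; "security: []" or an empty requirement {} permits anonymous
        # calls, which pass only under an active deviation (Deviation Process).
        security = op.get("security", global_security)
        if not security or any(req == {} for req in security):
            if not _active_deviation(register, endpoint, "AUTH-REQUIRED", today):
                findings.append(Finding("AUTH-REQUIRED", endpoint,
                                        "anonymous access without an active deviation"))
            continue
        # A requirement naming an undefined scheme enforces nothing.
        for req in security:
            for name in req:
                if name not in schemes:
                    findings.append(Finding("SCHEME-DEFINED", endpoint,
                                            f"security scheme '{name}' is not defined"))
    return findings


def gate(spec: dict, register: List[dict],
         today: Union[dt.date, str, None] = None) -> Tuple[bool, List[Finding]]:
    """CI entry point: (passed, findings). An ISO date string gives reproducible runs."""
    if today is None:
        today = dt.date.today()
    elif isinstance(today, str):
        today = dt.date.fromisoformat(today)
    findings = check_api(spec, register, today)
    return not findings, findings


# Constructed sample contract and register for the demonstration (not a real API).
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "info": {"title": "Accounts API", "version": "1.0.0", "x-api-owner": "payments-api-team"},
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],
    "paths": {
        "/v1/accounts": {"get": {"summary": "List accounts"}},               # inherits bearerAuth
        "/v1/health": {"get": {"summary": "Probe", "security": []}},          # deviation on file
        "/accounts": {"post": {"summary": "Legacy create", "security": []}},  # unversioned, anonymous
        "/v1/transfers": {"post": {"security": [{"oauthTransfers": []}]}},    # undefined scheme
    },
}
SAMPLE_REGISTER = [
    {"endpoint": "GET /v1/health", "control": "AUTH-REQUIRED", "risk_owner": "payments-risk-lead",
     "expires": "2017-12-31", "rationale": "load-balancer health probe carries no credentials"},
]

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_SPEC, SAMPLE_REGISTER, today="2017-03-01")
    for f in findings:
        print(f"[{f.control}] {f.endpoint}: {f.message}")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step, the module exits non-zero when there are findings, which is what makes it a gate rather than a report. The deviation register is what turns the Deviation Process and Risk Ownership boxes on the framework slide into something enforceable: an anonymous endpoint passes only while a named risk owner holds an unexpired exception for it, so once the expiry passes the build fails and the exception has to be re-adjudicated instead of quietly persisting.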

Page 10: API Governance


4.0 Technology & Platforms

Foundational technology platforms and architecture that enable the organization to realize APIs.

a. Technical Stack: Provide a technical reference architecture and stack to jump-start API development.

b. Lifecycle Management: Foundational technology to enable Lifecycle management as outlined through the API Organization functional stream.

c. Service Gateway: Gateway infrastructure to create secure API end points for managing consumers and producers.

d. Service Registry & Catalogue: Registry for APIs, together with the cataloguing method, naming conventions and policy management.

e. Information Model: Determine and publish an industry-based information model in line with Citi Data Standards.

f. Development Model (Internal & External): Create environment for development and publishing of APIs, keeping in mind the different interaction paradigms. Manage a developer community to ensure API adoption and contribution.

g. Technology Best Practices: Knowledge base capturing best practices and lessons learned. How do we build effective APIs?

h. Reference Architecture Blueprint: Layered Reference Architecture that illustrates a multi-tier architecture e.g. Process Layer, Conceptual Layer, Logical Layer, Services, Platforms etc.

i. Sustainment: Determine the process for sustainment of APIs based on SLAs. Sustainment should take into account a distributed support model (e.g. when an API aggregates data from other APIs or data sources).

j. Containerization : Modular packaging of APIs and platform agnostic implementation (e.g. Docker)

Page 11: API Governance


5.0 Vendor Management

Vendor Management for APIs creates new interaction points with partners, development teams and internal stakeholders….

a. 3rd Party Vendor Relationships:
   i. API Vendors
   ii. Technology Vendors
   iii. Data Vendors

b. Data Ownership & Privacy: Who owns the data? In a distributed data model, APIs may aggregate or translate data from various systems, or be consumed in various mobile apps. What happens when someone uses an API to build a mission-critical app and the API breaks?
   i. Cross-border movement of data: what are the implications of an API consumer in Europe using an API that serves data from the US? Privacy laws are relative to the geography you are in.

c. Legal Implications: What are the legal implications when APIs are consumed or produced in the API economy? How do things work in a partnership model? What are the legalities around using APIs from social media or open-source APIs?

Page 12: API Governance


6.0 Change Management

Address API changes and their business impact…

a. Business Impact of Change & Readiness: Change-management process and its impact on the business and on controls…

b. IT Operations: Change process centered on the IT operations that support APIs.

c. Stakeholder Management: Manage changes affecting API consumers, vendors, the Steering Committee, business owners, the developer community and integrations.

d. Communication & Training: Communication plan and forum for changes being made, sunset APIs, data quality and training. Developer training, API community support, and marketing to deliver and create API eco-systems and build co-brand and brand recognition.

e. API Market Places: API content management, developer communication, partner integration.

*Source: IBM API Reference Architecture

Page 13: API Governance


https://developer.ibm.com/apiconnect/documentation/api-101/ibm-reference-architecture-api-management/