Will APIs Deliver the Ultimate Customer Experience?
APIs work to expose data, build modular apps and effect change in IoT.
In the application economy, most businesses understand the need to interact with customers via responsive websites, custom mobile apps and other user-friendly digital interfaces. To create digital experiences that make customers feel the business understands their needs, it is vital to identify who customers are and collect data on their purchases, interests and associations. And APIs are critical to capturing this information.
Deploying APIs that effect change—that alter the computing environment to ensure customers have the experience they expect with enterprise applications—is the logical next step. But many businesses are reluctant to take this next step because of the security and compliance implications. For example, how can API activity be audited for PCI or SEC/PRA compliance? What is needed is the ability to examine the implications of an API call and assess it according to business rules.
It is one thing to build applications that surprise and delight customers, quite another to ensure the underlying platform is able to deliver good user experiences every time, particularly as the potential user base size for these new applications is always uncertain. For many organizations investing heavily in the development of apps that actively drive the business forward, infrastructure performance management is a low priority and often treated as an insurance policy.
— Glenn Weavind, Infrastructure Management, CA Technologies
A Solid Foundation for Apps
In practice, this means that, with project budgets depleted by development efforts, the business will adopt the cheapest infrastructure management offering that meets its mandatory requirements—often a cloud-based system. But it is a huge mistake to treat infrastructure management as a mere overhead. Without high-performing infrastructure, the customer experience with new applications will be poor and these apps will be rapidly forgotten or uninstalled.
What has to change? Simply put, the business will need to adopt an organizational culture that recognizes infrastructure as a key component of the overall system that creates the kind of compelling applications needed to drive business and differentiate from the competition. In this context, everything changes—provisioning and infrastructure management will go hand-in-hand with the development effort.
At the same time, IT must take responsibility for delivering infrastructure management that is as efficient and cost-effective as the public cloud offerings commonly used in the “insurance policy” model of infrastructure management. IT in some organizations is responding to this with the software-defined data center (SD-DC), which is a re-creation of the processes already in place at the largest cloud service providers. In the SD-DC, APIs control everything:
- Cloning of virtual machines
- Provisioning of network connectivity
- Provisioning of storage
- Management of load-balancers and other network function virtualization operations
- Updating of firewalls to enable production traffic to reach the new virtual machines
These APIs are not simply windows to read-only data, in the way a transit authority might use an API to expose real-time information about train movements. By contrast, they change the computing environment—starting and stopping systems, controlling power and machines. These changes significantly disrupt the standard operational procedures that IT teams use to audit network activity in order to comply with regulatory requirements and internal security policies.
Validation, Automation and Protection
When humans implement systems, there is a separation of roles and experienced staff carefully consider the implications of the proposed actions. There are multiple opportunities for errors to be detected and for the appropriateness of any given action to be reviewed. So, in API-driven systems, every API call must be validated against something that can assess the implications of that call and its appropriateness at that moment.
This API validation will require the implementation of software that can make automated decisions about what is acceptable based on business rules related to access policies, service roles and network locations. By implication, any call that does not comply should be rejected. Using software to implement business rules in this way is, to an extent, a familiar practice. For example, corporate procurement systems often have automated expenditure limits.
What is different about protecting APIs in the proposed manner is the subtlety of the operation—checking not merely syntax, authentication, budget limits and so forth but also the rightness of the call, in real time. With the Internet of Things (IoT) using APIs to make control over the functionality of more and more everyday products available remotely online, this kind of granular validation will become vital.
For example, some thieves have become adept at gaining access to the security modules of connected cars in order to unlock and start vehicles without using the key or transponder. A better API protection mechanism would evaluate the API call to unlock the vehicle and recognise that, if the car has been deadlocked using its transponder or key, only a transponder or key unlock should be allowed and any software-based unlock call should be rejected.
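The validation described above, sketched as an added example that is not code from the article or from any API management product: each call is checked against service role, network location and the current state of the target, rejected by default, and recorded for audit. The role names, action names and address ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ApiCall:
    role: str        # service role taken from the authenticated identity
    source_ip: str   # network location the call arrived from
    action: str      # operation requested, e.g. "vehicle.unlock"

# Constructed rules: action -> (permitted roles, permitted source networks).
POLICY = {
    "vehicle.unlock": ({"owner-app", "key-reader"}, ["10.20.0.0/16"]),
    "vehicle.status": ({"owner-app", "fleet-ops"}, ["10.20.0.0/16", "10.30.0.0/16"]),
}
# Roles bound to the physical key or transponder interface (assumption).
PHYSICAL_ROLES = {"key-reader"}

def decide(call, state):
    """Return (allowed, reason) for one call given the current vehicle state."""
    rule = POLICY.get(call.action)
    if rule is None:
        return False, "no rule for action"  # default deny
    roles, networks = rule
    if call.role not in roles:
        return False, "role not permitted"
    try:
        ip = ipaddress.ip_address(call.source_ip)
    except ValueError:
        return False, "malformed source address"
    if not any(ip in ipaddress.ip_network(n) for n in networks):
        return False, "source network not permitted"
    # State-dependent rule: a vehicle deadlocked with its key or transponder
    # may only be unlocked through that same physical path.
    if (call.action == "vehicle.unlock" and state.get("deadlocked")
            and call.role not in PHYSICAL_ROLES):
        return False, "deadlocked: software unlock rejected"
    return True, "ok"

def validate(call, state, audit_log):
    """Decide, then record the decision so every call leaves an audit entry."""
    allowed, reason = decide(call, state)
    audit_log.append({"action": call.action, "role": call.role,
                      "source_ip": call.source_ip, "allowed": allowed,
                      "reason": reason})
    return allowed

if __name__ == "__main__":
    log = []
    call = ApiCall("owner-app", "10.20.4.7", "vehicle.unlock")
    print(validate(call, {"deadlocked": True}, log), log[-1]["reason"])
```

The role must come from the authenticated interface rather than from a field the caller supplies, otherwise the deadlock rule can be bypassed by claiming to be the key reader.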
This is not an entirely novel concept. Contemporary firewalls delve into the actual content of traffic attempting to traverse the barrier and reject packets that carry the wrong sort of content for the open port that is being used. However, it does not yet seem to be standard in API Management solutions and the lack of this capability may be hindering more widespread adoption of APIs that make changes in the real world.
Why API Validation?
Who would be interested in this level of API validation? Any business that needs to gain the efficiency, economy and effectiveness of APIs that effect change and make the IT world of servers, switches, routers and firewalls different. Service providers represent an obvious start, as their entire business model runs on APIs, but large enterprise customers can see the business and operational value of a working internal private cloud and some are driving towards this.
Would this approach deliver business value? The answer has to be an emphatic “yes”. By enabling IT to deliver scalable and reliable infrastructure, the applications that enterprises are making huge investments in are implemented on solid platforms that deliver the end-user experience that is so critical to business success and brand building. And the business can see that, by treating IT as an integral part of the business, it has empowered IT to deliver business value in return.