Succeeding with an API Management project requires good discipline and following three major steps:
- a good preparation upfront – cf. API Management project kickoff checklist
- a detailed list of project specifications
- a good methodology to evaluate the different vendors.
We are focusing here on the second phase, which is the list of specifications for your API Management project. You will use this list to engage and discuss with the different API Management software vendors. Below are the 11 most important topics to address along with sample questions.
1. Digital Imperatives – Explain the business context of your project
- How can your solution help address the growing demands for our product portfolio and emerging Omni-channel presence?
- A critical business metric for us is customer retention, and competition for it has intensified largely because of the web. How can your solution help us provide an improved customer experience through self-service and customer digital context?
- Reducing partner onboarding cost and complexity is a key corporate mandate that helps ensure we are easy to do business with. How does your solution help us in this area?
2. Ease of Use – Go for a solution with an easy ramp-up
- Technical programming skills are getting harder to find and are among our most expensive digital costs. How much programming expertise is required to use your solution?
- It is critical that your solution supports our ability to manage change easily. Can the product be integrated into our existing Continuous Integration / Continuous Delivery process, regardless of which vendors we standardize on for our DevOps tooling?
3. Security – Make security a mandate
- APIs involve a broad community: developers, administrators, architects, security experts and others. Automation and self-service are therefore a key initiative for our company, so that these communities can participate without making implementation more complicated. How does your solution support this approach?
- Can your solution provide the following security controls, and if so, describe how: IP whitelisting (allow lists); IP blacklisting (deny lists); JSON threat protection (limits on payload size, nesting depth, array and object sizes and string lengths, enforced before the payload reaches the backend); XML threat protection (the equivalent structural limits, plus defenses against entity-expansion and external-entity attacks).
- Please describe your support for and expertise with OAuth, including the grant types and token formats you implement and major customers you have supported.
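To make the second question concrete when talking to vendors, the following is an added example (not code from the original article or from any vendor's product) of the admission check a gateway performs before forwarding a request: a deny list evaluated before an allow list, and JSON threat protection limits on body size, nesting depth, element counts and string lengths. The `Policy` limits, the CIDR ranges and the sample payloads are assumptions chosen for illustration. It also shows the caveat that matters in practice: the size check runs before parsing, and a parser blow-up on pathological nesting is classified as a depth violation rather than an internal error.

```python
"""Added example of gateway-style request admission: IP allow/deny lists plus
JSON threat protection limits. Illustrative only; limits and ranges are assumed."""
import ipaddress
import json
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Assumed limits; a real gateway makes these configurable per API/product.
    allow: list = field(default_factory=list)   # CIDR strings; empty list = admit any address
    deny: list = field(default_factory=list)    # CIDR strings; always evaluated first
    max_depth: int = 10                         # nesting levels of objects/arrays
    max_entries: int = 100                      # keys per object / items per array
    max_string_len: int = 1024                  # characters per key or string value
    max_body_bytes: int = 64 * 1024             # checked before any parsing happens


def ip_allowed(client_ip: str, policy: Policy) -> bool:
    """Deny list wins over allow list; an empty allow list admits any address."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(cidr) for cidr in policy.deny):
        return False
    if not policy.allow:
        return True
    return any(ip in ipaddress.ip_network(cidr) for cidr in policy.allow)


def json_threat_violations(body: bytes, policy: Policy) -> list:
    """Return the sorted list of violated limits; an empty list means the body passes."""
    if len(body) > policy.max_body_bytes:
        return ["body_size"]          # never hand an oversized payload to the parser
    try:
        doc = json.loads(body)
    except RecursionError:
        return ["depth"]              # pathological nesting exhausted the parser's stack
    except ValueError:
        return ["malformed_json"]

    violations = set()

    def walk(node, depth):
        if depth > policy.max_depth:
            violations.add("depth")
            return                    # stop descending; one finding is enough
        if isinstance(node, dict):
            if len(node) > policy.max_entries:
                violations.add("object_entries")
            for key, value in node.items():
                if len(key) > policy.max_string_len:
                    violations.add("key_length")
                walk(value, depth + 1)
        elif isinstance(node, list):
            if len(node) > policy.max_entries:
                violations.add("array_entries")
            for value in node:
                walk(value, depth + 1)
        elif isinstance(node, str) and len(node) > policy.max_string_len:
            violations.add("string_length")

    walk(doc, 1)
    return sorted(violations)


def admit(client_ip: str, body: bytes, policy: Policy):
    """Combined decision: (admitted, reasons). Reasons are empty when admitted."""
    reasons = [] if ip_allowed(client_ip, policy) else ["client_ip"]
    reasons += json_threat_violations(body, policy)
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed policy and payloads for a quick local run.
    demo = Policy(allow=["10.0.0.0/8"], deny=["10.1.2.0/24"], max_depth=3, max_entries=3, max_string_len=8)
    print(admit("10.0.0.5", b'{"order": [1, 2]}', demo))          # (True, [])
    print(admit("10.1.2.9", b'{"k": "too long a string"}', demo))  # (False, ['client_ip', 'string_length'])
```

Note that a production gateway enforces the depth limit inside a streaming parser so the parse itself is bounded; the `RecursionError` branch above is the fallback you get when a general-purpose parser is used, and the body-size check is what keeps that fallback cheap.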
4. API Management – Ask for the best
- It’s important to keep a separation between our API development, API management, and Policy Administration. How does your solution keep these safely apart?
- In addition to REST, our company continues to support SOAP. How does your solution provide support for both?
- What are your management capabilities to support digital communities based on their roles in the organization?
5. Policy Enforcement – Anticipate your needs for advanced integration
- The ability to reuse policies can save our developers and administrators considerable time and complexity. Can already-established policies be re-used in your solution? Provide examples.
- Can API behavior change dynamically based on factors such as user credentials, message header, and other variables?
- Can your solution allow field data mapping between JSON & XML without coding? Please describe.
6. Integration Extensibility – Don’t underestimate the complexity of your company
- Complexity is something we try to avoid, but if we need to extend the capabilities of your solution to accommodate our architecture and integration requirements, how flexible is your solution to allow for this?
- Our company has an "API First" strategy and IT mandate. If we need to leverage our partners' solutions as an ecosystem of capabilities, does your solution expose APIs that allow us to integrate it into existing software solutions and business processes?
7. Monitoring, Reporting & Analytics – You can’t control what you can’t measure
- The solution should support near-real-time anomaly analysis to detect sudden changes in behavior (e.g. sudden increases or decreases in error counts, load or response times).
- What tools are available out of the box to do various kinds of trend analysis and inspection of anomalies?
- Based on API traffic flowing through the system what level of operational visibility can the solution provide?
- Is administrator activity audited, and can the audit log be exported to external systems?
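The first requirement in this section is easier to evaluate if you know what "near-real-time anomaly analysis" has to do at minimum. The following added example (not code from the original article or from any vendor's analytics product) buckets constructed gateway access-log lines into per-minute error count, request volume and p95 latency, then flags a minute whose metric deviates more than k standard deviations from the preceding window. The log line format, the 5-minute window, the k = 3 threshold and the sample traffic are all assumptions; the floor on the standard deviation is the practical caveat, since a perfectly flat baseline would otherwise flag any change at all.

```python
"""Added example: sliding-window anomaly detection over per-minute API gateway
metrics. Illustrative only; the log format and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict

# Assumed access-log format, one request per line.
LINE = re.compile(r"^(?P<ts>\S+) api=(?P<api>\S+) status=(?P<status>\d{3}) latency_ms=(?P<lat>\d+)$")


def make_sample_log():
    """Constructed sample: ten quiet minutes, then one minute with an error and latency spike."""
    lines = []
    for minute in range(11):
        spike = minute == 10
        for i in range(20):
            status = 500 if (spike and i < 12) or (not spike and i == 0) else 200
            latency = 900 if spike else 100 + i
            lines.append(f"2024-05-01T10:{minute:02d}:{i:02d}Z api=orders status={status} latency_ms={latency}")
    return lines


def bucket(lines):
    """Aggregate raw lines into per-minute metrics, ordered by minute."""
    per_min = defaultdict(lambda: {"requests": 0, "errors": 0, "lat": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # skip lines in an unexpected format
        b = per_min[m["ts"][:16]]         # "2024-05-01T10:00" is the minute key
        b["requests"] += 1
        b["errors"] += int(m["status"]) >= 500
        b["lat"].append(int(m["lat"]))
    metrics = []
    for key in sorted(per_min):
        b = per_min[key]
        lat = sorted(b["lat"])
        metrics.append({"minute": key, "requests": b["requests"], "errors": b["errors"],
                        "p95_ms": lat[int(0.95 * (len(lat) - 1))]})
    return metrics


def detect(metrics, window=5, k=3.0, min_history=3):
    """Flag (minute, metric, z) when a metric is k sigma away from the preceding window.

    Both directions are reported, so a sudden drop in volume or errors shows up too.
    """
    findings = []
    for i in range(min_history, len(metrics)):
        history = metrics[max(0, i - window):i]
        for name in ("errors", "requests", "p95_ms"):
            values = [h[name] for h in history]
            mean = statistics.fmean(values)
            sd = max(statistics.pstdev(values), 1.0)   # floor: a flat baseline must not divide by zero
            z = (metrics[i][name] - mean) / sd
            if abs(z) >= k:
                findings.append((metrics[i]["minute"], name, round(z, 1)))
    return findings


if __name__ == "__main__":
    for finding in detect(bucket(make_sample_log())):
        print(finding)   # the 10:10 minute is reported for errors and p95_ms
```

The same loop works for a decreasing series (a backend silently returning nothing yields a negative z on `requests`), which is the "sudden decreasing" case the requirement mentions; what this does not cover is the administrator audit trail, which is a separate log and a separate question.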
8. Development – You will need customization sooner than expected
- Does your product provide the ability to create custom processes that can be packaged and re-used within the policy creation?
- Does your solution allow our software developers to authenticate with their existing enterprise (customer-side) username and password when performing a deployment?
- Can your solution quickly roll back a deployment when a badly-coded API endpoint causes incidents?
- Explain how your solution supports a full lifecycle for API including the deprecation of APIs without impacting production.
9. Mobile – Build for now and the future
- Our Mobile emphasis on user experience and good client design and development is paramount. How does your mobile API development tool support this?
- Mobility creates anywhere, anytime demand for data and services, so the architecture must scale elastically. How does your solution support this?
- The MBaaS solution should also provide a collection of out-of-the-box integrations for some of the most popular systems, both enterprise (Salesforce, Microsoft, Box, etc.) and public (Twitter, Facebook, PayPal, Dropbox, etc.), as well as mobile-specific services such as push notification. How does your MBaaS solution support these?
10. Deployment scalability – Prepare for growth
- What deployment options are available?
- Describe how the product scales for on-premises or cloud implementation.
- The solution must support active/active clustering across multiple geographically-separated locations.
- Can the product be integrated into an existing Continuous Integration / Continuous Delivery pipeline?
11. Ease of Administration
- Does your solution provide a single console for managing gateways (multiple clusters) residing in different environments?
- Describe how the administration can be centralized.
- Do you have a graphical UI for developing policies and orchestration policy flows?
- Do you have the ability to integrate 3rd-party solutions without coding? How is this accomplished?