API Management: Security, Consumption, Governance
Key Points
- API management provides a centralized, scalable platform for building, publishing, and controlling enterprise APIs across multi‑cloud environments, handling access, usage analytics, and security policies.
- The “restaurant” analogy illustrates that an API acts like a menu and waiter, exposing only the needed functionality of complex backend services while shielding users from internal implementation details.
- In micro‑service architectures, individual backend services (e.g., contact and inventory databases) expose their own APIs, which are then consumed, combined, and re‑exposed by front‑end services such as shopping carts and checkout flows.
- An API management system adds value through core components—starting with the API gateway that sits between clients and backend services—to enforce policies, route traffic, and provide a secure entry point for all API interactions.
Sections
- Enterprise API Management Overview - Whitney Lee explains how enterprises can build, publish, and manage secure, consumable APIs across multi‑cloud environments, using a restaurant metaphor to illustrate API concepts.
- Core Components of API Management - The passage explains how exposing backend services via an API can be enhanced by an API management system, highlighting its four main elements—particularly the gateway for routing, security, and aggregation, and the developer portal for self‑service documentation and faster time‑to‑market.
- API Analytics & Portals in Practice - The speaker explains how automated API analytics and developer portals enable enterprises—such as banks using phone‑verification APIs and rideshare services with non‑relational databases—to monitor usage, monetize services, and streamline data modeling across teams.
- Engage, Subscribe, Earn Badges - The speaker thanks viewers, invites comments, requests likes and subscriptions, and promotes free IBM Cloud Labs for interactive Kubernetes training and badge acquisition.
Full Transcript
# API Management: Security, Consumption, Governance **Source:** [https://www.youtube.com/watch?v=fh3VaXLzH5Y](https://www.youtube.com/watch?v=fh3VaXLzH5Y) **Duration:** 00:10:02 ## Summary - API management provides a centralized, scalable platform for building, publishing, and controlling enterprise APIs across multi‑cloud environments, handling access, usage analytics, and security policies. - The “restaurant” analogy illustrates that an API acts like a menu and waiter, exposing only the needed functionality of complex backend services while shielding users from internal implementation details. - In micro‑service architectures, individual backend services (e.g., contact and inventory databases) expose their own APIs, which are then consumed, combined, and re‑exposed by front‑end services such as shopping carts and checkout flows. - An API management system adds value through core components—starting with the API gateway that sits between clients and backend services—to enforce policies, route traffic, and provide a secure entry point for all API interactions. ## Sections - [00:00:00](https://www.youtube.com/watch?v=fh3VaXLzH5Y&t=0s) **Enterprise API Management Overview** - Whitney Lee explains how enterprises can build, publish, and manage secure, consumable APIs across multi‑cloud environments, using a restaurant metaphor to illustrate API concepts. - [00:03:16](https://www.youtube.com/watch?v=fh3VaXLzH5Y&t=196s) **Core Components of API Management** - The passage explains how exposing backend services via an API can be enhanced by an API management system, highlighting its four main elements—particularly the gateway for routing, security, and aggregation, and the developer portal for self‑service documentation and faster time‑to‑market. - [00:06:28](https://www.youtube.com/watch?v=fh3VaXLzH5Y&t=388s) **API Analytics & Portals in Practice** - The speaker explains how automated API analytics and developer portals enable enterprises—such as banks using phone‑verification APIs and rideshare services with non‑relational databases—to monitor usage, monetize services, and streamline data modeling across teams. - [00:09:41](https://www.youtube.com/watch?v=fh3VaXLzH5Y&t=581s) **Engage, Subscribe, Earn Badges** - The speaker thanks viewers, invites comments, requests likes and subscriptions, and promotes free IBM Cloud Labs for interactive Kubernetes training and badge acquisition. ## Full Transcript
How can enterprises ensure
that their APIs are consumable, secure, and managed?
My name is Whitney Lee.
I'm a cloud developer here at IBM.
Before I answer that question,
please go ahead and hit that subscribe button.
API management is the process of building,
publishing, and managing APIs
across an enterprise and multi-cloud setting.
More than just a place for these APIs to live,
API management offers a centrally visible, scalable platform,
where enterprises can share and socialize their APIs
while ensuring controlling access,
collecting usage statistics,
and enforcing associated security policies.
So, what is an API?
A popular way to talk about what an API is is by using a restaurant metaphor.
So, let's think of a kitchen at a restaurant.
Now, there's a lot of complexity here.
There's what ingredients the kitchen uses?
Where they source those ingredients?
The personnel? The equipment?
But as a diner, all you need to know is what is on the menu.
So, in this analogy the kitchen would be an application or service,
and the menu would be an API definition.
And, once the diner knows what they want,
how do they communicate that?
Well, they do that through their waiter.
So, an API is like a waiter,
it's a way to interface with the application,
without understanding the complexity.
So, the user would make a request to the API,
some time would pass, and they would get what they asked for back.
Now where this analogy falls short
is that it is possible to supply information to an API.
So, imagine a restaurant where,
as a diner, you could supply some raw ingredients to your server,
and the server could use that in the kitchen
to affect what dish is coming back out to you.
So, let's talk about a retail application where APIs are used
to kind of give a sense of how they're used in microservices.
So, let's consider a contact information database,
and then that is going to expose information through an API,
and maybe there's an inventory database,
and these are backend services,
and then for front end, let's say we have a shopping cart,
and that will use our inventory, but not necessarily a contact information API.
Let's have a check out which will need both,
and then finally let's do reviews,
which might only need contact information,
not necessarily inventory.
So, these are consuming information from our backend services,
transforming it, and then exposing those results through their own APIs,
and these APIs up top are exposed to the public.
So, it's possible, too, to expose your backend service to the public
if you want with its own API.
So, if you wanted to create an API that lets your
users change their contact information directly, you can definitely do that.
So, an API management system,
how is that going to improve upon what's already happening here?
So, there are 4 core elements of an API management system.
So, the first one is going to be the gateway.
So, the gateway sits between the web client
and the systems and services that it's connected to.
So, the gateway is going to handle all routing requests.
It handles a data composition and protocol transformations.
In addition to that, the gateway handles security authentication and authorization,
and it can use state-of-the-art security like OAuth, OpenID, JWT.
The gateway also handles data aggregation,
so it receives one request from the web client
that may involve multiple services,
but then it will aggregate that and send it back as one response.
The next part of an API management system is a developer portal.
So, the developer portal is a self-service hub
where developers can go to browse access and share
API documentation.
So, if an API definition is like our menu,
this is like a menu of menus,
and this is going to really streamline communication between teams in an enterprise,
which results in faster time to market
and lower development costs.
This example has six APIs,
so you can imagine across an enterprise there could be hundreds or even thousands of APIs.
So, being able to centralize access to that is invaluable.
Next up, we have a lifecycle manager.
So, we can think of an API as a building block.
If you make an API and expose that for other people to use,
and they incorporate your API into their system,
they're trusting you to keep your part of their system healthy.
So, the life cycle manager will help you build, test,
on board, manage, and eventually retire your APIs.
You can manage your APIs every step of the way,
while ensuring adequate version control.
Last up is reporting and analytics.
API management solutions use synthetic monitoring
to watch each API's availability, response time, and overall health.
You can also incorporate analytics solutions
for automated recording over time.
So, these can be used to
diagnose and troubleshoot integration issues as they arise
and they can also help enterprises make better informed decisions
about their applications and services.
So, how how does this affect some real life scenarios?
So, let's consider banks and now they offer login through a mobile app.
That mobile app login requires two-factor authentication.
So, regular login plus a phone number verification.
So, a telecommunications company might build an API, build a service,
that verifies phone numbers and expose that service via an API,
and in that way they're able to monetize their existing data
and create an entirely new source of revenue.
So, they're going to use the reporting part of the API management
to be able to see who's using their new API, how it's being used,
and to set their prices and eventually collect money.
Or, let's consider a rideshare app.
That rideshare app,
let's say they decided to use a non-relational database for their back end.
They want to do this for scalability and flexibility,
but in practice communicating between teams can result in really messy data.
So, the the rideshare company can use the developer portal
to define objects like a car, a journey, a time slot,
and it can formalize the relationships between those objects,
and then communicate all of that with the developer portal,
and that's going to result in much more powerful data queries.
So, they can harness the flexibility and the scalability of a non-relational database,
while using the control of a more traditional relational database.
And, finally, let's consider a bank
that wants to offer third-party products and services to their clients.
They can do this by using the API gateway.
So, the API gateway is going to centralize access and security.
So, the user has a unified login experience
and then the bank can use internal APIS
to expose their customers to third-party products and services,
and then only share that information with the third parties if the customer agrees.
So, they're using the gateway to centralize access,
to aggregate data, so it presents a unified experience,
and they're also using the gateway to ensure their high security standards.
So, API management can be used by enterprises
to make sure their APIs are secure, consumable, and managed.
Thank you. If you have questions please drop us a line below.
If you want to see more videos like this in the future please like and subscribe,
and don't forget:
you can grow your skills and earn a badge with IBM Cloud Labs,
which are free browser-based interactive Kubernetes labs.