CITO Research

Advancing the craft of technology leadership

May 2012

Enterprise-class API
Patterns for
Cloud & Mobile

Sponsored by
Contents

Foreword: The API Is the New Website 1

Requirements for Enterprise APIs 2

Standards for Consuming and Exposing APIs 2

Enterprise-Class Security  3

Visibility and Control 4

The API Gateway: A Control Point for the App Economy 5

Gateway Usage Patterns 6

Supporting Partners with APIs and Web Services 6

Supporting Mobile Use of Enterprise Services 7

Controlling Use of Cloud Infrastructure as a Service (IaaS) 8

Controlling Use of Platform as a Service (PaaS) 9

Projecting Security Policy on (or Just Controlling) Data in the Cloud 10

Securing Cloud Applications (Software as a Service) 10

Monetizing an API 12

About The Contributors 13

 Enterprise-class API Patterns for Cloud & Mobile 1

CITO Research
Advancing the craft of technology leadership

Foreword: The API Is the New Website

by John Musser, Founder, ProgrammableWeb Of the dozens of categories and thousands of APIs
tracked by ProgrammableWeb, one of the fastest grow-
We live in an app economy. Increasingly, the primary dig-
ing categories is the enterprise category—businesses
ital mode of engagement between businesses and their
communicating with each other. One of the main rea-
customers, partners, and even employees is through
sons is the rapid adoption of cloud and cloud-based
apps. To deliver services via apps, most businesses de-
technologies within the enterprise, whether it’s through
velop application programming interfaces (APIs) that
the CIO’s office or through the side door. Cloud solutions
support machine-to-machine interactions over the Web.
are primarily integrated through APIs. Think of APIs as
Programmable Web has determined that there are more the “glue of software as a service (SaaS).” APIs are the way
than 5,000 APIs available on the Web today, up from near that data gets into and out of the cloud, and from enter-
zero in 2005. Growth has been exponential (Figure 1). prise to enterprise.

It’s only now that enterprises are learning best

practices for running and securing APIs. It’s not
enough to offer an API; it needs to be reliable,
scalable, and secure. Many enterprises don’t
really know how to offer APIs with the same
security and service level as their enterprise
applications.

Until now, the use of APIs grew organically

at the department level on an app-by-app,
partner-by-partner basis, with no enterprise IT
standards or architecture enforcement. This has
not changed, even as most companies have
adopted APIs.
Figure 1. APIs: Growth is accelerating (Source: Programmable Web)
The vast majority of developers today are trained
In many ways, APIs are the websites of this generation. and working in a lightweight, simple architectural style
In 1995, businesses were asking, “Why do I need a web- called REST (Representational State Transfer), which is
site?” By 2000, every business needed to say, “Of course ideal for the biggest sector of the app market, mobile
we have a website.” In 2007, everyone was asking, “What devices. But many of the first-generation APIs were writ-
is an API and why do I need one?” Now, the pressure is ten using SOAP (Simple Object Access Protocol) or other
on to say, “Of course we have an API!” Not only will every variations on web services. Enterprises offering APIs will
company eventually have an API; many of them will need to “speak” REST to the outside world in order to
soon have multiple APIs for different purposes. continue to grow (Figure 2).
 Enterprise-class API Patterns for Cloud & Mobile 2

CITO Research
Advancing the craft of technology leadership

Figure 2. REST versus SOAP: Simplicity wins again (Source: Programmable Web)

Requirements for Enterprise APIs

This CITO Research paper, with insight from Dan Woods, Salesforce.com. Here are just a few of the problems with
coauthor of APIs: A Strategy Guide (O’Reilly Media, 2011), this approach:
describes several API usage patterns. By adapting these • Security is commonly hard-coded per provider. The
patterns, enterprises will be able to follow best practices security protocols must be compatible for each rela-
in API security. Before covering these patterns, this sec- tionship. Each new hole in the enterprise security
tion describes enterprise architecture requirements for perimeter increases exposure to threats and vulner-
designing, building, managing, and protecting APIs. abilities. Also, many providers do not provide any
security, or only minimal security, at the network
Standards for Consuming and Exposing APIs
level. It is hard to find a provider that can support
In the early days, most APIs were built based purely on application-level security that meets enterprise-
SOAP standards. More recently, multiple standards have grade needs.
emerged, such as REST and JSON (JavaScript Object
• Each department maintains different financial,
Notation). Additionally, enterprises need to mediate be-
SLA, and technical support agreements with each
tween these standards and design patterns on the back
provider, which results in engineering building
end of their technology stack, which is not changing as
one-off solutions that do not share infrastructure.
quickly as the front end. Today, a typical organization
Maintaining multiple one-off solutions, with no
works with between 5 and 15 cloud providers. Any de-
common standards, becomes a major headache.
partment could write a connection to consume a cloud
service such as Amazon Web Services, Google Apps, or • Auditing is problematic, with no easy way to identify
redundant and critical services.
 Enterprise-class API Patterns for Cloud & Mobile 3

CITO Research
Advancing the craft of technology leadership

• The more APIs you consume, the more you have Enterprise-Class Security
to worry about management and compliance.
Enterprise-class security includes authentication, autho-
Compliance is a major issue if you are an insurance,
rization, and perimeter defense.
healthcare, financial, or banking company. You
need to implement proper policies for exposure, Authentication in APIs provides a way to ask the ques-
consumption, and availability of services based on tion: “Is the entity making this request really who they
the standard that you need to comply with (such as say they are?” OAuth is the predominant API authentica-
HIPAA, SOX, COBIT, PCI, and so on). tion model, used especially by organizations with APIs
associated with websites or mobile applications that
• Exposing an internal application may require medi-
require passwords.
ation with existing infrastructure, which is not nec-
essarily primed for communication on the open By creating a token that exists only during application
Internet. handshake, OAuth prevents password propagation
around the Internet. It is best suited for large groups
Individual applications are exposed on app servers
of unknown developers trying to access your API. It is
that may not be security-hardened or scalable. The mix
also lightweight and relatively easy to use; “new school”
of technologies in a large enterprise, from mainframe
developers are quickly becoming fluent in OAuth.
applications to web servers, all speak different lan-
guages and use different transport and security proto- Enterprise developers may be more familiar with
cols (see Figure 3). Commonly, management of API keys authentication mechanisms such as X.509 certificates,
presents the single biggest challenge for IT. Security Assertion Markup Language (SAML) and

Figure 3. Consuming APIs: A Wild West Approach

 Enterprise-class API Patterns for Cloud & Mobile 4

CITO Research
Advancing the craft of technology leadership

two-way Secure Sockets Layer (SSL), which are imple- firewalls, load balancers, and network connections
mented as part of web service standards colloquially based in large data centers. The cloud user is usually
known as WS- *. responsible for patching and maintaining the oper-
ating systems and application software. Providers
However, an authenticated client can still pose a threat.
bill IaaS services on a utility basis—cost reflects the
Attacks such as denial-of-service, code injection, mal-
amount of resources consumed.
ware, and data leaks must all be accounted for when
designing an enterprise API strategy. Tactics such as • Platform as a Service (PaaS): The cloud provider
data validation, input validation, pattern-based scan- delivers a computing platform that includes an
ning, heuristics, antivirus scanning, and malware scan- operating system, programming language execu-
ning can mitigate these threats. tion environment, database, and web server. In
some offerings, resources scale automatically to
Authorization provides a means of asking, “Is this entity
meet demand.
allowed to do what it is attempting to do?”
• Software as a Service (SaaS): Application software
The most prominent API authorization model is XACML is installed by cloud providers and cloud users access
(eXtensible Access Control Markup Language), which the software remotely. This “hands-free” approach
decouples authorization from the point of use (in other means the software can scale and apportion itself
words, the application itself ). With XACML, authoriza- according to demand without intervention by the
tion policies can be updated on the fly and affect all cli- user. Typically users do not manage the infrastruc-
ents immediately. ture or platform.
Perimeter defense must also be considered. Every time SaaS and PaaS providers are circumventing traditional
your data crosses the edge of an application, enter- enterprise architecture. Compliance and visibility has
prise firewall, or the cloud, a vulnerability is exposed. decreased. Simply put, your enterprise is likely already
Enterprise, cloud, and application edge security must be part of the app economy. The question is, how are you
built into any enterprise API scheme, as it provides the managing your API traffic? Do you have a control point
earliest form of detection. to manage that participation?

Visibility and Control Enterprise APIs are not science projects; they’re conduct-
ing enterprise-class business and require enterprise-
Most enterprises lack overarching visibility into and
class visibility and control. What path can enterprises
control of APIs. Departments often provision their own
take to prepare for secure use of APIs?
computing services from the cloud, frequently provided
via APIs. Typically, these services include the following
three major categories:
• Infrastructure as a Service (IaaS): Cloud provid-
ers offer physical and virtual machines, storage,
 Enterprise-class API Patterns for Cloud & Mobile 5

CITO Research
Advancing the craft of technology leadership

The API Gateway: A Control Point for the App Economy

The path to security, reliability, and scalability comes Gateways offer security architects and developers flex-
through an API gateway design pattern, typically instan- ibility for custom coding where needed and also provide
tiated by a network edge gateway software appliance, a way to apply security policy, routing, services, or out-
sometimes called a security or service gateway. An API of-the-box security functions such as encryption and
gateway acts as a control point between enterprise IT authentication.
infrastructure and the outside world accessed through • Global event visibility: Gateways can improve visi-
APIs, including the cloud. Functions of API gateways bility with dashboards that facilitate an understand-
may include: ing of incidents across APIs, such as coordinated
• Location virtualization: API Gateways allow you malware attacks. Gateways can be designed to track
to invoke services that run anywhere, any time and API service call activity for security event reporting
allow you to seamlessly move your services around or chargebacks. Since they intermediate all trans-
at will without affecting your infrastructure. actions as a proxy, API gateways supply rich audit
• Version control: API gateways provide API version trails, coordinated analysis, and detailed monitoring
control and abstraction. across previously siloed and separate department
implementations. Security Information and Event
• Centralized security and policy enforcement: API
Management (SIEM) capability is also provided, pro-
gateways centralize security and policy enforce-
viding real-time analysis of security alerts generated
ment, without having to hard-code security into
by network hardware and applications.
individual applications.

Figure 4. API gateways serve as an intermediary between the enterprise and external APIs
 Enterprise-class API Patterns for Cloud & Mobile 6

CITO Research
Advancing the craft of technology leadership

Cloud Service Brokers: A Role that Simplifies Consumption of Cloud APIs/Services

IT is evolving from an implementer of point-to-point integration and infrastructure for cloud services into an orchestra-
tor of services consumed by internal department-level developers. Today, your organization might be managing cloud
services from a dozen providers. Tomorrow, when this number explodes, point-to-point management of all of these
services, including billing, governance, security, and authentication, will not be a viable option.

Use of an API gateway delivers a key technology enablement platform so that your IT department can become what
Gartner Group calls a “cloud service broker” (CSB). Additionally, many third-party companies are becoming CSBs them-
selves to package and deliver services or integrations for vertical industries. Analyst consensus estimates that by 2015,
20% of all cloud services will be intermediated by CSBs. A cloud service broker is an emerging role for IT or intermediar-
ies, and an API gateway is the centerpiece technology platform that enables this usage model.

Gateway Usage Patterns

An enterprise API gateway can be advantageous in many frictionless an interaction as possible. To support auto-
contexts. This section describes several usage patterns. mated exchange of information and process integration,
many companies expose assets in the hopes of drawing
Supporting Partners with APIs and Web in more revenue, expanding their partner bases in the
Services process. One well-known use case is Netflix’s integra-
Business usage model: API gateways are most fre- tion with more than 200 hardware devices, from Roku to
quently used to ensure that two businesses have as Xbox, vastly expanding its subscriber base.

Figure 5. Supporting Partners Pattern

 Enterprise-class API Patterns for Cloud & Mobile 7

CITO Research
Advancing the craft of technology leadership

To successfully expose assets, legacy protocols need tential security holes very quickly. This contrasts tradi-
to be translated. Attempting to do this sequentially, tional partner integration, where partners were a mere
partner-by-partner, seriously inhibits scalability and handful.
time-to-market.
Mobile devices can bring potentially millions of mes-
API gateway solution: The API gateway mitigates risk sages a day from thousands of devices. You need a con-
by offering enterprise-edge security. In this model, the trol point to handle traffic and minimize impact on back-
REST API is exposed on the gateway, which can be on- end application servers—a type of “mobile middleware.”
premise in a secured DMZ or a virtual appliance in a
API gateway solution: The gateway maintains security
trusted network. REST requests are translated to SOAP
and manages volume and complexity as you expose
so that backend applications don’t have to be rewritten.
enterprise applications via mobility. The gateway man-
Security is enforced at the gateway, not on the backend.
ages perimeter defense, scanning messages for mali-
Supporting Mobile Use of Enterprise Services cious content. It also manages changes to mobile plat-
form APIs centrally. The gateway speaks REST and JSON,
Business usage model: In order to reach consumers
which, combined with the volume of API calls, demands
(and increasingly, partners and employees), you need
a responsive, scalable platform that can serve requests
mobile apps. A mobile API, however, can open up access
while maintaining the integrity of enterprise apps. In
to enterprise systems, which creates a security problem.
this use case, the gateway authenticates the client and
Via mobile device, anyone could send a function call
obtains authorization using OAuth. API responses are
directly into your enterprise. Worse, mobile devices are
typically sent as a JSON payload for native mobile appli-
mass-market devices, multiplying the number of po-

Figure 6. Mobile Use Pattern

 Enterprise-class API Patterns for Cloud & Mobile 8

CITO Research
Advancing the craft of technology leadership

cations, which interpret them into an object for use in the infrastructure can be managed from a central place. The
native mobile application programming environment. gateway can also act in a client capacity by securing and
mediating these REST API calls. The API gateway pro-
Controlling Use of Cloud Infrastructure as vides a façade or standard abstraction layer for develop-
a Service (IaaS) ers. This allows the enterprise to easily switch between
Business usage model: With service providers such as multiple cloud IaaS providers without expensive rip-
Rackspace or Amazon Web Services, your organization and-replace of custom code.
runs virtual machines (VMs) on hardware in third-party
The gateway can prevent VM creations or deletions from
data centers. Savings accrue because you can run ap-
rogue users or unauthorized users. Role-based rules can
plications on rented computing power without paying
help manage the sprawl of multiple VMs in the cloud
for on-premise resources. To offer more direct and rapid
for cost savings and provide audit controls on external
integration, these providers offer VM control via HTTP-
VM usage. Further, the gateway can interface with your
based API calls rather than through a web console.
enterprise LDAP, extending existing roles, and access
Simply put, they offer API controls for virtual machines.
control policies for provisioning new VM infrastructure,
These APIs allow administrators to apportion the infra-
without creating a need to twist your existing identity
structure devoted to a given enterprise application with
system to meet the whim of the cloud provider.
simple, easy to use REST function calls.
Without a gateway, setting up rules about who can set up
API gateway solution: The gateway lets organizations
or terminate a VM in the cloud becomes a custom devel-
take advantage of API controls for running VMs in the
opment project, done ad hoc, per provider. Terminating
cloud. The configuration of, and access to, cloud-based
a VM might lead to the loss of a vital business service.

Figure 7. Infrastructure as a Service Pattern

 Enterprise-class API Patterns for Cloud & Mobile 9

CITO Research
Advancing the craft of technology leadership

Adding a raft of unauthorized VMs to your cloud wastes API gateway solution: Using an API gateway for PaaS-
money. Without a gateway, IT must hard-code authenti- created applications offers better authentication and
cation tokens into every application it hosts in the cloud, encryption protection, including OAuth, SSL, shared
a barrier to the promised savings and efficiency of cloud secrets, or signatures. A gateway in a virtual form factor
computing. allows you to put your enterprise security policies in the
cloud.
Controlling Use of Platform as a Service (PaaS)
The gateway applies policies to data as it enters a hosted
Business usage model: Many enterprises are building
application or database, so your enterprise policies can
software as a service (SaaS) apps themselves, using PaaS
be protected while still gaining the advantage of a
providers such as Heroku, Force.com, and Engine Yard.
cloud-based deployment.
A gateway can secure, propagate, and manage these
apps. Building SaaS apps on PaaS providers’ platforms API gateways are available as cloud-based virtual
implies a heavy reliance on the providers’ security con- machines, which means the same cost savings offered
trols, which are generic to attract the widest customer by the cloud provider can be extended to the gateway
base, but often weak. There is no guarantee that enter- itself—and it will be operationally closer to the cloud
prise policies will work in a cloud-based app built on assets you create.
these platforms with their given toolsets.

Figure 8. Platform as a Service Pattern

 Enterprise-class API Patterns for Cloud & Mobile 10

CITO Research
Advancing the craft of technology leadership

Figure 9. Data in the Cloud Pattern

Projecting Security Policy on Data in the tifiable information (PII) or intellectual property. With
Cloud encryption, the enterprise keeps the keys and can deter-
mine how to protect data before it is sent to the cloud.
Business usage model: Many enterprise applications
now use data from a combination of internal databases The gateway can keep a copy of the API call before it’s
and data from cloud-based PaaS providers, such as Dun sent, in case the data payload doesn’t come back, by
& Bradstreet, Data.com, and Salesforce. When data is caching a copy in a secure area or database under the
split between the cloud and the enterprise, business risk enterprise’s control.
is increased because core business systems are exposed.
The gateway can abstract the interface to the cloud ser-
It’s vital that security and control mechanisms for exter-
vices so that authentication can be managed in a stan-
nally hosted data are as robust as those for on-premise
dardized way, regardless of the combination of methods
data. The enterprise application needs to authenticate
used by the cloud service.
itself to the cloud service using a method such as API
keys or shared secrets. Each cloud service is likely to use Securing Cloud Applications (Software as a
a variant of several of these methods. Service)
API gateway solution: The API gateway can manage Business usage model: Self-service is one of the big-
sharing of sensitive data between the enterprise and gest trends in today’s enterprise. Many popular business
cloud-based PaaS providers. The gateway can encrypt or services are offered in the cloud. However, resolving se-
tokenize portions of the data, such as personally iden- curity issues associated with these services may neces-
 Enterprise-class API Patterns for Cloud & Mobile 11

CITO Research
Advancing the craft of technology leadership

sitate expensive development on the provider side. The The gateway offers advanced, out-of-the-box security
multiple relationships between business users in de- features to improve the security posture provided by
partments have become a management nightmare for SaaS operators, which often lack these features. The
IT, which has no practicable way to enforce enterprise built-in security of a gateway saves tremendous amounts
policies in cloud-based apps hosted by third parties. of money and resources that would otherwise be spent
on patching the security holes left by SaaS providers.
API gateway solution: The API gateway is a valuable
architectural addition when Enterprises or Service An API gateway is a critical component that extends the

Figure 10: SaaS Pattern

Providers are building their own SaaS applications. It standard three-tier architecture for modern SaaS appli-
lets you scale your SaaS applications more easily while cations. Without a dedicated gateway, API channels and
protecting a wide range of clients, internally and exter- their accompanying security controls such as OAuth,
nally. Alternatives to this architecture place more soft- SAML, SSL, X.509 processing, or shared secrets become
ware development, security and performance burdens a custom coding project on top of the application
on the web server and application server tier, which are server. Worse, complex heuristics for malware scanning
really designed for end-user communication, not API and data leak protection cannot be easily added. Large
transactions.. SaaS applications that require security and enterprise-
grade security may benefit from a security gateway for
reduced coding time and increased performance.
 Enterprise-class API Patterns for Cloud & Mobile 12

CITO Research
Advancing the craft of technology leadership

Monetizing an API API gateway solution: An API gateway can provide

tracking, metering, auditing, and throttling for API-
Business usage context: Some enterprises generate
delivered services, helping enterprises get fine-grained
revenue by “monetizing” assets that did not formerly
analytics and meet service-level agreements (SLAs). API
carry a charge or whose characteristics change in the
gateways can track and meter user activity so subscrib-
app economy. This might include extending an existing
ers can be charged for content they consume. This can
service to a partner with which the enterprise plans to
also power analytics on customer behavior and improve
share revenue, charging customers per-use, or prevent-
future offers.
ing third parties from counterfeiting a product. For ex-
ample, the telecom industry is moving toward monetiz- API gateways can audit activity to ensure proper use. For
ing APIs. Right now, everyone pays a flat fee for voice example, a company running a news site may want to
and data services. In the future, telcos will use API ser- prevent copying and repurposing news content. They
vice calls as the basis for charging customers. API mon- can throttle data once certain thresholds have been
etization models are becoming a centerpiece for many crossed, protecting operational integrity. API gateways
vertical industries and an API gateway delivers a tremen- can also meter activity to support SLAs & prioritize traf-
dous “first mover-ready solution” advantage. fic. If you want to know how well your API is working, the
gateway can monitor the success rates of transactions,
amount of uptime, and so on.

This paper was created by CITO Research and sponsored by Intel & McAfee Cloud Security Platform

Sponsor: Intel & McAfee Cloud Security Platform

Intel & McAfee deliver a portfolio of client, network endpoint, and data center cloud security products that
are connected by a model of identity aware security. As users, data, and application services are exposed and
consumed to and from the cloud; we establish a layer of trust that spans hardware, software, and cloud traffic
channels. Technology enablement platforms include the McAfee Cloud Security Platform (Identity/SSO, API
Security, email, threat protection, DLP), Nordic Edge OTP (mobile strong authentication), Intel® Trusted Execu-
tion Technology (Data Center Root of Trust), and Intel® Identity Protection Technology (hardware assisted cli-
ent authentication).

About Intel®Expressway Service Gateway (Intel®ESG)

The API Gateway design pattern outlined in this paper can be implemented by deploying Intel®ESG as a soft-
ware appliance, virtualized appliance in the cloud, or as a tamper resistant hardware appliance form factor
with Common Criteria EAL L4+ certifications. Also, available as part of the McAfee Cloud Security Platform as
McAfee Service Gateway. Intel®ESG is a mature product offering that has been deployed widely by fortune
100 corporations, federal governments, and cloud providers to protect SOA, Cloud, and Hybrid service imple-
mentations. Intel®ESG has been ranked a “top developer focused product” by leading analysts and offers true
developer level customization & flexibility. For more, visit: cloudsecurity.intel.com or mcafee.com/cloudsecurity
for video white board tutorials, cloud powered trial evals, and our webinar series on API Management.
 Enterprise-class API Patterns for Cloud & Mobile 13

CITO Research
Advancing the craft of technology leadership

CITO Research
CITO Research is a source of news, analysis, research, and knowledge for CIOs, CTOs, and other IT and busi-
ness professionals. CITO Research engages in a dialogue with its audience to capture technology trends that
are harvested, analyzed, and communicated in a sophisticated way to help practitioners solve difficult busi-
ness problems.

About The Contributors

Dan Woods, Chief Analyst, CITO Research
Dan has written or coauthored more than 20 books about business and technology, ranging from books about ser-
vice-oriented architecture, open source, manufacturing, RFID, and wikis to the ideas driving the latest generation of
enterprise applications, particularly in the face of Web 2.0’s impact on the enterprise. Dan’s most recent book is APIs:
A Strategy Guide. Since July 2008, Dan has been writing a column for Forbes.com.

Andy Thurai, Chief Architect & CTO, Application Security and Identity Products, Intel
Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is respon-
sible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In
his role he is responsible for helping Intel/McAfee field sales, technical teams and customer executives. Prior to this
role he has held technology architecture leadership and executive positions with L-1 Identity Solutions, IBM (Data-
power), BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, gover-
nance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20+ years of IT experience.
He blogs regularly at http://www.thurai.net/securityblog on Security, SOA, Identity, Governance and Cloud topics.

Blake Dournaee, Product Manager, Intel Application Security and Identity Products
Blake is currently the product manager responsible for Intel© Expressway Service Gateway and an expert on API se-
curity. Blake was a specialist in applied cryptography applications at RSA Security. Blake is an established author who
wrote the first book on XML Security and co-authored SOA Demystified (Intel Press).

John Musser, Founder, ProgrammableWeb

John Musser is the founder of ProgrammableWeb.com, the leading online resource for mashups, APIs, and the web
as platform. During his 20-year career in software development he has shipped six award-winning software products
in three industries working with companies including Electronic Arts, Credit Suisse, MTV, and Bell Labs. He has taught
at Columbia University and the University of Washington and has written for a variety of technology publications on
software development, most recently as author of Web 2.0: Principles and Best Practices (O’Reilly Media).