SlideShare a Scribd company logo

5 Tips for Scaling API Governance

John Phenix, profile picture
John Phenix

John Phenix proposes automating API governance at HSBC to improve the developer experience and ensure consistency. He outlines five tips: 1) Govern only real risks, not preferences; 2) Ensure governance scales with development; 3) Shift governance left to catch issues earlier; 4) Transition from reviewing correctness to reviewing appropriateness; 5) Automate as much as possible while still involving people. Phenix advocates a hybrid centralized-federated model and using tools to automate reviews, integrate with CI/CD, and provide dashboards. Example rules cover security, operations, and style standards.

Technology
1 of 17
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Date: June 2020 Prepared by: John Phenix Chief API Architect, HSBC Commercial Bank Automating API Governance PUBLIC
1 1 HSBC - The World’s Leading International Bank 39million customers 3,900 offices 65 countries & territories Present in Reported Revenue $53.8bn 254PB of data Data Centres in 21 countries 96,600+ Servers $1.5 Trillion Daily payments processed 235,000 people around the world 46,000 IT Professionals $2.5bn Run / $3.3bn Change (cash) PUBLIC
2 Challenge PUBLIC How to make API governance an accelerator instead of a brake?
3 Apple’s iOS Standards and Governance platform produces a consistent, market leading App experience Why HSBC needs API Standards and Governance – an example from Apple PUBLIC
4 HSBC’s API Standards and Governance platform will produce a consistent, market leading API developer experience Why HSBC needs API Standards and Governance Governance PUBLIC Governance
5 Tip 1: What to Govern? PUBLIC Security Operations Reputation As little as possible!The minimum needed to deliver value and manage risks Tip 1: Focus governance on real risks rather than personal preferences
6 Comprehensive Tip 2: What does good look like? PUBLIC Scalable Consistent Evidenced Tip 2: Good governance scales to meet delivery cadence
7 Visibility Tip 3: Where to invest effort PUBLIC Tools Training Automation Tip 3: Shift left – make it easier to fall into success
8 Tip 4a: Pick your style - Centralised Small team(s) of API SMEs who manually review APIs. You can duplicate the ARB (API Review Board) in different geographies. Scalable Consistent Comprehensive Evidenced PUBLIC
9 Tip 4b: Pick your style - Federated API Champions from every region and major project to enforce standards locally and escalate non-compliance. Scalable Consistent Comprehensive Evidenced PUBLIC
10 Tip 4c: Pick your style - Automated Speed and safety at scale requires an automated approach. Scalable Consistent Comprehensive Evidenced PUBLIC
11 Tip 4c: Pick your style -– Hybrid Focus manual reviews on exceptions and qualitative analysis. Scalable Consistent Comprehensive Evidenced PUBLIC Tip 4: Move from “Are we building APIs right?” to “Are we building the right APIs?”
12 Tip 5: How to automate Audit Trail API Engineers Governance Engineers Batch Rules Setup CI/CD Pipeline CAGE UI Repository Rules Lead Architects Certification Dashboard CAGE PUBLIC
13 Peer Reviews Tip 5: How to automate PUBLIC Building APIs Right Building the Right APIs Training Tip 5: Automate as much as you can, but you still need people
14 5 Governance Tips Q1: What to govern Q2: What does good look like Q3: Where to invest effort Q4: How to pick your style Q5: How to automate PUBLIC Tip 1: Focus governance on real risks rather than personal preferences Tip 2: Good governance scales to meet delivery cadence Tip 3: Shift left – make it easier to fall into success Tip 4: Move from “Are we building APIs right?” to “Are we building the right APIs?” Tip 5: Automate as much as possible, but you still need people
15 Example Rules Security: • Sensitive info in query parameters • Standard headers • Security policies Operations: • Naming standard • Published to API Repository • Versioning • Check for duplicate APIs • Health endpoint Style: • camelCase, PascalCase and snake-case • Always return 2xx, 4xx and 5xx • Misuse of HTTP verbs • Plural nouns for resource collections • Example request and response schemas PUBLIC
16 PUBLIC

More Related Content

PPTX
Ex Libris REST API Governance Thresholds
joshmweisman
 
PPTX
API Governance – Modern API solutions in a digitalized world
BizTalk360
 
PPTX
API Governance in the Enterprise
Apigee | Google Cloud
 
PDF
API Governance
Sunil Kuchipudi
 
PDF
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays
 
PPTX
APIdays London 2019 - Selecting the best API Governance for your organisation...
apidays
 
PPTX
Monetizing on APIs with better API management and monitoring
Nuwan Bandara
 
PPTX
API Management Workshop (at Startupbootcamp Berlin)
3scale
 
Ex Libris REST API Governance Thresholds
joshmweisman
 
API Governance – Modern API solutions in a digitalized world
BizTalk360
 
API Governance in the Enterprise
Apigee | Google Cloud
 
API Governance
Sunil Kuchipudi
 
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays
 
APIdays London 2019 - Selecting the best API Governance for your organisation...
apidays
 
Monetizing on APIs with better API management and monitoring
Nuwan Bandara
 
API Management Workshop (at Startupbootcamp Berlin)
3scale
 

What's hot (20)

PDF
API Governance and GitOps in Hybrid Integration Platform (MuleSoft)
Sumanth Donthi
 
PDF
apidays LIVE Australia 2021 - SEEK: Establishing a new API integration platfo...
apidays
 
PDF
apidays LIVE Australia 2021 - APIs, open ecosystems, and the emerging future ...
apidays
 
DOCX
API Strategy in Cloud
PavanPardeshi1
 
PDF
apidays LIVE New York 2021 - Design-First: How to champion an API culture shi...
apidays
 
PDF
WSO2Con ASIA 2016: Service Governance Meets API Governance: A Case Study
WSO2
 
PDF
Effective API Governance: Lessons Learnt
Pronovix
 
PPTX
O'Reilly author webinar "APIs: A Strategy guide": Transforming Your Business...
Apigee | Google Cloud
 
PDF
apidays LIVE Paris 2021 - 5 Learnings Shaping Our View on the Future of APIs ...
apidays
 
PPTX
apidays LIVE New York 2021 - API Automation For DevOps at Scale by Rod Cope, ...
apidays
 
PDF
[apidays Live australia] Building a Sustainable Ecosystem with Open APIs for ...
WSO2
 
PPTX
Vizag Virtual Meetup #7: Trending API Topics for 2022
Ravi Tamada
 
PDF
apidays LIVE Paris 2021 - Beyond API Governance: Run your API org like a lean...
apidays
 
PPTX
apidays LIVE New York 2021 - API narrative: A true story of APIs and I by Div...
apidays
 
PDF
Explaining API Integration: How Does API Integration work?
DavidAltmen
 
PDF
apidays LIVE Hong Kong 2021 - Getting API Management adopted: the hearts and ...
apidays
 
PDF
Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...
Apigee | Google Cloud
 
PDF
INTERFACE, by apidays - Aligning teams and strategies behind API investment ...
apidays
 
PPTX
API Management Part 1 - An Introduction to Azure API Management
BizTalk360
 
PDF
INTERFACE by apidays - API Success: Running a Successful API Program by Nelso...
apidays
 
API Governance and GitOps in Hybrid Integration Platform (MuleSoft)
Sumanth Donthi
 
apidays LIVE Australia 2021 - SEEK: Establishing a new API integration platfo...
apidays
 
apidays LIVE Australia 2021 - APIs, open ecosystems, and the emerging future ...
apidays
 
API Strategy in Cloud
PavanPardeshi1
 
apidays LIVE New York 2021 - Design-First: How to champion an API culture shi...
apidays
 
WSO2Con ASIA 2016: Service Governance Meets API Governance: A Case Study
WSO2
 
Effective API Governance: Lessons Learnt
Pronovix
 
O'Reilly author webinar "APIs: A Strategy guide": Transforming Your Business...
Apigee | Google Cloud
 
apidays LIVE Paris 2021 - 5 Learnings Shaping Our View on the Future of APIs ...
apidays
 
apidays LIVE New York 2021 - API Automation For DevOps at Scale by Rod Cope, ...
apidays
 
[apidays Live australia] Building a Sustainable Ecosystem with Open APIs for ...
WSO2
 
Vizag Virtual Meetup #7: Trending API Topics for 2022
Ravi Tamada
 
apidays LIVE Paris 2021 - Beyond API Governance: Run your API org like a lean...
apidays
 
apidays LIVE New York 2021 - API narrative: A true story of APIs and I by Div...
apidays
 
Explaining API Integration: How Does API Integration work?
DavidAltmen
 
apidays LIVE Hong Kong 2021 - Getting API Management adopted: the hearts and ...
apidays
 
Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...
Apigee | Google Cloud
 
INTERFACE, by apidays - Aligning teams and strategies behind API investment ...
apidays
 
API Management Part 1 - An Introduction to Azure API Management
BizTalk360
 
INTERFACE by apidays - API Success: Running a Successful API Program by Nelso...
apidays
 
Ad

Similar to 5 Tips for Scaling API Governance (20)

PPTX
apidays LIVE LONDON - API Standards and Governance Platform by Nicoleta Stoica
apidays
 
PDF
INTERFACE by apidays 2023 - API Design Governance, Nauman Ali, Stoplight
apidays
 
PDF
apidays Singapore 2025 - From API Intelligence to API Governance by Harsha Ch...
apidays
 
PDF
Approaching APIs
Ross Singer
 
PDF
INTERFACE by apidays 2023 - Governance Doesn't Have to be a Dirty Word, Jason...
apidays
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
PDF
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2
 
PDF
API Governance and Monetization - The evolution of API governance
WSO2
 
PDF
apidays New York 2023 - Make API Governance work in your unified API Strategy...
apidays
 
PDF
Build, Test, Deploy: The Ultimate Handbook for Modern API Development
ScalaCode
 
PDF
apidays LIVE Paris 2021 - Low-Code API DevOps approach to API Lifecycle Manag...
apidays
 
PDF
apidays Australia 2022 - API design challenges and making APIs your common la...
apidays
 
PDF
Mastering API Development: A Developer’s Roadmap for Success
jayshridalwi
 
PDF
The Future of API Management and the Impact of Platform Engineering - Kenn Hu...
Nordic APIs
 
PDF
Practical guide to building public APIs
Reda Hmeid MBCS
 
PDF
apidays LIVE Australia 2020 - Building the right API team for right now by Cl...
apidays
 
PPTX
apidays LIVE Singapore 2021 - Re-imagining the investment workflow using APIs...
apidays
 
PPTX
INTERFACE by apidays_Recommendations for API Governance and an API Economy Ce...
apidays
 
PDF
apidays New York 2023 - Governance Doesn't Have to be a Dirty Word, Jason Har...
apidays
 
PPTX
API_Strategy_Architecture_Development.pptx
JPrince9
 
apidays LIVE LONDON - API Standards and Governance Platform by Nicoleta Stoica
apidays
 
INTERFACE by apidays 2023 - API Design Governance, Nauman Ali, Stoplight
apidays
 
apidays Singapore 2025 - From API Intelligence to API Governance by Harsha Ch...
apidays
 
Approaching APIs
Ross Singer
 
INTERFACE by apidays 2023 - Governance Doesn't Have to be a Dirty Word, Jason...
apidays
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2
 
API Governance and Monetization - The evolution of API governance
WSO2
 
apidays New York 2023 - Make API Governance work in your unified API Strategy...
apidays
 
Build, Test, Deploy: The Ultimate Handbook for Modern API Development
ScalaCode
 
apidays LIVE Paris 2021 - Low-Code API DevOps approach to API Lifecycle Manag...
apidays
 
apidays Australia 2022 - API design challenges and making APIs your common la...
apidays
 
Mastering API Development: A Developer’s Roadmap for Success
jayshridalwi
 
The Future of API Management and the Impact of Platform Engineering - Kenn Hu...
Nordic APIs
 
Practical guide to building public APIs
Reda Hmeid MBCS
 
apidays LIVE Australia 2020 - Building the right API team for right now by Cl...
apidays
 
apidays LIVE Singapore 2021 - Re-imagining the investment workflow using APIs...
apidays
 
INTERFACE by apidays_Recommendations for API Governance and an API Economy Ce...
apidays
 
apidays New York 2023 - Governance Doesn't Have to be a Dirty Word, Jason Har...
apidays
 
API_Strategy_Architecture_Development.pptx
JPrince9
 
Ad

Recently uploaded (20)

PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Cloud computing and distributed systems.
kkkkkhan
 

5 Tips for Scaling API Governance

  • 1. Date: June 2020 Prepared by: John Phenix Chief API Architect, HSBC Commercial Bank Automating API Governance PUBLIC
  • 2. 1 1 HSBC - The World’s Leading International Bank 39million customers 3,900 offices 65 countries & territories Present in Reported Revenue $53.8bn 254PB of data Data Centres in 21 countries 96,600+ Servers $1.5 Trillion Daily payments processed 235,000 people around the world 46,000 IT Professionals $2.5bn Run / $3.3bn Change (cash) PUBLIC
  • 3. 2 Challenge PUBLIC How to make API governance an accelerator instead of a brake?
  • 4. 3 Apple’s iOS Standards and Governance platform produces a consistent, market leading App experience Why HSBC needs API Standards and Governance – an example from Apple PUBLIC
  • 5. 4 HSBC’s API Standards and Governance platform will produce a consistent, market leading API developer experience Why HSBC needs API Standards and Governance Governance PUBLIC Governance
  • 6. 5 Tip 1: What to Govern? PUBLIC Security Operations Reputation As little as possible!The minimum needed to deliver value and manage risks Tip 1: Focus governance on real risks rather than personal preferences
  • 7. 6 Comprehensive Tip 2: What does good look like? PUBLIC Scalable Consistent Evidenced Tip 2: Good governance scales to meet delivery cadence
  • 8. 7 Visibility Tip 3: Where to invest effort PUBLIC Tools Training Automation Tip 3: Shift left – make it easier to fall into success
  • 9. 8 Tip 4a: Pick your style - Centralised Small team(s) of API SMEs who manually review APIs. You can duplicate the ARB (API Review Board) in different geographies. Scalable Consistent Comprehensive Evidenced PUBLIC
  • 10. 9 Tip 4b: Pick your style - Federated API Champions from every region and major project to enforce standards locally and escalate non-compliance. Scalable Consistent Comprehensive Evidenced PUBLIC
  • 11. 10 Tip 4c: Pick your style - Automated Speed and safety at scale requires an automated approach. Scalable Consistent Comprehensive Evidenced PUBLIC
  • 12. 11 Tip 4c: Pick your style -– Hybrid Focus manual reviews on exceptions and qualitative analysis. Scalable Consistent Comprehensive Evidenced PUBLIC Tip 4: Move from “Are we building APIs right?” to “Are we building the right APIs?”
  • 13. 12 Tip 5: How to automate Audit Trail API Engineers Governance Engineers Batch Rules Setup CI/CD Pipeline CAGE UI Repository Rules Lead Architects Certification Dashboard CAGE PUBLIC
  • 14. 13 Peer Reviews Tip 5: How to automate PUBLIC Building APIs Right Building the Right APIs Training Tip 5: Automate as much as you can, but you still need people
  • 15. 14 5 Governance Tips Q1: What to govern Q2: What does good look like Q3: Where to invest effort Q4: How to pick your style Q5: How to automate PUBLIC Tip 1: Focus governance on real risks rather than personal preferences Tip 2: Good governance scales to meet delivery cadence Tip 3: Shift left – make it easier to fall into success Tip 4: Move from “Are we building APIs right?” to “Are we building the right APIs?” Tip 5: Automate as much as possible, but you still need people
  • 16. 15 Example Rules Security: • Sensitive info in query parameters • Standard headers • Security policies Operations: • Naming standard • Published to API Repository • Versioning • Check for duplicate APIs • Health endpoint Style: • camelCase, PascalCase and snake-case • Always return 2xx, 4xx and 5xx • Misuse of HTTP verbs • Plural nouns for resource collections • Example request and response schemas PUBLIC