API Governance
Risk and Control Consideration
“Governance should make it easy for people to do the things the right way and hard for people to do things the wrong way.”
Slide 2: API Governance Framework
Provides a governance framework (ring fence) where each team can operate in an agile manner and deliver solutions in line with the organizational Risk Appetite.

1. API Organization
   a. Guiding Principles
   b. Business Road-mapping & Inventory
   c. Funding Model & Monetization
   d. Operating Model
   e. Roles & Responsibilities
   f. Decision Rights
   g. Syndication Model
   h. API Ownership & Accountability
   i. Define metrics
   j. Lifecycle Management
2. Policies, Procedures & Standards
   a. Operating Model
   b. Roles & Responsibilities
   c. API Ownership & Accountability
   d. Best Practices
   e. API Development Guidelines
   f. Cataloging & Classification
   g. API Ontology
3. Risk Controls
   a. Regulatory Compliance
   b. Information Security Controls
   c. Risk Adjudication
   d. API Controls Frameworks
   e. Controls Automation CI/CD
   f. Continuous Controls Monitoring
4. Technology & Platforms
   a. Services Gateway
   b. Services Registry & Catalogue
   c. Information Model
   d. Development Model (Int. & Ext.)
   e. Best Practices
   f. Reference Architecture Blueprint
      i. Conceptual & Logical Layers
   g. Sustainment
   h. Containerization
5. Vendor Management
   a. 3rd Party API Vendor Relationships
   b. Data Ownership & Privacy
   c. Legal Implications
6. Change Management
   a. Business Impact & Readiness
   b. IT Operations
   c. Stakeholder Management
   d. Communication & Training
   e. API Market Place Updates

Diagram labels (framework layers): Vision & Strategy; Lifecycle Management; Business Process; Architecture; Foundational Infrastructure; Services Platform; Services Layer; API Consumers; API Providers.
Diagram labels (control points): Discovery; Catalogue; Versioning; Authentication; Entitlements; API Ownership; Data Standards; Data Ownership; API Lineage; Controls; Risk Ownership; Deviation Process.
Slide 3: API Governance Operating Model
Notional Functional Organization to enable the success of the API strategy.

Operating model diagram (reconstructed from the slide labels):
Stakeholders & Executing Steering Committee: Set Vision & Strategy; API Lifecycle
1. API Organization Team: Guiding Principles, Roadmaps, Lifecycle Management
2. Policies, Procedures & Standards: Operating Model
3. Risk Control & Security: Governance, Controls, 1st Line of Defense
4. Technology & Platforms: Technology Enablement & Foundational Services
5. Vendor Management: Platform and Runtime Vendor Relationships
6. Change Management: Business Impact, Change & Communications
Slide 4: Notional API User Community
User Community Interactions. API Governance needs to account for the different types of interaction scenarios and the related controls at each scenario and interaction point.

API Eco-system (diagram labels):
• API Producers: Internal; 3rd Party APIs
• API Consumers:
  • API Developer (Partners & Trusted Developer): other API developers will incorporate the API into their code base.
  • Mobile Platform: users who consume and incorporate API data into their app development.
  • 3rd Party Consumer: 3rd party API that systems and apps will consume.
• Developer community: Internal Developers; Partner Developers; External Developers
Slide 5: API Power Plant Analogy – Vision of what we need to build and govern…
APIs provide a simplified standard interface for users to access the power of Citi through foundational architecture and processes.
Analogy labels: Simple Standard Interface; Abstracts Complexity for the User; Monetization; Metering; Elasticity; Controls; Security.
Slide 6: API and Business Process Context
There is a risk that organizations incorrectly treat APIs as independent entities; APIs should be identified and created within the context of a business process.
Diagram label: APIs help the business process of the organization.
Slide 7: 1.0 API Organization
An API organization is needed to address the following:
a. Guiding Principles: The guiding principles guide the development of an API organization and how the effectiveness of APIs is measured. They raise questions such as “what is the quantifiable business value, and what is the pricing model?” and guide API producers to assess regulatory and reputational impact, reusability, naming conventions, the information model, and whether the API is standards based. They enable users to understand the business process being enabled, and define common traits so that teams are not repeatedly re-inventing the wheel.
b. Business Road-mapping & Inventory: Create a multi-year roadmap with quarterly goals and updates. Create an execution plan with checkpoints aligned to the roadmap. Incorporate input from Stakeholders and the Steering Committee. Identify the assets that really matter, both from a business value perspective and from a risk perspective.
c. Funding Model & Monetization: Translate the roadmap into a funding model and a monetization model for internal and external consumers. Do we have a model to capture the end-to-end lifecycle of the APIs? APIs provide a single end point, and a splintered funding model can put the success of the API strategy at risk.
d. Functional Team Operating Model: Create and manage the Citi API Functional Team model and its interactions (Slide #3). Update functional changes and ensure communication and updates between groups.
e. Roles & Responsibilities: Clearly outline and help manage the roles and responsibilities of the Citi API ecosystem.
f. Decision Rights: Formalized decision rights defining which person or group makes the make-or-break call.
g. Syndication Model: Model for teams to pool resources and funding in a shared model of API management; e.g. APIs can aggregate data from multiple distributed systems and data sources, which brings support and issue-ownership implications to light.
h. API Ownership & Accountability: API owners translate and personalize the change to the impacts within their function/LOB. They are also the advocate, the go-to person within their function/LOB for understanding the changes.
i. KPI and Metrics Definition: Create KPIs to quantify business value and metrics that organizations can use to measure progress.
j. Lifecycle Management: In reference to Slide #3, own the “dashboard” around the management, care and feeding of the end-to-end lifecycle of the APIs.
Slide 8: 2.0 Policies, Procedures & Standards
Responsible for Policy Creation, Procedure Documentation, and Standardization…
a. Operating Model: Do we have a set of questions that will guide the development of APIs and measure their effectiveness? For example: what is the business value, and does the API provide measurable business value? What is the regulatory impact and the reputational impact? Develop naming conventions, an information model and standards. Which business processes do the APIs enable?
b. Roles & Responsibilities: Assign and identify roles and responsibilities within the API ecosystem, within the context of the operating model.
c. Best Practices: Translate the roadmap into a funding model and a monetization model for internal and external consumers. Do we have a model to capture the end-to-end lifecycle of the APIs? APIs provide a single end point, and a splintered funding model can put the success of the API strategy at risk.
d. API Development Guidelines & Cookbooks: Create API development guidelines for the Business (Product Owners) and Development teams to build APIs using a standard Reference Architecture. Cookbooks outline step-by-step details on how to build APIs in a consistent model and ensure multiple teams can be leveraged to source and build APIs.
e. Cataloguing & Classification: Similar to a book library, create the process to catalogue and classify the different types of APIs (business, infrastructure, partner etc.) based on a standard taxonomy. Ensure metadata exists for ease of discovery and re-use.
f. API Ontology Model: Building upon the taxonomy, we need to create an ontological model for APIs and their semantic relationships and dependencies.
Slide 9: 3.0 Risk Controls
The 1st line of defense to help drive compliance and assure that the necessary controls are in place…
a. Regulatory Compliance: Understand the regulatory implications of creating APIs. This is especially important when we start exposing APIs as public or partner end-points.
b. Security Controls: Information Security guidelines and standards to ensure secured, auditable and hardened APIs in line with the Security Standards.
c. Risk Adjudication: As multiple teams and groups build APIs, act as the arbitrator and adjudication agent to assign risk from an enterprise perspective, in line with the organizational risk appetite.
d. API Controls Framework: Develop a controls framework that is based on the API architecture.
e. Risk Controls Automation CI/CD: Build-time injection of compliance controls into the CI/CD process during the API build.
f. Continuous Controls Monitoring: Operational monitoring of APIs at run time: metrics gathering, analytics, monetization and value measurement.
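The build-time control injection in (e), together with the catalogue metadata of slide 8 (e), can be expressed as a policy-as-code gate that fails the pipeline on any un-adjudicated deviation. The following is an added Python example, not code from the deck or from Citi or IBM; the catalogue field names, the constructed entries and the deviation record format are assumptions.

```python
"""Build-time API governance gate: an added example, not from the deck.

Each catalogue entry (constructed below; field names are assumptions) is
checked against control points the framework names: API Ownership, Data
Ownership, Risk Ownership, Versioning, Catalogue classification,
Authentication, Entitlements, API Lineage and Regulatory Compliance for
partner/public exposure.  A finding covered by an approved deviation record
(the Deviation Process / Risk Adjudication) is reported but does not fail
the build; any other finding does.
"""
import sys
from dataclasses import dataclass

TAXONOMY = {"business", "infrastructure", "partner"}   # slide 8 (e) taxonomy
EXPOSURES = {"internal", "partner", "public"}


@dataclass(frozen=True)
class Finding:
    api: str
    control: str
    detail: str
    waived: bool = False   # True when an approved deviation covers the control


def _ownership_checks(entry):
    for field, control in (("owner", "API Ownership"),
                           ("data_owner", "Data Ownership"),
                           ("risk_owner", "Risk Ownership")):
        if not entry.get(field):
            yield control, f"no {field} recorded"


def _catalogue_checks(entry):
    if entry.get("classification") not in TAXONOMY:
        yield "Catalogue Classification", "classification not in standard taxonomy"
    if not entry.get("version"):
        yield "Versioning", "no version assigned"
    if entry.get("exposure") not in EXPOSURES:
        yield "Exposure", "exposure must be internal, partner or public"


def _security_checks(entry):
    if entry.get("authentication", "none") == "none":
        yield "Authentication", "operations exposed without authentication"
    for op in entry.get("operations", []):
        if not op.get("entitlement"):
            yield "Entitlements", f"{op['method']} {op['path']} has no entitlement"
    if entry.get("exposure") in ("partner", "public") and not entry.get("regulatory_review"):
        yield "Regulatory Compliance", "partner/public exposure without regulatory review"
    if entry.get("aggregates") and not entry.get("lineage"):
        yield "API Lineage", "aggregating API declares no upstream lineage"


def evaluate(entry):
    """Run every control over one catalogue entry and return its findings."""
    waived = {d["control"] for d in entry.get("deviations", []) if d.get("approved_by")}
    findings = []
    for check in (_ownership_checks, _catalogue_checks, _security_checks):
        for control, detail in check(entry):
            findings.append(Finding(entry["name"], control, detail, control in waived))
    return findings


def gate(catalogue):
    """Return (passed, findings); the build passes only if every finding is waived."""
    findings = [f for entry in catalogue for f in evaluate(entry)]
    return all(f.waived for f in findings), findings


# Constructed sample catalogue: one well-governed API and one with gaps.
CATALOGUE = [
    {"name": "account-balance", "version": "2.1.0", "classification": "business",
     "exposure": "internal", "owner": "retail-core", "data_owner": "retail-data",
     "risk_owner": "retail-risk", "authentication": "oauth2",
     "operations": [{"method": "GET", "path": "/balances/{id}",
                     "entitlement": "balances:read"}]},
    {"name": "partner-payments", "version": "1.0.0", "classification": "partner",
     "exposure": "partner", "owner": "payments", "data_owner": "",
     "risk_owner": "payments-risk", "authentication": "mtls",
     "aggregates": True, "lineage": [],
     "operations": [{"method": "POST", "path": "/payments",
                     "entitlement": "payments:write"},
                    {"method": "GET", "path": "/payments/{id}", "entitlement": ""}],
     # Adjudicated exception: recorded, time-bound and approved, so it is waived.
     "deviations": [{"control": "Regulatory Compliance",
                     "approved_by": "risk-adjudication", "expires": "2025-12-31"}]},
]

if __name__ == "__main__":
    passed, findings = gate(CATALOGUE)
    for f in findings:
        print(f"{'WAIVED' if f.waived else 'FAIL  '} {f.api}: {f.control} - {f.detail}")
    sys.exit(0 if passed else 1)   # non-zero exit blocks the CI/CD pipeline stage
```

Run as a pipeline step, the script records every deviation for the Risk Adjudication function and blocks promotion until each is either fixed or formally waived.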
Slide 10: 4.0 Technology & Platforms
Foundational technology platforms and architecture that enable the organization to realize its APIs.
a. Technical Stack: Provide a technical Reference Architecture and stack to jump-start API development.
b. Lifecycle Management: Foundational technology to enable lifecycle management as outlined in the API Organization functional stream.
c. Service Gateway: Gateway infrastructure to create secure API end points for managing consumers and producers.
d. Service Registry & Catalogue: Registry for APIs and the cataloguing method, naming conventions and policy management.
e. Information Model: Determine and publish an industry-based Information Model that is in line with Citi Data Standards.
f. Development Model (Internal & External): Create an environment for the development and publishing of APIs, keeping in mind the different interaction paradigms. Manage a developer community to ensure API adoption and contribution.
g. Technology Best Practices: Knowledge base to capture best practices and lessons learned. How do we build effective APIs?
h. Reference Architecture Blueprint: Layered Reference Architecture that illustrates a multi-tier architecture, e.g. Process Layer, Conceptual Layer, Logical Layer, Services, Platforms etc.
i. Sustainment: Determine the process for sustainment of APIs based on SLAs. Sustainment should take into account a distributed support model (e.g. when an API aggregates data from other APIs or data sources).
j. Containerization: Modular packaging of APIs and platform-agnostic implementation (e.g. Docker).
Slide 11: 5.0 Vendor Management
Vendor Management for APIs creates new interaction points with partners, development teams and internal stakeholders…
a. 3rd Party Vendor Relationships:
   a. API Vendors
   b. Technology Vendors
   c. Data Vendors
b. Data Ownership & Privacy: Who owns the data? In a distributed data model, APIs could aggregate or translate data from various systems, or perhaps be consumed in various mobile apps. What happens when someone uses an API to build a mission-critical app and the API breaks?
   a. Cross-border movement of data: what are the implications of an API consumer from Europe using an API that has data from the US? Privacy laws are relative to the geography you are in.
c. Legal Implications: What are the legal implications when APIs are consumed or produced in the API economy? How do things work in a partnership model? What are the legalities around using APIs from social media or open source APIs?
Slide 12: 6.0 Change Management
Address API Changes and Business Impact…
a. Business Impact of Change & Readiness: CM process and its impact on business and controls…
b. IT Operations: Change process centered around the IT operations that support APIs.
c. Stakeholder Management: Manage changes to API Consumers, Vendors, Steering Committee, Business Owners, Developer Community and Integrations.
d. Communication & Training: Communication plan and forum for changes being made, sunset APIs, data quality and training. Developer training, API community support, marketing to deliver and create API eco-systems and build co-brand and brand recognition.
e. API Market Places: API Content Management, Developer Communication, Partner Integration.
*Source: IBM API Reference Architecture

Slide 13
https://developer.ibm.com/apiconnect/documentation/api-101/ibm-reference-architecture-api-management/
