When evaluating API Management, what aspect do you think is the most important to look for?

To me the most important aspect is following.
1) Security of the gateway & APIs - Almost all API solution vendors offer nearly same security policy on the gateway.
2) Ease of use - Since this is niche and finding right talent is difficult and costly. This feature makes a difference. While evaluating we should ask question that how easy is to use this tool and train people.
3) Performance management and monitoring - It is very important to get timely info from the gateway on the events which are occurring and issues which may occur.
4) Life Cycle Management - This need to align with organizational policy with respect to usage of APIs

Below you can find a list of elements I recommend to consider when evaluating this type of solutions.
Security Gateway
- Directory Authentication
- API Security

API Life Cycle Management
-API Deployment Management

Service Registry & Discovery
- API Discovery
- API Aggregation
- Protocols/Message Support
- Third Party Application Integration

Performance Management
- Traffic Management
- Mobile Optimization
- HTTP Acceleration and Data Caching
- Load Balancing and HA and Resilience

Analytics & Monitoring
- API Monitoring
- Email notifications (exchange)
- Analytics Services

Additional Capabilities/Characteristics
- Availability
- Support Model

Key elements Security features to make sure the APis are secured against malicious attacks.
another consideration is related to features to central manage a disparate set of APis, not matter they are exposed using the API management or not.

I think it depends on what is important to the business along with technical considerations. There are various aspects to consider including:

* Functional
* Performance
* Development
* Maintainability
* Lifecycle management
* Governance
* Cost
* Support/Training

The weighting of these factors in a selection/decision process will be determined by the importance of each factor to the organization and whether there are any constraints imposed (e.g., cost). Each vendor provides a different mix or emphasis of certain capabilities balanced against the product cost. Open source options exist if an organization is willing to compromise on certain aspects (e.g., functionality or support & training).

I would recommend you look at:
- Support for different ways of securing your APIs (Oauth, api key management, white listing, black listing, CORs etc)

- Deployment - you want your API Gateway to by close in terms of network proximity to the things being offered as APIs, so that there is little opportunity for circumventing the security. So if the APIs being provided are on-prem then can the API Gateway being used be run on-prem. If you're in the cloud does it restrict you to a particular vendor?

- Moneytization/utilization - whilst not everyone may be monetizing their APIs the insights into who is using the API platform, when, were can still be very beneficial in terms of providing SLAs even within an organization

- Scaling and control - whilst the gateways maybe be deployable to different locations you need a good secure central management view of all you APIs and where they are deployed. The gateways need to be easily scalable to handle increases and drops in volume, and such that the costing of the flex is not signficiant increments

- Performance and Reliability - you need a solution that can handle the call volume that far exceeds that of your back end as it needs to remain up and running when having to deflect attempts to disabler API servicves if they're public facing. This also means stability, reliability and predictability are important.

- API life cycle, the API goes beyond just the runtime moment, but you need to have a means to design the APIs in a collaborative manner (see API First), but API documentation in addition to the actual URIs and payload structures need to be captured. With this comes verison management of APIs so you can support API version strategies.

- The ability to add your own custom rules and custoim payload validation should be present. Sooner or later you'll need to add a rule into the API management that isn't supported out of the box. ideally there is the opportunity to inspect the payload and ensure there is no malicious content before it reaches the back end system. This is particuarly important if the backend system is known to be weak in terms of security - e.g. a dating PHP backend potentially will be vulnerable to SQL injection, so protecting it in depth is a need.

Best API Management Solution should support your future AI goals. There is no AI without APIs. The solution should provide:
- Reliability with zero business downtime
- Flexible and distributed deployments with near to real time data synchronization
- Single robust layer of security and integration with security add-ons systems
- Analytics for data based decision making
- Quick ROI
- Market adaptability
- Strong road-map for future
- Traffic Management
- Strong error Management
- Defined procedures for Backup and recovery
- Public Portal to showcase partner/developer APIs with complete documentation

Thanks,
Saiful Islam
Digital Solution Architect

Below are my inputs. Hope this helps

Before we embark into an API Management product evaluation, would advise to first assess their current API adoption maturity to identify the maturity level(foundation to enterprise platform), list down the capabilities to build and problems to address(immediate and long-term). These would typically be the imperatives from the digital/API strategy. Post this an evaluation of API Management product against define criteria and weight can be conducted to have a better validation of the product that would fit the strategy. Based on my experience, below are the some of the key aspects that I would look at when evaluating an API Management product

1. First, want to look at a product where my developers' life is eased and it accelerates the API lifecycle(from creation, testing, deployment, monitoring & securing).API developer portal(product vendors use different names for this feature) which is the primary interface for our developers, should enrich the developers experience with a developer & administrator friendly, point & click, configurable, installation ease interface. It is a very critical feature and if developers endorse the value(we should see a significant acceleration in API lifecycle), then we will see an acceptance & seamless adoption across the enterprise

2. Products should also be business-friendly – should provide the self-service capability to business so that IT can delegate the development of commonly requested functionality(API’s) to business. An example scenario is a request from Business for pulling up a subset of data(backend/process API’s) from the back-end system and displaying a report on mobile or other channels. Today, we have products where API’s can be created on the fly from a different system of records thru a point and click interface

3. Capability to abstract the web services and expose it as API’s – we will encounter with a landscape which is legacy driven where we will have SOAP web services and the immediate requirement is to expose them as APIs without going for a full modernization program. So, want to look at a product where it can build upon the API’s/web services which are already developed and the need is to make them available across omnichannel quickly without the need for a full rewrite of the code

4. API Gateway - Features for exposing the API’s securely across the extended enterprise(customer, partners & employees) which would include varied deployment environments(on-prem, Cloud, Hybrid, PaaS, and CaaS).Should come with configurable policies, proxying capability, traffic control, auto-scaling & installation ease. For high transaction loads especially during the holiday season(like black Friday) where we will see a spike in API transaction volumes and we would need the Gateway to scale up seamlessly. So, scaling would be a key feature to look at

5. Capability to manage & secure microservices API’s – as we are into an era of digital economy where business agility is one of key capability which is enabled thru Microservices adoption, would look into the capability of microservices management in the product – leveraging the API gateway, we can manage the interaction between microservices, ensure security compliances and also leverage the product for microservices development. Some of the products come with declarative business logic capability where we can develop the logic thru the usage of an excel spreadsheet. So, microservices development and management would be a good capability to look at

6. Capability to convert APIs developed from different protocols (SOAP to REST and vice versa) out of the box. As mentioned above, we will have the legacy estate in the enterprise and there would be API’s that are developed using different API specs and the world (erstwhile SOA and microservices)

7. API analytics and Monitoring capability – it is critical to have an analytical and monitoring capability out of the box to monitor your API health and produce KPI reports which can be used for assessing the business value & predictive maintenance

8. API versioning – product should have the capability of auto-versioning of APIs

9. API Testing – should have the capability for automated API testing using their own product stack or leverage other industry standard testing tools in the market

10. Enable DevOps culture – should come with capabilities to seamlessly integrate with either proprietary DevOps pipeline tech stack or Open source

11. Licensing Option – should come with a flexible commercial model for Onprem, Cloud, Multi-Cloud & Hybrid – we should be able to shift between hosting model

12. Deployment – should be able to deploy all the components or a subset of components across different environments(Onprem, Cloud, Multi-Cloud & Hybrid)

13. Support Model – should look at product vendor support model for the product – tech support, SLA’s, Partner Eco-System, Training, Academy, Certification, POC support & Product Roadmap

14. Organization Unit Details – look at if API Management is a dedicated org unit or it is an acquired entity and will be part of a larger product. This will give an indication of their commitment and vision

15. Support for PaaS/CaaS – should have capabilities to deploy across PaaS or CaaS

For solution development, I look for proven reliability, responsiveness, scalability, security, ease of use. The aforementioned answers are great too - the tool should support a full lifecycle, from development, to testing, deployment, monitoring and maintaining APIs, with real-time alerts and dashboards.

My opinion is that API portfolio definition in the form of catalog management and formal subscriptions to catalog-driven API definitions and, ideally where such subscriptions can be monetized, is the most important and differentiating aspect.

Many great comments have been made here. I'll add that it's important to conduct a POC and make sure the product meets your requirements - today and anything planned for the near future. APIM is growing in scope and capabilities so you'll want to ensure your vendor of choice has the resources to keep up with expectations as this space matures. APIM leaders today may not be the leaders tomorrow.

There should be a level of maturity in the release of an API. Some of the important aspects would be; 1. API to be searchable and identifiable; 2. Well documented and clear as to what is provided and what is needed; 3. Has a solid and robust logging and monitoring integration.

The point to note is that an API is as good as its stability and high response times.

Rajeev,

all vendors mentioned in the Gartner report have their merits. not just the leaders. Check this list I put together to vet the possible solution providers - maybe this helps.
1. Requirements – if you do not need external developer integration, don’t look for the snazziest portal
2. Infrastructure fit, if you are a Microsoft shop, don’t go for Open Source
3. Deployment – if you need your data to be on–premise for any reason, don’t go to the cloud
4. Integration – if you have many custom legacy bits, look for fast integration points and check (2)
5. Governance – is Lifecycle Mgmt an issue? Dependency charts, repository?
6. Ease of Use – install and use the software as fast as possible to “feel” the vibe – which one fits best?

Hope this helps

The ask is we want a API Gateway and Management tool which is capable of providing following sets of features:

•Encryption/Decryption[Part/full message based on AES or 3DES algo]
•Protocol Translation [SOAP-REST]
•Credential Management
•Load Monitoring & Management
•URL management
•Prevention against XSS and SQL Injection threats

For this we explored tools which are marked as leaders in Gartner Reports and based on that we identified following tools and now they want a comparative analysis on below mentioned tools which can be easily plugged into their landscape:

1.Oracle API Gateway
2.Mulesoft
3.Redhat( 3 Scale API) -- it seems that they provide the solution on cloud instead of On-Premise . Plus they don't have a simple solution rather it required a lot of customization in order to meet the customer requirements.
4.APIGEE

As of now we are not bound to any product it just we need comparative case study among above listed products and solution for this use case.

According to me its the features offered like security, easy of use, complete API Life Cycle Management, performance, scalability, low cost, deployment and maintainability.

Actually, it depends on the requirement. However, in general, I believe that the most important thing is the vendor expertise on the ground, second is how secure is that APIM solution and does it have OOTB security and IAM features, third thing, is how comprehensive is that solution, does it help developers to create services faster and fourth thing is the API portal and how easy to use is it and does it help in monetizing the data/APIs,

There are various factors which can be considered, depending upon the API,is: is it for internal (within org.) or external consumption. Also what functionality it exposes, do we need to put monitisation, geolocation details, what level of security is required and so on.

1. Requirements – if you do not need external developer integration, don’t look for the snazziest portal

2. Infrastructure fit, if you are a Microsoft shop, don’t go for Open Source

3. Deployment – if you need your data to be on–premise for any reason, don’t go to the cloud

4. Integration – if you have many custom legacy bits, look for fast integration points

5. Governance – is Lifecycle Mgmt an issue? Dependency charts, repository?

6. Ease of Use – install and use the software as fast as possible to “feel” the vibe – which one fits best?

The most important aspect is the one which best solves your need. What are the thing you need to succeed in the project? Is security your top priority? How about developer access to your APIs? I['ve seen many different needs for an API Management solution. Develop your must have's and then you best evaluate solutions.