This blog post summarizes a session from LEAP 2.0: The API governance conference, featuring key takeaways and insights. Explore the full on-demand videos, slides, and more here.
When you’re making API governance decisions, it helps to understand what great looks like. This is where a recent talk by Justin Russo at the LEAP 2.0 API Governance Conference comes in. Justin works as Senior Systems Software Engineer at Northwestern Mutual, a life insurance and financial services company. He shared the details of his business’s mature, effective API governance model, to showcase how streamlined developer experiences and automated governance can deliver a whole range of outcomes.
We’ve shared key insights from Justin’s presentation below, including top takeaways on:
- The challenges of automating API governance
- What goes into an API governance model
- What API governance looks like at Northwestern Mutual – and why
- The benefits of implementing an automated API governance model
Read on to discover the huge range of benefits that well-conceived and well-implemented API governance can deliver – and how to achieve them.
Building a next-generation API ecosystem
Northwestern Mutual has streamlined its developer experience by building its own automated governance model. The business has transformed its technical infrastructure, building on its 160-year history to position it at the forefront of driving industry-leading outcomes.
The business has long been an early embracer of technology, ever since it purchased one of the original commercially available IBM mainframe computers back in the 1960s. This means that there’s still legacy code lurking around Northwestern Mutual corners, at the same time as APIs are enabling the next generation of the business.
The challenges of implementing automated governance
Building an API that’s going to remain relevant means looking ahead. If you want the API that you’re building today to still be useful in five years’ time (instead of you rebuilding it every year or so), you’ll need to think about API governance.
An API governance model embraces standards, security metrics and more, all of which you can make into a full-on automated process. There are, of course, challenges to implementing such a model. However, overcoming these challenges can deliver significant results.
The challenges for Northwestern Mutual fell into three categories: API sprawl, compliance and consistency, and developer experience.
API sprawl
Do you know where all your APIs are, where they’re deployed to and who’s using them? Are you confident they have consistent security in place? And do you know what they’re being built on? The evolving nature of API infrastructures means that many businesses struggle to have a clear picture of all of this. Instead, they end up, over time, with API sprawl.
Northwestern Mutual tackled this head on by automating the registration of every API within the business within an API registry, or API catalog. It then put discovery endorsements in place to ensure people could find the APIs, know their value and reuse them.
The business also implemented automated insights and trend analysis, to see what was being used, where and how. It also automated the retirement of APIs, to ensure that those that were no longer relevant were struck from the environment, with retirement workflows in place to move customers along to the next and better solution for their business needs.
Compliance and consistency
Ensuring compliance and consistency within its APIs was another challenge that Northwestern Mutual sought to overcome. The business wanted to ensure that every API it deploys meets its standards and is built in a consistent way. Doing so means those interacting with different APIs from different parts of the company, can know what to expect. They don’t have to relearn an entire domain every single time.
Achieving this meant introducing a concept of governance by default, with 0% high security vulnerabilities – something that results from having good, standardized engineering practices in place.
Northwestern Mutual also wanted to ensure business relevance was embedded into every API it deploys, ensuring a sound business purpose (rather than a niche reason) for each API.
Developer experience
Developer experience was also a key challenge to overcome. Building an API governance model that makes developers’ lives harder will result in people not wanting to align with that model. It’s essential to make it easier for developers to meet your governance model where it is – and be able to build upon it.
Northwestern Mutual did this through a process called the integrated tech stack, which saved its engineers 40 hours per application that they needed to set up. All thanks to automations.
It also built in fail-fast processes, ensuring engineers know about any failures as soon as possible. Notifications alert the engineers to take corrective action, instead of them having to wait until they’re going to production to find out that there’s an issue.
The final element Northwestern Mutual focused on was adoption – because people need to know about APIs and use them if they’re going to deliver ongoing value. By including this focus, it has achieved an 80% adoption rate within the business.
What goes into an API governance model?
Northwestern Mutual sees an API governance model as having three specific categories: API management, business domain driven architecture and maturity model.
A good, centralized API management column in your governance model ensures there are good management practices in place to allow people to stand up APIs, retire them, and maintain them throughout their lifecycle. This encompasses having good tools to design, publish, document and secure APIs.
The second element of the API governance model embraces what is commonly called domain driven design. At Northwestern Mutual, this approach ensures that everything the business is building aligns with business domains, to ensure good business relevance.
The final element is the maturity model, which represents several stages along the API journey, from inception to initial deployment, all the way up to production (and beyond). It fosters a culture of collaboration among different teams and promotes constant reevaluation of what constitutes “great” when building your APIs.
What are the benefits of governance by default?
Bringing these elements together results in governance by default. It means that you can stand APIs up quickly while ensuring they align to what your business needs, have a path to a place where they are relevant, and continue to be a core pillar of what you want to build, which people will want to use.
This supports all of the different core personas who need to interact with your API ecosystem:
- API developers can create faster, compliant APIs with visibility into their usage and the ability to retire them seamlessly. You can accomplish this by building an integrated tech stack (more on that below) and ideal CI/CD deployment pipelines.
- API consumers can find compliant APIs, integrate with them and pull out business value by reusing them. An API registry helps here by cataloging and finding APIs, with access control systems supporting secure reuse.
- API governance inspectors benefit from visibility on the adoption, standards enforcement, trends, exceptions and usage patterns of your APIs. You can achieve this with auto-discovery through your API gateway, leading to auto-registration in your API registry, all with robust API standards that are endorsed, well-implemented and reported on.
- API management teams have the ability to maintain a complete API management lifecycle in an automated and secured way, while enabling internal stakeholders to adopt an API first mindset. This requires an efficient infrastructure, including an API gateway, API registry, security enforcement, reporting, governance and analytics covering the entire API ecosystem. Abstracting all this away means that those who are building APIs can focus on building them, rather than infrastructure concerns.
The Northwestern Mutual automated API governance model
Northwestern Mutual has built its automated API governance model around three key areas: the creation and deployment of APIs, notification and endorsements of APIs, and API reporting. Within those areas, are the main stakeholders: developers building the APIs, domain architects evaluating the APIs and ensuring they meet the required standards, and inspectors looking at the overall picture of APIs within the model.
Within this model, the developer uses an integrated tech stack. This is essentially a developer toolkit with a bunch of predetermined recipes for different types of application creation patterns within Northwestern Mutual’s accepted standards for what an application is.
A simple example of this is building an API using Node. Js in a dockerized container that’s deployed to Kubernetes. The integrated tech stack has a little button that says, “I want to make a Node. Js microservice.” You name the API, classify it within a business domain and specify what you want the API to achieve. Push a button and the system delivers new code, based off Northwestern Mutual’s templating, with all the compliance and security built in, to a repository. That triggers CI/CD pipelines that get the API into an environment, so you can immediately start seeing the API working, interact with it and build upon it iteratively.
The product is then vetted through the CI/CD pipelines, with any API that doesn’t meet the endorsement standards disallowed from going to production. This means notification endorsement is a crucial part of the process.
When an API gets deployed within Northwestern Mutual, it gets registered within the business’ API gateway, then auto-registered into the API registry catalog. At that point, a notification gets sent to the domain architect, who can then review the API to ensure it meets the required standards and maturity level. The developer then receives feedback.
Finally, as soon as an API is registered and deployed to Northwestern Mutual’s environment, the business can extract all sorts of data, metrics and analytics about its usage. It can pull that information into dashboards, showcasing which APIs are being used most, when APIs stop being used, whether any APIs are being used but shouldn’t be, and so on, as well as ensuring APIs are compliant. This also supports the tracking of various other matters. For example, if the business is aiming to adopt JWT as the main authentication model for APIs, it can track this and start pushing teams towards that direction.
Automated API governance with Tyk
Tyk sits at the heart of Northwestern Mutual’s API governance model. As a highly scalable, centralized API gateway, Tyk provides Northwestern Mutual with outstanding flexibility. It provides for all of the business’s documentation and governance needs, while also serving as a policy enforcement point for both coarse-grained and fine-grained entitlements (including field-based enforcement and policies for GraphQL).
Northwestern Mutual is also using Tyk as its main security enforcement point, with Tyk enabling the business to use API keys, general OAuth, JWT and great traffic management options like rate limiting, throttling, quotas, caching and circuit breakers. These are all built into the main gateway product.
The business also uses Tyk to export metrics to New Relic and Dynatrace. Tyk supports OpenTelemetry as a main tracing model to enable this seamlessly. The highly adaptable Tyk Pump component takes the Tyk central metric store and enables you to push out data to a dozen or more different reporting software tools.
The benefits of automated API governance
Northwestern Mutual worked with Tyk to build out its general maturity model design. It’s something that all businesses can do, using the Tyk API platform maturity model.
Doing so is a key step in developing an automated API governance model that empowers you to:
- Create compliant APIs quickly
- Fail fast via notifications, with self-service remediation instructions
- Report fast via automation, with detailed dashboards
- Comply fast via endorsements
- Enforce everything the right way, with early non-compliance warnings
This provides everything you need to ensure that your engineers are building things that will work for you as you head towards your organization’s bright future.
Inspired to implement your own automated API governance model? Then it’s time to talk to Tyk!
