The Bring Your Own Device (BYOD) movement has gained unstoppable momentum. And thanks to the burgeoning mobile app market, employees have high expectations for these tools. They want an attractive user experience tailored to their devices. In other words, companies need to invest in building apps, period.
During my two decades of working in enterprise IT, I’ve observed the client-server revolution, the internet explosion and the service-oriented architecture (SOA) boom. Despite all the buzz around cloud and big data, I believe mobile will dominate enterprise IT transformation over the next decade and help to shape those other two trends. Our company, Layer 7 Technologies, and competitors such as Apigee and Mashery, are providing API management solutions to support mobile integration for the consumer app market. I believe that BYOD will spark an ever greater demand for API management to address enterprise mobile apps.
I’ve seen some companies try to cut corners by pushing their existing browser-based enterprise apps out to mobile devices, and the returns are not encouraging. One electronics company Layer 7 worked with wanted to create a multi-platform mobile app for their employees, but discovered that their web security tokens were truncated on iPhones. An airline we worked with rolled out their first iPhone app and failed to get traction, because the user interface mimicked their backend green screens. These companies limited themselves by not taking advantage of the unique features of mobile devices, and employees were uninterested in using the clunky apps.
These are cautionary tales, but they have happy endings. Both companies ended up investing in the user experience. And by reusing much of their existing enterprise infrastructure, they still saved a lot of money. The electronics company fixed their mobile security protocol without replacing their access control servers. And the airline rewrote their mobile app to be more user-friendly without changing the backend enterprise application. Both companies combined their existing enterprise assets with an API management solution to create mobile-friendly APIs. These APIs powered the mobile apps with suitable security, reliability and performance.
Redrawing the borders between the presentation, logic and data tiers
These examples signal a shift in the enterprise IT landscape. During the internet explosion, applications settled on three tiers: presentation, logic and data. Because of the enabling technologies, the lines between the presentation and logic tiers frequently blurred, and a hard border was created between the logic and data tiers. For example, a web app for order processing might include business logic steps in the browser code either deliberately or by accident (if the same developer codes both tiers). With the enterprise mobile movement, I think that the tiers will remain the same.
However, I believe that the overwhelming emphasis on user experience combined with the impact of cloud and big data will now blur the line between logic and data, and the border between presentation and logic will become much more complete. That concrete border has a name: it is the API. That order process now needs to be available on the web and to a variety of mobile devices, so that the logic tier can be accessible to all channels through the API.
The API border is the new security perimeter
Because personal mobile devices cannot be trusted the same way a company-owned and managed desktop PC could be, the concrete API border is also the new security perimeter. For these reasons, an enterprise API proxy that provides secure, multi-channel access to the logic and data tiers will be valuable.
This API proxy plays a dichotomous role. It opens and eases integration with enterprise APIs, and it enforces the policies that check user identity and control access to backend resources and data. Due to the mixed personality of BYOD devices — business and pleasure — no API request message can be trusted outright. Identity must be checked using any number of principals — app, device, end user — and weighed against the requested assets.
The value proposition of the API proxy increases dramatically if it is able to map between the security protocol of choice in the mobile world, OAuth, and the existing security infrastructure in the enterprise. Web single sign-on solutions are too heavyweight for mobile devices, but their underlying policies and infrastructure can be reused in this context. The API proxy is the key to bridging the gap between the integration and security needs of the mobile devices and the existing and proven enterprise services and policies.
Companies are using the API proxy at the core of their API management solution for secure mobile app integration with their enterprise systems. A healthcare company we worked with wanted to offer an iPad-based app to collect their member data. The company was very concerned about data privacy and access control. Through the proxy, they were able to exceed the industry’s security requirements and easily reuse their enterprise applications to launch the app.
A developer-driven approach to integration
Driven by BYOD, companies are also following consumer app trends and offering API portals where developers can find out which APIs are available in the enterprise, how to connect to them, and how to establish contracts that include quotas, costs and service levels. I believe that this developer-driven approach to integration is a refreshing shift from the current SOA state and will help to improve the overall agility of enterprise IT.
Business and IT leaders who are wrestling with whether or not personal devices should be allowed in their company’s network should embrace this change. There is no stopping it, it’s already here. And there is a big upside to BYOD beyond employee satisfaction. People treat their personal mobile devices as an extension of themselves. Employee productivity improves with each new task that they can accomplish on their favorite toy and a ton of costs can be saved through reduction in paperwork and manual processing in general.
If companies turn their worries to figuring out how to engage field employees with apps that leverage 1080p resolution and LTE connectivity, they can rest assured that through API management they will have a solution that delivers on the promise and protects against the threats of the mobile future, adds immediate value to the present, and leverages the investments of the past.
Matt McLarty is vice president of client solutions for Layer 7 Technologies, a provider of API management solutions. Prior to Layer 7, Matt led technical sales for IBM application integration middleware and worked extensively as an enterprise architect in the financial service industry.