In the last decade we’ve seen a sizeable shift in the role APIs play in modern web and mobile applications, giving rise to the term API economy. The pressures of getting applications to market quickly, C-level digital transformation initiatives, and the need to find specialist developer skills as application requirements become more complex are driving the importance and adoption of 3rd party APIs. There has also been wide recognition that few companies have enough spare resource to waste reinventing the wheel by developing common, pre-existing functionality from scratch.
As we enter 2019, the value API-first companies provide to enterprises is undeniable. In some cases, APIs provide very niche, low-risk functionality such as maps, blogs or forms. In other cases, companies like Stripe have revolutionised how quickly and easily application developers can build payment functionality into their applications. Likewise, Twilio turned the perplexing world of telephony and communication connectivity into a few lines of code. Ubisecure, through our identity API, gives developers access to rich identity management functions that would otherwise need to be developed in-house – representing a minefield of risk, where poor implementation leads to significant exposure to fines and damage to brand credibility.
APIs essentially democratise highly specialised functionality by making it available to everyone – from start-up to mature enterprise. But across the spectrum, customer facing applications need three core things: payment, communications, and identity (specifically authentication and authorisation). These will be the reference points used in this blog.
APIs as specialist, on-demand expertise
Gaining experience in niche standards-driven areas takes time and skill, whereas using APIs can provide that experience almost on-demand. That brings us to our first major conclusion – 3rd party APIs are built for very specific purposes. API companies like Ubisecure, Stripe and Twilio invest heavily in API products, serve many customers and consequently have a significant network effect. We watch the trends in our markets and we actively participate in driving regulation and standards. The value to our customers is in being the domain expert. This translates into highly effective solutions when compared to in-house solutions.
It’s ultimately about giving companies the room to develop their special sauce
“We think of APIs as building blocks that are the raw ingredients of innovation because they allow developers and organizations of any size to rapidly build new ideas.” — Jeff Lawson, Twilio Co-founder & CEO.
Companies often underestimate how much time and effort needs to go into building core functionality. While developers are building core functionality, they’re not spending time on the application’s ‘special sauce’. Take Uber as an example. The app is a series of 3rd party APIs that enable the value proposition of the app. This has made the app lean, effective and agile. There are countless other apps that only exist today because of the rich library of APIs available for developers to outsource very specific functionality.
The problem that needed solving – making it easy to manage digital identity and handle identity data right with an Identity API
Identity Management is a broad term incorporating many functions and standards. Getting it right provides a highly effective means of managing and protecting your customers’ identity data as they engage with your application. Getting it wrong leads to data breaches, bad press and GDPR fines.
Consider the areas your developers would need to quickly become ‘experts’ in when building an in-house solution:
Single sign-on (SSO), multi-factor authentication (MFA), use of social identity, dynamic use of strong identities, step up and contextual authentication, identity data storage, mobile identity support, identity standards like OpenID Connect, OAuth 2 and possibly even still SAML. Your developers would also need to implement the company’s infosec policies such as password management, delegation of authority, role-based access control (RBAC) and much more. Each one of these areas, if implemented poorly, could be front page news when it goes wrong.
Let’s look at the case of Facebook. In September 2018 Facebook suffered a massive breach due to a bug in its implementation of access tokens. Even a company with the developer power of Facebook can make mistakes when it’s an area outside of their core expertise.
“If there’s something to learn here, no matter how large a developer organisation some companies have, it’s well worth considering working with a proven identity federation solution, delivered by domain experts, rather than risk getting it wrong by building in-house.” – Petteri Stenius, Ubisecure Principal Scientist.
At Ubisecure, we’ve long considered ourselves an API-first software company. Almost all of our enterprise customers use our Identity API to provide the identity management for their applications. The breadth of functionality provided by the Identity API and microservices is reflected in the fact that we serve dozens of use cases across many verticals. All such use cases place our Identity API as an indispensable core component for both identity management functionality and risk management. In the same way that Stripe makes payment processing easy to implement, we take all the complex and risky identity management functionality and we make it available to our customers and partners through a set of highly structured, well documented APIs.
Once enterprises view third party APIs as expertise on-demand they gain the ability to invest in their ‘special sauce’ and get their applications to market faster. This is really why we value our place in the API economy – nothing is more exciting than helping our customers innovate.