By Richard Seroter, Senior Product Manager at Tier 3

With the advent of cheap computing power from the cloud, comes another trend: APIs rule. Programmatic access to systems – from government agencies to automobile manufacturers – has delivered a range of new products and services that can be consumed on a variety of devices.

The cloud industry – whether SaaS providers like Salesforce.com, or IaaS providers like Tier 3 – are expected to deliver a complete library of APIs that empowers developers and IT staff to build “mash-up” experiences that present information in new, contextual ways.

While APIs may not be listed in the stated characteristics of cloud computing, they are a necessity for any viable cloud service. How are customers using cloud provider APIs today? And what should we expect in the future as APIs evolve?

Today’s Usage

There are at least three major ways that enterprise customers today use cloud provider APIs:

• Specialized automation. A smart man once said “All APIs get used well beyond the initial intended use cases.” APIs are meant to empower users to consume services in whatever manners adds value to their situation. That could mean creating time-saving automation by combining APIs in a way that the vendor may not have anticipated. For example, whenever you add a new developer to your team, you could call an API to “create user” and immediately follow that by invoking a “create server” operation to give them a powerful environment for development and testing of code. APIs make it possible for consumers to create new aggregate “mashup” services that meet a unique business need.
• Integrate with back office systems. The introduction of cloud computing can be disruptive to IT departments, in good and bad ways. How are IT pros supposed to link existing operations and business systems to new environments that they don’t have physical control over? APIs provide the key. Whether you’re integrating with on-premises billing, configuration management, or support systems, APIs offer a way to integrate cloud assets to internal systems that run your business.  This flexibility also helps IT select the portfolio of applications they really want to spend their time managing – and offload “hands on” administration to the cloud.
• Consuming extended user experiences that offer unique functionality. There are two popular scenarios at play here. First, APIs make it possible for software vendors to create value-added products on top of what cloud providers natively offer. Industry leaders like RightScale and Enstratius sell software that can manage a host of different clouds from a unified, holistic interface. What makes this cottage industry – multi-cloud management – possible? Access to the underlying cloud APIs. Secondly, APIs give customers the chance to build their own tools for interacting with the cloud. For example, we have customers who used our APIs to create a slimmed down version of the Tier 3 Control Portal and run it internally. It’s also possible to build mobile applications that can provision servers, or make it easy for users to check their invoice in real-time. All of this is possible by consuming APIs.

The Road Ahead

So what’s next? There are a number of things on our minds at Tier 3, since elegant and functional API design is essential for us to remain competitive.  A few important trends guide our thinking, and may help you as well.

• Emerging standards. There is not yet a standard IaaS API that everyone conforms to. There has been plenty of debate about adopting Amazon Web Services APIs as a standard. But it’s important to recognize that a broad set of compatibility can be a hindrance to industry development if the architectural impact isn’t also considered. Cloud companies will be keeping a close eye on this moving forward, but at this stage, few want to deliver an API that meets a common definition but omits the unique capabilities the provider offers.
•  Security. Security needs to be considered up front. API providers should carefully assess what the right authentication framework is, and avoid inventing schemes that may introduce new vulnerabilities. One recent example of what not to do: the API for the new Tesla S automobile, as flagged by George Reese of Enstratius. By ignoring a standard authentication architecture (OAuth), Tesla inadvertently created an exploitable authentication flaw. Cloud providers – and any creator of an API – must pay special attention to the security of their service and not reinvent the wheel.
• Parity with vendor-controlled user interface. More and more, cloud customers want the ability to do anything through the API that they can do through the web interface provided by the vendor. The flexibility is critical for a range of enterprise scenarios. This means that APIs have to represent the full capabilities of the cloud platform, not just a convenient subset. This may require re-engineering by the cloud providers who maintain a separate public-facing web façade that isn’t actually consumed by the provider themselves.
• Advanced communication options, like webhooks. The traditional cloud API consists of request-reply operations that the customer calls to retrieve information. This works for some operations, but in many cases, we see customers call an API repeatedly to find out if something has changed. Did a new account get created? Was a change made to a cloud server? The vast majority of the time, the answer is “no” but the customer polls the API regularly just in case. With webhooks, the customer can configure an endpoint that the cloud provider should call whenever certain events occur. For example, a customer can set up a URL that should be called whenever someone adds a public IP address to a server. The customer can then quickly respond if that particular server should NOT be exposed to the public internet. The goal is to create a more event-driven experience where information is pushed – not pulled – from the cloud platform.

The ocean of APIs has made it easy for developers, enterprise IT, and consumers to enjoy rich experiences for work and play on the devices of our choosing. Cloud providers play a critical role in the current technology landscape and must constantly strive to create secure, complete, and innovative APIs.

Richard Seroter is a senior product manager for cloud computing provider Tier 3, a Microsoft MVP, instructor for developer-centric training company Pluralsight, frequent public speaker, InfoQ.com editor for cloud computing, and author of multiple books on application integration strategies. Richard maintains a regularly updated blog on topics of architecture and solution design and can be found on Twitter as @rseroter.