API sprawl: A threat you might want to address later, but you can’t ignore it

F5 announced a report which analyzes the serious threat to business and the economy posed by the global proliferation of APIs.

API sprawl threat

When APIs gained widespread adoption in the early 2000s, they were primarily viewed as a technical solution enabling applications to connect and exchange data. Today, by contrast, APIs are increasingly recognized as a major driver of innovation, value creation, and revenue. From digital marketplaces and entertainment apps to the Internet of Things (IoT) and IT microservices, APIs are at the heart of how the world conducts business.

“We estimate that the number of public and private APIs today is approaching 200 million, and by 2031 that number could be in the billions,” said Rajesh Narayanan, senior director and distinguished technologist at F5. “And we’ve merely scratched the surface in terms of the anticipated global economic impact of APIs.”

APIs come in many shapes and sizes, and serve a range of functions

There are public APIs, accessible by the general public—like those used by Google Maps or the Lyft app. There are private APIs, which are part of internal systems, as in the case of microservices APIs, or for use by internal teams only.

There are partner APIs that enable data sharing and the creation of innovative offerings. Roku’s service, for example, would not be possible without the ability to access data from Netflix, HBO, and other content providers using APIs. Managing and controlling all these different kinds of APIs can be a significant challenge for enterprises.

“As APIs of all kinds proliferate, it will become common for organizations to reach a point where they’re unable to effectively manage and control them,” said Narayanan. “This is API sprawl, the condition of having too many APIs of too many different kinds in too many different locations to get a handle on.”

A number of factors contribute to API sprawl:

  • A lack of global standards results in interoperability issues, driving the creation of multiple APIs to serve the same function.
  • Most enterprises are evolving toward microservices architectures, which by their nature result in dozens of APIs.
  • Continuous software development results in the frequent release of new API versions.
  • Enterprises create new APIs to enable integration between internal systems, programs, or applications.
  • Siloed business units often take separate API approaches.
  • Edge computing and everything-as-a-service business models drive the creation of yet more APIs, in more locations.

The problem is real and growing.

API sprawl introduces significant operational and security challenges

As the number of APIs and the complexity of apps grow, it becomes very hard to track where APIs are located. Discovering them within and outside the enterprise can be difficult, and end-to-end connectivity can be impacted.

Frequent updates to APIs result in versioning and documentation issues. Beyond that, APIs are prone to fraud and malicious behavior. External APIs must be validated continuously for trust, and internal API keys can be compromised, giving attackers access to critical infrastructure.

“If data is the new oil, then APIs could unfortunately become the new plastic, with byproducts wreaking havoc on the ecosystem,” said Narayanan. “To stay healthy and thrive in the API-driven economy, it’s time for organizations to get serious about creating, using, and managing APIs responsibly.”

Solutions like API gateways, ingress controllers, and sidecar proxies can enable highly effective management of intra-cluster API architectures, but they are insufficient for managing inter-cluster API sprawl.

To solve API sprawl across multiple clusters, enterprises require a single source of truth that tracks all APIs, seamless API discovery, proper versioning and documentation, API-to-API connectivity, and uniform monitoring of API reliability. And with APIs opening up so many new threat vectors, enterprises need to recognize the risk they pose, and make trust a metric for third parties accessing their APIs.

Don't miss