INTERFACE by apidays - Automating API Governance by John Phenix
Date: June 2020
Prepared by: John Phenix
Chief API Architect, HSBC Commercial Bank
Automating API Governance
PUBLIC
HSBC - The World’s Leading International Bank
• 39 million customers
• 3,900 offices
• Present in 65 countries & territories
• Reported Revenue $53.8bn
• 254PB of data
• Data Centres in 21 countries
• 96,600+ Servers
• $1.5 Trillion daily payments processed
• 235,000 people around the world
• 46,000 IT Professionals
• $2.5bn Run / $3.3bn Change (cash)
Why HSBC needs API Standards and Governance – an example from Apple
Apple’s iOS Standards and Governance platform produces a consistent, market leading App experience
Why HSBC needs API Standards and Governance
HSBC’s API Standards and Governance platform will produce a consistent, market leading API developer experience
Tip 1: What to Govern?
(Diagram labels: Security, Operations, Reputation)
As little as possible! The minimum needed to deliver value and manage risks.
Tip 1: Focus governance on real risks rather than personal preferences
Tip 2: What does good look like?
(Diagram labels: Comprehensive, Scalable, Consistent, Evidenced)
Tip 2: Good governance scales to meet delivery cadence
Tip 3: Where to invest effort
(Diagram labels: Visibility, Tools, Training, Automation)
Tip 3: Shift left – make it easier to fall into success
Tip 4a: Pick your style - Centralised
Small team(s) of API SMEs who manually review APIs. You can duplicate the ARB (API Review Board) in different geographies.
(Scorecard labels: Scalable, Consistent, Comprehensive, Evidenced)
Tip 4b: Pick your style - Federated
API Champions from every region and major project to enforce standards locally and escalate non-compliance.
(Scorecard labels: Scalable, Consistent, Comprehensive, Evidenced)
Tip 4c: Pick your style - Automated
Speed and safety at scale requires an automated approach.
(Scorecard labels: Scalable, Consistent, Comprehensive, Evidenced)
Tip 4d: Pick your style - Hybrid
Focus manual reviews on exceptions and qualitative analysis.
(Scorecard labels: Scalable, Consistent, Comprehensive, Evidenced)
Tip 4: Move from “Are we building APIs right?” to “Are we building the right APIs?”
Tip 5: How to automate
(Architecture diagram labels: CAGE, CAGE UI, Rules, Repository, Rules Setup, Batch, CI/CD Pipeline, Certification Dashboard, Audit Trail; roles: API Engineers, Governance Engineers, Lead Architects)
Tip 5: How to automate
(Diagram labels: Peer Reviews, Training; Building APIs Right / Building the Right APIs)
Tip 5: Automate as much as you can, but you still need people
5 Governance Tips
Q1: What to govern
Q2: What does good look like
Q3: Where to invest effort
Q4: How to pick your style
Q5: How to automate
Tip 1: Focus governance on real risks rather than personal preferences
Tip 2: Good governance scales to meet delivery cadence
Tip 3: Shift left – make it easier to fall into success
Tip 4: Move from “Are we building APIs right?” to “Are we building the right APIs?”
Tip 5: Automate as much as possible, but you still need people
Example Rules
Security:
• Sensitive info in query parameters
• Standard headers
• Security policies
Operations:
• Naming standard
• Published to API Repository
• Versioning
• Check for duplicate APIs
• Health endpoint
Style:
• camelCase, PascalCase and snake_case
• Always return 2xx, 4xx and 5xx
• Misuse of HTTP verbs
• Plural nouns for resource collections
• Example request and response schemas
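Rules like these are what an automated gate in the CI/CD pipeline evaluates against each API definition. The following is an added example, not HSBC's CAGE code: a small Python checker over an OpenAPI-style dict that encodes five of the rules listed above (sensitive info in query parameters, versioning, health endpoint, plural collection nouns, and 2xx/4xx/5xx responses). The rule ids, the sensitive-name pattern and the sample spec are constructed for illustration.

```python
"""Added example, not HSBC's CAGE: a small rule engine over an OpenAPI-style dict.
Rule ids, the sensitive-name list and the sample spec are constructed for illustration."""
import re

SENSITIVE = re.compile(r"password|passwd|secret|token|api[_-]?key|ssn|accountnumber", re.I)
VERSION_RE = re.compile(r"^/v\d+/")          # ops: paths must carry a version prefix
PATH_PARAM = re.compile(r"^\{.+\}$")          # a segment such as {accountId}
METHODS = {"get", "post", "put", "patch", "delete"}

def check_spec(spec):
    """Return (rule_id, location, message) tuples; an empty list means compliant."""
    findings = []
    paths = spec.get("paths", {})
    # ops: every API must expose a health endpoint somewhere
    if not any(p.rstrip("/").endswith("/health") for p in paths):
        findings.append(("ops.health-endpoint", "/", "no /health endpoint exposed"))
    for path, ops in paths.items():
        if not VERSION_RE.match(path):
            findings.append(("ops.versioning", path, "path is not versioned, expected /v<n>/..."))
        # style: a segment followed by a path parameter is a collection and must be plural
        segs = path.strip("/").split("/")
        for seg, nxt in zip(segs, segs[1:]):
            if PATH_PARAM.match(nxt) and not seg.endswith("s"):
                findings.append(("style.plural-collections", path, f"collection '{seg}' should be plural"))
        for method, op in ops.items():
            if method.lower() not in METHODS:
                continue
            where = f"{method.upper()} {path}"
            # security: secrets and identifiers in the query string end up in logs and caches
            for param in op.get("parameters", []):
                if param.get("in") == "query" and SENSITIVE.search(param.get("name", "")):
                    findings.append(("security.sensitive-query-param", where,
                                     f"'{param['name']}' must not travel in the query string"))
            # style: every operation documents success, client-error and server-error responses
            classes = {str(code)[0] for code in op.get("responses", {})}
            for cls in "245":
                if cls not in classes:
                    findings.append(("style.response-classes", where, f"no {cls}xx response documented"))
    return findings

SAMPLE_SPEC = {  # constructed fixture: one compliant path, one that breaks several rules
    "paths": {
        "/v1/accounts/{accountId}": {"get": {
            "parameters": [{"name": "accountId", "in": "path"}],
            "responses": {"200": {}, "404": {}, "500": {}}}},
        "/payment/{paymentId}": {"get": {
            "parameters": [{"name": "apiKey", "in": "query"}],
            "responses": {"200": {}}}},
    }
}
```

Running `check_spec(SAMPLE_SPEC)` reports six findings, all on the second path plus the missing health endpoint; a spec that satisfies every rule returns an empty list, which is the signal a pipeline gate would use to pass the build.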