Apigee - RFP Template for API Management

Updated 4/4/2016

Overview  A

Vendor Experience

B

Arcitecture

C

API !atewa"

D

API Anal"tics and #onitoring

E

API $ecurit"

%

Developer Portal

$ection A - Vendor Experience

 A&

Requirement Please descri/e "our compan"7s strateg" around API management8 (at percentage of "our compan"7s revenue is derived from API #anagement)

 A'

(en was "our API API management product !A)

 A*

(at + of te %ortune &,, uses te product) Is te product telco grade) (at + of te largest &' glo/al telcos use "our product)

 A  A.  A0

 A1  A2  A4  A&,  A&&  A&&  A&'  A&*  A&  A&.  A&0  A&1

Is te product in production wit wit large retail /rands) Can "ou provide examples of "our tougt leadersip in te API space) (at 9ind of experience do "ou ave running a managed cloud solution at scale for "our cloud customers) (o are "our largest customers in te3 Retail sector  %inancial sector  5elecommunications 6ealtcare (o are "our most significant :E( customers ;of "our API API products< in te past 0 monts) 6ow do "ou on/oard and partner wit customers for success) Do "ou provide free training for arcitecture= development= and operations on "our we/site) Do "ou provide online tutorials to elp us learn "our product) communit"

$ection B - Arcitecture Requirement

B*

Does "our product support pu/lic cloud= private cloud and "/rid deplo"ments) Is "our Private Cloud full" supported On-Premises ;does not ave an" dependencies on ma9ing calls externall"<) Does "our private and pu/lic cloud offering use te same code /ase)

B

Does te solution support a "/rid solution= were traffic management and securit" policies can /e colocated wit te API applications= wile oter API functions run on te core API management platform ;enterprise gatewa"< in te managed cloud or onpremises deplo"ment

B.

Does te platform a rcitecture support multi-tenanc" /ot for /ot pu/lic and private Cloud deplo"ments)

B0

Can multiple teams wor9 independentl" wit runtime isolation)

B1

6ow does te platform support a multi-region= multidata center deplo"ment to ensure te igest level of availa/ilit" and distri/ution)

B&

B'

B2

B4

B&,

B&& B&&

B&'

6ow does "our platform integrate into continuous development and deplo"ment practices) Explain ow "our solution supports a scala/le environment and descri/e wat is needed to provision additional capacit" per API API > per team > per region > per organi?ation8 Does "our solution provide a centrali?ed @I for multiDC deplo"ments or do we need to manage tem independentl") Does te solution support ?ero downtime patcing and updates) Does te solution ave te a/ilit" to do intelligent traffic routing to give users te closest point of presence over wide geograpical areas)

$ection C - API !atewa"

C& C'

C* C

C.

C0 C1 C2

C4 C&,  C&& C&'

C&* C&

C&. C&0

Requirement Does te product support OpenAPI ;formerl" 9nown as $wagger< to design APIs and generate documentation) Does te product facilitate rapid protot"ping of moc9  APIs) Does te product elp create u niform= consistent= well-formed APIs= even if te underl"ing /ac9end s"stems weren7t /uilt tat wa")

6ow are existing $OAP services added) Can deplo"ments of assets /e automated for te development lifec"cle) Can "our platform reference existing assets suc as encr"ption li/raries= scema validation tools= data validation li/raries= etc8 6ow does "our product support treat detection /" detecting fraudulent data inections at te API level) Please descri/e "our a/ilit" to protect from traffic spi9es8 Please descri/e "our a/ilit" to manage API consumption troug uotas8 Can uotas /e setup /ot /" developers as well as /" product managers post-development) Can te" /e adusted at runtime) Can uotas /e s"ncroni?ed across multi-region deplo"ments) Does te platform support pu/lising $OAP= RE$5= $O:= and #F st"le services as APIs as well as #$) Please descri/e process flows f or discovering services in te runtime environment8

Does te product support API masups) Please descri/e "our a/ilit" to enance Prox" functionalit" troug /ot configuration and code8 Please descri/e an" out of te /ox functions for doing traffic mediation= transformation= and securit" at te API Fevel8  Are standard transformations included) ;#F to $O:= $O: to #F= $OAP to RE$5= RE$5 to $OAP<

C&1

Does te prox" support compression)

C&2

Does te prox" support 655P  655P$) (en necessar"= can te prox" tal9 to #$ /ased s"stems)

C&4

C',

C'&

C''

C'*

C' C'.

C'0

C'1

C'2

Are streaming connections supported) Please descri/e te de/ugging tools /uilt into te platform8 Can te de/ugging tool sow a G/eforeG and GafterG of eac polic" during repla") Also can te de/ugging /e performed in an off-line mode to minimi?e an" overead to te runtime API traffic8

6ow is versioning supported)  Are all policies and s"stem configurations stored in standards /ased #F wit well pu/lised scemas for eas" migration>promotion) Does te prox" support cacing) In addition to an expiration= can te cace /e manipulated programmaticall") Do "ou support a multi-level cace model ) %or example= is te in-memor" cace a/le to spill over to te dis9) Does te product support cacing /ased on pa"load information and 655P eaders) Is tis availa/le via /uilt-in policies)

C**

Does te prox" rate limiting= uotas= and spi9e arrests) Can /eavior cange d"namicall" /ased upon factors suc as user credentials= location= device t"pe=888) Does te prox" support d"namic routing ;orcestrationHor intelligent routing to a second s"stem /ased upon te response from a first s"stem<) Please descri/e te out-of-te-/ox /ac9end service  APIs for common application functionalit" suc as user management= data storage and s"ncroni?ation= messaging= and locations8 Does te platform support identit" integration wit popular social networ9s and Internet services and if so= wic ones)

C*

Does te solution allow te storing and uer"ing of ar/itrar" scema-less $O: data)

C'4

C*,

C*&

C*'

C*. C*0 C*1

Can data /e tagged and ueried /" location) Can /inar" o/ects suc as files and images /e stored in te platform) Please provide examples of large-scale deplo"ments using tis capa/ilit"

C*2

Does te platform provide user management and social relationsip functionalit" for /uilding personali?ed applications)

C*4

Can te platform support pus notifications across various mo/ile platforms)

C, C&

C'

C* C C. C0

C1

Can te core functionalit" of te p latform /e extended /" te customer) Does te platform support extensions using common languages li9e ava= P"ton= or ava$cript) Can te platform ost and run unmodified :ode8s applications in order to implement custom APIs witout te need for a se parate application server)

Does te platform ave wi?ards to generate APIs from $wagger= $OAP services= and oter / ac9end services) (at are te standard governance features availa/le in te product) 6ow does te product support API Fifec"cle governance) Can "our product pu/lis APIs for external and internal consumers) 6ow are tese managed independentl") 6ow do "ou manage API visi/ilit" and restrict access to consumers) Is tis configuration in te platform or /uilt as part of te APIs ena/lement)

$ection D - API Anal"tics

D&

Requirement Please descri/e te out-of-te-/ox reports provided /" te tool8

D

Does te @I allow for drill down on eac o f te carts) Does te tool provide a wi?ard for creating custom reports)  Are tere maps for detailing geo-location of API calls)

D.

 Are te anal"tics collected as"ncronousl" ;so as not to impede runtime traffic<)

D' D*

D0 D1

D2

Does te anal"tics data= once collected= provide an  API for eas" access and export) Can te solution /e used to provide /usiness level visi/ilit") (at level of operational visi/ilit" can te solution provide /ased on API traffic flowing troug te s"stem)

D4

D&,

(at tools are availa/le out of te /ox to do various 9inds of trend anal"sis and inspection o f anomalies)

D&&

Can reports /e created on-demand) Does te tool support predictive and trend-/ased anal"tics)

D&'

Descri/e ow te product gaters contextual information ;information a/ove and /e"ond te /asic transaction details wic elps te /usiness to understand te transaction in dept<8 Please specif" tird-part" APIs and internal enterprise data sources8

D&* D& D&.

D&0 D&1 D&2 D&4

D', D'& D'' D'*

D' D'.

D'0

D'1

D'2

Is tere a service for attaining /usiness level insigts /ased on te contextual data) (at metrics and dimensions are supported /" te tool) Do "ou provide service performance monitoring= reporting= and anal"sis)

If pa"load data is captured= can tis data /e used for reporting) (at are te exception management reporting capa/ilities) Does "our product provide end-end visi/ilit" and trending performance statistics) Does "our solution support /illing /ased on 5P$ and>or aggregate transactions for eac developer>application8 $olution must provide performance management data wit counters per application t"pe and per API message t"pe8 (at level of reporting is availa/le to te developer) ;call latenc"= $FA provide compliance= oter metrics< Does te product eas"-to-use custom reporting capa/ilities over multiple dimensions and filters) Does "our product provide te a/ilit" to report using te pa"load of te messages) Does "our product provides te a/ilit" to easil" integrate wit oter s"stems= for instance troug  API calls) Does "our product provide capa/ilities to create custom das/oards to perform root-cause a nal"sis) Does "our product provide flexi/ilit" to extend te functionalit" and implement attri/ute specific runtime enforcements for API)  Are all of "our /illing and developer usage data availa/le via an API to allow an e as" integration wit existing s"stems) Does te product provide te a/ilit" to inspect te pa"load and retrieve pa"load data to create custom metrics to /e included in custom reports)

D'4

Does te solution provide te a/ilit" to perform s"ntetic transaction testing from different glo/al locations)

$ection E - API $ecurit"

E.

Requirement 6ow is single-sign on supported across all te roles involved in te lifec"cle in "our product) (at are te standard industr" securit" certifications availa/le for "our product) Do "ou use open standards to delegate autentication capa/ilities to "our tenants) Explain te mecanisms "ou use to supp ort API securit" ;e8g8 to9ens= encr"ption= polic" s"stems<8 Please descri/e te securit" > polic" enforcement options wen some assets migt reuire additional securit" in a cloud>on-premises infrastructure8

E0 E1

Please descri/e "our expertise wit OAut ;including maor customers "ou ave supported<8 (ic versions of OAut are supported)

E2

Are FDAP and AD supported)

E4

Does te product support /ot secure cannels and secure pa"loads)

E& E' E* E

E&, E&&

Does te prox" provide support for COR$) Does te prox" protect against #F or $O: attac9s)

E&'

 Are all of tese securit" features availa/le as selfservice via configuration ;not coding<)

E&* E& E&. E&0 E&1

6ow does te solution andle role /ased access controls to ensure different mem/ers of te API team can perform teir roles effectivel" witout affecting oter teams) Is "our pu/lic cloud offering PCI D$$ level & and level ' certified) Is "our pu/lic cloud offering 6IPAA compliant) Can te product /e extended to support custom>proprietar" implementations) Can APIs /e secured at te operation level) ;Ex3 can do !E5= /ut not PO$5 or P@5<

$ection % - Developer Portal

%&

%' %* %

%. %0

%1

Requirement 6ow are assets manifested in te developer po rtal for developer use) Please descri/e ow te tool facilitates on-/oarding8 Is tis portal availa/le as a completel" on-premises solution) Does te solution provide interactive documentation to allow API consumers to easil" tr" out pu/lised  APIs) Does eac developer ;or team< get teir own personali?ed metrics)

Is te registration form customi?a/le) Can te customer customi?e= s9in= and modif" te portal witout vendor involvement) Does te portal leverage standard C#$ tecnologies to ensure eas" to find s9ill sets and pre-existing modules)

%&,

Does te tool provide te a/ilit" to revo9e or suspend developer 9e"s) Does te solution support a B'B'D t"pe mode l wic allows enterprises to let teir partners manage teir own pool of developers and teir access to te enterprises APIs) Please descri/e te a/ilit" for te platform to supp ort moneti?ation8 (at are te various revenue models supported)

%&&

Are te pricing models configura/le witout coding)

%&'

Does te platform integrate wit tird-part" pa"ment s"stems)

%2

%4

Review Criteria for API-powered Digital Busin

Details  APIs are a critical part of our compan" strateg" moving forward8 It is important to us tat woever we partner wit considers API management a core part of teir /usiness8 (e7re interested in te trac9 record of "our compan" in API management8 In addition to te product features mentioned a/ove= would li9e to understand te real world experience "ou ave ad wit large scale deplo"ments on "our API management platform8 Jnowing te uptime reuirements of a telco= it is important to 9now tat te platform meets tese stringent criteria8 6ig-profile /rands tat trust "our platform would sa" a lot for te ro/ustness and performance of "our product8  APIs= social= and mo/ile are fast moving topics8 (e would li9e to wor9 wit a vendor wo leads te space8 (ile man" vendors are now offering cloud-/ased versions of teir products= it is critical tat te cosen vendor as demonstrated real world experience wit large scale customers running in te cloud8 (e would li9e to 9now more a/ out "our real world experience8

(e would li9e to 9now more a/ out "our mar9et momentum8

Details Depending on present and f uture proect reuirements= we ma" need one or /ot of te deplo"ments to /e supported8 In tis case= cloud is understood to mean a vendor managed cloud8 6"/rid is defined as a local gatewa" wit management functions and anal"tics in te cloud8

5o elp wit a flexi/le deplo"ment model tat reduces latenc" since traffic management and securit" appens closer to te application= avoids s"ncronous call-outs in te main message pat= and protects te last mile8 5e a/ilit" to run a multi-tenant environment can /e important wen dealing wit multiple lines of /usiness and>or partners8 Is te cloud installation a true multi-tenant environment) Does te exact same functionalit" exist wen deplo"ed on premises)  An enterprise $DFC ;software development life c"cle< can /e a complicated process wit man" constituents8 5e a/ilit" for diverse teams to ave teir own view of te platform wit logical separation of all policies and configurations is ver" important8 5e ideal tool will allow a centrall" managed platform to support development teams across te enterprise8 5e ideal tool will wor9 wit industr" popular CI>CD tools suc as #aven or en9ins8 !eograpical redundanc" is important /ot for ig availa/ilit" and also for latenc" and performance considerations8 (e need to understand ow an instance deplo"ed in one p"sical data center interacts and colla/orates wit an instance deplo"ed at an oter data center8 5e operations teams alread" ave wor9flows= processes= and scripts to perform teir wor98 Does "our platform integrate well wit tese existing tools) Can te platform /e run via te command line) Via scripts)

In toda"7s world= traffic /ursts appen8 (e nee d to 9now tat our capacit" can scale along wit tese d"namic fluctuations in traffic8 Ease of management is one of te da"-to-da" considerations in coosing a platform suc as tis8 6ow can te tool ease management over and contri/ute to overall productivit") %or critical applications and geograpicall" dispersed user /ase= ow can te platform /e administered so as not to incur an" downtime for developers= partners= and users) %or latenc" sensitive applications= intelligent routing to te nearest point of presence can /e ver" important8

Details

Can te services support oter protocols and ow is complex data transformation andled) 6ow ard is it to incorporate into existing development standard tools) (at development tools are reuired to develop and deplo" wit "our platform) I5 as invested in middleware= and ow can "our platform use tese assets)

%or example getCustomerInfo API would reuire multiple /ac9-end calls to /e made to multiple s"stems and eac s"stem supports different protocols ;for example $OAP we/ service= $O: service and direct data/ase call<8 Does tis reuire custom development or is it supported /" configurations) Please igligt wic prox" features cannot /e accomplised via simple configuration8

In order to reuse existing s"stems or to tal9 wit legac" s"stems= it is important tat te platform can perform tese transformations8 Can messages /e /ot sent and received /" te prox" in a compressed format) 5is will save /andwidt and reduce latenc" in some situations8 Previous generations of software /uilt  ard-wired connectors into teir tools8 5o avoid tese /rittle connections= can te platform perform all functionalit" over standard 655P) In te event of te existence of /ac9-end s"stem /ased upon #$= can reuests /e placed into te correct ueue)

%or long running transactions or large pa"loads= can te prox" stream traffic) Distri/uted s"stems are more complex tan client server s"stems8 (at tools does te platform possess wic will elp us to isolate issues and solve tem faster)

5is functionalit" can /e crucial during forensics or during preproduction polic"8 5o minimi?etesting impactoftoa developers and users= versioning needs to /e flexi/le8 Versioning refers to /ot te version on te API ;as part of te @RI< as well as te versions of te policies temselves8 Fastl"= versioning refers to minimi?ing te impact on operations troug o/viating te need to maintain multiple versions of a service8  A standard format li9e #F allows for eas" transformation and manipulation in a variet" of tools8 Cacing at te prox" minimi?es its against te /ac9 end s"stems8 (ile it is important to /e a/le to set a cace to expire a certain point in time= it is also necessar" to invalidate or refres te cace via standard API calls to reflect canges in /ac9 end s"stems8 In-memor" cace is ver" fast= /ut as limitations of si?e8 5e a/ilit" to perform multi-level cacing is important for eav" cacing situations8 5o optimi?e cacing= te platform sould /e a/le to cace /ased on man" t"pes of information= including data contained witin te pa"loadto ofdata te message8  Access and load on /ac9-end s"stems must /e configura/le and controlla/le8 5e a/ilit" to /loc9 /ased on seer traffic volume is important as are te finer grained controls of rate limits ;messages>time interval< and uotas ;raw K of reuests permitted<8 In te d"namic world of APIs and mo/ile applications it is often necessar" for te platform to ma9e d"namic decisions /ased upon various pieces of information contained witin te in/ound reuest8 In te d"namic world of APIs and mo/ile applications it is often necessar" for te platform to ma9e d"namic decisions /ased upon te current conditions8 #ost modern apps reuire functionalit" tat is missing from existing /ac9end s"stems8 B" providing tis f unctionalit" out-of-te-/ox= te platform speeds time to mar9et for all apps and reduces complexit" in te environment8 #ost apps reuire some social component8 B" providing tis functionalit" out-of-te-/ox= te platform speeds time to mar9et for all apps and reduces complexit" in te environment8 5o acieve maximum flexi/ilit"= does te platform allow for ar/itrar" ueries and storing d"namic data ;/e"ond pre-configured $LF-li9e scemata<) Focation /ased service are /ecoming more and more prevalent8 !eotagging data provides great power to te platform and covers a gap in most legac" s"stems8 (ile it is crucial to store p lain text= man" modern apps allow for image uploads ;and oter /inar" t"pes<8 (e would li9e to understand more a/out te real world experience wit tis part of te platform8

5is t"pe of functionalit" is often a/sent from legac" s"stems= "et reuired modernisapplications8 5is t"pe/" of most functionalit" often a/sent from legac" s"stems= "et reuired /" most modern applications8 It is crucial for te s"stem to /e a/le to communicate wit users in a manner in wic te" are familiar8 In te interest of minimi?ing professional services and increasing time to mar9et= can te a/ove mentioned data/ase functionalit" /e acieved via configuration ;not coding<) If we are to perform tese activities ourselves= te platform needs to support commonl" used tecnologies8 (it te increasing popularit" of :ode8s= it would /e useful to ave tis capa/ilit" /uilt into te platform and not reuire "et anoter tool to introduced into te In /e order for API teams to environment8 /e agile= rapidl" configure>/uild and deplo" APIs= it7s important to ave OO5B wi?ards tat can generate  APIs from $wagger docs= $OAP services and oter /ac9-end APIs8 It sould provide for cec9-/ox capa/ilit" to secure APIs using API 9e"s= OAut and /e a/le to enforce COR$ and oter commonl" expected policies8

Details 5e reports in tis list sould reuire no conf iguration8 :ormall" tese will include /asic traffic= usage= and performance information8 Drill down anal"tics allows for uic9 triage of te ealt of an API program and assists in rapid trou/lesooting during anomalous conditions8 :o vendor can provide ever" report we need o ut of te /ox8 5e platform sould ave a wi?ard for eas" creation of custom reports8 #an" decisions in an API program are /ased upon te location of users8 5e platform sould ave geo-location reporting /uilt in8 5e single greatest factor in te user satisfaction of an app is its response time8 Are te anal"tics collected in suc a wa" as to not impact response time) (e are not interested in creating a data silo8 5e collected anal"tics data must /e accessi/le for merging wit oter /usiness intelligence tools8 Be"ond operational level and developer level metrics= ow does te platform provide visi/ilit" to te /usiness)

Be"ond simple graps of traffic= wat visi/ilit" would an ops team gain from using te platform)

5e tool needs to /ot provide visi/ilit" into trends ;to prepare for capacit" /ursts or product demand= for e xample< and to allow inspection if anomalies are detected8 Do reports need to configured /efore launcing te s"stem) Can reports /e constructed on demand as te need arises ;li9e after viewing surprising traffic<)  After te fact forensics are important= /ut te a/ilit" to spot trends in advance is crucial in toda"7s environment8

5ransaction data= viewed in a vacuum= is of limited use8 Customer /eavior canges greatl" /ased upon teir location= te weater= te t"pe of device /eing used = etc8888 If needed= do "ou provide te services of data scientists to anal"?e tis contextual information and report /ac9 to te /usiness wit actiona/le insigts) 5e tool must support a variet" of anal"tics use cases witout reuiring additional programming

%or example= can tis data uer" /e completed3 uer" te list of customer ids ;part of te API pa"load< tat falls into segment vegi ;again part of API pa"load< tat called te order>create API ;API metadata< during te last seven da"s8

Details

OAut is one of te most widel" used forms of autentication for consumer or partner facing apps8 (e would li9e to understand /ot te product capa/ilities wit regards to OAut as well as real world experience8 FDAP and active director" are te most common forms of autentication in use toda"8 5is functionalit" sould /e accessi/le wit no coding8 Different t"pes of APIs and different t"pes of data reuire different t"pes of securit"8 $ometimes a secure $$F connection will /e sufficient8 $ometimes te pa"load will need to /e encr"pted as well8 COR$ ;Cross-origin resource saring< is a standard mecanism tat allows ava$cript #F6ttpReuest ;6R< calls executed in a we/ page to interact wit resources from non-origin domains8 COR$ is a commonl" implemented solution to te Gsame-origin polic"G tat is enforced /" all /rowsers8  As part of a defense in dept strateg"= does te platform elp in protecting against modern attac9 vectors suc as #F) In an effort to minimi?e te need for professional services and to accelerate time to mar9et= are all of te a/ove mentioned securit" features availa/le via standard policies>configuration)  Auditing and compliance processes dictate tat RBAC ;Role Based  Access Control< is supported /" enterprise platforms8 5e allows for an audit trail and administrative accounta/ilit"8 It also aids in te $DFC /" limiting te potential for one team7s wor9 to interfere wit te wor9 of anoter team8 #an" APIs reuire ;or eventuall" reuire< pa"ment processing as part of te moneti?ation strateg"8 PCI certification is necessar"8

Details (at additional development is reuired and wat features are supported)

Developer and partner productivit" depends on an e fficient on /oarding experience8 6ow does te tool ease tis friction) (ile documentation is important= experience sows tat a developer7s time to value is greatl" improved wit interactive tools8 5o assist developers and teams= will te" get teir own view of te metrics related to an" wic te" ave registered) Corporate policies ma"application dictate tat we collect certain pieces of information wen on/oarding a new developer8 5e data fields in te registration process need to /e configura/le to capture tese fields8

 As a follow up to te previous uestion= if we are to /e a/le to perform tis wor9 on our own= te portal will need to /e /ased on standard tecnologies8 In te event of an expired contract wit a developer or wen an a/normal situation occurs= te platform must allow for /ot te disa/ling and revocation of individual app 9e"s8 Farge partners reuire te a/ilit" to maintain te existing relationsips wit teir own developers8 6ow does te platform support tis second-level relationsip) $ome of te APIs will need to /e moneti?ed8 !iven tat tere are multiple wa"s to moneti?e an API= does te platform allow for mixing and matcing of tese models) Can te financial models /e created troug configuration onl" or do te" reuire custom coding) Once te metering as /een performed= it will /e necessar" to pass te transaction to a pa"ment processor8 5e platform sould /e a/le to connect to tese processors ;including CDRs<8

ss Platforms