Source: cloud.google.com (XLSX)
Review Criteria for API-powered Digital Business Platforms
Updated 04-28-2020
Overview
A Vendor Experience
B Architecture
C API Gateway
D API Analytics and Monitoring
E API Security
F Developer Portal
G Microservices
H Governance and SDLC
I Training and Support
Section A - Vendor Experience
ID | Requirement | Details | Response
A1 | Please describe your company's strategy around API management. | APIs are a critical part of our company's ability to prosper in an increasingly digital society. It is |
A2 | When did your API management product first become generally available (GA)? | We're interested in the track record of your company in API management. |
A3 | Is your API Management platform a leader in the Gartner Magic Quadrant? | We're interested in understanding how 3rd-party industry analyst experts measure your platform |
A4 | Are there Fortune Global 500 companies using your API management product? | In addition to the product features, we would like to understand the real world experience you |
A5 | Provide examples of companies who are running mission critical APIs on your API | Companies that rely on your platform to significantly influence their customer |
A6 | Can you provide examples of your thought leadership in the API space? | APIs, social, and mobile are fast moving topics. We would like to work with a vendor who leads |
A7 | What kind of experience do you have running a managed cloud solution at scale for your cloud | While many vendors are now offering cloud-based versions of their products, it is critical that |
A8 | Do you provide use cases and testimonials for your existing customers? | We would like to know more about your real world experience. |
A9 | How do you onboard and partner with customers for success? | |
A10 | Can you provide some statistics for your largest customers in terms of volume and | |
Section B - Architecture
ID | Requirement | Details | Response
B1 | Does your product support SaaS, customer-managed, and hybrid deployments? | Depending on present and future project requirements, we may need different |
B2 | Can your customer-managed offering (sometimes called "Private Cloud") operate | |
B3 | Does the platform architecture support multi-tenancy? | The ability to run a multi-tenant environment can be important when dealing with multiple lines of |
B4 | Can multiple teams work independently with runtime isolation? | An enterprise SDLC (software development life cycle) can be a complicated process with many |
B5 | How does the platform support a multi-region, multi-data center deployment to ensure the | Geographical redundancy is important both for high availability and also for latency and |
B6 | Explain how your solution supports flexible scaling and describe what is needed to | Unexpected bursts in API Traffic are bound to happen. We need to know that our capacity can |
B7 | Does your solution provide a centralized interface for managing multiple data center | Ease of management is one of the day-to-day considerations in choosing a platform such as |
B8 | Does the solution support zero downtime patching and updates? | For critical applications and a geographically dispersed user base, how can the platform be |
B9 | Does the solution have the ability to do intelligent traffic routing to give users the | For latency sensitive applications, intelligent routing to the nearest point of presence can be |
B10 | Does the solution support a hybrid deployment model? This is one in which traffic | For system to system calls within a single data center, it can be useful to eliminate the latency |
B11 | Does the solution provide the ability to start out as a SaaS (Public Cloud) version and later | Requirements and philosophies will change during the lifetime of an API or for evaluation |
Section C - API Gateway
ID | Requirement | Details | Response
C1 | Does the product support OpenAPI (formerly known as Swagger) to design APIs and | |
C2 | Does the product facilitate rapid prototyping of mock APIs? | |
C3 | Does the product help create uniform, consistent, well-formed APIs, even if the | |
C4 | Is it possible for a company to enforce behavior for all APIs exposed by the system? | In some cases, we have security requirements that must be verified. How does the product |
C5 | How are existing SOAP services added? | How is complex data transformation handled? |
C6 | Can deployments of assets be automated for the development lifecycle? | How hard is it to incorporate into existing development standard tools? What development |
C7 | Can your platform reference existing assets such as encryption libraries, schema validation | |
C8 | How does your product support threat detection by detecting fraudulent data | |
C9 | Please describe your product's ability to protect from traffic spikes. | |
C10 | Please describe the product's ability to manage API consumption through quotas. Can quotas | |
C11 | Can quotas be synchronized across multi-region deployments? | |
C12 | Does the platform support publishing existing services in various formats - for example | |
C13 | Does the product support API virtualization and mashups? | For example getCustomerInfo API would require multiple back-end calls to be made to multiple |
C14 | Please describe your ability to enhance API functionality through both configuration and | Many times, configuration can become prohibitively complex to accomplish the same |
C15 | Please describe any out of the box functions for traffic throttling, caching, quotas, payload | |
C16 | Are standard transformations included? (XML to JSON, JSON to XML, SOAP to REST, REST | In order to reuse existing systems or to talk with legacy systems, it is important that the platform |
C17 | Does the proxy support compression? | Can messages be both sent and received by the proxy in a compressed format? This will save |
C18 | Does the proxy support HTTP & HTTPS? | How can we configure the platform to secure the communications into the system, and out of |
C19 | Are streaming connections supported? | For long running transactions or large payloads, can the proxy stream traffic? |
C20 | Please describe the debugging tools built into the platform. | Distributed systems are more complex than client server systems. What tools does the |
C21 | Can the debugging tool show a "before" and "after" of each policy during replay? Also can | This functionality can be crucial during forensics or during pre-production testing of a policy. |
C22 | How is versioning supported? | To minimize impact to developers and users, versioning needs to be flexible. Versioning |
C23 | Are all policies and system configurations stored using standards based formats? Can | A standard format like XML allows for easy transformation and manipulation in a variety of |
C24 | Does the product support caching? | Caching at the API gateway level minimizes hits against the back end systems. |
C25 | In addition to an expiration, can the cache be manipulated programmatically? | While it is important to be able to set a cache to expire at a certain point in time, it is also |
C26 | Do you support a multi-level cache model? For example, is the in-memory cache able to spill | In-memory cache is very fast, but has limitations of size. The ability to perform multi-level caching |
C27 | Does the product support caching based on payload information and HTTP headers? Is this | To optimize caching, the platform should be able to cache based on many types of information, |
C28 | Does the proxy have rate limiting, quotas, and spike arrests? | Access to data and load on back-end systems must be configurable and controllable. The |
C29 | Can API mediation behavior change dynamically based upon factors such as user | In the dynamic world of APIs and mobile applications it is often necessary for the platform |
C30 | Does the proxy support dynamic routing (orchestration—or intelligent routing to a | In the dynamic world of APIs and mobile applications it is often necessary for the platform |
C31 | How effectively and to what extent can the core functionality of the platform be customized by | In the interest of minimizing professional services and increasing time to market, can |
C32 | Does the platform support extensions using common languages like Java, Python, or | If customers want to build extensions to the platform capabilities, is it possible using |
C33 | Can the platform host and run unmodified Node.js applications in order to implement | With the increasing popularity of Node.js, it would be useful to have this capability built into |
C34 | Does the platform have wizards to generate APIs from OpenAPI (formerly Swagger), SOAP | In order for API teams to be agile, and rapidly configure/build and deploy APIs, it's important to |
C35 | Does your product provide flexibility to extend the functionality and implement attribute | |
C36 | How does the product support API Lifecycle governance? | |
C37 | Can your product publish APIs for external and internal consumers? How are these managed | |
C38 | How do you manage API visibility and restrict access to consumers? Is this configuration in | |
C39 | Does the platform support the ability for an API to call another managed API endpoint out of | |
C40 | Does your product support a common error handling pattern? | |
Section D - API Analytics and Monitoring
ID | Requirement | Details | Response
D1 | Please describe the out-of-the-box analytics reports provided by the tool. | The reports in this list should require no configuration. Normally these will include basic |
D2 | Does the UI allow for drill down on each of the charts? | Drill down analytics allows for quick triage of the health of an API program and assists in rapid |
D3 | Does the product provide easy-to-use custom reporting capabilities over multiple dimensions | No vendor can provide every report we need out of the box. The platform should have a wizard |
D4 | Are there maps for detailing geo-location of API calls? | Many decisions in an API program are based upon the location of users. The platform should |
D5 | Are the analytics collected asynchronously (so as not to impede runtime traffic)? | The single greatest factor in the user satisfaction of an app is its response time. Are |
D6 | Do the analytics data, once collected, provide an API for easy access and export? | We are not interested in creating a data silo. The collected analytics data must be accessible |
D7 | Can the solution be used to provide business level visibility? | Beyond operational level and developer level metrics, how does the platform provide visibility |
D8 | What level of operational visibility can the solution provide based on API traffic flowing | Beyond simple graphs of traffic, what visibility would an ops team gain from using the |
D9 | What tools are available out of the box to do various kinds of trend analysis and inspection | The tool needs to both provide visibility into trends (to prepare for capacity bursts or product |
D10 | Does the product allow customers to create reports on-demand? | Do reports need to be configured before launching the system? Can reports be |
D11 | What metrics and dimensions are supported by the tool? | The tool must support a variety of analytics use cases without requiring additional programming |
D12 | Do you provide service performance monitoring, reporting, and analysis? | |
D13 | Is payload data captured? Can this data be used for reporting? | For example, imagine an API call allows the user to search for a list of products by |
D14 | What are the exception management reporting capabilities? | |
D15 | Does your product provide end-to-end visibility by supporting the creation or injection of a | A transaction tracing identifier is passed between systems to correlate individual system |
D16 | Does your product provide application usage visibility and trending performance statistics? | |
D17 | Does your solution support billing based on a period of time and/or aggregate transactions | |
D18 | Does the solution provide performance management data with counters per | |
D19 | What level of reporting is available to the API Consumer? (call latency, SLA compliance, | |
D20 | Does your product provide the ability to easily integrate analytic data with other systems, for | |
D21 | Are all of your billing and developer usage data available via an API to allow an easy | |
D22 | Does your product include the ability to detect anomalous behavior in API traffic, and to alert | |
Section E - API Security
ID | Requirement | Details | Response
E1 | How is single sign-on supported for Administrators and Operators of your product? | |
E2 | How is single sign-on supported for visitors to the developer portal? | |
E3 | How is single sign-on supported for Users of the APIs managed by your product? | |
E4 | What are the standard industry security certifications available for your product? | |
E5 | What are the product data security controls for customer data? i.e. data processing, data | |
E6 | Does the product support open standards such as OpenID Connect to delegate authentication | |
E7 | Explain the mechanisms you use to support API security (e.g. tokens, encryption, policy | |
E8 | Please describe the support in the product for OAuth. | OAuth is one of the most widely used forms of authentication for consumer or partner facing |
E9 | Does the product support connecting to Active Directory to verify credentials and retrieve | Okta, Ping, and Active Directory are the most common forms of authentication in use today. |
E10 | Does the product support both secure channels and secure payloads? | Different types of APIs and different types of data require different types of security. |
E11 | Does the product or platform provide support for CORS? | CORS (Cross-origin resource sharing) is a standard mechanism that allows JavaScript |
E12 | Does the platform protect against XML or JSON attacks? | As part of a defense in depth strategy, does the platform help in protecting against modern |
E13 | OAuth 2.0 doesn't include a mechanism for verifying the integrity of payloads; does the | |
E14 | Can the product be extended to support custom/proprietary security mechanisms? | |
E15 | Can APIs be secured at the operation level? (Ex: can do GET, but not POST or PUT) | |
E16 | Can your product enforce time-relative authorization? For example, can your product | |
E17 | Can your product expose APIs that bridge security protocols? For example, accept an | |
E18 | Does the product include a secure, encrypted store? Can the product connect to a secure | |
E19 | Does your product have a way to report on the security stance of all APIs managed within, to | |
E20 | How does the solution mitigate sophisticated bot and malicious client attacks? | |
E21 | Can the product include third-party client verification, such as through Recaptcha | |
E22 | Is your public cloud offering PCI DSS certified? If so, what versions are certified? | Many APIs require (or eventually require) payment processing as part of the monetization |
E23 | Does your public cloud offering support the delivery of HIPAA compliant services? | |
E24 | Is your public cloud offering HITRUST certified? | The HITRUST CSF is an industry-agnostic certifiable framework for regulatory compliance |
Section F - Developer Portal
ID | Requirement | Details | Response
F1 | Please describe how the tool facilitates onboarding. Can the portal be deployed as part of | Developer and partner productivity depends on an efficient onboarding experience. How does |
F2 | Does the solution provide interactive documentation to allow API consumers to | While documentation is important, experience shows that a developer's time to value is greatly |
F3 | Is the registration form customizable? | Corporate policies may dictate that we collect certain pieces of information when onboarding a |
F4 | Can the customer customize, skin, and modify the portal without vendor involvement? | |
F5 | Does the portal leverage standard CMS technologies to ensure easy to find skill sets | As a follow up to the previous question, if we are to be able to perform this work on our own, the |
F6 | Does the tool provide the ability to revoke or suspend developer keys? | In the event of an expired contract with a developer or when an abnormal situation |
F7 | Does the solution support a delegation model which allows enterprises to let their partners | Large partners require the ability to maintain the existing relationships with their own developers. |
F8 | Does the developer portal support integration with existing Identity Providers? | Internal guidelines might require the support of single sign-on with existing identity solutions. |
F9 | What mechanisms for filtering which APIs are visible to which API users as they browse or | We want to make it easy for developers to find the appropriate API Product and also control |
F10 | Please describe the ability for the platform to support monetization. What are the various | Some of the APIs will need to be monetized. Given that there are multiple ways to monetize |
F11 | Are the pricing models configurable without coding? | Can the financial models be created through configuration only or do they require custom |
F12 | Does the platform integrate with third-party payment systems? | Once the metering has been performed, it will be necessary to pass the transaction to a |
Section G - Microservices
ID | Requirement | Details | Response
G1 | Can the solution's capabilities be used to manage the consumption of a microservice? | |
G2 | Can the API management solution manage multiple microservices, each built in a different | Microservices architectures are often polyglot environments consisting of services built in |
G3 | Can the API management solution act as a facade or lightweight composition layer, | Microservices architectures often contain many independent microservices, each providing their |
G4 | Can the API management solution manage multiple microservices alongside legacy | Many companies are transitioning to microservices architectures over time. During |
G5 | Can API proxies be built and deployed independently of other API proxies? | One of the benefits of a microservice architecture is the ability to deploy them |
G6 | Does the API management solution support a hybrid model for all of the inter-process | Adding a call out to the internet to proxy each of the internal calls within a microservice mesh can |
G7 | Can the API management solution be used in combination with an existing microservices | |
G8 | Can the API management layer be scaled at the same rate as the underlying microservices | One of the benefits of a microservices architecture is the ability to scale a microservice |
G9 | Does the API management solution provide security policies for microservices? | |
G10 | Does the API management solution provide analytics capability for microservices? | In a microservices architecture, gaining visibility into the complex web of interdependencies can |
Section H - Governance and SDLC
ID | Requirement | Details | Response
H1 | Does your API management product support continuous integration and continuous delivery | We have, or may want to adopt, devops practices for automation, workflows, processes, |
H2 | How are APIs promoted from development all the way to production and how does the system help? | APIs will need to be developed and move through several different steps along the SDLC |
H3 | Does the platform support decentralized governance of independent API teams within an | Our organization has multiple business units and/or divisions that operate independently of |