There is an idiom in English, “you don’t let the foxes guard the hen house.” I’m not sure how well it translates, but the meaning is simple – don’t put people or things that can’t necessarily be trusted in charge of tasks that require trust.
This was essentially the sub-theme of my first API Rant, where I opined that the monitoring industry was becoming quite self-serving. But it’s a topic to explore in more detail because it’s come back and annoyed me again during a conversation with one of the API industry’s top vendors.
Me: (Explaining what we do and why people use it….)
Top Industry Vendor: (Arms crossed, looking grumpy) We do that…
Me: But you don’t, you only do X?
TIV: No, we do that too.
TIV: (Looks shifty) Well, we don’t actually need to do it that way because we monitor EVERYTHING.
Me: But you also supply the entire infrastructure?
Me: You don’t think there is a conflict there?
TIV: (Now looking confused) No?
And so on.
Here’s the key thing. Do you trust the people who provided you with the infrastructure to tell you that everything is working just fine? After all, they have your best interests at heart, don’t they? Well? Do they?
API Rant – who else self-certifies?
What other industry or field would leave the verification that what they have sold you works as you expect it to, to the people who sold you the product in the first place? Or have an industry self-report that the services you rely on are working just great? After all, in the annals of human history nothing bad has happened because entire industries self-monitor and self-police. We’ve never had a banking crisis from over-leveraged lending, or drugs that weren’t fit for use put on the market early, or dangerous manufacturing practices polluting entire regions.
You get my point. Having a cloud vendor makes sense, having an API gateway makes sense, having IT infrastructure outsourcing providers MAKES SENSE – having them self-certify that what they have sold you works the way that you think it does, does not.
The API Economy is becoming key to how everything glues together – from carrier backends, through home automation and the tech we use to work from home in these weird times, through to the banking infrastructure that is coming into being as we watch. Even healthcare is moving away from shuffling bits of paper around by mail and courier to secure and, hopefully, trusted API exchanges.
These are serious, important things we are increasingly expecting APIs to get in the middle of. We need to have serious and important conversations about how we agree that such things are working, are secure, are meaningful and, above all, trusted to do the very important tasks we are setting for them.
As I like to remind people, while APIs have been around for over 50 years, the API Economy as we know it today has been around for less than a fifth of that time and is still finding its feet. But the time is coming for a real, meaningful trust framework to be put in place for APIs – for API security, for API quality and for API contracts between providers and consumers. It needs to be transparent, open and, dare I say it again, meaningful.
Without that it will be increasingly hard to build the trust needed in critical technologies in a time when trust is sorely lacking.