We will close out this series by examining key decision criteria to help you select an API gateway. We offer a set of questions to determine which vendor solutions support your API technically, as well as the features your developers and administrators need. These criteria can be used to check solutions against your design goals and help you walk through the evaluation process.

Nota bene: use cases first

It is tempting to leap to a solution. After all, API development is a major trend, and security teams want to help solve API security problems. API gateways have been designed to enable developers to jump in quickly and easily. But there is no generic API security model good enough for all APIs. APIs are a glue layer, so the priorities and drivers are found by analyzing your API use cases: from what components you are gluing together, from what environment (enterprise, B2B, legacy, etc.), to what environment (mobile, Internet of Things, third-party developers, etc). This analysis provides crucial weighting for your priorities.

Product Architecture Describe the API gateway’s deployment model (software, hardware only, hardware + software, cloud, or something else).
Describe the scalability model. Does the API gateway scale horizontally or vertically?
What connectors and adapters, to other software and cloud services, are included?
How are new versions and updates handled?
What key features do you believe your product has that distinguishes it from competitors?
Access Provisioning and Developer Power Tools What credentials and tokens does the API gateway support for developers and API consumers?
How is access governed? What monitoring, management, and metrics features does the gateway offer?
Does the product offer client-side helper SDKs (iOS, Android, JavaScript, etc.) to simplify API consumer development?
Describe a typical “day in the life” of a developer, from registering a new API to production operationalization.
Describe out-of-the-box self-service features for registering new APIs.
Describe out-of-the-box self-service features for acquiring API keys and tokens.
Describe out-of-the-box self-service features for testing APIs.
Describe out-of-the-box self-service features for versioning APIs.
Describe how your API catalog help developers understand the available APIs and how to use them.
Development What integration is available for source code and configuration management?
For extending the product, what languages and tools are required to develop wrappers, adapters, and extensions?
What continuous integration tools (e.g., Jenkins) does your product work with?
Access Control How are API consumers authenticated?
How are API calls from API consumers authorized?
What level of authorization granularity is checked? Please describe where role, group, and attribute level authorization can be enforced.
What out-of-the-box features does the API gateway have for access key issuance, distribution, and verification?
What out-of-the-box features does the API gateway have for access key lifecycle management?
What tools are used to define technical security policy?
Describe support for delegated authorization.
What identity server functionality is available in the API gateway? e.g., OAuth Authorization Server, OAuth Resource server, SAML Identity Provider, SAML Relying Party, XACML PEP, XACML PDP, …
What identity protocol flows are supported, and what role does the API gateway play in them?
Interoperability What identity protocols and versions are supported (OAuth, SAML, etc.)?
What directories are supported (Active Directory, LDAP, etc.)?
What application servers are supported (WebSphere, IIS, Tomcat, SAP, etc.)?
What Service and Security gateways are supported (DataPower, Intel, Vordel, Layer7, etc.)?
Which cloud applications are supported?
Which mobile platforms supported?
Security Describe support for TLS/SSL.
Is client-side TLS/SSL (“2-way mutual authentication”) supported? How.
Please describe the API gateway’s support for whitelisting URLs.
What out-of-the-box functionality is in place to deal with injection attacks such as SQL injection?
How does the product defend against malicious JavaScript?
How does the gateway defend against URL redirect attacks?
How does the gateway defend against replay attacks?
What is the product’s internal security model?
Is Role-Based Access Control supported? Where?
How is access audited?
Cost Model How is the product licensed?
Does cost scale based on number of users, number of servers, or another criterion?
What is the charge for adapters and extensions?

This checklist offers a starting point for analyzing API gateway options. Review product capabilities to identify the best candidate, keeping in mind that integration is often the most important criterion for successful deployment. It is not as simple as picking the ‘best’ product – you need to find one that fits your architecture, and is amenable to development and operation by your team.