Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango

Transcript

1. Marjukka Niinioja, Osaango API Compliance By Design

2. None

3. Nice to meet you! Osaango Ltd founder, consultant and trainer.

   Marjukka has been named TIVI-magazine top 100 IT-influencers 2018-2022. She is co-author of API Economy 101 and co-founder of The API Collective and local organizer of APIdays Helsinki & North. Marjukka Niinioja, Founding partner at Osaango @osaangoltd @mniinioja www.osaango.com We are a specialized boutique consultancy. We focus on consulting on smart business ecosystems and underlying APIs, data and operational technology. Member of OpenAPI Initiative. Osaango Ltd Our customers are medium and large enterprises in fintech, media, legal, education, public sector, technology, building and construction. Our clients Osaango is part of The API Collective, global API specialist consultants. More details from www.theapicollective.com 2

4. Why should we care about Compliance by Design in API?

   Think of Compliance by Design as laying the groundwork for a house. You wouldn't add the foundation after building the walls, would you? Similarly, start with compliance in mind when designing your APIs.

5. Strategic alignment Just like pairing the right wine with the

   right cheese, aligning API development with business goals is crucial. It's not only about ticking off compliance boxes; it's about making compliance work for you! As an API provider, it's like being a chef – you need to ensure you're cooking up the right APIs for your hungry consumers. As an API consumer, you're the food critic. You need to know which APIs meet your high standards of compliance before deciding to dine with them. Tämä kuva, tekijä Tuntematon tekijä, käyttöoikeus: CC BY-NC-ND

6. • Compliance isn't just a buzzword—it's a safety net. •

   It's about keeping your secrets secret, making sure you're playing by the rules, and ensuring smooth sailing in operations. • As for the rulebook, it differs based on who you are and what you're up to. But at the very least, you'll want to cozy up with the GDPR (or your local equivalent), along with any industry- specific guidelines. What is API Compliance?

7. You must do API compliance by • Using automated compliance

   checks. • Implementing comprehensive documentation. • Ensuring continuous monitoring and auditing • Implementing API management But doing only these things will result in basic solutions, and would not identify and ensure the real, built-in, compliance. Use the APIOps Cycles (www.apiopscycles.com) method in your API design process to create the right level of compliance in your APIs from the start. How to Design for Compliance

8. Case Study: Designing for AI

9. Ensure you are designing APIs for AI applications that respect

   business domain boundaries.

10. Avoide the provision of illegal or non- applicable advice (example

    Fondia’s AI lawyer that should not answer questions that it doesn’t have articles about or law’s in countries it doesn’t support. Ensure technical safety, including robust authentication and authorization suitable for partner use cases. Address vulnerabilities (especially OWASP top 10 process flow!) and adhere to GDPR regulations. Compliance Challenges:

11. Implement domain-specific validation and business logic. Utilizing secure authentication mechanisms

    like OAuth2 - remember to not trust the clients! Conduct regular security audits and ensuring data privacy - including prompt engineering and access to any underlying APIs prompt data. Solutions and Best Practices:

12. Enhance API Interoperability with OpenAPI, AsyncAPI, and Industry-Specific Standards like

    DEXPI, FHIR, etc. Compliance Challenges: • Ensuring APIs are defined using widely accepted standards. • Maintaining compatibility and interoperability with other systems. Solutions and Best Practices: • Leveraging tools and frameworks that support OpenAPI, AsyncAPI specifications. • Following best practices for schema definitions and versioning. • Engaging in community standards to stay updated with the latest developments. Case Study: Using Standard Definitions

13. https://www.osaango.com/blog/what-is-an-open-api-or-what-makes-an-api-widely-adopted

14. Applying APIOps Cycles to Ensure API Compliance APIOps Cycles is

    an openly licensed (CC-BY-SA 4.0) method of lean and business-oriented API development. It promotes collaboration, easy and fast methods that enable business, product and technical experts to collaborate and communicate on new API and feature discovery, reuse and improvements. https://www.apiopscycles.com/

15. Identify Compliance Requirements Early: Use the API Canvas to map

    out business needs, including compliance requirements such as GDPR, industry standards (ISO), and security protocols. This ensures that compliance is considered from the outset. Stakeholder Engagement: Engage with legal, security, and business stakeholders to define what compliance means for your API. 1. Business First with API Canvas

16. Documentation and Standards: Ensure that compliance-related documentation is clear and

    accessible. Use standards like OpenAPI to define your API structure, which helps in maintaining consistency and adherence to compliance guidelines. Developer Onboarding: Simplify the process for developers to understand and implement compliance features, reducing the risk of non-compliance due to misunderstandings. 2. Mind the Developer Experience

17. Design for Compliance: Incorporate security and privacy by design principles

    into the API architecture. This includes using secure authentication and authorization mechanisms suitable for partner use cases, avoiding vulnerabilities, and ensuring data protection as per GDPR. Versioning and Namespace Management: Implement a robust versioning strategy to manage changes and ensure backward compatibility. Use namespaces to organize APIs logically, which helps in managing compliance across different API versions. 3. Minimum Viable API Architecture
18. None

19. Lean more at www.apiopscycles.com and www.osaango.academy Learn and support the

    method development by signing up to the new “Use APIOps Like a Pro!” course Let’s stay in touch! www.osaango.com www.theapicollective.com [email protected] +358408387308