apidays
February 07, 2026

APIs in Government: A blueprint to automating Business to Government (B2G) with Public APIs

Who is it for: Any PubSec participants with external facing API programs.

What the talk covers:
• The Benefit of External APIs in Government
• Composability as foundation for Business to Government APIs
• Conformance and client onboarding
• Identity & Access Management Concepts for B2G APIs
• Community engagement through developer portal
• Client Case Study of a federal gov department

Key Takeaways:
• A practical blueprint to establish a B2G API program
• Best practices for technical & non technical aspects
• Case study lessons learned

------------------------------------

Conference Details:
Conference: apidays Australia 2025
Theme: Platforms, Products, and People: The Power of APIs in the Age of AI
Date: 29 - 30 October 2025 • MCEC, Melbourne Australia

--------------------------

Resources from apidays:
Join our upcoming conferences: https://www.apidays.global/
Read the latest API news: https://www.apiscene.io
Explore the API Landscape: https://apilandscape.apiscene.io/


Transcript

  1. Agenda
     1 The Digital Maturity Roadmap
     2 API First Approach as foundation for Business to Government APIs
     3 Trust and security are paramount for Public Sector B2G API programs
  2. The Digital Maturity Roadmap
     1 Manual: paper forms submitted offline and manually entered by the receiver (high admin overhead & prone to errors)
     2 Digitised: PDF forms filled, sent electronically / manually entered
     3 Portals: authenticate and interact / submit digitally directly into receiver systems
     4 Automated: APIs enable partners to directly retrieve and send relevant data from their systems into the receiver systems (target state: low admin overhead, efficient & high data quality)
     Source: Adapted from Digital Transformation Tech Talk, Dept of Health, 8 April 2022, presented by Fay Flevaras
  3. Use Cases for APIs in Public Sector
     Streamline both government and provider operations • Inform and interact with the public • Consumption of data • Bi-directional automation of processes
     ❖ Timely exchange of data
     ❖ Reduce operational costs and manual handling
     ❖ Increase the quality of data and the overall security
  4. Cultivate a thriving ecosystem
     • Start with the API Consumer
     • Observe, measure and iterate
     • Drive API consumption
     • Design and deliver your API products
     • Outside-in customer experience
     • Embrace openness and experimentation
     • Define your API business model
     • Engage with partners and co-create
  5. Cultivate a thriving ecosystem
     WRONG APPROACH: If you build it, they will come.
     BETTER APPROACH: Build it for them, with them.
  6. Cultivate a thriving ecosystem
     Best Practice Example: Department of Health, Disability and Ageing
     Co-design in a smaller group following a public invitation:
     • Consultations
     • Participates in co-design activities
     • Provides feedback
     • Comprising ICT vendors, aged care providers, etc.
     Regular webinars with updates on digital transformation:
     • Live webinar with Q&A
     • Recorded and published
     • Transparent & sector wide communication
  7. Principles & Capabilities for successful B2G API Programs
     1 API First approach
     2 Universal API Management: reusable, domain aligned services (System API, Process API, Experience API over backend systems such as SAP)
     3 API Portal: single point of access with developer friendly API discovery, documentation and sign up
     4 Identity & Access Management: individual and M2M authentication and authorization
     5 Onboarding & Conformance: risk based conformance framework, pre-prod validation testing and certification for conformance pre integration
     Enabling capabilities: API Gateway, Monitoring, Governance, API Policies & Security
  8. API First Approach as foundation for Business to Government APIs
     1 API First approach
     2 Universal API Management
     3 API Portal
  9. National API Design Standard
     Source: https://api.gov.au/sections/getting-started.html#what-is-this-design-standard
     Technical API design standard to be used across the WoG for cross-jurisdictional data sharing.
     System Level APIs: low-level APIs that are exposed directly by an application.
     Process Level APIs: APIs composed of other System APIs through orchestration and choreography.
     Experience Level APIs: APIs intended to ease the adoption between an organisation and its external consumers.
  10. Rapidly deliver Multi Channel Experiences (Experience layer)
     Innovation and digital products; multi channel innovation.
     Different channels such as app, portal & API will have slightly different requirements for authN/authZ, data validations, payload formats, etc.
  11. Orchestrate new processes for agility (Process layer)
     Agility and new value creation with reuse. Process APIs are built once & reused: an intelligent service layer to handle common processes and orchestration, providing a whole of agency services view.
  12. Expose core backend systems (System layer)
     Core assets (e.g. SAP) exposed via a consistent contract; legacy modernisation.
     151 connectors • 300 integration templates • Frequent new releases, >30 new connectors p.a. • Recently added: Snowflake, AWS Lambda, Outlook 365, etc.
  13. API portals
     Self service support hub • Low barriers to access while maintaining trust • Communication nucleus • Top notch API reference
     Best Practice Example: developer.health.gov.au
  14. One Unified Platform to Manage the Full API Lifecycle
     (Diagram) Oncology Information System, EMR Systems, PAS System and Mobile App connected through the Anypoint Platform (API Login, API Conversion) for consumption and reuse.
  15. Trust and security are paramount for Public Sector B2G API programs
     4 Identity & Access Management
     5 Onboarding & Conformance
  16. Identity & Access Management Concepts
     Every API must be protected! But the extent to which this is done depends on the sensitivity of the data. Options, from lightest to strongest:
     • API Key & Secret: little overhead and easy to implement; insufficient security for sensitive data
     • Assertion & Certificate based
     • OAuth2 & OpenID Connect: "banking grade security" with public & private keys; higher overheads for both API provider and consumer
  17. Assertion & Certificate based security for B2G APIs with OAuth2 & OpenID Connect
     Components: (1) self service in the API Developer Portal, (2) Identity & Access Management System (IdAM), (3) API Gateway; the External API Client interacts with all three.
     Initial Registration: the client registers in the API Developer Portal, exchanges its certificate and is registered through the Registration API.
     Authentication API: the client requests an access token; the IdAM validates the client credentials.
     Business API: the client accesses the API resource through the API Gateway.
  18. The need for Conformance
     (Diagram) Your organization's data and processes, connected to your partners' data and processes (System A, System B, System C).
     As you increase programmatic access to your organisation's data and processes, you will need to ensure that your partners' systems meet appropriate privacy and security requirements.
  19. Typical Conformance Process for Public Sector API Programs
     1 Registration: developer portal supported registration.
     2 Conformance Requirements: additional security and conformance requirements that API implementers must meet and show evidence for (optional, risk based).
     3 Implement API: the business partner implements the API on their side and tests it against a lower environment.
     4 Submit Test Report: submit a test summary report and Declaration of Conformance via the developer portal.
     5 Validate: review and validate test evidence and documentation to determine whether the software is conformant.
     6 Issue Credentials: register the business partner in the production environment and issue API production environment credentials.
  20. Risk based approach to conformance
     Example requirements, by increasing risk:
     • "The system must use the gateway authentication API and manage refresh tokens"
     • "Individual users are authenticated in your application and you have an audit trail"
     • "Multi factor authentication for users and all data is encrypted in transit and at rest"
     • "Application enforces role based access and the roles are aligned with requirements xyz"