Cloud computing APIs pose vendor lock-in risks

Cloud APIs are playing an increasingly important role within many IT shops. But without proper governance, they're also a gateway to cloud vendor lock-in.

Organizations migrating to the cloud likely understand the importance of application programming interfaces. These are typically RESTful web services that provide infrastructure services, such as storage and compute, or application services, such as business analytics. 

But as more enterprises depend on these application programming interfaces (APIs), some fear they will become locked into these services. Business processes and applications become tightly coupled to cloud computing APIs, becoming functionally dependent and, eventually, leading to lock-in.

Many of these fears are well-founded. Building applications around cloud-native services and APIs that are specific to a certain cloud provider or platform is the fundamental mechanism behind cloud lock-in. So why use cloud-native services at all?

First, they allow organizations to take advantage of advanced capabilities for applications, such as auto-provisioning and auto-scaling. They also provide application-level functions, like cloud database access, that are native to the cloud provider. 

Additionally, cloud computing APIs and cloud-native services lead to better performance. Cloud-native interfaces don't have to run through abstraction layers or translate platform-specific calls, such as accessing storage and compute services.

Finally, they provide native security, governance and management services. In this case, enterprises must buy into the way the cloud provider furnishes these services, which may not mesh with their own existing services or those provided by other cloud vendors. 

So while APIs and cloud-native services deliver a number of benefits, they still pose the risk of locking an application to a specific cloud provider. Here are three ways to avoid API lock-in, or at least mitigate the risk:

Use a cloud services governance system

A cloud API governance approach focuses on automation and governance at the cloud services layer. Cloud services governance is a general term that refers to the process of applying specific policies or principles to the use of cloud computing APIs or services. 

The goal of cloud services governance, as well as the governance tools that support it, is to place an abstraction layer between cloud services and the teams managing them. Applications can use this abstraction layer, as well, allowing businesses to use other cloud services with the same service governance layer and reduce lock-in risks.

Examples of cloud API governance technologies include Apigee and Mashery.

Use a cloud resource governance system

Just as they govern cloud computing APIs and services, organizations should govern cloud resources as well. They can manage intricate cloud interfaces through resource governance tools, also known as cloud management platforms (CMPs).

Although CMPs offer governance capabilities, they take a different approach than cloud services and API governance tools. CMPs focus on the cloud resources themselves, such as storage, compute and database services, versus just the interfaces into the resources, like cloud services and APIs. Examples of CMPs include ServiceMesh, now owned by CSC, and RightScale Inc. 

Again, cloud abstraction layers are abstract APIs placed between the native cloud resources and the interface. As a result, organizations can use the same tools and interfaces for several cloud provider platforms to minimize lock-in risks. The abstraction layer can lead to better portability, along with the ability to manage different cloud platforms using a single pane of glass or single API set. 

Use an open cloud standard

While there are pros and cons of using an open source cloud platform like OpenStack, the APIs will be consistent from distribution to distribution. As a result, the APIs are likely to be compatible and lock-in becomes a non-issue.

In the real world, we're going to see some lock-in with cloud computing APIs. And while we can avoid it, or at least reduce the risk, using the three approaches above, it costs time and money, which some enterprises may not be willing to invest. However, just being aware that API lock-in issues exist, and managing them as best as you can, is where the real value lies.
