Last in our series of posts looking at API management platforms is Layer 7.

The Layer 7 API Management Solution evolved from their SOA gateway products, which Smart421 has been tracking for a number of years. Computer Associates (CA) acquired Layer 7 on 22nd April 2013, with the Layer 7 products becoming a key strategic element of CA’s security product portfolio.

The Layer 7 products can be deployed in four ways: as hardware appliances, as VMware Virtual Appliances (i.e. packaged VXDs), as Amazon AWS Machine Images, and as a traditional deployable software package. Different product ranges apply to each deployment approach, but all options use a traditional perpetual licence arrangement with annual support. Exact licence terms and costs vary by deployment approach, but are in general based on the performance of the hardware.

For companies that prefer to use hardware appliances, terms are significantly less onerous than other appliances (e.g. IBM DataPower), as hardware and software licences are paid separately, so replacing hardware doesn’t require a new software licence. Equally, software upgrades for appliances are provided as a standard part of annual support for as long as the hardware can support them, rather than being firmware upgrades which are provided for a shorter length of time.

Alongside their core API management products, Layer 7 have a software as a service offering known as APIfy. This proposition is currently in beta, is free to use, and could be an interesting deployment option for customers if a clear upgrade path to the full product becomes available when it leaves beta.

The Layer 7 products support all the features you would expect of an API management platform, but because this platform is based on Layer 7’s mature XML gateway product, it also supports very extensive and flexible features for traffic management, custom security, message encryption, transformation, and routing. The core API management functions have been implemented using the same SOA gateway primitives available to developers, which gives a good indication of the power of the gateway.


  • Long history of providing high security SOA gateway technology is an excellent foundation for deployment in blue chip organisations with stringent security requirements. Supports a wide range of security technologies, e.g. SAML, X.509, LDAP, OAuth, OpenID and Kerberos.
  • Very flexible technology providing support for esoteric/unusual environments common in enterprises. Supports protocol transformation (even down to TCP/IP sockets), complex routing, orchestration and parallel execution.
  • Extensible with Java plugins.
  • Flexible deployment models, on prem and in-cloud.
  • Very strong scoring by both Gartner & Forrester.
  • The only one of the four vendors’ offerings that is available from the AWS Marketplace (but still using a BYOL model).


  • Unlike e.g. APIgee, there is no ‘free’ version that can be used for a production pilot with easy migration to the production version. This may change once APIfy leaves beta.
  • Traditional commercial models only – no pay-as-you-go option, although licences are available for trial use.

When would we use it?

  • Enterprises requiring high-security on premises deployment with virtual or hardware appliances.
  • Enterprises wanting to deploy a custom solution within an AWS virtual private cloud (i.e. where all components are hosted within the client’s virtual cloud rather than on the public internet).
  • Enterprises with complex integration requirements (e.g. integration with MQ, databases, TCP/IP sockets etc).


Next in our series of posts looking at API management platforms is Mashery.

Mashery scored well in both Gartner and Forrester reports. Mashery were acquired in April last year by Intel. This has both strengthened Mashery, with the backing of a company the size of Intel, and provided Intel with a way into the API Management marketplace, in line with their recent shift towards the software market (e.g. through the acquisition of McAfee).

The Mashery product provides similar features to the other products, and can be deployed both in the cloud and on-premises. Integration between Mashery and Intel’s Expressway Gateway appliance will also add comfort to those customers who are used to having a physical appliance on premise.

Interestingly, Mashery’s marketing message revolves as much around internal APIs as public ones, something we agree with wholeheartedly.


  • Strong, feature rich product (including protocol translation; SAML, X.509, LDAP, OAuth, OpenID support; policy enforcement etc).
  • On-premise, Cloud and hybrid options available which provides flexibility when engaging with customers.
  • Strong presence in the UK markets with the likes of Argos, TomTom, ASOS, Experian etc using their products.
  • Strong Developer Portal supported by Mashery I/O Docs.
  • Backing of Intel likely to lead to significant investment into the Mashery products.


  • Risk of potential product consolidation as a result of Intel Acquisition, although no sign of this occurring yet.
  • Like Apigee, in our opinion the enterprise security story isn’t quite as strong with the core Mashery product as with some other options, although this is bolstered by integration with Intel’s Expressway appliances.
  • Level of sophistication of the integration with Expressway was unclear in our investigation. It might be brilliant, but we’d advise further investigation.

When would we use it?

  • Deployment where quality of portal experience is paramount.
  • Where a customer is an existing Expressway customer, or has a strong preference for physical appliances and/or Intel networking kit.
  • To utilise the enhanced capabilities such as pre-packaged reporting for internal and/or external use, policy enforcement or protocol translation.

Next in our series of posts looking at API management platforms is 3scale.

3Scale offer a SaaS API Management Solution which differs from the other API Management Vendors in the way it handles API traffic. Rather than applying authorisation, rate limits and quotas through a centralised proxy, 3Scale provide a series of open source plugins, allowing decentralised processing of traffic. These plugins can be installed either within individual applications (APIs provided for Java, Node.js, PHP, Ruby, .NET, Perl and Python), existing ESBs, or within on-premises or cloud hosted proxy servers running NGINX, Varnish or Apache HTTP Server. 3Scale also supports integration with the Akamai Content Distribution Network allowing authentication, throttling and caching to occur at the network edges.

As with the other API Management vendors, 3Scale offers reporting on API utilisation for both API owners and API consumers.

Regardless of the chosen deployment methodology, API traffic does not traverse or get stored within 3Scale’s infrastructure, eliminating a potential scalability bottleneck and easing any potential concerns about security, particularly given recent revelations about national intelligence agencies’ ability to conduct surveillance on private communication lines.

3Scale is a simpler product than many of the others, and therefore does not support e.g. message transformation or routing (see the disadvantages section below). Smart421 would therefore recommend 3Scale is deployed alongside existing integration infrastructure. 3Scale’s plugin architecture should allow 3Scale capabilities to be added to an existing ESB technology.

Whilst they didn’t score as highly in the Gartner and Forrester reports, 3Scale do have some big-name customers such as Skype, US Department of Energy, Telegraph Group, Transport for London and JustGiving.


  • Simple, low pricing.
  • Free tier allows POCs and Pilots to be built and deployed cheaply and easily.
  • Clean simple architecture supporting both cloud and on-prem deployment of traffic management components.
  • IaaS deployment solutions for NGINX on AWS, Heroku and Microsoft Azure.
  • Solid core product including authentication/authorisation, developer plans, developer portals, forums and billing engine.


  • Not as feature rich as some of the competition. In particular doesn’t provide the ability to do protocol or message transformation, although this can be achieved by creating custom NGINX Lua scripts. Orchestration of multiple underlying calls is also not supported.
  • Portal always cloud hosted, which may be a hard barrier for some customers.
  • Rated towards the back of the pack by both Gartner and Forrester.
  • Smaller company than most other players, which carries some commercial risk.  3scale secured $4.2m private funding in April 2013.

When would we use it?

  • Smaller customers for whom cost is the overriding factor.
  • Customers looking for a simple solution to combine with an existing investment in internal REST-capable ESB technology, or green field customers who will expose REST APIs directly from back-end systems.

As we mentioned last week, for the next few weeks we’re going to give you a whistle-stop tour of the key API management platforms we have our eye on.

I should be clear: This is our view, not fact. Do your own due diligence before making any purchasing decisions!

First up: Apigee.

Apigee is a well-established API Management Solutions provider (founded in 2004 and previously known as Sonoa Systems) with a strong reputation within the marketplace. Many (over 500) companies use their API Management Solutions, including well-known brands such as Twitter, Nike, AT&T and eBay.

Apigee are positioning themselves as an all-encompassing Digital Services provider, branching out into providing commonly required supporting APIs for building e.g. social network features and push notifications etc. The Apigee platform itself is very capable, supporting both cloud and on-premises deployment.

Apigee recently closed $35m in funding to “meet demand as the businesses transform for the Digital World built on Apps, Data and APIs”. This funding came from BlackRock, Inc and Accenture.


  • Well established and respected brand in the API Management marketplace.
  • Supports both Cloud and On-Premise solutions.
  • Developer portal is good (using Drupal) and could be skinned to customers.
  • API-DN (distribution network), which moves policy enforcement out towards the network edge in a similar way to a CDN.
  • Very broad range of features, extending well beyond just an API gateway:
  • A free offering is available. Limitations (amongst others): Cloud only, portal is for non-production use only. No support for SSL. Reduced storage, reduced SLA.


  • Doesn’t have quite as good an enterprise security story as some of the other options in our opinion, which is key to some of our customers.
  • Message transformation, routing and protocol transformation more limited than some other options.
  • Apigee chose not to appear in both Gartner and Forrester reports, making it hard for enterprises to compare them to other offerings.

When would we use it?

  • Customer focussing on REST services (which should be everyone these days!)
  • Customer who specifically needs integrated billing services or BAAS features.
  • Relatively green field customer who doesn’t have a lot of gnarly internal integration to do.
  • Customer for whom a hardened appliance isn’t necessary.

Over the next few weeks, we’ll be sharing some of our findings from a review we conducted on four API management products, to help you work out which might work best for you and your organisation.

As part of this review, we found that they broadly fell into one of the two categories below:

  • API-native solutions: API-native solutions are useful for customers who don’t have a strong history of modular architecture or SOAP-based services. Some vendors are focusing on helping these types of companies by creating high-end developer portals; they also offer the infrastructure required to support these initiatives, and provide easy-to-access data on consumption of APIs to cater for billing and reporting needs.
  • SOA-native solutions: Vendors offering SOA-native solutions build upon the existing investments in SOAP / XML processing with the addition of new capabilities for RESTful service support, developer portals, and API-friendly security. This type of solution generally provides this capability through the integration of existing enterprise infrastructures via SOAP-to-REST protocol conversion. This integration capability can be very attractive to businesses, especially those who have invested heavily themselves in SOAP/ XML based services and architecture.

It’s worth considering which of these categories best aligns with the needs of your business. Are you a relative green field, happy to build brand new APIs, and adopt a ‘REST only’ (or at least JSON/HTTP only) approach, or do you have more complex needs, and want something with a bit more flexibility and pragmatism?

Keep an eye on the blog next week to understand which products fit into which categories, and what kinds of organisations they suit best.

There have been some high profile instances recently of a Mobile App being “Retired”:

  • LinkedIn for iPad (they are retiring versions prior to 7)
  • Flappy Birds (yes, I know this link goes nowhere – it’s been withdrawn!)

Let’s take the second one first as that has even made CNN News and the pages of TIME as incredulous tech and gaming journalists speculate about the real reasons why anyone would voluntarily sacrifice over $50k a DAY in revenues by withdrawing an App from Apple and Google stores. Maybe Dong Nguyen just made enough money, or maybe he really was getting fed up with something that a lot of App Developers forget about – how to support your App in the ever-changing world of mobile. Or maybe he just wanted to create loads of publicity before cheap imitations like this took over.

In the former example of LinkedIn, like many of you probably, I’ve been getting emails for a few days now encouraging me to change:

We wanted to follow up and remind you that we’ll no longer be supporting LinkedIn iPad app versions older than 7.0 starting February 18. This will help us focus on creating even better mobile products and experiences for you.

You currently have one of these older apps, but you can download the latest app anytime from the iTunes App Store. It’s a brand new app — we think you’ll like it! With the new app you can now search for jobs — plus like, share, and comment on what you’re reading.

Have questions? Visit our Help Center for more info.

Now, this is in spite of my having updated to version 7.1 of the App almost as soon as it came out as I regularly update my Apps. Why don’t they know that and stop spamming me? Oh, I forgot, that’s what LinkedIn does best…

“So what?”  you say…

Well, one common theme is that the “idea” to “retirement” lifecycle of mobile is fast – less than a few months in the (rather extreme) case of Flappy Birds – and it seems that LinkedIn have put some thought and effort into trying to ensure customers did not continue using their unsupported App version. This is accepted and understood by consumers, who most likely downloaded the thing for free anyway, but what if you’re the CEO of a company that just invested a few hundred thousand in developing some internal Apps for your employees?

Most people accept that the mobile development landscape is complicated and not getting any easier, in spite of cross-platform tools and web development paradigms, so one of the pillars of your Mobile Enterprise is managing those Apps: supporting them, providing updates as operating systems update and, before long, retiring them completely. Have you thought this through before you launch your Apps on to your staff or customers?

We are seeing common trends. One very obvious one is that developing successfully for mobile within the Enterprise needs Agile methods to deliver value. So in a mature organisation, a good choice for extending development to cover inception and longer-term management could be an extended Agile delivery lifecycle such as that provided in Disciplined Agile Delivery (DAD). The lifecycle extends your standard iterations to provide the initiation and support parts of the lifecycle.

The important points are not to stifle innovation, nor to slow down responsiveness to your users’ demands, but to make sure you don’t waste your innovators’ time supporting out-of-date code and that you notify your users to get new versions in an intelligent way. Notification of users seems such a simple and common practice that it’s amazing Windows-8 Mobile doesn’t have common notification management yet, although it’s rumoured to be coming soon as the Action Centre.

Having only just bitten the bullet and dumped my Android phone for a shiny new Nokia Windows-8 handset, I’m now finding first hand a lot of these subtle differences in maturity between Android, iOS and Windows-Mobile, but Microsoft/Nokia are catching up fast and need to be part of your mobile first strategy.

When it comes to adopting cloud computing, to my mind there are three types of company:

  • Early adopters who swallow the pill in a big way. They’ll get burned, almost without exception. But they’ll come out stronger, leaner, meaner and faster than the rest. (Netflix, I’m looking at you.)
  • Those who do their homework the day it’s set. They’ll either have or will shortly select non-mission critical applications and move them into the cloud, and at the same time start looking to create new apps in the cloud albeit in a low key way. These guys will be slow and steady, but they’ll get there in the end. (Most of the 2015 FTSE 100?)
  • Those who do their homework the night it’s due. They’ll wait for everyone else to ‘take the risk’ for them, and only then start a gradual, lumbering migration. Just like at school, these guys will get outpaced by the competition. For some of them, it’ll be a terminal mistake. (Most of the current FTSE 100?)

Make no mistake, all companies will end up in the cloud eventually. How (and if) you get there is up to you.

My advice? Don’t be last.

Brian Burke, Research VP at Gartner, speaking at a Local Briefing event in London on 2nd February 2010, talked about the flatter, horizontal organisation, which means that control is much more difficult to exercise these days.

I think that control has always been a difficult idea.  The thought that one of us can control the actions of others is scary.  By and large we submit to the control of others because it is in our benefit to do so, either for individual gain or for the collective good.  The idea that the Enterprise Architecture (EA) team have control over the Strategy, the execution of Strategy, or are responsible for the upholding of the principles against all comers is an old fashioned illusion.

Governance comes high up the list of wants of all Enterprise Architects (if only we could make ….), but the control and the power to control is illusory.  Enterprise Architects need to make it in the interest of others to conform to the strategy, the principles and standards.

The EA team only wield power by virtue of the willingness of others to follow and for others to perceive that it is in their best interest.  For some people the collective interest is not sufficient.  They perceive that their own self interest can be best served by going against the collective interest and they will do so.  One of the tricks is to line up individual self interest with the collective interest.

The flatter organisation and the reduction in command and control management is also mooted as a significant trend and change.  Of course, when it comes to command and control, the prominent management consultant John Seddon was right to draw the connection between leaders such as Ohno, Ford and Sloan as examples of command and control implementers (Seddon, 2005 p.9), and also right to recognise where all this came from in the first place: Taylorism and scientific management (Seddon, 2005 pp.199-202; Greenberg and Baron, 2008 pp.12-13).

Would it be reasonable to say that the higher performance comes from pull rather than push as well as a workforce engaged in the life of the organisation?  Systems thinking means engaging the workforce in decision making in stark contrast to creating “management factories”. For example, putting variety back into the production line and devolving decision making to the workforce.

Systems thinking should enable organisations to move from satisficing to higher performance.  Also, it fits with the notion of open systems based organisations and those that are “learning” based.  Organisational culture, therefore, becomes a key determinant, alongside, it has to be emphasised, good people management and an acknowledgement of how the architecture of enterprise-wide computer systems help to bond an organisation together.

Author Peter Senge loves to talk of ‘learning organisations’ but even he acknowledges this is very hard to achieve.

Senge (1995, p.21) asserts “deep beliefs are often inconsistent with espoused values in organisations. The organisation might espouse an ideal of ‘empowering’ people, but an attitude that ‘they won’t let us do it’ prevails. Thus, even though espoused values change, the culture of the organisation tends to remain the same. It is a testament to our naïvete about culture that we think we can change it simply by declaring new values. Such declarations usually produce only cynicism.”

The most effective organisations have always been those that are managed by co-operation rather than diktat (although modern-day disciples of Machiavelli’s The Prince may dispute this: see this paper for a discussion).  It is now even more obvious that this is the only way to manage.  The armed forces (a model of command and control) manage by the willing co-operation of their participants (the troops).

To claim, therefore, that Enterprise Architects can no longer rely on the command and control type of organisation is to deny the political skills of the previous CIOs and Chief Architects in gaining respect for their opinions and actions for their plans.

In the context of EA the power of veto is illusory without the respect and support of peers: once exercised, the power dissipates rapidly when unpopular decisions are forced through.

The soft skills that are required by IT architects are formidable. If the architect is to play their part in the shaping of the solutions or the organisations, they need the full set of soft skills, just as Gartner research director Chris Wilson pointed out.  It is not a new set of skills though; as Chris Wilson says, “to be qualified as the best paid snake oil salesmen we had better be equipped to facilitate, persuade and sell and sell and sell.”

Way back in 1987, Beckhard and Harris came up with a valuable contribution to help us all to get a handle on organisational transitions. Their ‘change equation’ still holds the road today. I’ll leave you to work the numbers for your own situation.

C=[ABD] > X


A=Level of dissatisfaction with the status quo

B=Desirability of the proposed change or end state

D=Practicality of the change (minimal risk and disruption)

X=“Cost” of changing

You might be thinking that this still leaves Enterprise Architects in a dilemma, but hey – what’s new there? It’s precisely why Enterprise Architecture should be entrusted to the professionals.


Beckhard, R. and Harris, R.T. (1987) Organizational Transitions: Managing complex change 2nd edn. Reading, MA, Addison Wesley.

Greenberg, J. and Baron, R.A. (2008) Behavior in Organizations 9th edn. Upper Saddle River, NJ, Pearson Education.

McGuire, D and Hutchings, K. (2006) ‘A Machiavellian analysis of organizational change’ Journal of Organizational Change Management 19 (2) pp. 192-209 DOI 10.1108/09534810610648906 Also available at [accessed 02 February 2010].

Seddon, J. (2005) Freedom from Command and Control: a better way to make the work work 2nd edn. Buckingham, Vanguard Education.

Senge, P., Kleiner, A., Roberts, C., Ross, R, and Smith, B. (1995) The Fifth Discipline Fieldbook London, Nicholas Brealey Publishing.

Some of us within Smart421 are currently looking at the “softer” skills required to enhance and develop our approach to running Consultancy engagements.  This isn’t about Project Management or Business Analysis, although these are important parts of any engagement.  It’s more about building relationships, managing the client, understanding personalities, leading teams and so on.

With this in mind, I’ve just finished a fairly intensive 5-day training course towards the ISEB certificate in IS Consultancy Practice.  The course is a great complement to my ISEB Diploma in Business Analysis and builds on some of the ideas from the diploma.

Our trainer was Sue Calvert from Parity Training, who did a great job of covering a huge breadth of material, building in plenty of case study time for the group and keeping us interested for 5 days – thanks Sue! You can see the aims and syllabus on the Parity Training website, so I won’t repeat it all here.

I was joined by David Clothier of Siemens and Faisal Choudhry of Fujitsu.  Whilst it would have been good to have more people on the course, to get the ideas flowing and see how other people approached the case study, we got on well and managed to keep the energy up during the group work.

We covered a lot of ground, so there was an obvious trade-off in terms of depth.  But good use of case study work and homework (gasp!) really helped us get a better feel for some of the more important aspects.

Thursday’s homework was preparing a 10 minute presentation on a topic from the syllabus – I chose “Managing Bids and Contracts”, as these are areas that everyone in Smart421 is regularly involved in.

Some of the key things I learned or had reinforced were:

  • Identify Supporters and manage Blockers
    It’s crucial to understand who can help and hinder the achievement of your objectives.  Assuming your Sponsor isn’t a Blocker (!), get them to help with this.
  • Use appropriate analysis tools and techniques to prompt you to capture and manage information
    Used well, MOST, SWOT, PESTLE, RACI, MANDACT (and many more!) can be really helpful.
  • Build the relationship
    This is something that Smart421 already does pretty well – don’t treat engagements as one-offs.  Build trust, demonstrate capability by delivering, identify other areas where you can genuinely help the client and the relationship will bloom and grow!
  • Identify and manage Risks
    There are risks within the assignment, and there will be other risks to us as the supplier of Consultancy services.  It’s important to track all of these.
  • Always clarify the budget
    This really determines whether the solution is Bugatti Veyron or Chevrolet Lacetti.  We forgot to do this at one stage on the case study.  D’oh.  Although we did find ways to make huge savings for the imaginary client – creating additional budget! :-)
  • Understand Mindsets, Personality Types and Motivations
    In the client and in your consultancy team.  This helps to tailor your approach, communication and deliverables, get the best out of your team and deliver maximum value to the client.
  • People, Process, Technology
    In any transformation, remember there’s more to a solution than the IT/IS component.

I’m looking forward to putting some of these learnings into practice on upcoming engagements.

Fingers crossed for the 2 hour written exam on 14th August!  Must remember to make time for revision…

As a systems integrator and consultancy, we at Smart421 frequently have to justify to potential clients why they should use us, and explain what value we provide to their organisation.

Thinking on this point, which is primarily an issue for sales and marketing types, you will also realise that this applies at a personal level too – as an individual, during regular personnel reviews, or if you are job hunting, people need to explain the value that you bring to a company. I’m not going to discuss the approaches that bring best results in these particular aspects (hey, we are all in competition at some level or other, but if you want to make a pitch to join Smart421 you can certainly check on our job openings and apply – a good pitch from you can get you into the team).

Back to the consultancy aspect, a prospective client has to feel comfortable that we will provide a level of service that they will be happy with, and that helps them in achieving something that they may not otherwise be able to do at that time. So what are clients buying? Two things, I would say. First is the approach that we bring in working to resolve their problems. Second is the experience and expertise that we hold as a company.

Smart421 has expertise over the whole area of the software lifecycle, right from strategy, enterprise architecture and analysis through to application design, development, delivery and support. We also handle migration and retirement of systems at the end of their useful life. Within that whole range, we have knowledge of numerous software products and platforms, alternative project management approaches, quality controlled processes for delivery and service management as well as our own controls for staff and finances as required for any company.

If a single person held all of these skills, how valuable do you think they would be to your company?

An application from someone that could list and validate all of this knowledge on their C.V. would seem almost unbelievable. But that is what you get if you use our services – access to all of that knowledge and expertise, provided on either an individual or team basis.

Any commercial agreement will of course define the terms of each particular engagement, so you don’t get endless access to all of this just through using an individual consultant. That consultant does however have this backup to refer to, increasing their value substantially to the end client. For a team of consultants, that provides more of the same, through greater points of contact and an enhanced collective viewpoint. If you could create a small internal team with this large amount and range of knowledge, imagine the potential benefits to your business.

When project work is handled by Smart421, this same set of skills and knowledge will be used to assure reliable delivery, using best practice and with our commitment to providing the best solution to meet client needs.

Enough of the sales pitch. I just thought it worthwhile to put forward some viewpoints about the value of using Smart421, especially from the point of view of being part of the team that has to deliver on our promises.

So next time you are considering the use of third-party resources and question the value over that of internal resources, or plain hired-in contractors, this should provide some food for thought about what you are actually buying from such a consultancy.
