Duration 31:14
How Gap balances security and self-service in their API program

Vijay Sairam Pratap
Global Head of Product & Solutions Marketing at Google
Google Cloud Next 2020
July 14, 2020, Online, San Francisco, CA, USA
About speakers

Vijay Sairam Pratap
Global Head of Product & Solutions Marketing at Google
Patrick McMichael
SSE (Director) at Gap Inc.

Seasoned sales and marketing leader with 15+ years of experience in product marketing, brand management and growth hacking across startups and large enterprises. Demonstrated exceptional success in driving market traction for new products and services, evidenced by a multi-million dollar sales pipeline. A proven leader in envisioning, developing and deploying nurture campaigns using multi-touchpoint and community-based marketing strategies.

I am the rare breed of developer whose passion for technology is matched with a passion for rapidly realizing business value. Software in development may be an investment, but it is also an expense. It does not become an asset until it reaches production. Speed to value is essential. For over two decades, my software craftsmanship has been honed and enhanced. Combined with an insistence on increasing agility (both technical and business), this results in quality software products that see the light of production faster. These dynamics are, in turn, driven into the DNA of the teams I lead and the individuals I mentor.

About the talk

APIs are a crucial part of Gap Inc.’s application modernization journey, and Apigee capabilities such as security and analytics have been fundamental in managing those APIs. Now multiple years into their API journey, Gap Inc. shares learnings gleaned from refining their approach to API Management in the crucible of real-world complexity.

Learn how Apigee hybrid became the ideal choice for Gap Inc.’s API management. Hear the critical role the Apigee integrated developer portal plays. As Gap Inc.’s API adoption has continued to grow exponentially, a self-service model that provides necessary governance with the least friction experience possible has become critical.

What does it really take to light up and then continue to evolve APIs that keep both end users and security teams equally delighted? Learn from real-life examples and workflow demonstrations.

Speakers: Vijay Sairam Pratap, Patrick McMichael

Watch more:

Google Cloud Next ’20: OnAir → https://goo.gle/next2020

Subscribe to the GCP Channel → https://goo.gle/GCP

#GoogleCloudNext

API202


Thank everybody for joining us. Welcome to our session on how Gap balances security and self-service in their API program. A micro speaker today, appreciate the opportunity to be here with you, Vijay. I program story with you, I specifically as it pertains towards the criticality of the developer portal. Responsible both for the structural elements of our data center as well as in the cloud and for shaping our best practices with the API program. So thanks for the chance to share with you today. Awesome. Thank you, Patrick.

The first part is going to cover the new wave to lifestyle. Can you send me even after stores reopen? I said something about the changing shopping in inches of time. While I have five areas that have been called out on the slide. Them online investment and 11 is the date of receiving. So as to create personalized, the aspect of how to read some of the existing stores in my location. Second, customers are now experimenting with commerce; a live event is a lot more than that

in areas like customer service, leveraging the power of AI to see how they can enable us to have the agents for resting more and more into sophisticated finding solutions for associate shopping experience as distant app. All these changes are happening at the application programming interface, API, and the price market in the least with the least amount of friction, so as to create new experiences. So how do we run? If you guys aren't you attending, if you need me to be managed and analyzed across a multitude of your environments, be it on-premises, cloud, hybrid

cloud, SaaS, and other items, you need an enterprise-grade, multi-cloud API management platform. It gives businesses control over the enterprise and across their business, such as curbside pickup. So it is mediation. Third park is what is going to be the focus of this presentation section of the management platform that helps you manage the community of these is analytics. As the name suggests, the more you're able to measure, the better you are able to improve your contractions with your computer. All the

above-mentioned areas play in helping you deliver your API products. Billy Napier. Good products is just the start of an API program. There is no doubt that while publishing an API is a major milestone, it is just the beginning of the process. Once you have published APIs as products, the next step is to attract and engage developers with the Google apps that you created. Turn off. Let's look at what is a main ingredient in creating an effective one. Are there any external

second, bring your apps to market. It's like a piece of the marketing mix. A digital storefront is important to help your developers find your API, track the demand for them and build a relationship; the experience starts with you. So we spoke about brisket Pantages, discovery. Stop recreating the wheel. You have the ability of surfacing all your APIs in a structured fashion over the table. Would you have the ability for people to search and identify by improving the discovery?

Depending on your business case, you actually help improve your relationship with your consumer, whether they are a part of your organization. The discovery is a very important part, as is the interest Hospital streamlining onboarding and self-service. This is the place where you basically help you if I can do much to security quickly and improve. This is the part of optimizing API programs with the power of quality, volume rising across pricing tiers, and

more apples, almond traffic patterns issues to better make this trip. Security will be the most frequent attack vector resulting in data breaches. Do you need to enjoy the fact that you can do manual API key? We do have a very robust tool that will help you build a world-class experience catalog, which helps you with discovery, branding, support and relationship to relationship. Apigee. Liverpool to come Spacek in two flavors, the first one being the

only consideration I want to do and the second one. Great, now that we understand how it really is, let's talk to Patrick and find out if your house. Yeah. Is is passing this message. Thanks, appreciate the chance to share with you what this is looking like for us, why we believe that the integrated developer portal is exactly the way we solve some of our most pressing challenges for an internal developer audience. Before I do that, let me share with you just a little bit about our company. Gap has been around for just

over 50 years. Started out in 1969 as a single store doing blue jeans and vinyl records, both of which jeans are still as in style as ever, and vinyl records may come back. Today a global company, but with still the same values to bring them for over 50 years. Specific to our API program, since joining our team I've watched an API program grow into hundreds of APIs. The API platform team is onboarding the API producer and consumer teams; we'll talk more about

those two personas in just a little bit. Here we are onboarding multiple teams every single day. We've grown into over 200 developer apps where those teeth if your producer team for developing and testing your API. If you're a consumer team, for weaving those APIs into a Mason customer experiences. My calls every single year are flowing to the platform, both in our own data center as well as now in the cloud across multiple regions. What does it look like as you go and try to grow your API program

as your scale and complexity increases? When I first joined the API program a few years ago, we had two business initiatives: one that was customer-facing, one which was workforce user-facing. And we had about a dozen to 18 core APIs. Both of those programs were focused on their business objectives. Fast forward 5 years, and those 12 to 18 core APIs are now hundreds of APIs. I laugh now, but at the time we started this, those were managed by Google spreadsheet, trying to keep track of where each of those were, which were in development, which were ready for prime time. No way

on Earth that scales to what we're facing today. I want to talk about this from the perspective of two key personas. Number one is the API consumer. What is the pressing question that persona has? When can I start accessing your API? They are hounding our API producer teams and the platform team on a daily basis. They are under tight commitments, they've got deadlines to meet, they've got budgets they have to stay with. As discussed in the introduction here by Vijay, the COVID pandemic has caused teams to feel the need to

pivot faster than ever. The rules of the game, what you can do in-store, what you can do online, that is changing on a daily basis and region by region. What about the API producers? Their number one pressing question is, I want to use consumer teams to meet these business objectives. Is my API ready for prime time? Great, I have my back-end business implementation, I have a proxy that I've wrapped that with, but is it really ready to turn loose to the masses yet? What we've learned over these last few years in

evolving our program is that an API goes through a life cycle. It all starts with an OpenAPI Spec, OAS 3 compliant; that becomes a conversation between the team producing the API and our infosec partners. It's critical that that be done at the early part of the life cycle. What happens if that's delayed is a team can be on the verge of a production go-live, only to find they have to go back 10 steps backwards. When you have those conversations up

front in the annual sales. S, mentality, it is very cheap to make changes. Maybe infosec says a given API needs to be locked down a little bit tighter, so maybe there's manipulation that needs to happen on a JSON payload. Then you start dropping lines of code, you build your attitude prostate, which is just as much a part of that API contract as the API implementation itself. It proceeds on to infosec for pen testing. If you've got Black Friday haunting your dreams at night, you are load testing those APIs

and eventually you are lighting that up for the world, which is what we're doing this for in the first place. That life cycle is a huge balancing act. The consumer teams are like the kid in the backseat of the car on the way to Disney World; with a low-friction self-service experience that was absolutely possible. Meanwhile, as Vijay mentioned, APIs are a huge attack vector. None of us like the G word, but governance is essential. If you're going to have a successful API program, you've got to make sure those i's are dotted and t's are crossed, that your

APIs are secure, both those that are exposed on your internet work and any of those that need both of your external network. As we've gone through our evolution of the program and built this life cycle, and the way APIs are developed and made ready for consumption, we found two major challenge areas I want to talk about real quickly. Number one is you have to have a single source of truth when it comes to understanding which APIs have gone through that requisite gating. You've got to be able to go to one place and understand what's there, and for us, the perfect place

to make that happen is a developer portal. If you don't see it, it's not ready for prime time. And that may vary: in that early part of the life cycle, the only people who can see that API should be the owning team and infosec. As it's gone through all that gating that I described, it is now going to be lit up for any API consumer audience. What has to happen when a team comes in to request access to an API that is ready for prime time? We have communication challenges. You may have an API consumer team with 10 developers, and they're reaching out to the Apigee platform team

for access to the safety items they need to meet their next deliverable to the business. And they're going on three different communication channels with 10 different people, effectively asking for the same thing but under just as many different names, and it creates confusion. With an effort to clean up that required these two challenges, we believe the Apigee integrated developer portal is really well positioned to address them, but I would rather show you than tell you. So with that, let me switch into a demo. So I'd like to take some of these concepts that we've been talking about

and show you what they look like in practice. So we talked about going through a life cycle and progressively opening up access to a wider set of audiences. So here we've got two APIs, USPTO and then end-of-month reporting. This first one you'll see is available to everybody; it has gone fully through the gating cycle. It's been certified by infosec, it has been load tested, it is ready for prime time, so it's available not only to the owning team and to infosec but now to the consumers as well. The second API is earlier in that life cycle

and is only available to the team that is building that API and then to infosec. The other concept we talked about is how you get into governing that kind of access as it goes through that life cycle. And there's a few key things you want to see in after the edge here. One, developer accounts. These are users who have created accounts for themselves within the developer portal. Those users may choose to create teams which they will be made the owner of; they can add additional members to those teams. And then there's the concept of audiences.

We've got our broader audiences of API consumers and producers, and then our infosec pentesting team. Now, right now, each of these has one team each, but there could certainly be multiple teams that are all considered an API consumer audience, for example. You also want some things ready for full consumption by everybody, to have the ability to simply say, if you're authenticated to the portal, you can see this. Let's look at things from the perspective of the developer portal itself. Right now I'm logged in with a user that's going to simulate being a tech lead

on one of the API producer teams. That tech lead has gone in and instantiated a team with these guys. They are in a check to do. Sir team that user is the owner of that team and was able to delegate responsibilities to other users who can also help in that day-in, day-out administration. You'll also notice that this team currently has access to one application suffixed with devops, which is a naming convention for API producer teams, where the APIs they access are those which they are developing and accessing purely for the purpose of evolution and testing for prime time.

So you see the team owns that, and then a new one which is undergoing development. Now let's come in instead as that user that was delegated responsibility within this team. So that user logs in; you'll notice that they can see that team they were made a member of, they have admin access. Notice none of this is that are both, so they don't have quite the same access as an owner would have taken tree lines of that application. Now, this particular developer on this team is actually the one responsible for this end-of-month reporting application. So they're going to go ahead and add

that, evolve that API's back-end and its front-end proxy. They can leverage the API key and the secrets, whether those endpoints are governed based on the infosec discussions. If ya keep talkin, all of that is available for them. Now, let's say this user has taken this far enough, and they're not ready to have infosec begin pentesting on that application. What does that look like? I'm going to come in now simulating a member of the pen testing team. That user is going to come in,

they can go to the application that they use for pen testing. And they've been working on this other one that's already graduated, ready for prime time. So go ahead and remove that if they don't need that at the moment. But they're going to go ahead and add this new one, leveraging the same scene secretive and using 6 months. Pentesting. So this API so far has visibility to an infosec pentesting audience, as well as the audience of the owning API producer team. Now let's come in from the perspective of

a consumer. So we're going to come in as the owner of the consuming API team; they're building an application that needs the safety API. You'll see there's already a team in place for the safety API consumer team. This user is an owner, and they've already delegated responsibility to one of the members of that team that's also doing development work. So that user is there. Now right now there are no applications. We mentioned during the introduction of this talk that the COVID pandemic has really shifted the way retailers are doing their business, and one of those is

this notion of curbside pickup. So we're going to go ahead and create an application for that. Hope the curbside the light. And it's going to go ahead and use him product, which is already ready for prime time. But they also know they're going to need the functionality that the end-of-month reporting API provides. Notice that right now that is not visible. So I want to stop them and talk about the key challenges that we've observed these last two years. Number one was single source of truth. We said, if you see it, it is available; if you do not see it, it is not yet ready for

prime time. Notice the limited audience for the end-of-month reporting API was the owning team and infosec, but a consuming team cannot yet see that. That's a single source of truth, all in the portal. The second thing we talked about was communication. Even for those APIs that are ready for prime time, one of the things that frequently happens is multiple members of the same team will come in and make requests, some of them by text, some of them by email, some of them by ServiceNow tickets, all effectively for the same API, but leveraging

different names for the API they're trying to get, for the devil out they want it added to, for what team they're a part of. It's endless confusion and a lot of redundancy. Notice here, this user came in to see their team, their apps, and when they did that self-service request, it was already completely clear what they were looking for. In this case, they can get one of the two that they need, but not the second one. That's going to prompt them to go talk with that API producer team and find out what's going on. Now, let's assume that they have that conversation, and infosec

says, you know, we just completed our pen testing; the owning producer team in the meanwhile has been doing their load testing, that is now certified. This API is ready to be graduated. So, previously it was visible only to the owning team and infosec; we are now going to make this API visible to everybody. We're doing that through consumers. You could also choose to move away from audiences and just say any authenticated user, depending on your requirements and your configuration. We're simply going to add consumers to this mix. Now, if I come back in

as the member of that consuming team that needs end-of-month API access, they can drill right into the application. And notice they now have visibility to this API that has graduated gating and is now ready for broad consumption. Self-service, and they've got themselves access to this. Seamstress in a few key concepts. We've demonstrated this idea that you can have this experience which is self-service, low-friction, simplifies communication, leverages

the portal as the single source of truth, and not having to sacrifice governance, which is key to a secure API program. Hopefully this gives you an idea; you might do this a little bit differently in your organization, but hopefully it gives you a sense of what a developer portal workflow might look like for an internal developer audience like we have. I hope, if you've gotten anything out of the talk, here is a handful of key concepts. Number one, if you want an API program focused on innovation, you have to have a low-friction

experience. Without that, it becomes frustrating for everyone involved, but that low-friction self-service experience cannot come at the sacrifice of security, and governance does have to be there. We believe that a developer portal gives a way to achieve both of those, to find that balance between them; they don't have to be at odds with one another. There's a way to have both. The integrated developer portal is exactly the right way to accomplish this for Gap. There's a lot of developer portal options. I would be the first to tell you, your organization may be

better suited for the Drupal portal. Another organization like ours, we believe the integrated developer portal is the better fit. You guys pick the one that fits your needs the best. Great. Thank you, Patrick. That was amazing. I love, I love, I love the example of the sheep. Oh my God, a mighty long way. And I'm really envious about the kind of progress. That one thing about how do you get things, what would it be and why? If I could go back 5 years and do anything different, it

would be to make sure that from day one, out of the gate, we had that developer portal in place. We're in the process of moving from OPDK to hybrid, which opens up the door for using the integrated developer portal the way I've demoed it here. Unblock the saint, all these major challenges, but if I could go back, we would have had that for a life from day one. We would have built those process flows with that low-friction but good governance once or twice, elected muscle memory around what does workflow look like leveraging the portal, so that

that's not something you transition into later. It's your starting reality from day one. Awesome. Thank you, Patrick. You know, this has been great. Thanks a lot for taking the time to join us. I would like to take time to thank everybody who joined us for the session. I hope you had some nice takeaways. The fact that it's a, thank you and have a great day.
