The EU report on APIs for Innovative Public Services
The European Commission launched the APIs for Innovative Public Services (API4IPS) study in May 2020. This project investigated how APIs can support the development of innovative Public Services in the EU and innovation in the public sector more generally. The objective was to identify the API-related technical, organisational and legal essentials to help government organisations manage and coordinate digital interactions through APIs.
This work by the EU provides a good reference for other governments to consider in their own Public Service API programs. The project focused on three main areas:
1. API strategy technical essentials
The analysis of essential technical aspects to be considered by government organisations seeking to innovate their processes and leverage the potential of their API-driven technological infrastructures. The aspects include API management, discoverability, security and traceability concerns.
2. API strategy legal and organisational essentials
The legal and organisational aspects that need to be considered by government entities including (1) lawful operation of their API infrastructure including legal frameworks, and (2) coordination of API-driven digital relationships and organisational practices and conditions in an API’s Terms of Service documents.
3. API strategy essentials for public sector innovation
The focus areas for the EU when using API infrastructure in public sector innovation processes, and the technical, organisational and legal essentials that need to be tackled when using API infrastructure in public sector digitalisation processes.
Background
The EU report notes the value that APIs bring to the creation of digital ecosystems and the coordination of digital interactions. While sound technical infrastructure is clearly essential, the report stresses that there also needs to be legal stability to manage the mutual benefits for service providers, users and wider society.
Using APIs for data access and sharing can remove barriers to innovation and enable interoperability between organisations both technically and legally. Flexible technical API arrangements allow concurrent interactions between different systems and actors. API infrastructure can hence be used to control and monitor digital interactions and is a key component when defining data governance processes, and digital interactions via contracts or other technical agreements.
Finally, governments refining their digital agenda may wish to manage and coordinate their API infrastructure with both an internal and an external approach. From an internal perspective, this could be a means to improve their processes and advance the digital transition. Externally, this could support integration into the digital scene and the evolution of a robust ecosystem.
Digital management and coordination - internally
The report notes the need for the management and coordination of API infrastructure within agencies. This requires sound technical infrastructure both at the product and organisational levels, API discoverability, security, and its links with digital traceability.
The management of APIs in organisations is a multi-stakeholder effort that requires a view of the digital ecosystem within the organisation. API infrastructure can facilitate the re-use of internal assets, avoid duplication and reduce the effort needed to improve quality-of-service provision. API infrastructure can be employed to manage and monitor the digital interactions of the organisation and its ongoing evolution. Government organisations can also use their API infrastructure as regulatory reporting tools to support policy implementation.
Digital governance and coordination externally
Agencies also need to be adequately connected to the digital ecosystem in order to manage digital interactions. This may take place through API-driven services that control the conditions of access and use. From a digital ecosystem perspective, APIs are intermediate components that connect actors and systems in digital value chains. Integrating different API components within digital chains has implications for the assignment of responsibilities, accountability, liability and intellectual property rights. These implications need to be coordinated in order to stabilise the digital ecosystem, and governments will have an active role as custodians.
The EU provides a helpful use case for other governments around establishing policy mechanisms for digital governance within a wider systemic approach.
API management
When an agency provides APIs, it is crucial that these are managed and coordinated appropriately. A cross-agency focus should be on increasing efficiency and innovation, and on reducing cost through the sharing and re-use of resources. This coordination may take place at tactical levels (e.g. centralised portals and catalogues) and reflect the management of APIs as a software product. This will be guided by software development lifecycle processes including strategy definition, design, documentation, development, testing, deployment, security, monitoring, discovery, promotion, and change management. Portfolio management of APIs will also require organisational, planning, platform and governance aspects.
API discoverability
API discoverability is about the effort to make APIs available, understandable, and to promote their use. This is closely linked to technical interoperability and how effectively they connect to digital ecosystems. The project identified twenty discoverability mechanisms (see figure 1), including innovative discoverability practices such as no-code solutions, open iteration, beta releases, and the use of machine learning. Developer portals were the most widely used discoverability mechanism.
The report also recommends that:
Governments should create a single API catalogue for the whole of government. This should not stop single department level API catalogues, but these need to be connected so a comprehensive whole-of-government API catalogue is available.
API product managers should be appointed who ensure that API implementation is aligned with the organisation’s API practices. A product management approach should be used for API catalogue/development portals to ensure technical sustainability and outreach.
APIs should include an OpenAPI Specification (or similar) file that describes the API in a machine-readable format. OpenAPI specification files should be available for download for every API listed in an API catalogue.
Website accessibility guidelines should be treated as a high priority to ensure that government developers with a disability are able to use developer portals without barriers.
API security concerns
APIs offer organisations the means to connect and re-use digital assets, and this introduces risk that can test the security of digital environments. As with all aspects of (cyber) security, failure can have significant consequences at the organisational level and undermine a wider government ‘system’. At the operational level, API infrastructures with vulnerabilities can lead to anything from the unlawful disclosure of private information to malicious access to digital infrastructure. Hence, cybersecurity should be a priority when designing, implementing and deploying both internal and public-facing services.
The EU project notes the Open Web Application Security Project® (OWASP) top 10 API security concerns (the OWASP API Security Top 10, 2019 edition) as: Broken Object Level Authorisation, Broken User Authentication, Excessive Data Exposure, Lack of Resources and Rate Limiting, Broken Function Level Authorisation, Mass Assignment, Security Misconfiguration, Injection, Improper Assets Management, and Insufficient Logging and Monitoring.
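As an added illustration of two items on that list (this is example code written for this page, not code from the EU report), a minimal record-lookup handler in Python is shown in a version exhibiting Broken Object Level Authorisation and Excessive Data Exposure, beside a hardened version. The record store, the public field list and the caller structure (`sub` plus `roles`) are constructed assumptions.

```python
# Constructed sample store for a citizen-records API, keyed by record id.
RECORDS = {
    101: {"owner": "alice", "name": "Alice", "tax_id": "XX-101", "notes": "internal"},
    102: {"owner": "bob", "name": "Bob", "tax_id": "XX-102", "notes": "internal"},
}

# Fields the API contract allows a caller to see; everything else stays server-side.
PUBLIC_FIELDS = ("name", "tax_id")


def get_record_vulnerable(caller, record_id):
    """Broken Object Level Authorisation: the caller is authenticated but never
    compared with the record owner, so any valid id is served. The whole stored
    object is returned, which is Excessive Data Exposure (e.g. the 'notes' field)."""
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    return 200, dict(record)


def _may_read(caller, record):
    """Object-level rule (assumed here): owners read their own record; callers
    holding the 'auditor' role may read any record."""
    return caller["sub"] == record["owner"] or "auditor" in caller.get("roles", ())


def get_record_hardened(caller, record_id):
    """Authorise per object, then return only contract-listed fields."""
    record = RECORDS.get(record_id)
    # Deny by default, and give an unauthorised caller the same answer as for a
    # missing record so that record ids cannot be enumerated via status codes.
    if record is None or not _may_read(caller, record):
        return 404, None
    return 200, {k: record[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    bob = {"sub": "bob", "roles": []}
    print("vulnerable:", get_record_vulnerable(bob, 101))  # bob reads alice's record
    print("hardened:  ", get_record_hardened(bob, 101))    # (404, None)
```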
Security standards related to API security include:
OAuth 2.0, for delegated authorisation that lets third-party applications access resources they do not own without the resource owner needing to share security credentials.
Extensible Access Control Markup Language (XACML), which defines an attribute-based access control system but can also be used to implement role-based access control. XACML defines the base concepts (policy set, policy and rules) and the language for expressing the access control policy.
The OpenID Connect specification, which builds on the OAuth 2.0 delegated authorisation mechanism to provide federated authentication functionality.
At the transport level, Transport Layer Security (TLS) provides communication integrity, confidentiality and authentication by encrypting data and authenticating connections when moving data over the internet via HTTP.
At the message/payload level, JSON Advanced Electronic Signatures (JAdES) and JSON Web Signatures (JWS) apply.
API privacy and traceability
There are strong privacy requirements under the General Data Protection Regulation (GDPR) that apply to API design, implementation and operational components. Means for governing API interactions in organisations with distributed systems include API gateways and service meshes, which can monitor and trace digital interactions and provide logging, monitoring and management of private data and its processing.
Legal and organisational aspects
The EU report stresses the necessity for government and public administrations to tackle the legal aspects of API data sharing, data access, and beyond. Government agencies are noted as frequently having the dual role of ensuring their own compliance with requirements but also overseeing the compliance of other actors.
At one level APIs are software subject to intellectual property rights (such as patents, copyrights, trade secrets, trademarks), and at another, an API is governed by service agreements at technical and contractual levels. Because APIs enable connectivity into digital ecosystems, the technical and legal constraints will dictate the interactions among actors despite the frequent absence of specific API laws. This means agencies providing or consuming APIs should follow specific rules, even if these are distributed across different regulations, as the basis for their legal framework.
Table 1 - Determining the legal framework applicable to the specific use of APIs.
API organisational and coordination aspects
The multifaceted complexity of APIs also complicates management and coordination. New roles, responsibilities, and possibly entities may need to be created to facilitate AI innovation and promulgate solutions to the public sector. Government processes and workflows may also need to be adapted to support digital transformation at the strategic, tactical and operational levels.
EU Commission Report: file:///C:/Users/P%20W/Downloads/JRC129923_01.pdf