WSO2 API Management Strategy: Industry Observations and Implications

Recently we at WSO2 were asked by a leading analyst to outline our vision and strategy for the future of API management. We felt that our response captured much of our current and planned execution, so much so that we felt we needed to share it. Our culture at WSO2 has always been one of transparency, and in the past, we’ve even shared our financials.

Following are some of our positions on API management and additional market insights, as well as our vision of the composable enterprise. Stay tuned for additional strategy-related posts that dive more deeply into our technology “big bets” and direction.

How digital transformation is changing the landscape of APIs and digital connections

Current IT trends show that over the next few years, enterprises will find they need to deal with more than 1 trillion programmable endpoints and APIs. These will consist of traditional application APIs, data APIs, data streams, software component APIs, microservices, sensors, and IoT inputs as well. Indeed, everything may become an API.

Knowledge workers know this, and will want/need access to all these APIs/endpoints whether it’s only to create a basic SaaS-to-SaaS connection, or to create a more complex integration. Therefore, over the next 2 to 5 years, we expect that tools and processes will necessarily evolve to address this level of scale and complexity.

Additionally, infrastructures to support this huge quantity of endpoints will gravitate toward those optimized for microservices and serverless underpinnings. From a development perspective, current low-code integration approaches that involve centralized IT orgs and/or waterfall style processes simply will not scale. As a result, architectures will necessarily tend toward more decentralized, cell-based approaches underpinned by microservices and serverless.

With the trend toward trillions of endpoints, WSO2 believes much of what is today considered part of “development” organizations will evolve to include API integration. The trend will be particularly strong where APIs serve as the core of digital apps and applications that rely on Internet of Things (IoT) data and artificial intelligence (AI). This is at the core of the disruption WSO2 sees in the coming years: that IT organizations will tend less toward “development”, and more toward being “API integrators.” We call this new disruptive IT phase the composable enterprise, which will be fueled by the explosive availability and use of APIs and programmable endpoints.

The future of digital connections across enterprise boundaries

WSO2’s position is that API ecosystems across enterprises will expand as today’s software disaggregation (componentization) trends continue. Thus the composable enterprise will become a combination of both internal and external API-based services, each front-ended by private and/or public APIs. This API diversity—and dynamism—will inherently require hybrid API integration capabilities and distributed (rather than centralized) forms of management and governance.

To accomplish this, we see the use of distributed integration technologies, such as microgateways and micro ESBs, which necessarily operate in a decentralized fashion, bridging services from different sources, vendors, and enterprises.

From a business perspective, WSO2 sees ever-tighter service integrations across enterprises, suppliers, partners, and customers—all underpinned by API integration technologies. IT departments will become the “services supply chain managers.”

A perfect example is WSO2 customer Wells Fargo, which has successfully front-ended its organizations and systems with public APIs and gateways to accelerate new product and service delivery, as well as speed integrations with business partners. This form of API marketplace is being adopted by digitally driven organizations that are encouraging partners, suppliers, and even customers, to work more closely with their offerings.

Enter: the composable enterprise

The WSO2 vision of the composable enterprise does not imply a purely internal IT model, but rather an approach that spans the enterprise’s complete external service ecosystem as well.

The notion of the composable enterprise will involve closer, more secure, and more real-time digital interactions between vendors, suppliers, and customers—as well as for internal integrations. API-based interactions will also result in more rapid product and service innovation among all parties, creating new forms of value for customers, partners, and internal business units alike. Already, multiple forms of storefronts, macro-gateways, and monetization models are arising where enterprises are brokering their internal services for use by external entities.

Today, WSO2 customers are pursuing this vision. Wells Fargo, BNY Mellon, and StubHub are just three of many enterprises that are publishing their APIs, as well as basing their internal architectures on disaggregated components front-ended with APIs, gateways, etc.

Indeed, many leading companies are already basing the bulk of their revenue on the API economy, capitalizing on the business wave highlighted by the Harvard Business Review back in 2015:

“…Salesforce.com generates 50% of its revenue through APIs, Expedia.com generates 90%, and eBay, 60%. Salesforce.com has a marketplace (AppExchange) for apps created by its partners that work on its platform; they now number more than 300. Expedia’s APIs allow people using third-party websites to tap its functionality in order to book flights, cars, and hotels. And APIs allow eBay to list its auctions on other websites, get bidder information about sold items, collect feedback on transactions, and list new items for sale-all of which give additional exposure to eBay items and increase revenue.”

Future drivers and shapers of API management

WSO2 sees the major pressures driving the future of the API management space as grouped into two main categories: the market drivers led by the demand for API business and the technology shapers, led by vendors and innovators.

Drivers of API demand aren’t entirely new, but they have recently risen in their influence on IT behavior:

  1. The trillion endpoints future: the trend toward every digital asset becoming a programmable endpoint and causing IT to create strategies to access these assets.
  2. Digital business competitive pressures: forcing organizations to more quickly find ways to digitally interact with suppliers, partners, and customers.
  3. Knowledge worker information consumption: where organic demand for nearly every digital asset begins with line-of-business users looking for new data and conveniences.
  4. SaaS-to-SaaS app integration: a trend increasing exponentially where every new SaaS app or component is more valuable each time it’s integrated with another.
  5. Machine learning: with applications of ML forcing both data at rest and data streams to become accessible and front-ended with APIs.

Similarly, API management is being shaped by adjacent systems and technologies, quickly maturing the use (and re-use) of software endpoint components:

  1. Microservices and serverless technologies: these are (and will be) driving massive app disaggregation because of the abstractions and simplicities they create for software deployment, directly leading to a world of more broadly distributed micro APIs and microgateways.
  2. Cloud native dynamic systems: a growing class of distributed and dynamically changing microservices will cause API discovery and surveillance to become dynamic as well.
  3. Configuration-based integration tools (e.g. ESBs) and code-based integration programming languages (e.g. Ballerina): because “Software is eating the world,” every company is being forced to make software and agile integration a core competency. This creates a world where forms of API integration need to become as agile as developers and organizations want them to be.
  4. API security, access and governance: these requirements are leading to the native integration between integration, access management, and API management.
  5. The advent of distributed cell-based architectures: these new architectures will allow for decentralized development, test and deployment, speeding integration activities across organizations.

Implications WSO2 sees for the future of API management solutions

  • Implications for architecture: there will be a growing shift toward cloud-native architectures and a need for decentralized composable units of architecture. Each composable unit is what WSO2 terms a “cell”. Cells are defined by, and interfaced through, APIs; are governed by micro- and macro-gateways; include embedded control planes like service meshes; and are developed by decentralized, independent teams.
  • Implications for development agility: with the need to develop and maintain an increasing number of connections across the enterprise, an organization’s ability to remain agile while supporting this expanded connectivity faces pressure. WSO2’s vision is not only to enable organizations to make these connections, but also to empower development teams, DevOps, and operations to increase their adaptive agility while doing integration. Integration teams must become integration agile, adopting tools, organization, and processes similar to those of agile development.
  • Implications for tools: all API management and integration tools will need to involve some form of distributed technology, and all will necessarily evolve to be microservice and serverless friendly, i.e.:
    • Provide distributed forms of observability and security
    • Offer multiple control planes
    • Support service meshes
    • Support hybrid orchestration architectures

In closing…

Here at WSO2, we’re betting that all developer organizations will eventually have to adopt integration skills as well — especially as all digital assets become accessible and programmable.

We’re also anticipating the result will be the composable enterprise, shifting business onto a digital ecosystem. And to facilitate that, we’re building open source integration tools, integration agile methodologies, and even programming languages, to help digitally driven organizations achieve this future.

Stay tuned for more of our technical “big bets” in a future blog.

Ask an Expert: Catching up with Dakshika Jayathilaka

Dakshika Jayathilaka is the team lead for WSO2’s UX efforts. With more than 10 years of industry experience in the areas of UX planning, interaction design trends, wireframing, prototyping, and more, Dakshika is a speaker, visiting lecturer, and a family man.

In this interview, Dakshika talks about some of the things he’s passionate about – WSO2 (of course), UX and its role in an integration company, and an exciting new project that he has been working on!

1. For how long have you been at WSO2 and what has your journey been like?

I have been working at WSO2 for more than 4 years and it has been a tremendous journey with an awesome bunch of people. As the first UX member at WSO2, I was able to inspire software engineers to enhance the usability of our offerings by actively driving the UX process, which is crucial in delivering successful projects to clients. Currently I am actively working on an interesting project that will enhance our tooling experience.

2. There’s a misconception that UI and UX are the same. Can you enlighten us about this?

Let’s take a step back and first look at what the definitions for UI and UX are.

In the IT industry, UI which stands for User Interface is an umbrella term that covers everything designed into information devices which enable people to interact with them. Examples of UIs are laptop screens, desktop screens, etc. These interfaces facilitate users to interact with software applications. UI designing is the discipline that refers to the crafting of such interfaces. User experience designing, which is commonly known as UX, covers everything done to enhance user satisfaction by focusing on usability and accessibility aspects. UX can be considered as a discipline that stemmed from traditional HCI practices.

To answer the original question, UX isn’t just a buzzword invented to replace UI. However, UI can be thought of as a subset of UX. UI designing is closely related to graphic designing, whereas UX designing involves the more technical aspects of application development including learning the user needs, gathering and analyzing market data, and performing alternative testing.

3. What are the key aspects and considerations for a good user experience?

Good (or improved) user experience depends on the market, the personas that we cater to, the level of user stories, and epics we have derived. In case you’re not familiar with these words, here’s a quick introduction to them:

  • A persona encompasses the characteristics of a person. For example, a debit card user can be considered as a persona that ties with the need to transact with the debit card.
  • A user story identifies each individual requirement of a particular persona, e.g., as a debit card user I want to pay for my grocery items using my debit card, so that I do not have to carry cash in my wallet.
  • An epic intervenes all the inter-related user stories to provide the bird’s eye view.

It’s critical to understand the personas you are catering to with your product offering. You need to be familiar with users’ jargon to effectively communicate with clients, gather the user requirements, and map them to personas. This is the foundation of a good UX design.

After gathering the requirements, you need to craft the user stories and epics to provide the overall picture to the internal stakeholders. Such meetings will help you to brainstorm good ideas and forecast the design. Most B2B organizations are following agile practices and thus, you may have multiple meetings with both internal and external stakeholders to refine user stories. Such market findings will help you to come up with a good story flow.

Once user stories are finalized, do alternative designs using your previous UX project experience. Subsequently, conduct A/B testing to come up with the most usable design. This too can have iterations. Finally, always keep yourself updated about new tools and research around the UX domain to be on top of the game.

4. Working in a middleware company that involves more technical work when compared with an end user application, how do you view the benefits of UX and the role of a UX engineer?

UX is not an afterthought and you need to thoroughly think about your design and system development. Middleware companies also have different personas and priorities, and the needs differ depending on the areas of focus. For example, at WSO2, Enterprise Integration and Identity and Access Management mainly target integration specialists and identity administrators, while API Management focuses on API admins, publishers, and developers. To achieve the right experience, we perform lab testing, A/B testing, and heuristic evaluations on each product area.

According to Jared M. Spool, “Without also having proactive UX design efforts, the design team is only fixing problems caused by decisions the product team has already made. These already-made decisions are about what the product will do, how it will work, and what its underlying architecture will be.”

When you really think about it, UX is a crucial aspect for the middleware domain that gives it a competitive edge.

5. What’s the latest project you are working on and how do you think that will benefit our customers?

Currently I am working with the WSO2 Enterprise Integrator team to introduce usability improvements to the tooling. Enterprise integration is often considered a complex process that requires technical skills to work with. WSO2 Enterprise Integrator is an open source, hybrid integration platform that allows developers to do quick, iterative integrations with any application, data, or system.

Integration tooling is a must and needs to be designed with great UX in mind. Integration is also a vast area and includes multiple personas. Thus, with this project, we are trying to improve the experience of integration specialists and ad-hoc integrators. This will mainly cover the developer experience of each persona. In essence, we are trying to provide the right experience to each user category while providing proper user onboarding.

6. Where do you see the future of UX is heading and what are some trends to watch?

UX has evolved not only because of the ubiquity of smart technology (smart devices, Smart TVs, etc.), but also because developed economies are increasingly focused on the service industry, where customer experience is crucial. Soul-searching is happening in many professions at the moment, as high-tech, reliable, and inexpensive artificial intelligence (AI) and automation technologies are becoming a reality in every industrial sector. There are already commercial attempts at using AI to improve the UX. VUI (Voice User interfaces) are increasingly used to improve end user experiences.

The enterprise world is also growing fast and moving towards the agile environment, where UX needs to be agile to support the rapid movements. UX is evolving towards CX (Customer Experience), which covers more breadth and depth to fulfill the needs of enterprises.

7. Finally, what advice would you like to give the budding developers/UX engineers?

  • Patience: becoming a great UX engineer does not happen overnight. It is a long, steep journey. But it is worth it. There is a plethora of online material that you can refer to get things started.
  • Stay inspired: follow UX specialists in the industry and keep yourself updated about new trends and strategies related to UX.
  • Sharpen your skills: constantly improve your design skills, domain knowledge, business acumen, interpersonal skills, and presentation skills.
  • Be open to feedback: always be open to feedback from your colleagues, your clients, and others. An open mind helps you to see things from others’ perspective, and assess the viability and applicability.
  • Empathy: be willing to provide help and guidance to your colleagues by getting into their shoes.
  • Maintain a portfolio: it’s important to maintain a good portfolio with case studies to showcase your track record as well as your potential.
  • Passion: be passionate about the subject, and this is also important as you need to identify with the psychology and cognitive behavior of people.

Dakshika dressed up as the Joker at a costume party!

Announcing the WSO2 Serverless Solution

Most enterprises today looking for serverless solutions have few options without cloud lock-in. Remember that public serverless offerings will capture a customer’s data, lock out external event streams, and likely limit developer language choice. This lock-in hinders application migration, multi-cloud scaling, and the use of private cloud resources. A more palatable solution ought to allow organizations to tap serverless for disaggregated architectures, and allow them to utilize both public and private cloud resources, event models, and programming paradigms.

In response, customers today are mostly forced to use public serverless offerings from AWS (Lambda), MSFT, GOOG, etc., with limitations placed on the supported programming languages for each. Users are further locked-in because of the need to use adjacent proprietary services like the cloud’s storage services. And if a company wants to use an alternative, they’ll require considerable investment to manage.

Enter the WSO2 serverless solution

Today we’re introducing the WSO2 Serverless Solution, a private function hosting environment based on Apache OpenWhisk and Kubernetes. And it’s immediately available, though on a limited-access basis.

To develop the solution, WSO2 has been working with Rodric Rabbah and Perry Cheng, co-founders of CASM LLC and co-creators of Apache OpenWhisk. They bring in-depth knowledge on custom deployments and backend optimizations to the overall solution, and both continue to be active members of the OpenWhisk community.

The solution allows organizations to leverage their existing event sources and programming languages. Underlying the open source function platform, Apache OpenWhisk allows developers to plug existing event sources into the solution. It also allows developers to use their preferred programming language as a function runtime which will allow them to re-use most existing code, and allows users to define their own custom resource limits. These combine to provide greater overall agility to a serverless solution. And you’ll have freedom from cloud lock-in.

And the best part is that the WSO2 Serverless Solution is a private hosted platform managed by WSO2, so it ought to significantly reduce learning, set-up and maintenance overhead for DevOps teams.

A little more detail…

The serverless solution is fundamentally powered by Apache OpenWhisk and Kubernetes to allow IT orgs to provide a uniform, elastic, and secure platform for reactive, event-based, and batch workloads.

The Solution offers several unique capabilities:

  • Private function platform – powered by Apache OpenWhisk deployed on top of Kubernetes
  • Managed hosting environment – provided by WSO2, mapped to internal private resources and events, with customized elasticity.
  • Private, dedicated servers and operations – provides segregated tenancy
  • Support for any programming language – broader support than any single public cloud vendor
  • Leverage any existing event source – no matter where you deploy
  • Transparent computational elasticity – to support both short and long running computation
  • Guaranteed computational capacity – because it is a private function environment
  • Secure platform, plus service isolation, and encryption of data in motion
  • Local development environment – for developer teams
  • Dev tracing and operations of event-driven apps with logging, monitoring, and analytics

Why did we do this?

WSO2’s mission is to help digitally-driven organizations become integration-agile. And we do that with a platform of open-source Integration, API Management, Identity Management and related products. One core motive of ours (and of the overall open source model) is freedom from lock-in… So it stood to reason that if we wanted to simplify integration tasks, it would require simplifying deployment tasks too. So we developed this cloud-vendor-neutral deployment approach to complement our products.

Availability

As mentioned, the solution is immediately available on an early-access basis. Pricing is offered at a flat rate, with either monthly or annual billing. For more information see the WSO2 Serverless Solution.

Ask an Expert: Catching up with Srinath Perera

Srinath Perera is vice president of research at WSO2. He is a scientist, software architect, author, and speaker. He is also a key architect behind Apache Axis2 and WSO2 Stream Processor. We caught up with Srinath recently to get his take on the significance of Streaming SQL, the future of open source stream processing solutions, and why we must learn to think, question, and see beyond the obvious.

1. What has your journey at WSO2 been like?

This is my ninth year at WSO2, but I have been working with Sanjiva Weerawarana on similar technologies since 2003. Yes, it’s been close to 15 years, and it’s been a lot of fun. I have worked on a wide variety of challenging problems, and have worked with many brilliant individuals who will make good stories for one’s grandchildren one day. I have done a lot more than I imagined years ago.

2. For agile digital businesses, the availability of business insights is a significant factor in gaining a competitive advantage. How does WSO2 Stream Processor help?

Our product can easily plug in to a user’s system and collect data. You could then write queries using Streaming SQL to detect important conditions. Streaming SQL is similar to SQL, but works on data streams instead of data tables. The former is flowing, while the latter is stored on a disk.

Compared to what our competitors offer, we have very powerful Streaming SQL with operators most others do not have. We enable you to use machine learning models within Streaming SQL itself. Also, if you are looking for a small deployment, our server can run a HA deployment with only two nodes and process about 100,000 events/second. If you are looking for a large deployment, we can run on top of Kafka. In the event you are unsure or undecided, you can always start small and later switch to Kafka without changing any code.

3. What does the future hold for open source stream processing solutions?

In my opinion, stream processing has not become mainstream yet. People are still figuring out analytics. It’s not easy to find developers who excel in analytics. Stream processing has to wait for that adoption to play out. No one will try to do real-time before they figure out basic analytics; that is unless you have specialized use cases such as for stock markets, surveillance, and anomaly detection.

4. What are the benefits of an open source stream processing solution?

I think there’s a growing trend for middleware as an open source model. They use complex code, support a wide variety of use cases, and are used by many. We are increasingly made aware that products are best built using the open source model. I think there’s no better testament than Microsoft, a company that hated open-source, but has now embraced it.

5. How did you start working in stream processing?

A long time ago, in 2007, while I was doing a Ph.D, we worked on a paper comparing Complex Event Processors (or CEPs, which is an older name for stream processing) and rule-based systems. I was fascinated by the technology, and after I joined WSO2, I supervised an undergraduate thesis project to build an open-source CEP engine. This was in 2011 – well before stream processing became cool! It was called WSO2 Complex Event Processor back then and was later renamed WSO2 Stream Processor.

6. What is your proudest accomplishment in recent times?

In general, it is the role I have played with Apache Axis2. However, if you want me to choose something recent, I suppose my work with the WSO2 Research Team stands out. Some good work will be made public soon. I have also worked with Paul Fremantle, WSO2’s CTO, to build a framework to evaluate different emerging technologies. You will hear more about this too soon.

7. What advice would you like to give a budding developer or an architect to better their career?

There is this quote that I love, “Wisdom is tolerance of cognitive dissonance.” It took me a while to understand what it meant. We all interpret how the world works, but when we discover things that do not match our way of thinking, we ignore them. However, the world is more complicated than that. By understanding those mismatches and by learning through struggle and discomfort, we achieve true wisdom. That is what that quote conveys.

I would say learn to think, question, and see beyond the obvious. I refuse to tell people I work with how to solve something. Instead, I tell them, “Tell me how you will solve it and then I will complain.” I think they are used to it now. That way, we all put our critical thinking skills to good use and one day, they will not need me for guidance.

To learn more about Srinath’s work, follow him on Twitter and read his blog.

Ask an Expert: Catching up with Sagara Gunathunga

Sagara Gunathunga, the product lead of the identity and access management (IAM) team at WSO2, has had one amazing career. Starting as a committer to Apache, he most recently led WSO2’s efforts to become GDPR compliant – using WSO2! In this interview, he tells why GDPR must be viewed as an opportunity to build closer relationships with customers and why we must always be curious to innovate.

1. Tell us about your introduction to open source and your journey at WSO2 so far.

Before I joined WSO2, I was a contributor to the Apache Software Foundation. In 2006 I attended various open source events like ApacheCon and I was highly motivated with the concept of contributing towards open source. So the motivation and some initial work towards it ended up with me being a committer in Apache. My first committer-ship was in an Apache project which was part of the Apache web service project and this also paved the way for my access to other projects.

During this time, I got a chance to join WSO2. Initially, I was driving WSO2’s contribution towards Apache. I started working on Axis2 and web services project during my own time and arranged various initiatives to review and mentor their work towards Apache. I also encouraged others to become committers. At present, I am part of the IAM team. It was quite challenging at the start, as none of my previous projects were on security and my knowledge was limited to the security aspects that I’ve been exposed to when working on Apache projects. Services, application development, and governance were my core focus areas back then but I used the knowledge I gathered as the base for my career as an “identity guy”. There was lots to learn, going deep into the concepts of IAM – but it’s been a rewarding journey.

2. What’s the most exciting project you’ve been a part of recently?

One of the main tasks I was assigned to was to work with the privacy standards given the emerging requirements in the EU/UK (GDPR) and Australia. As a technology company, it’s quite a task to keep up with all the privacy standards per country. Given that we have an identity product, it’s a priority for us.

We manage 50 mn+ identities, so in our case we store personal information and the main challenge is “how do we comply ourselves with the standard?” There are many known approaches like “Privacy by Design” but my architectural effort was to make WSO2 Identity Server comply with all the privacy standards, not just GDPR. Then we had to expand that exercise to all other WSO2 projects as all WSO2 products have some sense of personal data.

From a business perspective, WSO2 has data from customers and users that we need to protect and I was a part of that team that handled the privacy compliance/GDPR compliance. Meeting the deadline on the 25th May was daunting, but we did it!

4. Your proudest moments at WSO2?

Not just one, but being a part of WSO2 alone is always something to be proud of. The reality is that on the surface, you don’t see a lot of technological innovations in this part of the world (South Asia) due to various reasons. At WSO2 we are able to innovate given these limitations, competing with leading and innovative tech companies around the world. Right now we are known as the largest OSS integration vendor in the world managing 50 mn identities through our identity server, and that’s truly special.

5. How do you see GDPR: is it an opportunity or a roadblock?

It depends on your individual perspective. Some think it’s a financial barrier/roadblock but many other people do not share this view. Last month I presented at the GDPR summit and at various meetups where GDPR was discussed. I learnt that most people think it’s an opportunity for them to demonstrate their commitment towards user privacy, how they respect it, and demonstrate the ways in which they have measures in place to provide data protection.

There are positive perceptions – including as an avenue for brand recognition and how you care about your customers. That’s great and I think it’s one of the best ways to prove to your customers that you respect their privacy and you have taken all measures to protect their data. Businesses are now moving away from being solely profit-oriented and to instead building relationships with their customers. That’s the most important aspect, and I believe this is how GDPR should be viewed.

6. Where do you think the future of IAM is heading and where does WSO2 Identity Server fit into that picture?

IAM is a broad term. We’ve noticed that authentication or how you verify the authenticity of a user is an evolving space and is a part of many privacy standards. For example, PSD2 and Open Banking in the UK require enforcing Strong Customer Authentication (SCA). Financial institutions and banks used to have biometric and token devices for authentication. Yet, given the volume of cyber attacks and privacy violations, it is important that you provide maximum protection for your users. Therefore, authentication needs to become more agile and adaptive.

We’re hoping to provide adaptive authentication with WSO2 Identity Server, which is a very exciting direction for us!

7. WSO2 IS is an open source IAM product. How does it stand as opposed to a regular IAM vendor or product?

Open source is a loaded term. To ensure that what we offer is truly open source, we provide binary distributions that are freely accessible so you are able to customize, redistribute, and access the source code.

There are other “open source” IAM products where you can get the source code and run it, but you cannot run the official binary release in production. At WSO2 the GA releases are under Apache 2.0 license which means you are free to do whatever you want. You can use the code and run it yourself or extend, customize or even resell. In case you need professional support and help, you can then engage with us.

8. From the point you started at WSO2, you have had an amazing professional journey. Any advice for budding developers or engineers who are beginning their careers?

Be curious. Always.

I have been in the field for more than 10 years and I’m more curious than ever given how much the technology landscape is evolving. If you are planning to have a fruitful career (which I’m sure you are), you have to be curious. I’m paraphrasing one of our greatest losses from recent times, Stephen Hawking, who said the key to his success was being curious. When people grow up they tend to settle with what they know but if you are curious, you grow with knowledge. It’s a guiding principle for me too.

As an identity guy, the key is to learn ideas and concepts thoroughly, so the application of the technology becomes easier. If you’re curious, the commitment and passion to what you do will come naturally. But if you settle, innovation becomes a battle.

Wait, I have to have WHAT in place by May 25, 2018?

We’re THIS close to inventing a drinking game every time someone says GDPR. It’s quite fascinating to see how much is going to change with this regulation. Just like college, everyone is scrambling to meet the deadline of May 25, although the regulation came into place in 2016 and this is technically a “grace period”. Personal data and privacy are more important than anything else. We bet you now regret the time you clicked on “What does your favorite pizza topping say about your personality?” in exchange for all the personal data you submitted at the time – without so much as a second thought.

GDPR is going to change everything and place user consent on top, which is great. But if you’re an enterprise dealing with data of anyone living in the EU, you’ve got a lot to do. We put together a few questions we encountered, let us know if these help!

What exactly do I need to have in place to be in compliance with GDPR?

In this article we’ve listed 7 pragmatic steps you can take depending on where you are on the journey. Here’s a quick look at what they are:

  1. Build awareness around GDPR: in-depth awareness and building in-house expertise on all aspects of the regulation.
  2. Analyze if your company is affected: if you’re dealing with PII (personally identifiable information) of “residents” in the EU, then your company must deal with GDPR.
  3. Review the impact of your current data: thoroughly evaluate if all data collection methods used the necessary consent and furthermore, if you are able to demonstrate proof of consent.
  4. Review your systems and processes: review data storage and access mechanisms, and specifically decide if a data processing impact assessment (DPIA) must be carried out. It’s recommended you get a professional’s help with this.
  5. Implement necessary safeguards: adjusting business processes, upgrading software/storage systems, training for staff members, and introducing auditing systems.
  6. Appoint a DPO/EU representative: to address GDPR related matters within the organization such as advising staff members on data protection procedures, monitor compliance, and act as the point of contact for supervisory authorities when liaising with them.
  7. Revise your documents and policies: thorough review of all documents and policies of the organization such as websites, terms and conditions, privacy policies, and social channels.

I’m a company in Milwaukee/Bikini Bottom [or insert wherever you’re from]. Should I concern myself with GDPR and if so, to what extent?

As long as you’re dealing with PII – Personally identifiable information of those living in the EU, GDPR affects you. From a small retail company to a large financial organization, as long as you deal with Karen who lives in Norway, your company must be compliant with the law. You can find a link to all the laws here.

Should we extract and provide all of the customer data if requested by the customer? All the data or just the personal data like name, address, email, etc? Should we also extract the old orders that we have stored in the system?

Yes. Absolutely. There’s a right to “data portability”, meaning there should be a mechanism to access all the details if an end user wants to. Remember that with GDPR, it’s all about the customer and their rights must be given the utmost priority.

All data or personal data?

All the data. Whatever that’s stored, for whichever reason, should be made available if the user requests. The key term here is, PII – personally identifiable information. And if individuals want their data erased, you must adhere to it too.

Does WSO2 provide consultancy to make an organization GDPR compliant?

If it involves technology such as using WSO2 products, yes, we can provide consultancy to help your organization. Successful GDPR compliance requires changes in people, process, and technology aspects. WSO2’s suite of technologies can be used to make your organization GDPR compliant. To reiterate, if you’re looking for consultancy from a technology perspective and if it concerns our products and technology, yes, we provide consultancy based on that.

How can you help me speed up the process? What tools do you provide? / How exactly are you helping to implement GDPR compliance?

WSO2 provides a stack that’s fully GDPR compliant; this includes the WSO2 Identity Server, Enterprise Integrator, API Management, and the open banking solution. This article will help you understand what you need to look for when searching for a GDPR compliant IAM product and how it helps to optimize your GDPR strategy. WSO2’s open source Identity Server in particular can help you save the time and cost involved, given the consent management and the privacy toolkit in our latest release. Get in touch with us if you’re building your own solution or if you have any questions. Essentially, our products will help you build a GDPR compliant solution. You can find out more here.

Should we perform pseudonymization of the database in order to protect our data?

If by “our” you mean your customer, yes. Performing pseudonymization is in fact a best practice. So yes, by all means. If the end user requests that you erase their data, you should comply according to the “right to be forgotten” rule. Having a proper IAM solution in place to do this would be helpful too. We also have a privacy toolkit that will enable you to do that; learn more here.

We are a company doing business with EU customers. We maintain their data in our CRM; do we fall under GDPR? In this case, how can we collect the consent of customers in the CRM?

Yes, you are processing and collecting details of EU residents, therefore you are affected by GDPR.

What if legacy apps are involved?

GDPR is focused on the end user; it doesn’t matter how your business does things, whether it is cutting edge or not. So even if it’s legacy apps you work with, you must have processes in place that will bridge between the applications and the regulation.

Are there examples of what other companies have done to become GDPR compliant?

It might not be explicit, but if you do a quick search or pay attention to your inbox, a lot of other companies might already be sending you emails saying they are updating their privacy policies, which means they are taking steps to become compliant. And that’s just one part of ensuring explicit consent.

Did we miss a question? Get in touch with us and we’ll get back to you!

Four Warning Signs an Integration Wall is Approaching

The Integration and API Management markets are growing, expanding in both popularity and use. Enterprise App integration will surpass $33b by 2020, and other markets like iPaaS and Data Integration are growing at double-digit CAGRs. Enablers, such as containers and serverless technologies are only accelerating the move toward increased disaggregation of applications.

All seems rosy. And it mostly is.

But with the explosive growth of APIs and endpoints, traditional centralized tools like ESBs will become unsuitable, and simple low-code snap-together tools won’t scale to address the broader scope. We’re potentially about to hit an “integration wall” at high speed.

Consider the following four warning signs – some technical, some process – that I find are beginning to plague the integration market:

1. Waterfall Development for integration is hitting a wall.

Although most code development has shifted to an Agile Development model, the same can’t be said for Integration tools. As the quantity and diversity of endpoints increases, and as Integration projects become more diverse and complex, use of the waterfall model is beginning to slow down integration projects. And with a future where there will be billions of Integratable endpoints, it’s obvious that an Agile Development model for integration will need to become the norm.

2. Existing tools and programming languages aren’t optimized for Integration-at-scale.

Enterprises that currently use low-code, snap-together, centralized integration technologies (including iPaaS) will not be optimized for orchestrating, integrating, observing and governing the expansion of constantly-changing endpoints. Nor are traditional centralized approaches (think: EDI and older ESBs) prepared to handle increasing endpoint scale or diversity. Many of these existing tools are well-adapted for Line-of-Business or Citizen Integrators of relatively small-scale implementations but are far from well adapted for more complex integration-at-scale projects.

3. Current programming languages are not optimized for Integration.

With languages like Java/Spring or JavaScript/Node, developers can engineer flow, but must take responsibility for solving the hard problems of integration. With these languages, developers have to write their own integration logic or use bolt-on frameworks. Clearly a new programming paradigm will be needed long term.

4. The Exploding Endpoint Problem is very real.

As I referenced above, IT is ill-prepared to address the oncoming wave of service disaggregation, the diverse types of APIs, differing sources of service endpoints, challenges from Big Data, and multiple approaches to serverless IT. The industry is about to hit a scale and diversity wall. To wit,

  • 917 apps in use per enterprise (Netskope, 2016)
  • 893-1206 average cloud services used per employee (Kleiner Perkins, April 2017)
  • 19,000 APIs as of January 2018 (Programmable Web, 2018)

And if you don’t believe those numbers, Matt Eastwood of IDC recently pointed out that the number of containerized services has expanded well beyond where VMs ever were. Yep, billions of programmable endpoints aren’t kid’s stuff.

Where does this leave us?

A new approach to addressing the future of integrating thousands, or millions, of endpoints could lie in a new programming language, Ballerina.

Ballerina is a simple programming language whose syntax and runtime have been optimized for the hard problems of integration. Its focus is integration – bringing concepts, ideas and tools of distributed system integration into the language. Based on the concepts of interactions within sequence diagrams, Ballerina has built-in support for common integration patterns and connectors, including distributed transactions, compensation and circuit breakers. And it supports JSON and XML, making it simple and effective to build robust integration across distributed network endpoints.

So, watch this space for future developments. And in the meantime, beware of the approaching wall.

5 Countries, 14 Cities: WSO2’s IAM Summer Tour

Given the needs for regulatory compliance, the need to offer a customized experience for customers and employees and tightening privacy controls (think Cambridge Analytica), having a solid IAM system solves more than just a simple IT problem of connecting identities.

Among the debates you need to resolve within your team are what kind of technology (we suggest IAM) will help you accelerate your compliance processes, especially when you have deadlines to meet; whether adopting an open source IAM solution would offer more value than a traditional IAM solution; and whether it offers better capabilities or creates additional privacy or security issues. What must you look for when opting for a customer IAM solution, and what value do you create by prioritizing these?

WSO2’s Senior Director of Security Architecture, Prabath Siriwardena (fresh out of sabbatical), is going to hit the road starting April 30 and we’re going all out with everything we know on identity and access management and how adopting open source IAM can help you with your IAM strategy. He’s got a jam-packed schedule and, given his expertise of over 10 years, including extensive speaking at conferences worldwide (he just spoke at RSAC 2018, sold out his books on API security), we think you should be marking your calendars just like you’re waiting for the final GOT season.

Here is a partial list of the topics we will cover:

  • Improving app IAM: About 71% of enterprise security decision makers believe that securing customer-facing apps is a critical priority. So here’s what it means. You need to ensure that you have an effective customer IAM solution in place that offers BYOID, progressive profiling, strong SSO and authentication, and self-care portals to secure your customers’ data and offer them an engaging experience. What should you have in place so your IAM solution can address these?
  • Securing APIs: APIs are everything and most enterprises are increasingly adopting and exposing APIs with more 3rd parties involved. Are your APIs secure enough and what best practices should you adopt?
  • The IAM and Compliance Relationship: In the wake of privacy regulations like GDPR, what steps is your enterprise taking to be compliant?

Find the answers to these and more! We’re starting with Canada and taking it all the way to WSO2Con USA.

Here’s where we’re going to be:

Canada

USA

Sri Lanka

  • May 30 – Jaffna

Singapore

UAE

  • June 6 and 7 – Dubai

Learn more about our events and how the WSO2 Identity Server can help your enterprise.

Ask an Expert: Catching up with Seshika Fernando

Women in engineering are unicorns (almost) and that’s probably why #Ilooklikeanengineer became a thing. But WSO2, with a 30% female representation, tells you a different story. Plus, we consider everyone at WSO2 a handpicked lot. So is Seshika Fernando. She’s a Chevening scholar, a speaker at conferences around the world, backed by both finance (London School of Economics) and computer science. Outside her workspace she’d be playing basketball as if it were rugby or making sure her son Ezra is getting enough sleep.

We caught up with Seshika recently to speak to her about her transition from the WSO2 analytics team to financial solutions, why open banking is taking over the world, and why she encourages more girls to join the IT industry.

1. How have your experiences at WSO2 been so far?

It’s been great! I was originally involved in data analytics while in the Research team. Now I manage the financial solutions initiative at WSO2 where I am able to capitalize on my background in Finance and create specialized solutions on top of WSO2 products, catered towards the specific business requirements of the financial industry.

I’ve had great experiences at WSO2. From being able to speak at at least half a dozen international conferences a year, to interacting with some of the largest brands in the world, to playing basketball. WSO2 has been a great place to work irrespective of the team I belonged to.

2. How did the idea for building an open banking solution come about?

WSO2 gave me a challenge – “create solutions for the Financial Services industry using WSO2 products.” With a background in Computer Science as well as Finance, I took this up with open arms. At the time we started this initiative, PSD2 was taking over every conversation in the European banking sector.

With many of our existing customers coming to us with the PSD2 requirement, we forged ahead and created WSO2 Open Banking. Now in retrospect, this was the best decision we made. Open banking is taking over the banking world – not only in Europe but globally. And our open banking solution, built on top of the battle hardened WSO2 products, is proving to be very useful in all these markets.

3. This leads us to believe that the market for PSD2 solutions is open to many forms of competition. How did you formulate a technical and sales and marketing strategy to ensure WSO2 stands out?

Yes, there was stiff competition when we started. However, thanks to the vast capabilities of WSO2 products, surviving and thriving within this landscape have been easy.

First of all, even though we entered the race late, we realized that most of the requirements of the PSD2 regulation can be serviced through the existing WSO2 products. Technically, all we had to do was wire everything together, add any missing features, and package an end to end solution which enabled banks to achieve full compliance very quickly.

We had to go for a very aggressive sales and marketing strategy in order to gain traction in a market that was full of different types of competition (not just our usual middleware competition). So we planned different types of campaigns to first create awareness and then engage with banks that were outside our usual customer base. Once we did the first few implementations, word got around and we were getting a large number of requests from both European and non-European banks.

4. Can you tell us about your experiences with customers who are trying to become PSD2 compliant? What are the key challenges they face?

Security is the utmost concern for all banks. Since it is sensitive customer data that is being exposed, banks that engage with us emphasize the importance of the ability to secure data and its access, above all other requirements. The WSO2 Open Banking solution overcomes all security challenges, since it incorporates WSO2’s very strong and proven IAM offering.

Most of our customers are also looking for ways to make their regulatory investment worthwhile, by being able to earn some revenues from their implementation of PSD2. With a digital transformation focused open banking implementation, our open banking customers are easily able to achieve this.

5. It seems obvious that banks will need to think beyond API when planning a technology strategy for compliance. How difficult/easy is to convince them to do so?

When we look beyond the regulation and discuss implementation details with each bank, the need to integrate with existing internal systems, the requirement for comprehensive Identity and Access management, the capability to onboard third party providers, and the necessity to have a strong analytics component to achieve regulatory reporting requirements come to light. These requirements are usually enough for customers to understand the necessity for an overall technology strategy rather than just an API strategy.

However, we don’t just stop there. We understand that each customer (big or small) is making an investment to extend their technology platforms in order to satisfy these requirements. We help the customer identify ways that they can reuse the technology they are investing in, to further digitize and optimize their existing processes in a way that promotes market expansion and create new revenue streams.

6. What are your thoughts on how open banking will be adopted globally?

Well, all regions are moving towards open banking albeit at different paces. Australia is next in line to implement open banking through regulation and there are many other regions such as New Zealand, Hong Kong, Japan, etc., that have stated their intentions to mandate open banking through regulation.

In the meantime in all other parts of the world, even without regulatory pressure, individual banks are adopting open banking due to the many benefits they can achieve especially in an environment where they could be the first movers to a new ecosystem. Therefore, it is only a matter of time before open banking becomes a must have for all banks globally. WSO2 is excited and ready to work with each region on their specific open banking journeys.

7. Finally, as a woman playing a leadership role in a technology company, what is your advice to other women in the field on how they can reach the highest pillars of success?

I believe that being female does not have any disadvantages for a career in IT. Since women are the minority in this industry, it provides women a superb opportunity to easily stand out within a male dominated workforce. Furthermore, the IT industry’s flexible working arrangements really enable us to balance work life and family life.

I would encourage more and more girls to join the IT industry not just to profit from its various benefits but also to reverse the gender imbalance and contribute towards development of great products that are created by a diversified workforce for a diversified consumer base. In fact, I’ve even written a blog post on the subject for the World Bank.

Seshika, 2nd from the right, Winner of the Young Engineer of the Year award for 2017 by IET Young Professionals-Sri Lanka

Three Months in to PSD2 – Confessions of the WSO2 Open Banking Team

It’s been 3 months since the PSD2 compliance deadline and the dust is settling in. Or is it really? Just like when it started, the post PSD2 landscape is viewed from different angles. It has been called everything from a ticking time bomb to a slow burn to a never ending honeymoon period. We think the biggest surprise was that everyone thought that January 13 was the end. It wasn’t, it was the beginning.

When we created WSO2 Open Banking, we knew customer needs would be diverse and every technology experience we deliver would be unique. Turns out we were right. Our journey with WSO2 Open Banking has unraveled some interesting experiences while working with different stakeholders in this compliance ecosystem. Here’s what we learned.

Confession #1: (Almost) Everyone was late to the party

Everyone (including us) started counting down to PSD2 from 6 months to 3 months to 1 month. But the reality was, January 13 was just the date when PSD2 was implemented by the EU parliament as a European-wide regulation.

Several regions across Europe chose to deal with imposing PSD2 in their own way. We’ve been tracking the country-specific deadlines quite closely and about 46% are yet to set an official deadline for compliance. We believe that the final date for compliance will be when the Regulatory Technical Standards (RTS) come into effect in September 2019. That’s good news for us because there’s still a large viable market for compliance technology! ;)

Confession #2: Compliance confusion did not discriminate

Over the past several months, we’ve worked with many banks of different sizes across Europe and they all had similar questions:

This led us to believe that banks, regardless of size, require a lot of guidance in the compliance process. It’s a good thing we have a team of experts to do just that!

Confession #3: They came, they saw, they vanished

When PSD2 first started gaining traction in 2016, the knee-jerk reaction of every API management and integration vendor was “this is a goldmine of opportunity we cannot miss”. So they went head on into the market with an existing product. Come 2018 when the need for compliance technology has evolved, these “first mover” technology vendors have gone quiet.

It remains uncertain whether it was the lack of a well thought out strategy to keep consistent market demand, fintech domination, or not giving the compliance market the attention it deserved. One thing is for sure, this is a highly competitive market for technology vendors like us. But no complaints, we love a challenge and are pretty good at winning them!

Confession #4: API standards (and the organizations writing them) are a solution provider’s BEST friends

A lot of shade gets thrown at not having a common API standard across Europe (version 1.1 of the Berlin Group API specification is yet to come, we’ve got our eyes peeled for that). However, Open Banking UK has got this in the bag by having a comprehensive API specification that WSO2 Open Banking supports.

When we first started out, these standards really helped set the base for building our solution. Our development team continues to spend a good couple of hours every week identifying latest improvements in the specifications and contributing to their development by participating in working groups.

Confession #5: Compliance is not a back breaker…it just needs a well thought out strategy

A lot of banks think of compliance as a major headache and seek a “quick fix” to compliance just so they can tick off the checkbox. The reality is, quick fixes can do more damage than good. PSD2 compliance is a big deal and if you go into it without a strategy, that’s cause for alarm. Even if you don’t have a dedicated open banking or compliance team you can still get the job done.

You just need to rally the right members, set your goals for compliance and figure out what you need from a technology vendor. Then you need to pick the technology that gives you value for money and won’t take eons to work with your systems and deliver compliance. It’s a matter of working closely with a solution provider towards a common goal.

Confession #6: Do your research or go home – The learning never stops

There is a minimum of 3 articles written a week on open banking. Everything from thought leadership material, opinion pieces (like this one), and publications from standards continue to explore and discuss this ecosystem. And what we learn from our conversation with customers is an invaluable source of research to keep abreast of where the market is heading. We treat each of these as a unique source of intelligence and they continue to nurture our product management, sales, and marketing strategies. It’s the only way to survive in an ecosystem as dynamic as this one.

It’s been a great ride so far and we can’t wait to see what comes up next! No doubt there will be plenty more surprises and exciting developments to look forward to!

The WSO2 Open Banking Team