When speaking with our customers, and particularly with platform teams, we repeatedly hear about how difficult it is to discover and govern all the services and APIs that actively run on their infrastructure.
In ever-expanding and changing environments, platform teams often grapple with the challenge of monitoring and managing the creation and termination of services across numerous disparate application teams. This lack of visibility can lead to inefficiencies and potential conflicts as the scale of operations increases. Additionally, staffing churn makes it hard to keep up with which services exist and who their corresponding owners are. This challenge is generally referred to as API sprawl and stems from a lack of centralized API oversight across teams and business units.
Organizations that aren’t able to keep an ongoing track of what APIs and services exist inevitably have shadow APIs, undiscovered and unmanaged APIs. These APIs may have been developed with good intent, and by skirting organizational governance and controls, they may have had perceived value as a quick solution. Yet left unchecked, they introduce a range of risks and inefficiencies.
Shadow APIs often bypass standard security reviews and protocols and may expose sensitive data or create unnecessary vulnerabilities in the service. Even though they may be known by a development group or line of business, these APIs may not undergo continuous security testing, data compliance controls, or patching, increasing threat vectors such as data breaches or unauthorized access.
Kong forecasts the number of annual API attacks will grow 548% by 2030. This means every single API endpoint running in your infrastructure is an opportunity for attack by bad actors.
Security aside, the presence of shadow APIs can still pose serious compliance and operational risks. These APIs were most likely not built following organizational standards and introduce inconsistencies in data handling, compliance, and alignment with regulatory requirements. Lack of controls may result in non-compliant practices, which can open up organizations to legal ramifications that may include fines and costly remediation.
These security and compliance risks are on top of the inefficiencies created in collaboration barriers when assets are unknown to organizations, resource waste in the creation of redundancies in functionality, and add maintenance burdens of service that are more likely to become abandoned over time.
That said, maintaining an up-to-date inventory of live services and all their various dimensions typically requires a significant amount of manual work from platform teams.
With Kong Konnect Service Catalog, you can automatically discover running services and APIs through infrastructural integrations and auto-populate the catalog as services, APIs, and other critical data get discovered and updated in real-time.
Let’s explore how that works and the value you get!
If you’re already a Kong customer and using our runtimes to manage your APIs, implementing Service Catalog into your API platform is effortless. Because Service Catalog is natively integrated with Kong Gateway and Kong Mesh, once activated, it will pre-populate with all the services that exist in Gateway Manager and Mesh Manager.
Beyond our native runtime integrations, we currently support a discovery integration with Traceable and will support more discovery integrations across Kubernetes, serverless functions, and more in the months to come, so you can expand discovery and cataloging across your infrastructure regardless of where your application teams run. Traceable is integrated with Kong in two ways: at the gateway level with the Traceable plugin and via a direct integration with Service Catalog.
The Traceable platform identifies unmanaged APIs by collecting a variety of data, including CI/CD pipelines, WAFs, and load balancers. Through the Service Catalog integration, API platform owners can bring those shadow APIs into management and compliance via a Kong Gateway.
To learn more about how to secure APIs using the Konnect Service Catalog x Traceable integration, check out this blog.
If you discover an unmanaged API in your infrastructure via the catalog, you can take action to ensure it’s secured by fronting it with a proper gateway in Gateway Manager and go one step further by populating a record of who owns the service, its function(s), analytics, git repo activity, and more. With minimal effort, you unlock centralized visibility into the health and activity behind every running API in your organization. Let’s explore the value of this in more detail next.
Once a service has been discovered, you can start to enrich the specific service’s record with various data points across the Kong platform and third-party applications.
For example, if you refer to the screenshot above, you’ll notice we’re looking at a dashboard for a Billing service that’s been cataloged. In the Overview section for Billing, we can see a range of information including official Engineering Slack channels, the GitHub repo for the service, and the PagerDuty on-call Engineer and status of arisen incidents, just to call out a few.
Service Catalog aggregates critical information from these third-party applications through robust integrations, which means any developer, with the proper permissions, can go in and view real-time updates and data regarding any cataloged service.
With these centralized summaries of each live service, developers have a dedicated space where they can view critical information about each cataloged service. For example, let’s say Helena is building a service that will potentially integrate with the Billing service. She can head into the catalog, find the Billing service dashboard, and locate who owns the service as well as which Slack channel she could message to get the conversation rolling. If she wants to refer to the Billing service’s API documentation, she can also find that information stored in the “API Specs” tab of the dashboard (see screenshot below).
Here’s another example: let’s say Sam just got back from vacation, and now she’s trying to understand at a high level what’s been happening in the backend of her Flight Bookings service. To get a comprehensive birds-eye view, she heads over to the Flight Bookings service in the Service Catalog and opens the “Events” tab.
From there, she can refer to a chronological list of events related to her Flight Bookings service that occurred in the time she was out, including:
Taking in this information at a high level, with the ability to filter by Event type, gives Sam a good idea of where she needs to follow up and saves her a lot of time in doing so. Being the single record of activity for any given service, you can see how Events is useful for service and platform owners in everyday monitoring and for better collaboration when triaging incidents.
For new employees joining a company, Service Catalog is a great place to start familiarizing themselves with existing services in the organization.
These are just a few examples of how a centralized dashboard of aggregated, real-time information for each service can help developers find the information they need to efficiently get their work done.
Once you’ve (1) gathered an active inventory of the APIs and services running internally in your organization and (2) after you’ve enriched this inventory with critical contextual information, you can start to drive org-wide governance by setting up Scorecards tied to your compliance initiatives around security, reliability, quality, and more.
You can configure Scorecards (available in Konnect Service Catalog as an add-on) based on Kong-recommended best practices and industry standards for security, documentation, and service maturity. Once you’ve applied scorecards to all or select services in your catalog, scorecards will automatically score each service with a “pass/fail” and present the exact reasons for non-compliance with individual rules.
This means platform teams can automate traditionally time-consuming compliance checks and leverage clear paths to remediation with non-compliant service owners. For a deeper look into how Scorecards works, head over to this blog.
Eliminate shadow APIs and boost developer productivity by cataloging your services and APIs today!
If you’re already a Konnect user, log in, and you’ll have a pre-populated catalog in minutes. If you’re new and would like to build yours for free, it’s so easy to get started with Konnect Plus.
We can’t wait to see the catalogs you build, and if you have any feedback, let us know at releases.konghq.com.
Today we're excited to announce Kong Gateway 3.9! Since unveiling Kong Gateway 3.8 at API Summit 2024 just a few months ago, we’ve been busy making important updates and improvements to Kong Gateway. This release introduces new functionality arou
Kong Gateway 3.8 Hits Major Milestone for Enhanced Performance, Accelerated AI Adoption, Comprehensive Security, Extensibility, and Ease of Use We're excited to announce the release of Kong Gateway 3.8 , a significant update that marks a major mile
Kong Gateway Enterprise 3.5 is packed with security features to support the use cases demanded by our enterprise customers through major improvements in Secrets Management integrations and our Open-ID Connect (OIDC) plugin. Additionally, we’ve a
As API ecosystems grow more complex, maintaining visibility and security shouldn't be a hurdle. Kong Gateway 3.13 simplifies these challenges with expanded OpenTelemetry support and more flexible orchestration. These new capabilities not only make y
A quick refresher: Kong Cloud Gateways Kong Cloud Gateways are fully managed, high-performance data planes running on customer-dedicated infrastructure, orchestrated and operated by Kong through Kong Konnect . Customers can choose between: Serverle
We're very excited to announce Kong Mesh 2.12 to the world! Kong Mesh 2.12 delivers two very important features: SPIFFE / SPIRE support, which provides enterprise-class workload identity and trust models for your mesh, as well as a consistent Kuma R