Questions to Ask

Ask vendors the questions that matter.

In addition to asking about specific features, there are several questions that are worth asking vendors. The following questions help in understanding the maturity of products and focus on potential breakpoints of projects.

What deployment types are supported, and can they be mixed?

Any sufficiently large-scale API management project will inevitably face the challenges of supporting hybrid environments, where parts of the infrastructure remain on-premises while others reside in a cloud (or in multiple clouds). A vendor’s support for such scenarios is the most crucial decision factor.

What API protocols and standards are supported? Can legacy systems be modernized transparently?

API virtualization capabilities, where various disparate backend sources are transformed and converted on the fly for seamless compatibility, can greatly simplify exposing the company’s core expertise across various markets and industries.

Which authentication and authorization paradigms, standards and protocols are supported?

Support for a broad range of identities, authentication and authorization tokens, and other mechanisms is extremely important for heterogeneous distributed application architectures such as microservices.

Which integrations with third-party security tools are supported?

Even the most sophisticated API management platforms cannot provide a full range of security capabilities; integrations with other solutions are a must, and customers might not want to implement them on their own.

What certifications have you obtained for the solution?

Geographical and industry-specific certifications do more than just show that the solution does not break compliance regulations. They also demonstrate a vendor’s commitment and consistency and convey trust. Moreover, security certifications such as SOC 2 and ISO 27001 should be considered requirements.

How developer-friendly is your solution?

Engaging API developers with security matters at the earliest stages of the API lifecycle is the key to implementing “secure by design” APIs. This relies not just on integrations with IDEs and other developer tools, but also on the quality of documentation and the availability of guidance and best practices.

Which internal security and privacy-enhancing measures are supported?

The security of API management solutions is just as critical as the security of the APIs themselves. Strong authentication methods, segregation of duties and role-based access, audit logs for all administrative activities, as well as privacy-enhancing functions are important for overall security and compliance.

How does your solution achieve scalability and high availability?

API gateways should be considered part of critical infrastructure, as a potential performance bottleneck or single point of failure might disrupt important business processes and lead to massive losses.

What are the upcoming features on your roadmap?

Discussing features that may become critical aspects of the solution in the future, their development and rollout timelines, and the vendor’s overall vision will help ensure that organizational goals are in alignment.

Can I speak to some reference customers?

It is usually helpful to speak to one or more reference customers, specifically when the reference customer is in a similar industry or region.

This is a sampling of the many possible questions to ask vendors. For further assistance, KuppingerCole Advisory Services helps clients in the vendor selection process. KuppingerCole Research Services provides additional information on vendors, such as in Market Compass and Leadership Compass documents.