Layer7 API Management Review

Does well protecting APIs against vulnerabilities, but the lifecycle management approach needs improvement

What is our primary use case?

We use it as a gateway for protecting some of our critical infrastructure out on the grid. We have six data centers and it is implemented in each one of them, protecting our grid.

We have several applications that talk to the grid, and they pass through that gateway to get out there, ensuring that we terminate connections from the lower security environment and reestablish credentials for the higher security environment.

How has it helped my organization?

Being able to protect our communications protocols, from the back office out to the substations that control the device, is helpful.

What is most valuable?

We use a pretty simplistic approach and it does what we need it to do for terminating connections and then reestablishing what we needed to do in a DMZ. All of those features are pretty good. We don't really use the full-blown API management solution which they offer, more just the gateway components.

From a security standpoint, it works great. It is the right solution for us. It's lightweight, a software-appliance configuration which was easy to deploy and configure. It is what we need. It does well protecting APIs against vulnerabilities.

It is okay for incorporating identity access control with OAuth.

What needs improvement?

The entire lifecycle management approach needs improvement: from the API management, development, deployment, some of the settings around the quotas, and some security policy applications, etc. for the APIs. We found the Apigee platform a lot more robust in that area.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

The solution is very stable. There have been no issues.

What do I think about the scalability of the solution?

Scalability is fine for what we are doing.

How is customer service and technical support?

Tech support is pretty good. They're pretty responsive. When we have an issue we give them a call. They jump on, help us find the root cause and provide a solution, or they talk us through configuration items.

We're big CA users, so we have all sorts of their products within our environment. It benefits them to be responsive.

How was the initial setup?

The deployment for CA's API Management, the way we're using it, took a couple of months and then we were operational. Our planning was typical Waterfall-type planning, at the time. We had a problem and targeted the problem with that solution. Our problem concerned security, protecting our grid-control area.

It took three FTEs for what we are doing. We also have a support structure around that. There's a whole team that manages the infrastructure and configurations of the policies. Since it has been up and running, it has required about one FTE to maintain it.

What about the implementation team?

We just worked with CA and our own resources. 

What was our ROI?

We haven't seen ROI from their gateway solution, other than protecting us from vulnerabilities. In that regard, it's kind of hard to monetize things. We have definitely benefited with cost savings from some of CA's other products.

What's my experience with pricing, setup cost, and licensing?

For what we are after, the pricing is okay. It is competitive.

Which other solutions did I evaluate?

For an API management solution, we chose the Google Apigee Edge platform. We went a different direction because CA was somewhat limited on some of the lifecycle management things that we were looking for. We use Apigee for modernizing legacy systems and for monetizing APIs, among other things.

We were one of the earlier adopters of the gateway technologies. I don't remember what we compared CA to back then. Lately, it has been between Apigee and MuleSoft and CA. We did that comparison.

We evaluate every five years. We see if we need to stay where we are or go in a different direction. Technology changes quite quickly.

What other advice do I have?

CA API Management is a pretty solid product for what we are using it for. It's been good. It has served our purpose and kept us out of trouble.

Evaluate what's out there in the industry. Make sure that you chose the right product for your use cases.

I would rate this solution at about six out of ten, overall. At the time when we were evaluating it, it was about the complete lifecycle management. We were looking to build APIs to legacy systems, using IDE deployment strategies - all of those things were lacking. Products like MuleSoft and Apigee had better, more robust software development approaches for both mobile as well as web-based or batch processing.

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More Layer7 API Management reviews from users
...who work at a Financial Services Firm
...who compared it with IBM API Connect
Add a Comment