Apigee and the Interoperability Model (ModI) for the Italian Public Administration

Apigee API Management allows the Italian Public Administration and its customers, suppliers, and system integrators to achieve full compliance with the new Interoperability Model (source New Interoperability Model - ModI) written and designed by Agency for Digital Italy (AgID).

Apigee as ModI platform enabler

One of the key aspects of the ModI is promoting the adoption of an API-first approach in order to help deliver maximum accessibility and interoperability across all the actors and services involved.

Apigee provides the right foundation for delivering ModI complaints interaction.

Below, we’ll describe how specific Apigee features help Public Administrations and other entities achieve compliance in the initiatives and programs that require Modl certification.

Hybrid and multi-cloud deployments
Each Public Administration organization has its own IT landscape. Some may have opted to host their digital services on-premises, while others prefer to host them on public cloud providers. Another might be on a digital innovation journey to migrate to one or more cloud hyperscalers or engaging in consolidation programs. Therefore, it’s important to select an API management platform that can support many different kinds of deployment models.

Apigee enables Public Administrations to achieve the architectural freedom to deploy their APIs anywhere — whether in their own data center or on the public cloud of their choice. For example, a public administration can choose to host and manage Apigee in containerized runtime services in its own Kubernetes cluster or choose a Google-managed option and have Apigee available on Google Cloud. 

Learn more about the Apigee supported deployment platforms and operating models.

Traffic management and control policies
The ModI guidelines prescribe how interactions between public administrations and the use of their digital services should take place. 

Apigee uses policies on API proxies to program API behavior without writing any code, allowing organizations to add common functionality, such as security controls, rate limiting, transformation, and mediation. Public Administrations can select from a robust set of more than 50 policies (pictured below) to drive and control the behavior, traffic, security, and quality of service (QoS) properties of every API. Apigee even supports custom scripts and code, such as JavaScript applications, to extend API functionality.

Monitoring and logging
Monitoring and logging also plays a vital role in the design and development of APIs. With this in mind, it’s critical for public administrations to select an API management platform that provides these capabilities for their digital services.

With Apigee, Public Administrations can leverage built-in and custom API analytics dashboards to investigate spikes, improve performance, and identify improvement opportunities by analyzing critical information from their API traffic. In addition, Apigee can debug API proxy flows, making it possible to investigate every detail of API transactions within the console or in any distributed tracing solution. Public Administrations can also isolate problem areas quickly by monitoring API performance or latency, identifying anomalous traffic patterns and receiving notifications about unpredictable behaviors.

Automated API Security with ML-based abuse detection
More and more frequently, governments and public services are being targeted in cybersecurity attacks. Government agencies and Public Administrations should take all the necessary precautions to minimize or eliminate API security risks.

Apigee provides Advanced API Security, an add-on capability to protect APIs from misconfigurations, malicious bot attacks, and critical abuses. Advanced API Security assesses managed APIs regularly, surfaces API proxies that do not meet ModI’s security standards, and provides recommended actions when issues are detected. ML-powered dashboards accurately identify critical API abuses by finding patterns within large amounts of bot alerts and acting promptly on important incidents.

Using Apigee, public administrations can easily define ModI’s complaint profiles, which can then be used to assess the degree of adherence of their digital services with respect to the guidelines.

Now let’s investigate in more detail how Public Administrations can leverage Apigee for their ModI compliance initiatives.

How to implement ModI guidelines and patterns within Apigee

As you have seen so far, the ModI guidelines collect a set of requirements that Public Administrations must comply with when exposing and/or consuming digital services via APIs.

These recommendations address several aspects, including identification of needs, organization, semantics, techniques, security, processes for ensuring National Digital Data Platform (PDND) interoperability, and more. In addition, the regulator of these guidelines also defines the level of applicability for requirements, indicating whether they are obligatory or optional. 

While not all requirements relate to API management, leveraging Apigee can enable Public Administrations to adhere to certain guidelines. In particular, Apigee provides all the building blocks that can be used and assembled together to satisfy the ModI requirements for techniques and security.

For example, with Apigee, Public Administrations can expose digital services with both REST and SOAP protocols. In addition to the service exposition, Apigee can also be used to invoke downstream digital services exposed by other entities (both in REST and SOAP).

In order to validate the payload, this can be achieved with the out-of-the-box policies provided by Apigee, such as the OpenAPI Specification Validation policy and the SOAP Message Validation policy:

Plus, Public Administrations can also configure TLS and/or mTLS as transport protocols for these interactions, as recommended by ModI.

For addressing the security at the application level based on the ModI requirements, Apigee provides the following out of the box policies:

Apigee also provides out of the box policies for inspecting the voucher that will be used in order to access these digital services and apply the right action based on the information contained in the voucher, such as:

We already mentioned that Apigee can also be used to invoke digital services exposed by other PAs and in case of need Apigee will also be able to orchestrate more than one downstream digital service. Additional out of the box policies like the following help with this:

It is important to note that out-of-the-box policies will need to be “assembled” together to expose and consume digital services in compliance with the ModI guidelines. To do this, Public Administrations can create a pre-configured set of policy flows for addressing different ModI requirements.

These pre-configured flows can be combined into a shared flow in Apigee and re-used by developers when they need to expose or consume digital services. These shared flows can be called from API proxies or other shared flows using the FlowCallout policy.

Public Administrations will need to have a central team that can configure shared flows and make them available to everyone.

Once these specific shared flows are made available in Apigee, they can be included in the logic defined for exposing/invoking specific digital services.

Accenture accelerator for ModI

Apigee has partners like Accenture that are already working on these specific ModI compliance flows.

Accenture recognizes the significance of this solution and has developed ModI compliance flows within its innovation centers, in particular at the Accenture Cloud Innovation Center (ACIC) in Rome, to cover all the ModI requirements and guidelines. The Cloud Innovation Center is specifically focused on cloud solutions tailored to address customer’s unique business needs. 

Positioned strategically, the ACIC not only provides industry knowledge, agility, and technical expertise for cloud-driven business transformations but also houses the specialized Center of Excellence dedicated to the Sovereign Cloud, ensuring strict adherence to regulatory requirements specific to the public sector. This creates an ideal environment to cultivate understanding and expertise in Apigee technology while addressing customer needs in compliance with government regulations.

The following section will delve deeper into Accenture's initiatives in using Apigee to enable ModI compliance flows.

The aim of the Accenture accelerator is to provide an out-of-the-box solution that enables customers to make their Apigee environment ModI compliant.

The accelerator is following the below process.

• Analysis of official documentations

• Gathering of ModI requirements

• Categorization of ModI requirements

The outcome of the analysis produced a set of requirements needed for ModI compliance with impacts at the API management level, which were categorized as follows:

• Natively supported: meaning they are natively satisfied by Apigee's out-of-the-box capabilities

• Custom: meaning they will be satisfied through the development of reusable shared flows.  

• Procedural: meaning they will have to be applied at development time of individual e-service and are in charge of the api developers. They will be collected in a "Developer Handbook".

The breakdown of requirements in the categories is given below.

The Accenture accelerator will be made available via the Google Marketplace so that it can be easily adopted by interested customers. It will be published as a ready-to-use package that can be easily integrated into the target Apigee organization. At this point, the customer will have the opportunity to choose, for each API Proxy, which ModI requirements to apply, selecting the associated shared flow.

The following is an example of how to apply a ModI requirement using the Apigee Google Cloud console. The same approach can also be applied in GitOps mode.  

1. Create an API proxy.

2. Enter API information

3. Deploy the API proxy.

4. Edit the API proxy.

5. Select a shared flow to apply a ModI requirement.

6. Update the API proxy.

Conclusion

Apigee API Management and Google Cloud partners are very well positioned to address the digitalization of the Italian Public Administration. Thanks to the large investments and open tenders at every level of the Italian Public Administration that the government has published, this opportunity should be seized quickly to help citizens and companies facilitate the movement of goods, people, services, and data throughout Italy and the European Union. 

For further information you can get in contact with your Apigee representative.