About Our Client
Our client is a recognized research institution and a member of the Russell Group. It is committed to delivering world-class education and research. This university, with a diverse community of 30,000 students from 150 countries, continuously strives to improve its services.
The University operated with siloed applications, each independently interacting with back-end systems. This resulted in a fragmented and redundant infrastructure, lacking central visibility into its overall capabilities. To streamline operations and enhance system efficiency, the University sought to modernize its online platforms by implementing a centralized API control system for better integration and oversight.
Business Objective
The primary goal was to maximize the reuse of existing capabilities and ensure they are easily discoverable by university staff, preventing redundant development. The university also wanted instant access to student data to speed up administrative duties, and an API-first strategy to shift from a UI-focused method to an API-as-a-Product (AaaP) setup. In addition, it sought to develop a developer-friendly setting with relatively standardized API contracts and resources. Overall, it wanted to establish a robust API ecosystem to ensure seamless API deployment, tracking and optimisation across the university.
Challenges Faced by the University
The university was looking to modernise its digital infrastructure by unifying API management. However, it faced several significant challenges:
- Due to the lack of a centralized API management system, multiple services of the university were operating in silos.
- API onboarding and deployment processes required manual intervention, which made them time-consuming.
- APIs needed to be secured and kept compliant with the university's security guidelines.
- Developers struggled to discover and consume APIs efficiently due to the absence of a unified platform.
Kong Implementation
- Kong Gateway as the API Management Solution – First of its kind to go live, leveraging Kong’s fully SaaS Gateway solution.
- Automated API development using APIOps – From the API Spec, the Kong APIs are auto-generated via APIOps.
- Rate limiting, authentication (OIDC), and logging – Leveraging Kong’s built-in plugins for enhanced security and monitoring.
- Kong Developer Portal – Providing a single interface for developers to discover and consume APIs.
- CI/CD integration – Using Kong’s declarative configuration to enable automated deployments and version control.
- Observability and monitoring – Integrating Kong with tools like Splunk for real-time analytics and logging.
How did NeosAlpha help?
1. Establishing a Unified API Management System
Challenge: The university’s API security posture didn’t meet industry standards. There was a lack of typical structure, no standardised models, and APIs were developed without specifications or a design-first approach. This resulted in inconsistent security.
Solution: We implemented key security and traffic management plugins within Kong API Gateway to enhance API security by creating a single control point for all APIs. We suggested the university adopt a design-first approach to ensure API specifications were created before development to meet standards and compliance requirements.
2. Creating a Centralized Developer Portal
Challenge: With no centralized API access, developers struggled to discover and integrate services effectively.
Solution: We built a unified developer portal, enabling developers to explore available APIs, access relevant documentation, and integrate services more efficiently. This solution significantly improved the developer experience and reduced the time and effort needed to onboard new APIs.
3. Automating API Deployment with CI/CD Pipelines
Challenge: The university’s API onboarding process was manual and time-consuming, leading to slow development cycles. The lack of automation resulted in frequent manual errors and inconsistent deployment approaches.
Solution: Our team developed fully automated CI/CD pipelines, allowing APIs to be deployed seamlessly with minimal manual intervention. As part of the APIOps onboarding process, we integrated governance frameworks using Spectral YAML, Insomnia, and Inso CLI tools. This automation reduced deployment time, enhanced governance, and ensured consistent API management.
4. Strengthening Security and Compliance
Challenge: The university needed a secure API access model that integrated with its existing Single Sign-On (SSO) tools while adhering to OWASP security standards.
Solution: We integrated Identity Provider (IDP) authentication to enable secure user access and enforced OWASP security rules in API pipelines. These measures enhanced security, minimized vulnerabilities, and ensured compliance with industry best practices.
Results
Here is how our Kong API Gateway solution helped the University:
- An API management platform was set up with all processes and best practices documented for the university.
- With the API setup in place, the university can independently manage API onboarding without manual intervention.
- Simplified API access by developing a unified developer portal.
- Optimised API deployment, reduced API release times, and enhanced governance through APIOps best practices.
- Enhanced security and compliance.
- Seamless network integration to ensure connectivity among existing university networks.