Confronting API Security in the Brave New Open Banking Era
- 1. © 2015 Akana. All Rights Reserved.
Confronting API Security in the Brave New Open Banking Era
Sachin Agarwal
- 2. Digital Disruption in Banking
Mobile, Cloud, Customer Centric, Blockchain, Payments, FinTech
- 5. How do banks open up to the Digital Economy while managing risk?
- 6. Evolution of Digital Channels
- 7. Client-Server / Web Applications
• No Programmatic Access
• Security through network isolation
• Limited Users
Access locations and variability of operations were limited
- 8. Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, certificate based, PKI, WS-Trust
• Some B2B and partner applications
• Complex, but quite secure and flexible
- 9. And then came APIs
Disrupting how and where information is accessed
• Mobile and social apps don’t understand PKI, WS-Security, etc.
• Focus on human readability and developer adoption
- 10. Realizing End-to-End Security
• Managing the User Experience
• Securing the App - PII, PHI
• Enabling Easy Developer Access
• Securing the Channel
• Securing the Backend
- 11. Understanding the Security Landscape
API Specific Security:
• Protocol specific threats
• Key Management
• OAuth
• Monitoring
• Licensing
• Security Token Mediation
Other security layers: Single Sign On, MDM; ATP, Firewall, VPN etc.
- 12. Major API Security Concerns
- 14. Securing APIs
1. Authentication & Authorization
2. App Key Validation / Licensing
3. Message Security
4. Threat Protection
5. Content Filtering
6. Rate Limiting
Developers
- 15. Authentication / Authorization / SSO
Control and restrict access to your APIs
Make it easy yet secure
- 16. Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
Roles: User (Resource Owner), Client App, Resource Server
- 18. OAuth – You need
• OAuth Clients
• Provisioning
• Approval Flow
• OAuth Server
• Identity Integration
• Token Validation
• Token Issue/refresh
• Token Mediation (SAML, LDAP etc)
• QoS, Monitoring
• Policy Management
• API Proxying
• Reporting
• Analytics
OAuth is hard and complicated
- 19. Licensing
Package your APIs in different ways
Use API keys to restrict what the App can access
The licenses control:
– OAuth Authorization Scopes
– Document visibility
– Quota policies
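The two slides above say that OAuth delegates constrained access and that a licence package decides which OAuth scopes an app may use. The following is an added example, not code from the Akana deck or its gateway, showing how a resource server can enforce both at once: the scopes carried by a validated token are intersected with the scopes the client's licence package grants, and the request proceeds only if the endpoint's required scope survives that intersection. The licence packages, app ids, endpoint policy and the `Token` shape are constructed assumptions.

```python
"""Added example (not from the Akana deck): a resource server check that
combines OAuth scope enforcement with API-key licence packages.
Packages, app ids, tokens and endpoints below are constructed for illustration."""
from dataclasses import dataclass

# Constructed licence packages: each bundles the OAuth scopes it grants and a daily quota.
LICENSES = {
    "basic":   {"scopes": {"accounts:read"},                    "quota_per_day": 1_000},
    "premium": {"scopes": {"accounts:read", "payments:write"}, "quota_per_day": 50_000},
}

# Constructed app registry: which licence each registered client (app id) holds.
APPS = {"app-123": "basic", "app-456": "premium"}

# Constructed endpoint policy: the scope each resource requires.
ENDPOINT_SCOPES = {
    ("GET", "/accounts"):  "accounts:read",
    ("POST", "/payments"): "payments:write",
}


@dataclass
class Token:
    """What a token introspection or JWT validation step hands back (constructed shape)."""
    client_id: str
    scopes: set
    expires_at: int   # Unix seconds
    active: bool = True


def effective_scopes(token: Token, now: int) -> set:
    """Scopes a request may actually use: the token's scopes intersected with the
    scopes the client's licence grants. An inactive or expired token yields none."""
    if not token.active or token.expires_at <= now:
        return set()
    licence = APPS.get(token.client_id)
    if licence is None:
        return set()
    return token.scopes & LICENSES[licence]["scopes"]


def authorize(method: str, path: str, token: Token, now: int):
    """Return (allowed, reason). Unknown endpoints are denied by default."""
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return False, "unknown endpoint"
    if required not in effective_scopes(token, now):
        return False, f"missing scope {required}"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    premium = Token("app-456", {"accounts:read", "payments:write"}, now + 3600)
    # A token issued with a scope that the client's licence package does not include.
    over_issued = Token("app-123", {"accounts:read", "payments:write"}, now + 3600)
    print(authorize("POST", "/payments", premium, now))      # (True, 'ok')
    print(authorize("POST", "/payments", over_issued, now))  # (False, 'missing scope payments:write')
    print(authorize("GET", "/accounts", over_issued, now))   # (True, 'ok')
```

The intersection is defence in depth: the authorization server should already refuse to issue scopes outside the client's licence at consent time, but a resource server that re-checks the licence is not dependent on that being configured correctly, and a licence downgrade takes effect immediately for tokens already in circulation.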
- 20. Message and Parameter Security
HTTP Parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• Protect API Keys with HMAC – Hash-based Message Authentication Code
Message Security
• Implement HTTPS
• For XML payloads encrypt specific parts of the message
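The slide's sample URL carries both `app_id` and `app_key` as query parameters, which means the key is exposed in server logs, browser history and any proxy on the path. The following is an added example, not code from the Akana deck or its gateway, of the HMAC approach the slide recommends: the app keeps its key as a shared secret, signs the request with it, and sends only the `app_id`, a timestamp and the signature; the gateway recomputes the HMAC and compares it in constant time. The credential store, the `X-App-Id` / `X-Timestamp` / `X-Signature` header names and the clock-skew window are constructed assumptions.

```python
"""Added example (not from the Akana deck): HMAC-signed API requests so the app
key itself never travels in the URL. Credential store, header names and the
clock-skew window are constructed assumptions."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed credential store: app_id -> shared secret. The secret is provisioned
# to the app out of band and is never placed in a query string.
APP_SECRETS = {"myid": b"constructed-shared-secret-for-myid"}
MAX_SKEW_SECONDS = 300   # reject signatures whose timestamp is too old or too far ahead


def canonical_string(method: str, url: str, app_id: str, timestamp: int) -> str:
    """Deterministic representation of the parts the signature covers. Query
    parameters are sorted so the order the client sends them in does not matter."""
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return "\n".join([method.upper(), parts.path, query, app_id, str(timestamp)])


def sign_request(method: str, url: str, app_id: str, secret: bytes, timestamp: int) -> str:
    msg = canonical_string(method, url, app_id, timestamp).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_headers(method: str, url: str, app_id: str, secret: bytes, timestamp: int) -> dict:
    """What the client attaches: only the id, the timestamp and the signature are sent."""
    return {
        "X-App-Id": app_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": sign_request(method, url, app_id, secret, timestamp),
    }


def verify_request(method: str, url: str, headers: dict, now: int) -> bool:
    """Gateway-side check: look up the secret, recompute the HMAC over the request as
    received, bound the timestamp window, and compare digests in constant time."""
    app_id = headers.get("X-App-Id")
    signature = headers.get("X-Signature")
    secret = APP_SECRETS.get(app_id)
    if not (app_id and signature and secret):
        return False
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(method, url, app_id, secret, timestamp)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    url = "http://apis.foo.com/resources/sample/foo?app_id=myid&account=42"
    now = 1_700_000_000
    headers = client_headers("GET", url, "myid", APP_SECRETS["myid"], now)
    print(verify_request("GET", url, headers, now + 5))                    # True
    print(verify_request("GET", url.replace("42", "43"), headers, now + 5))  # False: query altered
    print(verify_request("GET", url, headers, now + 1000))                 # False: outside skew window
```

Two caveats a practitioner will want. First, the signature above covers the method, path, query, app id and timestamp; for POST or PUT the canonical string should also include a hash of the body, otherwise the payload can be altered without invalidating the signature. Second, the timestamp window limits replay but does not prevent it within the window; if that matters, the gateway must also remember recently seen signatures, and the whole exchange still belongs under HTTPS as the slide says.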
- 21. Threat Protection
• Denial of Service
• Injection Attacks
– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting
• Network address and range blacklists/whitelists
• HTTP Parameter Stuffing
- 22. Content Filtering
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures.
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
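The "policies for XML and JSON DoS" bullet is the part of content filtering that is easy to get wrong: a payload that is syntactically valid can still exhaust the backend through size, nesting depth or fan-out. The following is an added example, not code from the Akana deck or its gateway, of a JSON content filter that checks size and nesting depth on the raw text before parsing (so a deeply nested document is rejected without ever being built) and then walks the parsed tree to bound array lengths, key counts and string lengths. The limits are constructed assumptions to be tuned per API.

```python
"""Added example (not from the Akana deck): a JSON content filter of the kind a
gateway applies before a payload reaches the backend. The limits are constructed
assumptions; tune them per API."""
import json


class ContentRejected(ValueError):
    """Raised when a payload violates the content policy."""


# Constructed policy. Each limit targets a distinct JSON DoS vector:
# body size, nesting depth, fan-out per container, and oversized strings.
LIMITS = {
    "max_bytes": 64 * 1024,
    "max_depth": 20,
    "max_array_len": 1_000,
    "max_keys": 200,
    "max_string_len": 4_096,
}


def max_nesting(raw: str) -> int:
    """Peak bracket depth of the raw text, measured before parsing. String contents
    are skipped (including escaped quotes), so brackets inside a quoted value do not count."""
    depth = peak = 0
    in_string = escaped = False
    for ch in raw:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            peak = max(peak, depth)
        elif ch in "]}":
            depth -= 1
    return peak


def _check_tree(node, limits: dict) -> None:
    """Post-parse walk enforcing fan-out and string limits. Recursion is safe here
    because nesting depth was already bounded by max_nesting()."""
    if isinstance(node, dict):
        if len(node) > limits["max_keys"]:
            raise ContentRejected("too many object keys")
        for key, value in node.items():
            if len(key) > limits["max_string_len"]:
                raise ContentRejected("object key too long")
            _check_tree(value, limits)
    elif isinstance(node, list):
        if len(node) > limits["max_array_len"]:
            raise ContentRejected("array too long")
        for value in node:
            _check_tree(value, limits)
    elif isinstance(node, str) and len(node) > limits["max_string_len"]:
        raise ContentRejected("string too long")


def filter_json(raw: str, limits: dict = LIMITS):
    """Return the parsed document if it passes the policy, else raise ContentRejected."""
    if len(raw.encode("utf-8")) > limits["max_bytes"]:
        raise ContentRejected("body too large")
    if max_nesting(raw) > limits["max_depth"]:
        raise ContentRejected("nesting too deep")
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ContentRejected(f"malformed JSON: {exc.msg}") from None
    _check_tree(doc, limits)
    return doc


if __name__ == "__main__":
    print(filter_json('{"account": "42", "items": [1, 2, 3]}'))  # parsed dict
    for bad in ("[" * 50 + "]" * 50, "[" + ",".join(["0"] * 2000) + "]", '{"a": 1'):
        try:
            filter_json(bad)
        except ContentRejected as exc:
            print("rejected:", exc)
```

The order of checks is deliberate: the byte-size check is cheapest and runs first, the depth scan is linear in the input and runs before any allocation proportional to structure, and the tree walk runs only on documents already known to be small and shallow. A value such as `"[[[[…"` inside a string passes the depth scan, which is the behaviour you want; a naive bracket count would reject legitimate payloads.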
- 23. Quota Management / Rate Limiting
Restrict the number of calls an App can make
Apply controls based on context, affinity, segmentation etc.
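The slide asks for limits that depend on context and segmentation rather than one global number. The following is an added example, not code from the Akana deck or its gateway, of a token-bucket limiter whose policy is keyed by app and endpoint: each app has a default burst and refill rate, and a specific endpoint (here a payments resource) can carry a tighter limit than the app's general quota. App ids, endpoints and the numbers in `POLICIES` are constructed for illustration; in a gateway the buckets would live in shared storage rather than in-process.

```python
"""Added example (not from the Akana deck): per-app token-bucket rate limiting
with policies that can be segmented by endpoint. App ids, endpoints and limits
are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float     # current allowance
    updated: float    # time of the last refill, in seconds


class RateLimiter:
    """Policies map (app_id, endpoint) -> (burst capacity, refill per second).
    The endpoint "*" is the per-app default; a specific endpoint entry overrides it,
    which is how a sensitive resource gets a tighter limit than the app's general quota."""

    def __init__(self, policies: dict):
        self.policies = policies
        self.buckets: dict = {}

    def _policy_key(self, app_id: str, endpoint: str):
        if (app_id, endpoint) in self.policies:
            return (app_id, endpoint)
        if (app_id, "*") in self.policies:
            return (app_id, "*")
        return None

    def allow(self, app_id: str, endpoint: str, now: float) -> bool:
        """Consume one token if one is available. Apps with no policy are denied by default."""
        key = self._policy_key(app_id, endpoint)
        if key is None:
            return False
        capacity, rate = self.policies[key]
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = Bucket(tokens=capacity, updated=now)
        # Refill in proportion to elapsed time, never above the burst capacity.
        bucket.tokens = min(capacity, bucket.tokens + (now - bucket.updated) * rate)
        bucket.updated = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True
        return False


# Constructed policies: a general per-app quota plus a stricter payments limit for one app.
POLICIES = {
    ("app-123", "*"): (3, 1.0),          # burst of 3, refills 1 token per second
    ("app-456", "*"): (10, 5.0),
    ("app-456", "/payments"): (1, 0.1),  # one payment call, then one every 10 seconds
}


if __name__ == "__main__":
    limiter = RateLimiter(POLICIES)
    print([limiter.allow("app-123", "/accounts", 0.0) for _ in range(4)])  # [True, True, True, False]
    print(limiter.allow("app-123", "/accounts", 1.0))                      # True: one token refilled
    print(limiter.allow("app-456", "/payments", 0.0))                      # True
    print(limiter.allow("app-456", "/payments", 5.0))                      # False: only half a token back
    print(limiter.allow("unknown-app", "/accounts", 0.0))                  # False: no policy, deny
```

Denying apps that have no policy, rather than letting them through unlimited, keeps the limiter fail-closed; the same structure extends to other segmentation keys the slide mentions (for example a per-user or per-IP dimension added to the policy key) without changing the bucket logic.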
- 24. Relevance to PCI Compliance
• APIs are now part of e-commerce
• Card payments pass through API
• The infrastructure underlying the API?
- 25. Akana API Gateway
Gateway
Security
Authentication
Protection
IAM Integration
Encryption
Mediation
Quality of Service
Paging/Caching
Orchestration
Scripting
- 26. The Akana Digital Business Platform
- 27. API Resources and API University
• Resource Center
– http://resource.akana.com/
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/14301
@akanainc