SlideShare a Scribd company logo

Confronting API Security in the Brave New Open Banking Era

Download as PPTX, PDF
Akana
Akana

Akana VP of Product Marketing, Sachin Agarwal, describes API security for banking and financial organizations.

Technology
1 of 27
© 2015 Akana. All Rights Reserved. Confronting API Security in the Brave New Open Banking Era Sachin Agarwal
© 2015 Akana. All Rights Reserved. Digital Disruption in Banking Mobile Cloud Customer Centric Block Chain Payments FinTech
© 2015 Akana. All Rights Reserved. However Risks Exists
© 2015 Akana. All Rights Reserved.
© 2015 Akana. All Rights Reserved. How do banks Open up to the Digital Economy While managing Risk?
© 2015 Akana. All Rights Reserved. EVOLUTION OF DIGITAL CHANNELS
© 2015 Akana. All Rights Reserved. Client-Server/ Web Applications • No Programmatic Access • Security through network isolation • Limited Users Access locations and variability of operations were limited
© 2015 Akana. All Rights Reserved. Web Services The enterprise opened slightly with Web Services/SOAP • SSL/TLS, Certificate based, PKI, WS-Trust • Some B2B and Partners applications • Complex, but quite secure and flexible
© 2015 Akana. All Rights Reserved. And then came APIs Disrupting how and where information is accessed • Mobile and Social Apps don’t’ understand PKI, WS-Security, etc. • Focus on human readability, developer adoption
© 2015 Akana. All Rights Reserved. Realizing End-to-End Security Managing the User Experience Securing the App - PII, PHI Enabling Easy Developer Access Securing the Channel Securing the Backend
© 2015 Akana. All Rights Reserved. Understanding the Security Landscape • Protocol specific threats • Key Management • OAuth • Monitoring • Licensing • Security Token Mediation API Specific Security Single Sign On MDM ATP, Firewall, VPN etc.
© 2015 Akana. All Rights Reserved. Major API Security Concerns
© 2015 Akana. All Rights Reserved. API Consumer Security?
© 2015 Akana. All Rights Reserved. Securing APIs 1 Authentication & Authorization 2 App Key Validation/ Licensing 3 Message Security 4 Threat Protection 5 Content Filtering 6 Rate Limiting Developers
© 2015 Akana. All Rights Reserved. Authentication/Authorization/SSO Control and restrict access to your APIs Make it easy yet secure
© 2015 Akana. All Rights Reserved. Understanding OAuth OAuth lets a person delegate constrained access from one app to another User Resource Owner Client App Resource Server
© 2015 Akana. All Rights Reserved. OAuth Flow
© 2015 Akana. All Rights Reserved. OAuth – You need • OAuth Clients • Provisioning • Approval Flow • OAuth Server • Identity Integration • Token Validation • Token Issue/refresh • Token Mediation (SAML, LDAP etc) • QoS, Monitoring • Policy Management • API Proxying • Reporting • Analytics OAuth is hard and complicated
© 2015 Akana. All Rights Reserved. Licensing Package your APIs in different ways Use API keys to restrict what the App can access The licenses control: – OAuth Authorization Scopes – Document visibility – Quota policies
© 2015 Akana. All Rights Reserved. Message and Parameter Security HTTP Parameter • http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey • Protect API Keys with HMAC – Hash-based Message Authentication Code Message Security • Implement HTTPS • For XML payloads encrypt specific parts of the message
© 2015 Akana. All Rights Reserved. Threat Protection • Denial of Service • Injection Attacks – Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks • Cross Site Scripting • Network address and range blacklists/whitelists • HTTP Parameter Stuffing
© 2015 Akana. All Rights Reserved. Content Filtering • Provide a content firewall, protecting against malicious content • Validate message content including message headers, form and query parameters, XML and JSON data structures. • Policies for XML and JSON DoS • Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
© 2015 Akana. All Rights Reserved. Quota Management/Rate Limiting Restrict the number of calls an App can make Apply controls based on context, affinity, segmentation etc.
© 2015 Akana. All Rights Reserved. Relevance to PCI Compliance • APIs are now part of e-commerce • Card payments pass through API • The infrastructure underlying the API?
© 2015 Akana. All Rights Reserved. Akana API Gateway Gateway Security Authentication Protection IAM Integration Encryption Mediation Quality of Service Paging/Caching Orchestration Scripting
© 2015 Akana. All Rights Reserved. The Akana Digital Business Platform
© 2015 Akana. All Rights Reserved. API Resources and API University • Resource Center – http://resource.akana.com/ • Follow us on: www.facebook.com/soasoftware www.linkedin.com/company/14301 @akanainc

Recommended

Architecting Mobile Solutions Using Microsoft Azure and Akana
Architecting Mobile Solutions Using Microsoft Azure and AkanaArchitecting Mobile Solutions Using Microsoft Azure and Akana
Architecting Mobile Solutions Using Microsoft Azure and Akana
Akana
 
Eat Your Microservices Elephant One Bite at a Time
Eat Your Microservices Elephant One Bite at a TimeEat Your Microservices Elephant One Bite at a Time
Eat Your Microservices Elephant One Bite at a Time
Akana
 
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPowerRealizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Akana
 
Test and Protect Your API
Test and Protect Your APITest and Protect Your API
Test and Protect Your API
SmartBear
 
Deconstructing API Security
Deconstructing API SecurityDeconstructing API Security
Deconstructing API Security
Akana
 
API Economy - The Making of a Digital Business
API Economy - The Making of a Digital BusinessAPI Economy - The Making of a Digital Business
API Economy - The Making of a Digital Business
Akana
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
Akana
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices Success
Apigee | Google Cloud
 

Recommended

Architecting Mobile Solutions Using Microsoft Azure and Akana
Architecting Mobile Solutions Using Microsoft Azure and AkanaArchitecting Mobile Solutions Using Microsoft Azure and Akana
Architecting Mobile Solutions Using Microsoft Azure and Akana
Akana
 
Eat Your Microservices Elephant One Bite at a Time
Eat Your Microservices Elephant One Bite at a TimeEat Your Microservices Elephant One Bite at a Time
Eat Your Microservices Elephant One Bite at a Time
Akana
 
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPowerRealizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
Akana
 
Test and Protect Your API
Test and Protect Your APITest and Protect Your API
Test and Protect Your API
SmartBear
 
Deconstructing API Security
Deconstructing API SecurityDeconstructing API Security
Deconstructing API Security
Akana
 
API Economy - The Making of a Digital Business
API Economy - The Making of a Digital BusinessAPI Economy - The Making of a Digital Business
API Economy - The Making of a Digital Business
Akana
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
Akana
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices Success
Apigee | Google Cloud
 
Delivering on Personalization with the Power of APIs
Delivering on Personalization with the Power of APIsDelivering on Personalization with the Power of APIs
Delivering on Personalization with the Power of APIs
Akana
 
Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
Akana
 
Jumping Ahead with {enterprise:apis}
Jumping Ahead with {enterprise:apis}Jumping Ahead with {enterprise:apis}
Jumping Ahead with {enterprise:apis}
Sachin Agarwal
 
API Management
API ManagementAPI Management
API Management
Roger van de Kimmenade
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
Akana
 
Open api in enterprise
Open api in enterpriseOpen api in enterprise
Open api in enterprise
Guru Lakshmeekar B
 
A Peek Into The Future of Mobile-Enabled Health Care
A Peek Into The Future of Mobile-Enabled Health CareA Peek Into The Future of Mobile-Enabled Health Care
A Peek Into The Future of Mobile-Enabled Health Care
Akana
 
API Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementAPI Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API Management
BizTalk360
 
Is it time for a Connector-less Approach to Cloud Integration?
Is it time for a Connector-less Approach to Cloud Integration? Is it time for a Connector-less Approach to Cloud Integration?
Is it time for a Connector-less Approach to Cloud Integration?
Akana
 
API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?
Akana
 
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
WSO2
 
[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...
[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...
[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...
WSO2
 
Lean Method for Building Good APIs for Business – APIOps Cycles
Lean Method for Building Good APIs for Business – APIOps CyclesLean Method for Building Good APIs for Business – APIOps Cycles
Lean Method for Building Good APIs for Business – APIOps Cycles
Nordic APIs
 
DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud
 
Manage Your Mesh
Manage Your MeshManage Your Mesh
Manage Your Mesh
Akana
 
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
Akana
 
Intel Mashery API Management Solution
Intel Mashery API Management SolutionIntel Mashery API Management Solution
Intel Mashery API Management Solution
David Gevorkyan
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays
 
Build an api eco-system you can be proud of
Build an api eco-system you can be proud ofBuild an api eco-system you can be proud of
Build an api eco-system you can be proud of
Cisco DevNet
 
API Adoption Patterns in Banking & The Promise of Microservices
API Adoption Patterns in Banking & The Promise of MicroservicesAPI Adoption Patterns in Banking & The Promise of Microservices
API Adoption Patterns in Banking & The Promise of Microservices
Akana
 
Ch.10 개인금융
Ch.10 개인금융Ch.10 개인금융
Ch.10 개인금융
Minsuk Chang
 

More Related Content

What's hot

Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
Akana
 
Jumping Ahead with {enterprise:apis}
Jumping Ahead with {enterprise:apis}Jumping Ahead with {enterprise:apis}
Jumping Ahead with {enterprise:apis}
Sachin Agarwal
 
A Peek Into The Future of Mobile-Enabled Health Care
A Peek Into The Future of Mobile-Enabled Health CareA Peek Into The Future of Mobile-Enabled Health Care
A Peek Into The Future of Mobile-Enabled Health Care
Akana
 
API Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementAPI Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API Management
BizTalk360
 
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
WSO2
 
Lean Method for Building Good APIs for Business – APIOps Cycles
Lean Method for Building Good APIs for Business – APIOps CyclesLean Method for Building Good APIs for Business – APIOps Cycles
Lean Method for Building Good APIs for Business – APIOps Cycles
Nordic APIs
 
DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud
 
Build an api eco-system you can be proud of
Build an api eco-system you can be proud ofBuild an api eco-system you can be proud of
Build an api eco-system you can be proud of
Cisco DevNet
 

What's hot (20)

Delivering on Personalization with the Power of APIs
Delivering on Personalization with the Power of APIsDelivering on Personalization with the Power of APIs
Delivering on Personalization with the Power of APIs
 
Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
 
Jumping Ahead with {enterprise:apis}
Jumping Ahead with {enterprise:apis}Jumping Ahead with {enterprise:apis}
Jumping Ahead with {enterprise:apis}
 
API Management
API ManagementAPI Management
API Management
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
 
Open api in enterprise
Open api in enterpriseOpen api in enterprise
Open api in enterprise
 
A Peek Into The Future of Mobile-Enabled Health Care
A Peek Into The Future of Mobile-Enabled Health CareA Peek Into The Future of Mobile-Enabled Health Care
A Peek Into The Future of Mobile-Enabled Health Care
 
API Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API ManagementAPI Management Part 1 - An Introduction to Azure API Management
API Management Part 1 - An Introduction to Azure API Management
 
Is it time for a Connector-less Approach to Cloud Integration?
Is it time for a Connector-less Approach to Cloud Integration? Is it time for a Connector-less Approach to Cloud Integration?
Is it time for a Connector-less Approach to Cloud Integration?
 
API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?
 
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
 
[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...
[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...
[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...
 
Lean Method for Building Good APIs for Business – APIOps Cycles
Lean Method for Building Good APIs for Business – APIOps CyclesLean Method for Building Good APIs for Business – APIOps Cycles
Lean Method for Building Good APIs for Business – APIOps Cycles
 
DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
 
Manage Your Mesh
Manage Your MeshManage Your Mesh
Manage Your Mesh
 
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
 
Intel Mashery API Management Solution
Intel Mashery API Management SolutionIntel Mashery API Management Solution
Intel Mashery API Management Solution
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
 
Build an api eco-system you can be proud of
Build an api eco-system you can be proud ofBuild an api eco-system you can be proud of
Build an api eco-system you can be proud of
 

Viewers also liked

핀테크 성공을 위한 디지털 비즈니스 마인드
핀테크 성공을 위한 디지털 비즈니스 마인드핀테크 성공을 위한 디지털 비즈니스 마인드
핀테크 성공을 위한 디지털 비즈니스 마인드
Bradley Byoungyong Moon (문병용)
 
Investing in fintech: Trends in financial technology for investors and entrep...
Investing in fintech: Trends in financial technology for investors and entrep...Investing in fintech: Trends in financial technology for investors and entrep...
Investing in fintech: Trends in financial technology for investors and entrep...
OurCrowd
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Amazon Web Services
 

Viewers also liked (20)

API Adoption Patterns in Banking & The Promise of Microservices
API Adoption Patterns in Banking & The Promise of MicroservicesAPI Adoption Patterns in Banking & The Promise of Microservices
API Adoption Patterns in Banking & The Promise of Microservices
 
Ch.10 개인금융
Ch.10 개인금융Ch.10 개인금융
Ch.10 개인금융
 
FinTech, from 'Nice to Know' to 'Need to Know'
FinTech, from 'Nice to Know' to 'Need to Know'FinTech, from 'Nice to Know' to 'Need to Know'
FinTech, from 'Nice to Know' to 'Need to Know'
 
150625_핀테크포럼 6월 정기모임_핀테크의 성공은 보안이다
150625_핀테크포럼 6월 정기모임_핀테크의 성공은 보안이다 150625_핀테크포럼 6월 정기모임_핀테크의 성공은 보안이다
150625_핀테크포럼 6월 정기모임_핀테크의 성공은 보안이다
 
Fintech overview 페이게이트 박소영대표 20151006_v5
Fintech overview 페이게이트 박소영대표 20151006_v5Fintech overview 페이게이트 박소영대표 20151006_v5
Fintech overview 페이게이트 박소영대표 20151006_v5
 
핀테크 성공을 위한 디지털 비즈니스 마인드
핀테크 성공을 위한 디지털 비즈니스 마인드핀테크 성공을 위한 디지털 비즈니스 마인드
핀테크 성공을 위한 디지털 비즈니스 마인드
 
Financial Literacy on the Go
Financial Literacy on the Go Financial Literacy on the Go
Financial Literacy on the Go
 
Investing in fintech: Trends in financial technology for investors and entrep...
Investing in fintech: Trends in financial technology for investors and entrep...Investing in fintech: Trends in financial technology for investors and entrep...
Investing in fintech: Trends in financial technology for investors and entrep...
 
Digital Healthcare – Realizing Interoperability with APIs
Digital Healthcare – Realizing Interoperability with APIsDigital Healthcare – Realizing Interoperability with APIs
Digital Healthcare – Realizing Interoperability with APIs
 
Driving Digital Innovation with a Layered API Design Approach
Driving Digital Innovation with a Layered API Design ApproachDriving Digital Innovation with a Layered API Design Approach
Driving Digital Innovation with a Layered API Design Approach
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
 
An Architecture for a Platform Providing Things As A Service
An Architecture for a Platform Providing Things As A ServiceAn Architecture for a Platform Providing Things As A Service
An Architecture for a Platform Providing Things As A Service
 
การหา Google map key api
การหา Google map key apiการหา Google map key api
การหา Google map key api
 
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3 Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
 
Extracting Insights from your API Programs
Extracting Insights from your API ProgramsExtracting Insights from your API Programs
Extracting Insights from your API Programs
 
Http คืออะไร
Http คืออะไรHttp คืออะไร
Http คืออะไร
 
Node at Apiary.io
Node at Apiary.ioNode at Apiary.io
Node at Apiary.io
 
Oracle api gateway overview
Oracle api gateway overviewOracle api gateway overview
Oracle api gateway overview
 
APIs: The Lynchpin of your Open Banking PSD2 Strategy
APIs: The Lynchpin of your Open Banking PSD2 StrategyAPIs: The Lynchpin of your Open Banking PSD2 Strategy
APIs: The Lynchpin of your Open Banking PSD2 Strategy
 
API Design Workflows
API Design WorkflowsAPI Design Workflows
API Design Workflows
 

Similar to Confronting API Security in the Brave New Open Banking Era

API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access control
AaronLieberman5
 
APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?
Akana
 
API and SOA: Two sides of the same coin
API and SOA: Two sides of the same coinAPI and SOA: Two sides of the same coin
API and SOA: Two sides of the same coin
Sachin Agarwal
 
APIs and Services: One Platform or Two?
APIs and Services: One Platform or Two?APIs and Services: One Platform or Two?
APIs and Services: One Platform or Two?
Akana
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 

Similar to Confronting API Security in the Brave New Open Banking Era (20)

API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
Transforming Your Business Through APIs
Transforming Your Business Through APIsTransforming Your Business Through APIs
Transforming Your Business Through APIs
 
Take Control of your APIs in a Microservice Architecture
Take Control of your APIs in a Microservice ArchitectureTake Control of your APIs in a Microservice Architecture
Take Control of your APIs in a Microservice Architecture
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
The Platform Big Picture
The Platform Big PictureThe Platform Big Picture
The Platform Big Picture
 
Modernize Service-Oriented Architecture with APIs
Modernize Service-Oriented Architecture with APIsModernize Service-Oriented Architecture with APIs
Modernize Service-Oriented Architecture with APIs
 
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
 
CIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and HacksCIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and Hacks
 
Deploying mobile unified communications and collaboration (UCC) with Microsof...
Deploying mobile unified communications and collaboration (UCC) with Microsof...Deploying mobile unified communications and collaboration (UCC) with Microsof...
Deploying mobile unified communications and collaboration (UCC) with Microsof...
 
Embracing SOA and the Cloud
Embracing SOA and the CloudEmbracing SOA and the Cloud
Embracing SOA and the Cloud
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access control
 
APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?
 
API and SOA: Two sides of the same coin
API and SOA: Two sides of the same coinAPI and SOA: Two sides of the same coin
API and SOA: Two sides of the same coin
 
APIs and Services: One Platform or Two?
APIs and Services: One Platform or Two?APIs and Services: One Platform or Two?
APIs and Services: One Platform or Two?
 
How to Build an Effective API Security Strategy
How to Build an Effective API Security StrategyHow to Build an Effective API Security Strategy
How to Build an Effective API Security Strategy
 
Modernizing an Existing SOA-based Architecture with APIs
Modernizing an Existing SOA-based Architecture with APIsModernizing an Existing SOA-based Architecture with APIs
Modernizing an Existing SOA-based Architecture with APIs
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
2012 ah vegas guest access fundamentals
2012 ah vegas guest access fundamentals2012 ah vegas guest access fundamentals
2012 ah vegas guest access fundamentals
 
Access Management with Aruba ClearPass
Access Management with Aruba ClearPassAccess Management with Aruba ClearPass
Access Management with Aruba ClearPass
 

More from Akana

The Latest in API Orchestration, Mediation, and Integration
The Latest in API Orchestration, Mediation, and IntegrationThe Latest in API Orchestration, Mediation, and Integration
The Latest in API Orchestration, Mediation, and Integration
Akana
 
API Design Essentials - Akana Platform Overview
API Design Essentials - Akana Platform OverviewAPI Design Essentials - Akana Platform Overview
API Design Essentials - Akana Platform Overview
Akana
 
Making Sense of Hypermedia APIs – Hype or Reality?
Making Sense of Hypermedia APIs – Hype or Reality?Making Sense of Hypermedia APIs – Hype or Reality?
Making Sense of Hypermedia APIs – Hype or Reality?
Akana
 
Microservices: Why Should Businesses Care?
Microservices: Why Should Businesses Care?Microservices: Why Should Businesses Care?
Microservices: Why Should Businesses Care?
Akana
 
Using APIs
Using APIsUsing APIs
Using APIs
Akana
 
Unified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the WebUnified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the Web
Akana
 
Turbo-Charge DataPower to Reach Your SOA Goals
Turbo-Charge DataPower to Reach Your SOA GoalsTurbo-Charge DataPower to Reach Your SOA Goals
Turbo-Charge DataPower to Reach Your SOA Goals
Akana
 
The Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and QualityThe Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and Quality
Akana
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
Akana
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
Akana
 
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT EnterpriseThe API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
Akana
 
Realizing SOA and API Convergence for IBM DataPower Customers
Realizing SOA and API Convergence for IBM DataPower CustomersRealizing SOA and API Convergence for IBM DataPower Customers
Realizing SOA and API Convergence for IBM DataPower Customers
Akana
 
Rapid Mobile App to API Integration
Rapid Mobile App to API IntegrationRapid Mobile App to API Integration
Rapid Mobile App to API Integration
Akana
 
Powering Internal API Communities
Powering Internal API CommunitiesPowering Internal API Communities
Powering Internal API Communities
Akana
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
Akana
 
Manage Your Mesh
Manage Your MeshManage Your Mesh
Manage Your Mesh
Akana
 
Lifecycle Manager and the Lifecycle API
Lifecycle Manager and the Lifecycle APILifecycle Manager and the Lifecycle API
Lifecycle Manager and the Lifecycle API
Akana
 
Maybe It's Time for a Connector-less approach to Cloud Integration
Maybe It's Time for a Connector-less approach to Cloud IntegrationMaybe It's Time for a Connector-less approach to Cloud Integration
Maybe It's Time for a Connector-less approach to Cloud Integration
Akana
 
Intermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and DemoIntermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and Demo
Akana
 
Jumping Ahead with Enterprise APIs
Jumping Ahead with Enterprise APIsJumping Ahead with Enterprise APIs
Jumping Ahead with Enterprise APIs
Akana
 

More from Akana (20)

The Latest in API Orchestration, Mediation, and Integration
The Latest in API Orchestration, Mediation, and IntegrationThe Latest in API Orchestration, Mediation, and Integration
The Latest in API Orchestration, Mediation, and Integration
 
API Design Essentials - Akana Platform Overview
API Design Essentials - Akana Platform OverviewAPI Design Essentials - Akana Platform Overview
API Design Essentials - Akana Platform Overview
 
Making Sense of Hypermedia APIs – Hype or Reality?
Making Sense of Hypermedia APIs – Hype or Reality?Making Sense of Hypermedia APIs – Hype or Reality?
Making Sense of Hypermedia APIs – Hype or Reality?
 
Microservices: Why Should Businesses Care?
Microservices: Why Should Businesses Care?Microservices: Why Should Businesses Care?
Microservices: Why Should Businesses Care?
 
Using APIs
Using APIsUsing APIs
Using APIs
 
Unified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the WebUnified Security for Mobile, APIs and the Web
Unified Security for Mobile, APIs and the Web
 
Turbo-Charge DataPower to Reach Your SOA Goals
Turbo-Charge DataPower to Reach Your SOA GoalsTurbo-Charge DataPower to Reach Your SOA Goals
Turbo-Charge DataPower to Reach Your SOA Goals
 
The Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and QualityThe Science of APIs in a Mobile World:Security, Control and Quality
The Science of APIs in a Mobile World:Security, Control and Quality
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
 
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT EnterpriseThe API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
 
Realizing SOA and API Convergence for IBM DataPower Customers
Realizing SOA and API Convergence for IBM DataPower CustomersRealizing SOA and API Convergence for IBM DataPower Customers
Realizing SOA and API Convergence for IBM DataPower Customers
 
Rapid Mobile App to API Integration
Rapid Mobile App to API IntegrationRapid Mobile App to API Integration
Rapid Mobile App to API Integration
 
Powering Internal API Communities
Powering Internal API CommunitiesPowering Internal API Communities
Powering Internal API Communities
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
 
Manage Your Mesh
Manage Your MeshManage Your Mesh
Manage Your Mesh
 
Lifecycle Manager and the Lifecycle API
Lifecycle Manager and the Lifecycle APILifecycle Manager and the Lifecycle API
Lifecycle Manager and the Lifecycle API
 
Maybe It's Time for a Connector-less approach to Cloud Integration
Maybe It's Time for a Connector-less approach to Cloud IntegrationMaybe It's Time for a Connector-less approach to Cloud Integration
Maybe It's Time for a Connector-less approach to Cloud Integration
 
Intermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and DemoIntermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and Demo
 
Jumping Ahead with Enterprise APIs
Jumping Ahead with Enterprise APIsJumping Ahead with Enterprise APIs
Jumping Ahead with Enterprise APIs
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Confronting API Security in the Brave New Open Banking Era

  • 1. © 2015 Akana. All Rights Reserved. Confronting API Security in the Brave New Open Banking Era Sachin Agarwal
  • 2. © 2015 Akana. All Rights Reserved. Digital Disruption in Banking Mobile Cloud Customer Centric Block Chain Payments FinTech
  • 3. © 2015 Akana. All Rights Reserved. However Risks Exists
  • 4. © 2015 Akana. All Rights Reserved.
  • 5. © 2015 Akana. All Rights Reserved. How do banks Open up to the Digital Economy While managing Risk?
  • 6. © 2015 Akana. All Rights Reserved. EVOLUTION OF DIGITAL CHANNELS
  • 7. © 2015 Akana. All Rights Reserved. Client-Server/ Web Applications • No Programmatic Access • Security through network isolation • Limited Users Access locations and variability of operations were limited
  • 8. © 2015 Akana. All Rights Reserved. Web Services The enterprise opened slightly with Web Services/SOAP • SSL/TLS, Certificate based, PKI, WS-Trust • Some B2B and Partners applications • Complex, but quite secure and flexible
  • 9. © 2015 Akana. All Rights Reserved. And then came APIs Disrupting how and where information is accessed • Mobile and Social Apps don’t’ understand PKI, WS-Security, etc. • Focus on human readability, developer adoption
  • 10. © 2015 Akana. All Rights Reserved. Realizing End-to-End Security Managing the User Experience Securing the App - PII, PHI Enabling Easy Developer Access Securing the Channel Securing the Backend
  • 11. © 2015 Akana. All Rights Reserved. Understanding the Security Landscape • Protocol specific threats • Key Management • OAuth • Monitoring • Licensing • Security Token Mediation API Specific Security Single Sign On MDM ATP, Firewall, VPN etc.
  • 12. © 2015 Akana. All Rights Reserved. Major API Security Concerns
  • 13. © 2015 Akana. All Rights Reserved. API Consumer Security?
  • 14. © 2015 Akana. All Rights Reserved. Securing APIs 1 Authentication & Authorization 2 App Key Validation/ Licensing 3 Message Security 4 Threat Protection 5 Content Filtering 6 Rate Limiting Developers
  • 15. © 2015 Akana. All Rights Reserved. Authentication/Authorization/SSO Control and restrict access to your APIs Make it easy yet secure
  • 16. © 2015 Akana. All Rights Reserved. Understanding OAuth OAuth lets a person delegate constrained access from one app to another User Resource Owner Client App Resource Server
  • 17. © 2015 Akana. All Rights Reserved. OAuth Flow
  • 18. © 2015 Akana. All Rights Reserved. OAuth – You need • OAuth Clients • Provisioning • Approval Flow • OAuth Server • Identity Integration • Token Validation • Token Issue/refresh • Token Mediation (SAML, LDAP etc) • QoS, Monitoring • Policy Management • API Proxying • Reporting • Analytics OAuth is hard and complicated
  • 19. © 2015 Akana. All Rights Reserved. Licensing Package your APIs in different ways Use API keys to restrict what the App can access The licenses control: – OAuth Authorization Scopes – Document visibility – Quota policies
  • 20. © 2015 Akana. All Rights Reserved. Message and Parameter Security HTTP Parameter • http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey • Protect API Keys with HMAC – Hash-based Message Authentication Code Message Security • Implement HTTPS • For XML payloads encrypt specific parts of the message
  • 21. © 2015 Akana. All Rights Reserved. Threat Protection • Denial of Service • Injection Attacks – Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks • Cross Site Scripting • Network address and range blacklists/whitelists • HTTP Parameter Stuffing
  • 22. © 2015 Akana. All Rights Reserved. Content Filtering • Provide a content firewall, protecting against malicious content • Validate message content including message headers, form and query parameters, XML and JSON data structures. • Policies for XML and JSON DoS • Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
  • 23. © 2015 Akana. All Rights Reserved. Quota Management/Rate Limiting Restrict the number of calls an App can make Apply controls based on context, affinity, segmentation etc.
  • 24. © 2015 Akana. All Rights Reserved. Relevance to PCI Compliance • APIs are now part of e-commerce • Card payments pass through API • The infrastructure underlying the API?
  • 25. © 2015 Akana. All Rights Reserved. Akana API Gateway Gateway Security Authentication Protection IAM Integration Encryption Mediation Quality of Service Paging/Caching Orchestration Scripting
  • 26. © 2015 Akana. All Rights Reserved. The Akana Digital Business Platform
  • 27. © 2015 Akana. All Rights Reserved. API Resources and API University • Resource Center – http://resource.akana.com/ • Follow us on: www.facebook.com/soasoftware www.linkedin.com/company/14301 @akanainc