CIS14: API Security for the Cloud: Tales from the Trenches

Ross Garrett, Axway

Examples of how organizations are securing APIs, examining the API security state of play for the cloud, including how they are implementing OAuth, managing keys, and handling API security in the real world.

Published in: Technology
Transcript of "CIS14: API Security for the Cloud: Tales from the Trenches"

  1. © 2014 Axway | Confidential. API Security for the Cloud. Ross Garrett, rgarrett@axway.com | @gssor. Cloud Identity Summit 2014
  2. Access Control isn't this simple
  3. Modern Enterprises have many open windows
  4. Web APIs power the Open Enterprise
  5. Identity is key to protecting APIs
  6. Identity is key to protecting APIs (diagram; one component is marked "?")
  7. User Experience is actually key
  8. There are many layers to a complete Security Solution: API Gateway, MDM, MAM, Firewalling, IAM, API Security
  9. The Role of the API Gateway
     •  Threat Protection
     •  Encryption
     •  Authentication
     •  Authorization
     •  Policy Enforcement (e.g. Throttling)
  10. A simple API Security example
  11. The Role of the API Gateway: basic throttling or rate limiting can prevent malicious access to public APIs
  12. Basic Identity Federation
  13. The Role of the API Gateway
     •  Securely bridging identity across domains
        –  Mediating between token formats
     •  Provide an STS overlay on top of existing IAM infrastructure
        –  Enabling the extension of identity assets to the cloud
     •  Track and audit usage
  14. The password anti-pattern
  15. Solving this problem with OAuth
  16. The Role of the API Gateway
     •  Provide an OAuth façade on top of legacy IAM
     •  Clients should not be storing user passwords
        –  OAuth Tokens represent explicit authorization for a specific task
     •  Provide a centralized way to de-authorize clients
        –  Low latency token store
  17. Leveraging Social Login
  18. Leveraging Social Login
  19. The Role of the API Gateway
     •  Apply Social Login at an infrastructure level
        –  Bringing API Access and SSO together
     •  Monitoring and Reporting
        –  Trends over time
        –  Audit trail
     •  Enterprise Identity Management Integration
        –  Adapters to directories, Web Access Management
  20. Some Customer Examples
  21. Leading pharmaceutical company – SSO
     •  Challenge: Users have two passwords (one for Intranet, one for SharePoint); two user authentication technologies (Oracle and Microsoft)
     •  Solution (diagram components): Web Browser, API Gateway, API, Intranet Site, Oracle Access Manager, SharePoint, Active Directory
  22. Large US Health Plan – Mobile Access
     •  Challenge: Manage mobile (tablet, phone) access to medical systems; consolidate across Oracle and IBM identity systems
     •  Solution (diagram components): Mobile Devices, Secure connection, SAML, API Gateway, API, Web APIs, Integration, Oracle SOA, Identity Management
  23. Leading Mutual Fund Provider – Cloud Access
     •  Challenge: Must authenticate clients against CA SiteMinder; must expose internal systems as APIs for Mobile apps to access; secure connection to Salesforce
     •  Solution (diagram components): Mutual fund provider, API Gateway, Secure connection, Check cookie, Encrypted Data
  24. Thank you! Ross Garrett, rgarrett@axway.com | @gssor
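Slide 11 states that basic throttling or rate limiting at the gateway can prevent malicious access to public APIs. The following is an added example, not code from the talk or from Axway's product: a per-client token-bucket limiter of the kind a gateway applies in front of a public API. It assumes clients are identified by an `X-API-Key` header (an assumption, not from the slides), replays a constructed sample of requests against an injected clock so the result is deterministic, and answers 401 for requests with no key, 429 when a client's bucket is empty, and 200 otherwise.

```python
"""Per-client token-bucket rate limiting as an API gateway would apply it
(slide 11). Added example, not Axway code. Assumed: clients are identified
by an X-API-Key header; the sample traffic below is constructed."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Bucket:
    capacity: float        # burst size: the most requests allowed at once
    refill_per_sec: float  # sustained rate the client may keep up
    tokens: float          # tokens currently available
    last: float            # clock value at the last refill


class RateLimiter:
    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock
        self.buckets: Dict[str, Bucket] = {}  # one bucket per client key

    def _bucket(self, key: str) -> Bucket:
        b = self.buckets.get(key)
        if b is None:  # first sight of this client: start with a full bucket
            b = Bucket(self.capacity, self.refill, self.capacity, self.clock())
            self.buckets[key] = b
        return b

    def allow(self, key: str, cost: float = 1.0) -> bool:
        """Refill by elapsed time, then spend `cost` tokens if available."""
        b = self._bucket(key)
        now = self.clock()
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_per_sec)
        b.last = now
        if b.tokens >= cost:
            b.tokens -= cost
            return True
        return False


def gateway_decision(limiter: RateLimiter, headers: Dict[str, str]) -> int:
    """HTTP status the gateway answers: 401 without a key, 429 when throttled, 200 otherwise."""
    key = headers.get("X-API-Key")
    if not key:
        return 401
    return 200 if limiter.allow(key) else 429


def simulate(requests: List[Tuple[float, Dict[str, str]]],
             capacity: int = 5, refill_per_sec: float = 1.0) -> List[int]:
    """Replay (timestamp, headers) pairs against a fake clock; return the status per request."""
    current = [0.0]
    limiter = RateLimiter(capacity, refill_per_sec, clock=lambda: current[0])
    statuses = []
    for ts, headers in requests:
        current[0] = ts
        statuses.append(gateway_decision(limiter, headers))
    return statuses


# Constructed traffic: client "abc" bursts 7 calls at t=0 (2 over its burst of 5),
# client "xyz" makes one call, one call carries no key, and "abc" returns at t=3
# after 3 seconds of refill.
SAMPLE = [(0.0, {"X-API-Key": "abc"})] * 7 + [
    (0.0, {"X-API-Key": "xyz"}),
    (0.0, {}),
    (3.0, {"X-API-Key": "abc"}),
]

if __name__ == "__main__":
    print(simulate(SAMPLE))  # [200, 200, 200, 200, 200, 429, 429, 200, 401, 200]
```

Keying the bucket on the client credential rather than the source IP is what makes the limit survive NAT and cloud egress; a real gateway would also log the 429s, since a client that repeatedly hits its ceiling is itself a signal worth watching.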
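Slides 14 to 16 describe the password anti-pattern and the gateway's answer to it: an OAuth façade over legacy IAM so that clients hold scoped tokens instead of user passwords, backed by a low-latency token store that gives one central place to de-authorize a client. The block below is an added example, not code from the talk or from Axway's product. It assumes an in-memory dictionary as the stand-in for the token store, a constructed `iam_check` callable as the stand-in for the legacy IAM password check, and opaque tokens stored only as SHA-256 digests so that a leaked store yields no usable tokens; the scenario walks through issuance, scope enforcement, client-wide revocation and expiry on a fake clock.

```python
"""OAuth-style facade in front of a legacy IAM (slides 14-16). Added
example, not Axway code. Assumed: an in-memory dict stands in for the
gateway's low-latency token store, `iam_check` stands in for the legacy
IAM password check, and tokens are kept hashed in the store."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass
class Grant:
    user: str
    client_id: str
    scope: FrozenSet[str]   # the explicit task(s) this token authorizes
    expires_at: float
    revoked: bool = False


class TokenStore:
    """Opaque bearer tokens; every check is an O(1) dict read (the low-latency store)."""

    def __init__(self, clock: Callable[[], float] = time.time, ttl: float = 3600):
        self.clock = clock
        self.ttl = ttl
        self._by_hash: Dict[str, Grant] = {}
        self._by_client: Dict[str, Set[str]] = {}  # client_id -> digests issued to it

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, client_id: str, scope: Iterable[str]) -> str:
        token = secrets.token_urlsafe(32)
        d = self._digest(token)
        self._by_hash[d] = Grant(user, client_id, frozenset(scope), self.clock() + self.ttl)
        self._by_client.setdefault(client_id, set()).add(d)
        return token  # handed to the client once; only its digest is kept here

    def lookup(self, token: str) -> Optional[Grant]:
        g = self._by_hash.get(self._digest(token))
        if g is None or g.revoked or g.expires_at <= self.clock():
            return None
        return g

    def revoke_client(self, client_id: str) -> int:
        """Central de-authorization: every token issued to this client dies at once."""
        digests = self._by_client.get(client_id, set())
        for d in digests:
            self._by_hash[d].revoked = True
        return len(digests)


def password_grant(store: TokenStore, iam_check: Callable[[str, str], bool],
                   user: str, password: str, client_id: str, scope: Iterable[str]) -> Optional[str]:
    """Facade step: the gateway checks the password against legacy IAM once and returns a token;
    the client keeps the token, never the password."""
    if not iam_check(user, password):
        return None
    return store.issue(user, client_id, scope)


def authorize_request(store: TokenStore, auth_header: Optional[str], required_scope: str) -> Tuple[int, str]:
    """Per-call gateway check; returns (status, detail) as the gateway would answer."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    grant = store.lookup(auth_header[len("Bearer "):])
    if grant is None:
        return 401, "unknown, expired or revoked token"
    if required_scope not in grant.scope:
        return 403, "token not authorized for this task"
    return 200, grant.user


def scenario() -> List[int]:
    """Issue, scope check, client revocation and expiry on a fake clock; returns the status codes."""
    now = [1000.0]
    store = TokenStore(clock=lambda: now[0], ttl=600)
    # Constructed stand-in for the legacy IAM directory check (assumption, not a real API).
    iam_check = lambda u, p: (u, p) == ("alice", "correct horse")
    assert password_grant(store, iam_check, "alice", "wrong", "mobile-app", ["claims:read"]) is None
    tok = password_grant(store, iam_check, "alice", "correct horse", "mobile-app", ["claims:read"])
    results = [
        authorize_request(store, "Bearer " + tok, "claims:read")[0],            # 200: right task
        authorize_request(store, "Bearer " + tok, "claims:write")[0],           # 403: outside scope
        authorize_request(store, "Bearer not-a-real-token", "claims:read")[0],  # 401: unknown token
    ]
    store.revoke_client("mobile-app")  # app retired or compromised: one call kills all its tokens
    results.append(authorize_request(store, "Bearer " + tok, "claims:read")[0])  # 401: revoked
    tok2 = store.issue("alice", "web-portal", ["claims:read"])
    now[0] += 601  # clock moves past the ttl
    results.append(authorize_request(store, "Bearer " + tok2, "claims:read")[0])  # 401: expired
    return results


if __name__ == "__main__":
    print(scenario())  # [200, 403, 401, 401, 401]
```

Two choices carry the security point: scope is checked on every call, so a token minted for one task cannot be replayed for another, and revocation is indexed by client rather than by token, which is what lets the gateway cut off a whole client population in one operation without the backend IAM being involved.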