CIS14: API Security for the Cloud: Tales from the Trenches

Ross Garrett, Axway
Examples of how organizations are securing APIs, examining the API security state of play for the cloud, including how they are implementing OAuth, managing keys, and handling API security in the real world.

Presentation Transcript

  • 1 API Security for the Cloud. Ross Garrett, rgarrett@axway.com | @gssor. Cloud Identity Summit 2014. (Footer on every slide: © 2014 Axway | Confidential)
  • 2 Access Control isn't this simple
  • 3 Modern Enterprises have many open windows
  • 4 Web APIs power the Open Enterprise
  • 5 Identity is key to protecting APIs
  • 6 Identity is key to protecting APIs?
  • 7 User Experience is actually key
  • 8 There are many layers to a complete Security Solution (diagram: API Gateway, MDM, MAM, Firewalling, IAM, API Security)
  • 9 The Role of the API Gateway
    • Threat Protection
    • Encryption
    • Authentication
    • Authorization
    • Policy Enforcement (e.g. Throttling)
  • 10 A simple API Security example
  • 11 The Role of the API Gateway: basic throttling or rate limiting can prevent malicious access to public APIs
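Slide 11 names throttling as the gateway's first line of defence for a public API. The following added example (written for this page, not Axway code) implements the per-client token-bucket limiter a gateway applies at that point and runs constructed traffic through it: a scraper that bursts requests is answered with 429 once its bucket is empty, while a mobile client sending one request per second is never throttled. It assumes the client id has already been resolved from the request's API key, and the capacity and refill rate are illustrative values.

```python
"""Per-client token-bucket rate limiting, as an API gateway applies it.

Added example for the slide above; it is not Axway code. Requests are
identified by a client id assumed to have been resolved from an API key
before this code runs. The traffic at the bottom is constructed.
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float      # tokens currently available to spend
    last: float        # timestamp of the last refill


class RateLimiter:
    """capacity = burst allowed at once; refill_per_sec = sustained rate."""

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self.buckets: dict[str, Bucket] = {}

    def allow(self, client_id: str, now: float) -> bool:
        bucket = self.buckets.get(client_id)
        if bucket is None:
            # A client seen for the first time starts with a full bucket.
            bucket = Bucket(tokens=self.capacity, last=now)
            self.buckets[client_id] = bucket
        # Refill in proportion to elapsed time, capped at capacity so that an
        # idle client cannot bank an unbounded burst.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def enforce(requests, capacity: int = 5, refill_per_sec: float = 1.0):
    """Run (timestamp, client_id) requests through one limiter in time order.

    Returns a list of (client_id, timestamp, status) where status is the HTTP
    status a gateway would return: 200 when allowed, 429 when throttled.
    """
    limiter = RateLimiter(capacity, refill_per_sec)
    decisions = []
    for now, client_id in sorted(requests, key=lambda r: r[0]):
        status = 200 if limiter.allow(client_id, now) else 429
        decisions.append((client_id, now, status))
    return decisions


def statuses_for(client_id: str, decisions) -> list:
    """Just the status codes one client received, in order."""
    return [status for c, _, status in decisions if c == client_id]


# Constructed traffic: "scraper" fires 8 requests at t=0 and 4 more at t=3;
# "mobile-app" sends one request per second for five seconds.
SAMPLE_REQUESTS = (
    [(0.0, "scraper")] * 8
    + [(float(t), "mobile-app") for t in range(5)]
    + [(3.0, "scraper")] * 4
)


if __name__ == "__main__":
    for client_id, now, status in enforce(SAMPLE_REQUESTS):
        print(f"t={now:4.1f} {client_id:<10} -> {status}")
```

With capacity 5 and a refill of one token per second, the scraper gets five requests through at t=0 and three more at t=3 (three seconds of refill), and everything else is rejected; the mobile client's steady rate never drains the bucket. A real gateway would key the bucket on the authenticated client rather than the source IP, since public APIs are typically reached through shared NATs and proxies.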
  • 12 Basic Identity Federation
  • 13 The Role of the API Gateway
    • Securely bridging identity across domains
      – Mediating between token formats
    • Provide an STS overlay on top of existing IAM infrastructure
      – Enabling the extension of identity assets to the cloud
    • Track and audit usage
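Slide 13 describes the gateway acting as a security token service: it accepts a token in one format from the enterprise side and issues a token in another format to the cloud API. The added example below (written for this page, not Axway code) shows the issuing half of that mediation and the checks the receiving side must make. The inbound SAML assertion is assumed to have been signature-checked by the gateway already, so it appears only as a dict of its attributes; the issuer, audience, subject and HMAC key are constructed values. The verification routine pins the algorithm, compares the signature in constant time and then checks issuer, audience and expiry, which is the order of checks that defeats the common "alg: none" and payload-swap forgeries.

```python
"""Token mediation at the gateway: a verified inbound assertion is re-issued
as a short-lived HS256 JWT for the cloud-side API.

Added example for the slide above; it is not Axway code. The inbound SAML
assertion is assumed to have been verified already and is represented only
by its attributes. Issuer, audience and key are constructed values.
"""
import base64
import hashlib
import hmac
import json

GATEWAY_ISSUER = "https://gateway.example.com/sts"   # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> str:
    """Canonical JSON, base64url-encoded (one JWT segment)."""
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_jwt(assertion_attrs: dict, key: bytes, now: int, audience: str, ttl: int = 300) -> str:
    """Translate verified assertion attributes into an HS256 JWT for one audience."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": GATEWAY_ISSUER,
        "sub": assertion_attrs["NameID"],
        "aud": audience,
        "iat": now,
        "exp": now + ttl,   # short-lived: a mediated token should not outlive the session
        "groups": assertion_attrs.get("groups", []),
    }
    signing_input = f"{_compact(header)}.{_compact(payload)}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes, now: int, audience: str):
    """Return the payload if the token is valid for this API, else None.

    Pin the algorithm before trusting anything else in the header, check the
    signature in constant time, then check issuer, audience and expiry.
    """
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":   # never let the token choose the algorithm
            return None
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        payload = json.loads(_b64url_decode(p64))
    except (ValueError, AttributeError):   # malformed base64, JSON or structure
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("iss") != GATEWAY_ISSUER or payload.get("aud") != audience:
        return None
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    return payload


def mediation_demo() -> dict:
    """Happy path plus the rejections a gateway must enforce."""
    key = b"constructed-shared-secret-for-demo-only"
    now = 1_700_000_000
    attrs = {"NameID": "alice@corp.example", "groups": ["claims-readers"]}   # constructed
    token = mint_jwt(attrs, key, now, audience="claims-api")
    h64, p64, s64 = token.split(".")
    # Forgery 1: switch the algorithm to "none" and drop the signature.
    none_header = _compact({"alg": "none", "typ": "JWT"})
    alg_none = f"{none_header}.{p64}."
    # Forgery 2: keep the genuine signature but swap in a payload claiming admin.
    evil = _compact({"iss": GATEWAY_ISSUER, "sub": "admin", "aud": "claims-api", "iat": now, "exp": now + 300})
    tampered = f"{h64}.{evil}.{s64}"
    return {
        "valid_sub": (verify_jwt(token, key, now, "claims-api") or {}).get("sub"),
        "wrong_audience": verify_jwt(token, key, now, "billing-api"),
        "expired": verify_jwt(token, key, now + 301, "claims-api"),
        "alg_none": verify_jwt(alg_none, key, now, "claims-api"),
        "tampered_payload": verify_jwt(tampered, key, now, "claims-api"),
        "wrong_key": verify_jwt(token, b"other-key", now, "claims-api"),
        "garbage": verify_jwt("not.a.jwt", key, now, "claims-api"),
    }
```

The audience claim is what keeps a token minted for one cloud API from being replayed against another behind the same gateway; the short TTL bounds the damage if one leaks. In a deployment the HMAC key would be per-audience and held in the gateway's key store, and an asymmetric signature (RS256 or ES256) would be used when the verifying API should not hold a secret that can also mint tokens.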
  • 14 The password anti-pattern
  • 15 Solving this problem with OAuth
  • 16 The Role of the API Gateway
    • Provide an OAuth façade on top of legacy IAM
    • Clients should not be storing user passwords
      – OAuth tokens represent explicit authorization for a specific task
    • Provide a centralized way to de-authorize clients
      – Low-latency token store
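Slides 14 to 16 contrast the password anti-pattern (a third-party client holding the user's password) with OAuth tokens that carry an explicit, scoped authorization and can be revoked centrally. The added example below (written for this page, not Axway product code) shows the gateway side of that: opaque bearer tokens bound to one client, one user and a scope, a store that keeps only a hash of each token, an introspection check that fails closed on unknown, expired or under-scoped tokens, and a one-call de-authorization of everything a client holds. The in-memory dict stands in for the low-latency token store on slide 16; client ids and scope names are constructed.

```python
"""Opaque OAuth access tokens backed by a central, revocable token store.

Added example for the slides above; it is not Axway product code. The
client receives a random bearer token tied to one user, one client and a
scope, never the user's password, and the gateway can de-authorize a
client in one operation. The dict stands in for the gateway's low-latency
token store; client ids and scope names are constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    client_id: str
    user: str
    scopes: frozenset
    expires_at: float


class TokenStore:
    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Keep only a hash: a dump of the store contains nothing a caller can present.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id: str, user: str, scopes, now: float, ttl: float = 3600) -> str:
        """Issue an opaque token for one client/user/scope; no credential is stored."""
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = Grant(client_id, user, frozenset(scopes), now + ttl)
        return token

    def introspect(self, token: str, required_scope: str, now: float):
        """Return (active, detail), failing closed for unknown, revoked,
        expired or under-scoped tokens so the gateway rejects them before
        the request reaches the API."""
        grant = self._grants.get(self._digest(token))
        if grant is None:
            return False, "unknown_or_revoked"
        if now >= grant.expires_at:
            return False, "expired"
        if required_scope not in grant.scopes:
            return False, "insufficient_scope"
        return True, grant.user

    def deauthorize_client(self, client_id: str) -> int:
        """Central kill switch: drop every token issued to one client."""
        doomed = [d for d, g in self._grants.items() if g.client_id == client_id]
        for d in doomed:
            del self._grants[d]
        return len(doomed)


def revocation_demo() -> dict:
    """Two clients act for the same user; one is de-authorized mid-session."""
    now = 1_700_000_000.0
    store = TokenStore()
    mobile = store.issue("mobile-app", "alice", ["claims:read"], now)
    partner = store.issue("partner-portal", "alice", ["claims:read", "claims:write"], now)
    out = {}
    out["mobile_read"] = store.introspect(mobile, "claims:read", now)
    out["mobile_write"] = store.introspect(mobile, "claims:write", now)   # scope not granted
    out["partner_write"] = store.introspect(partner, "claims:write", now)
    out["revoked"] = store.deauthorize_client("partner-portal")
    out["partner_after_revoke"] = store.introspect(partner, "claims:read", now)
    out["mobile_after_revoke"] = store.introspect(mobile, "claims:read", now)  # unaffected
    out["mobile_expired"] = store.introspect(mobile, "claims:read", now + 3601)
    out["garbage"] = store.introspect("not-a-token", "claims:read", now)
    return out


if __name__ == "__main__":
    for name, result in revocation_demo().items():
        print(f"{name:<22} {result}")
```

Because the store holds the only record of what a token means, revocation takes effect on the next request, which is the property a password-sharing client can never offer: the only way to cut off a client that holds a password is to change the password for everyone. Note that the store must be consulted on every call, so it needs to be fast and close to the gateway; this is why the slide calls for a low-latency store rather than a round trip to the legacy IAM system.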
  • 17 Leveraging Social Login
  • 18 Leveraging Social Login
  • 19 The Role of the API Gateway
    • Apply Social Login at an infrastructure level
      – Bringing API Access and SSO together
    • Monitoring and Reporting
      – Trends over time
      – Audit trail
    • Enterprise Identity Management Integration
      – Adapters to directories, Web Access Management
  • 20 Some Customer Examples
  • 21 Leading pharmaceutical company: SSO solution
    Challenge:
    • Users have two passwords (one for the intranet, one for SharePoint)
    • Two user authentication technologies (Oracle and Microsoft)
    Solution diagram: Web Browser, API Gateway, API, Intranet Site, Oracle Access Manager, SharePoint, Active Directory
  • 22 Large US Health Plan: Mobile Access
    Challenge:
    • Manage mobile (tablet, phone) access to medical systems
    • Consolidate across Oracle and IBM identity systems
    Solution diagram: Mobile Devices, secure connection, API Gateway, API, Identity Management Integration (SAML), Oracle SOA, Web APIs
  • 23 Leading Mutual Fund Provider: Cloud Access
    Challenge:
    • Must authenticate clients against CA SiteMinder
    • Must expose internal systems as APIs for mobile apps to access
    • Secure connection to Salesforce
    Solution diagram: API Gateway, check cookie, secure connection, encrypted data
  • 24 Thank you! Ross Garrett, rgarrett@axway.com | @gssor