The Magic Behind Enterprise Apps: How to Expose Reliable, Scalable and Secure Enterprise APIs?

Blake Dournaee covers the often forgotten back-end architecture for mobile apps which should expose cross-platform APIs to mitigate some of the effects of mobile O/S fragmentation. Filmed at

Blake Dournaee is currently the Sr. Product Manager responsible for the Intel Expressway line of API Gateway and Data Protection software products. Blake was a specialist in applied cryptography applications at RSA Security and is a frequent speaker at API and PCI-DSS conferences throughout the US and Europe.


  1. The Magic Behind Enterprise Apps: How to Expose Reliable, Scalable and Secure Enterprise APIs. Blake Dournaee, Senior Product Manager, Intel Data Center Software Division. Intel Confidential — Do Not Forward
  2. Watch the video with slide synchronization on! /reliability-security-enterprise-api
     News & Community Site
     • 750,000 unique visitors/month
     • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese)
     • Post content from our QCon conferences
     • News 15-20 / week
     • Articles 3-4 / week
     • Presentations (videos) 12-15 / week
     • Interviews 2-3 / week
     • Books 1 / month
  3. Presented at QCon San Francisco
     Purpose of QCon: to empower software development by facilitating the spread of knowledge and innovation
     Strategy: a practitioner-driven conference designed for YOU, the influencers of change and innovation in your teams
     - speakers and topics driving the evolution and innovation
     - connecting and catalyzing the influencers and innovators
     Highlights
     - attended by more than 12,000 delegates since 2007
     - held in 9 cities worldwide
  4. Warning: This talk is not “sexy” … but it may make your life easier
  5. Coding at home versus coding at work
     Independent Developer:
     • Open source & low cost tooling
     • Organic software development process
     • Coolest programming language
     • Code for fun and/or profit
     • No legal department
     • Minimum security & compliance
     • No “legacy” applications
     • Complete creative control
     • Lower or zero risk aversion
     • Sole developer or small team
     • Liberal use of “aaS” services
     Enterprise Developer:
     • Mix of licensed software and open source
     • Formalized software development process
     • Incumbent programming languages
     • Code for a living
     • Legal department
     • Formalized security & compliance
     • “Legacy” applications
     • Restricted creative control
     • Higher risk aversion
     • Larger development team
     • Deliberate use of “aaS” services
  6. Enterprise Apps Come From APIs. How do you package valuable internal data & services for internal, partner, and external developer community app creation? (Diagram labels: API, Cross-platform, Legacy Data)
  7. Enterprises Have Unique Requirements for Mobile Enablement. Trying to get a mobile project going at your Enterprise? Does this look familiar?
     • Disparate middleware and database technologies
     • Disparate identity management silos
     • Disparate programming languages
     • Current architecture optimized for web browsers
     • Vertical integration prohibits cloud outsourcing
     • Inconsistent security model across domains
     • PII/PCI compliance requirements?
     On top of this you want:
     • BYOD – Any device
     • Native application features & feel
     • Low development & maintenance costs
     • Fast time to market
     • Robust security for Enterprise data
  8. Mobile Enablement is Expensive
     • Our mobile reality is fragmented – iPhone, Android, Windows, Blackberry
     • Multiple versions of everything
     • Competing programming languages
     • Competing devices and ecosystems
     • How can Enterprises reduce cost drivers? Two ways, both standards-based:
       • write portable mobile apps
       • make data available to those apps
     So… where are most Enterprises today in this journey?
  9. Traditional 3-Tier Architecture (diagram: Browser → Load Balancer → Web servers (Presentation Tier) → Load Balancer → App servers (Logic/application Tier) → Load Balancer → Database Master with Database slaves 1..N (Persistence Tier))
     3-Tier Shared Nothing Architecture
     • Most common architecture, widely deployed
     • Gold standard, developed as a result of the web revolution
     • Problem: Designed primarily for HTML web browsers, not mobile apps
     Image borrowed from “Software Engineering for Software as a Service”, Coursera course by Armando Fox and Dave Patterson
  10. What’s Happening – Two Approaches Emerging
      • Build it: Hang APIs for mobile off my ESB
      • Outsource it: Buy a cloud service & outsource app creation (Back-end as a Service)
  11. Existing Approaches - Challenges
      ESB Approach - Challenges:
      • Lack of Perimeter Security
      • Trust mediation, especially for legacy systems
      • Scalability
      • Resource protection
      • High costs of success*
      Outsourced Approach - Challenges:
      • Loss of Control
      • Vendor / SDK Lock-in
      • Data Portability
      • Development Costs
      • Secure cloud brokering
      • Requires new business relationships
      Is there another way?
  12. Wait a Minute…. Mobile apps thin the server business logic; processing is pushed to the client. Client / Server? Crap… We’re back to Client / Server. Almost…
  13. 2-Tier, App-Optimized Architecture (diagram: HTML5 & Native Apps → Load Balancer → APIs (Data Services and Delivery Layer) → Load Balancer → Database Master with Database slaves 1..N (Persistence Tier))
      2-Tier Data Services (API) Architecture
      • Emerging standard for app enablement
      • Pushes view/presentation to client side
      • Enterprise Data is made available through a data service layer
  14. “New” 3-Tier Architecture (diagram: HTML5 & Native Apps → Load Balancer → API Governance, Management and Security (Delivery & Governance Tier) → Load Balancer → APIs (Data Service Layer) → Load Balancer → Database Master with Database slaves 1..N (Persistence Tier))
      3-Tier API-optimized architecture
      • Emerging standard for app enablement
      • Pushes view/presentation to client side
      • Delivery tier focuses on integration, mediation, and security instead
  15. Proxy Design Pattern
      • Architectural best practice for API or web services communication
      • Product agnostic
      • Relies on indirection to solve security, performance and management problems
      • Ideal for application to application traffic
      (Diagram: Client –HTTP/JSON→ Gateway (Governance Layer) –HTTP, JSON/XML→ API)
      “All problems in computer science can be solved by another level of indirection.” – David Wheeler
      “...except for the problem of too many layers of indirection.” – Kevlin Henney
  16. New Developer AuthN Requirements
      API & Mobile Authentication Mechanisms (authenticating credential / secret):
      • API Key / API Key
      • API Key / Shared Secret
      • OAuth Consumer Key / OAuth Consumer Secret
      • Username / Password
      • Username / One-time Password
      Enterprise Authentication Mechanisms (authenticating credential / secret):
      • Username / Password
      • Certificate / Private Key
      • Kerberos Ticket / Password
      • SAML Assertion / Password or Private Key
      • Username / One-time Password
      Enterprises can’t afford another identity silo. (Diagram: Consumer & BYOD ↔ ? ↔ Existing Enterprise IDM systems)
  17. “New” 3-Tier Architecture, annotated by tier
      HTML5 & Native Apps:
      • Low development costs
      • HTML5/JavaScript programming
      • Rich UI with access to native device features
      • Stateless synchronous API calls
      • Full-duplex communications (Websockets)
      • Step-up authentication, including OAuth and Enterprise login support
      • Transport level security
      Delivery & Governance Tier (API Governance, Management and Security):
      • Massive scalability for millions of devices
      • Hardware or software
      • Enforces OAuth/API key authentication
      • Supports synchronous API calls and Websockets
      • SSL/TLS Acceleration
      • PII/PCI data protection on inbound/outbound data
      • Perimeter security, threat defense
      • Enterprise IDM support, LDAP/AD
      • Dynamic API key security for HTML5
      • JSONP and CORS support
      Data Service Layer (APIs):
      • APIs serve application data and responses
      • Can be in legacy formats – XML, SOAP, binary, text
      • Any protocol: HTTP/SOAP, JMS, FTP, raw TCP
      Persistence Tier (Database Master, Database slaves 1..N):
      • Enterprise persistence tier – RDBMS or NoSQL
      • Generally interfaces with the application server
      • Can serve data directly through the service gateway
  18. Build it now or it will come… (1 of 2): Yammer Architecture
  19. Build it now or it will come… (2 of 2): LiveOps Architecture
  20. Why HTML5 Is Great for Apps
      HTML5 is Advanced
      • Proven web technologies with advanced features
      • Intel takes HTML5 further with new APIs and Parallel JavaScript*
      HTML5 is Open
      • Built on open web technologies and W3C standards
      • More than two million HTML5 developers worldwide
      • Intel advances HTML5 via open source projects and the W3C
      HTML5 is Everywhere
      • More than one billion mobile devices with HTML5 browsers in 2013
      • 40% of app developers use HTML5 today, another 40% plan to in the future
      Create Apps Faster, Better and at Lower Cost
  21. Cross-origin Resource Sharing (CORS) (diagram: API A1 in Domain A, API B in Domain B; need CORS support)
      • CORS – Standards based, W3C protocol, meant to replace JSONP
      • The client is allowed to share resources from one page to another in the same domain, but is restricted from accessing resources in other domains
      • Meant to protect the client; the server can allow origins
      • Client: XmlHttpRequest2 or XDomainRequest
      • Server: Access-Control-Allow-Origin: <domains>
      Use the CORS protocol to control client access across servers in multiple domains
  22. HTML5 Websocket
      • Full duplex communication with a persistent socket connection
      • Replaces HTTP half-duplex communication
      • Dramatically reduces overhead compared to polling (as much as 2K per HTTP response)
      • Sounds good, but what about tradeoffs?
        • Lack of header information changes the security model – message level security no longer possible
        • More emphasis on SSL/TLS acceleration and enforcement
        • Requires authentication during “connection upgrade”; can be done against Enterprise identity management systems
        • Drives increased need for perimeter defense, content scanning
        • Establishes requirements on load balancers for stickiness
  23. HTML5 API Key Security (diagram: HTML5 Application Deployment Model – the server delivers the HTML5/JavaScript app to the client in response to an HTTP request)
      API Key Security Concern
      • HTML5 apps are pushed to the client, including all API keys
      • API Keys for cross-platform requests will be distributed to all clients
      • Clients can view source to obtain API keys
      • Solution #1: Obfuscate API key – may work for low value APIs
      • Solution #2: Replace API key with function call to API layer for step-up authentication
  24. Use Case: Conference Room Finder
  25. Demo: Conference Room Finder (diagram: Siloed Corp App, Legacy Heat Sensor Data, Mashup API, BYOD Demands)
  26. Architecture
  27. Enterprise Conference Room Application
  28. Intel Confidential — Do Not Forward
  29. Watch the video with slide synchronization on! -security-enterprise-api