Unified Security for Mobile, APIs and the Web

This presentation explains the various security scenarios for your mobile and Web applications, and APIs. We go into the specifics of OAuth, SAML, SSO, authentication/authorization, policy, protection and a host of other related issues that will help you understand how to keep your data secure.

Presentation Transcript

Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.

  • Unified Security: Mobile, Web and APIs
  • The Security Landscape
    – Authentication, Authorization, SSO
    – Licensing
    – Quota Management
    – Protection
    – Role of Policy
  • Authentication/Authorization/SSO
    – Confusing array of standards: OAuth, SAML, OpenID, SCIM
    – A variety of app types: desktop, mobile, Web
    – Enterprise SSO and its set of legacy systems
  • Use Cases
    – Enterprise support for public credentials: tiered service
    – Providing APIs for Web applications
    – Enabling new API digital channels using OAuth, perhaps in conjunction with SAML or OpenID
    – Extending/modernizing Enterprise SSO via OpenID Connect or SAML
  • Combining SAML and OAuth
    1. Try to get an OAuth token
    2. Redirect with a SAML Authentication Request
    3. Log the user in, create the SAML assertion and redirect again
    4. Verify the SAML token and issue an OAuth token
    5. App makes a call to the API
    6. Gateway validates the OAuth token and performs fine-grained authorization
  • Licensing
    – You may want to enable a business model based on different operations or resources, or different levels of service
    – The licenses control: OAuth authorization scopes, document visibility, quota policies
  • Licensing - Flow: Validate OAuth token → Authorize API call → Determine license → License provides QoS policies
  • Quota Management
    – You probably want different licenses with different levels of service
    – The levels of service are: throughput, bandwidth consumed over time, concurrency, availability
    – Apps could either be cut off or events generated when quotas are exceeded; events can be used for overage billing
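The licensing flow and quota slides above describe a gateway that validates the OAuth token, determines the app's license, and lets the license supply the QoS policy, with the choice of cutting the app off or only emitting an overage event for billing. The following is an added example written for this page, not SOA Software's code: the tier names (`bronze`, `gold`), the app-to-license registry, and the limits are all constructed, and it covers the throughput and concurrency levels of service with a sliding window and an in-flight counter (bandwidth and availability would plug into the same violation list).

```python
import time
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class QuotaPolicy:
    """QoS limits attached to a license tier."""
    requests_per_window: int   # throughput: calls admitted per window
    window_seconds: float
    max_concurrent: int        # concurrency: calls in flight at once
    cut_off: bool              # True: reject on overage; False: admit but emit an event


# Constructed license tiers (hypothetical names). The license an app holds selects
# the quota policy; the OAuth token only tells the gateway which app is calling.
LICENSES = {
    "bronze": QuotaPolicy(requests_per_window=3, window_seconds=60, max_concurrent=1, cut_off=True),
    "gold": QuotaPolicy(requests_per_window=100, window_seconds=60, max_concurrent=2, cut_off=False),
}
APP_LICENSES = {"app-a": "bronze", "app-b": "gold"}  # constructed app -> license registry


@dataclass
class AppState:
    timestamps: deque = field(default_factory=deque)  # admitted calls inside the window
    in_flight: int = 0


class QuotaManager:
    def __init__(self):
        self.apps = {}
        self.events = []  # overage events, consumable by a billing pipeline

    def determine_license(self, app_id):
        # "Determine license" step of the licensing flow (lookup in the constructed registry)
        return APP_LICENSES[app_id]

    def admit(self, app_id, now=None):
        """Returns (allowed, violations). Call release(app_id) when the call completes."""
        now = time.monotonic() if now is None else now
        license_name = self.determine_license(app_id)
        policy = LICENSES[license_name]
        st = self.apps.setdefault(app_id, AppState())
        # Slide the window: forget admitted calls older than window_seconds.
        while st.timestamps and now - st.timestamps[0] >= policy.window_seconds:
            st.timestamps.popleft()
        violations = []
        if len(st.timestamps) >= policy.requests_per_window:
            violations.append("throughput")
        if st.in_flight >= policy.max_concurrent:
            violations.append("concurrency")
        # Every overage is recorded, whether or not the call is cut off.
        for quota in violations:
            self.events.append({"app": app_id, "license": license_name, "quota": quota, "at": now})
        if violations and policy.cut_off:
            return False, violations
        st.timestamps.append(now)
        st.in_flight += 1
        return True, violations

    def release(self, app_id):
        st = self.apps[app_id]
        st.in_flight = max(0, st.in_flight - 1)
```

The window check runs before the concurrency check so that a rejected call never occupies a throughput slot; `now` is injectable so the behaviour at the window boundary can be tested deterministically rather than with real sleeps.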
  • Protection
    – Denial of Service
    – Injection Attacks
    – XSS
    – Viruses
  • The Role of Policy: lower cost and risk
    – Separate functional and non-functional
    – Decouple changing standards from your implementation
    – Provide multiple options depending on the channel
    – Mediate
  • The Role of Policy
    – An API is exposed externally with a security policy of OAuth with SAML2
    – Internally, the security policy is WSS/SAML
    – The system can use these declarative policies to automatically convert the inbound OAuth token to the WSS/SAML token required by downstream services
  • SOA Software's API Platform
  • API Platform
    – Analytics: measure the impact of your programs
    – Developer Engagement: build your developer and partner ecosystem
    – Gateway Services: secure and protect your systems
    – Service Integration: simplify and speed up development
    – Lifecycle Management: build the right services and APIs the right way
  • In the Cloud or On-Premise
  • Thanks… Alistair Farquharson, CTO, SOA Software, www.soa.com, @afarqu, @SOASoftwareInc