Who says Elephant Can't Dance?

Published in: Technology, Education

Transcript

  • 1. Who says Elephant Can’t Dance? Securely Externalizing APIs @ Cisco. Anand Sharma, IT Architect. July 2012. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  • 2. Follow my (re)tweets at @indrayam
  • 3. 45 Billion Dollars: Annual Revenue (Overall). 9.5 Billion Dollars: Annual Revenue (Cisco Services). 21%: Cisco Services’ Share of Total Revenue. Note: Approximate Numbers with a dash of extrapolation. 45 looks better than 43 on a slide..;-)
  • 4. March 2010: "Cisco’s Partner Program is one of the most formidable in the industry."
  • 5. Route(s) to Market (diagram): Manufacturer, Distributor, Reseller / Partner, Customer; Direct, 1 Tier (DVAR), 2 Tier
  • 6. Partners drive a large percentage of Cisco’s Business
  • 7. Serving the middle of the Long Tail in the Partner/Customer Experience. Make it easy to do business with Cisco! Extend our Reach. Enable Disruptive Innovation. Diagram labels (axis: Reach to Number of Partners): Traditional B2B; Enabled Partner Defined Experience; Hundreds of partners; Externalized Business Services; Thousands of Partners and Customers; Cisco UI / Portals; Tens of Thousands of Partners and Customers; High Cost, High Touch; Low Cost, Self Service, Loose integration; No Integration; Tight integration; “Have it your way. Period.”; “Have it our way”; “Have it your way, if you can afford it”
  • 8. Typical Cisco’s SMARTNet Service: 24x7 Phone Support; Web 1.0 Apps (Forums); Web 2.0 Apps (Wikis); Social Media Apps (Facebook, Twitter). What’s missing? Hint: “Have it your way”
  • 10. Mobile Apps Cisco Support Community Sales/Partner Deal Mgmt Quote-to-Order Marketing Quoting Product Data Configuration Pricing Got API? Campaigns Order Status Product Data Services Inventory Service Go to Market Contract Service EoX Service Rebates Field Notice Service Certifications & Specializations Intelleshield Service Incentives & Promos PSIRT Service
  • 11. API Externalization @ Cisco circa 2010: XML Firewall, XML Gateway, SOA Gateway. Source: “Expanding Role of XML Gateways” Webinar Hosted by Layer 7 and Forrester
  • 12. Basic Auth Over HTTP(S): Application ID is a pseudo Human ID; No difference between Human and App ID; Manually Created Generic IDs. Self-Service capabilities minimal; HTTPS Basic Auth based authentication; Hard to Manage (Add/Edit/Disable) Group-based Authorization Logic
  • 13. Out (-): Web Services (nomenclature), SOA Gateway, Basic Authentication, Group-based Access Control. In (+): APIs, API Management Platform, OAuth 2.0, XACML (ABAC/PBAC). Note: We stopped calling it Web Services. This was around mid-2010. Everyone else was doing it..;-)
  • 14. Cisco APIx Platform: Addressing Key Cross Cutting Concerns
      o “No Gateway/Proxy Approach”: Cross-Cutting Concerns Handled by every API
      o “Proxy Flow through Approach”: Cross-Cutting Concerns Handled by Gateway/Proxy For every API
      o “Proxy Connector Approach”: Cross-Cutting Concerns Handled by In-memory API Interceptor which in turn communicates with API Proxy
      o Key Cross-Cutting Concerns of every API: App Authentication, API Entitlement, API Analytics, API Rate Limiting/Throttling, Developer Console/On-Boarding, API Community
      o Diagram components: API/WS Client, API Proxy, API Console, API #1, API #2
  • 15. Cisco APIx Platform: Our API Management Platform Journey… Home Grown Web Services Management Console (WSMC) launches; APIx Platform v1.0 launches; Cisco PingFederate 6.5 (OAuth2 AS) goes LIVE. Timeline dates: Dec 2009, Nov 2010, Nov 2011, Jan 2012
  • 16. Cisco APIx Platform …that led to our current version. Mar 2012: APIx Platform v2.0 launches, http://apiconsole.cisco.com
      o Mashery powered Public Cloud Based API Console and Cisco On-Prem OSGi-based (Equinox) API Proxy Node Cluster
      o Human and Application Entitlement powered by Entitlement Framework APIs using Cisco Entitlement Policy Manager
      o API Authentication using OAuth 2.0 IETF Draft (soon to be a standard), powered by Cisco OAuth 2.0 Cluster using PingFederate 6.5
      o Business Policy & OAuth 2.0 Access Token Enforcement Point (PEP/TEP) implemented as Adapters on OSGi-based (Equinox) API Proxy
      o Implemented Access Token Cache Object (ATCO) capability to efficiently provide Human and/or Application Context to backend APIs
      o Deployment Flexibility allowing Cisco to securely expose APIs on Cisco DC Footprint and/or Mashery’s API Distribution Network
      o Developer On-Boarding (with proper Business Entitlement) handled by Cisco Entitlement Framework UI Tools
      o Ready for Multiple API Providers (read, Tenants) within Cisco
  • 17. Cisco APIx Platform: Externalizing Cisco APIs
  • 18. Cisco APIx Platform: APIx Platform Application Registration Architecture. Highlights:
      1. Human (Party Developer) Authentication using PingFederate SAML Based SSO
      2. Human (Party Developer) Authorization using XACML based policies stored in Cisco Entitlement Policy Manager. Exposed by Entitlement Framework as RESTful APIs
      3. Application Registration integrated with PingFederate APIs which acts as SSOT of Application Credentials
      4. Party Centric Identity of the Application captured during App Registration
  • 19. Cisco APIx Platform: APIx Platform Application Runtime Architecture. Highlights:
      1. OAuth 2.0 Grant Type dance to get “Access Token” is driven independent of APIx Platform
      2. An adapter on the OSGi-based API Proxy acts as the Access Token Enforcement Point (TEP) as well as the Business Policy Enforcement Point (PEP)
      3. Access Token Cache Object (ATCO) improves performance significantly by reducing load on PF OAuth 2 AS and Entitlement Framework APIs
      4. ATCO provides Human and/or Application Context in Base-64 Encoded JSON Object to the Backend API.
      5. All 3 integration touch points with PF, EF and Backend API Handshake are configurable per API Endpoint
  • 20. Cisco APIx Platform: Access Token Cache Object (ATCO)
  • 21. Securely Externalizing APIs @ Cisco: API Management; Human/API Authentication (OAuth); Entitlement (XACML) Engine
  • 22. What did we observe? #1. Open APIs are not a typical use case for Cisco. Source: Hey Devs, APIs are good for you (Gigaom.com)
  • 23. What did we observe? #2. “Dark” or Enterprise APIs (Private/Pseudo-Private/Public) are extremely critical
  • 24. What did we observe? #3. Cisco APIs will have to be device and hosting agnostic. No surprises here.
  • 25. What did we observe? #4. “OAuth Everywhere” for all APIs seems like a daunting task
      o Preserving App Context
      o OAuth implementation is non-trivial
      o OAuth SDKs are maturing
  • 26. What did we observe? #5. More OAuth-centric tactical issues
      o Life of an RT per App (not per Instance)
      o Token Translation (between ObSSO Cookie and Access Token)
      o OAuth Grant Types shown to Users during registration
      o API Console + OAuth Authorization Server Admin capabilities: Deleting App, Revoking Token
  • 27. APIs are important for Cisco. We’re just getting warmed up! Proof-point from our initial Pilot Partners using End-of-Life (EoX) API:
      o “This is huge for us. It allows us to have very intelligent conversations with our customers that might have been the domain of a hard core CCIE or networking guru.”
      o “…breaking new ground”
      o “It just worked … It helped close a $1.3 million renewal … EOX API was the shining star of our MSCP audit. Even Cisco people were impressed.”
      o “… don’t care about metrics/reports. Give me more APIs”
  • 28. Backup Slides. Q&A
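
The token enforcement point and Access Token Cache Object from slide 19, sketched as an added Python example; it is not Cisco's code, and the platform itself is an OSGi (Java) proxy. The `introspect` and `entitlements` callables, the context field names and the TTL are assumptions standing in for the PingFederate and Entitlement Framework lookups; the two eviction methods cover the "Revoking Token" and "Deleting App" cases listed on slide 26.

```python
import base64
import hashlib
import json
import time


class AccessTokenCache:
    """ATCO-style cache sketch; field names and callables are assumptions."""

    def __init__(self, introspect, entitlements, max_ttl=300, clock=time.time):
        self._introspect = introspect      # stand-in for the OAuth 2.0 AS lookup
        self._entitlements = entitlements  # stand-in for the entitlement API
        self._max_ttl = max_ttl
        self._clock = clock
        self._entries = {}                 # sha256(token) -> (expires_at, context)

    @staticmethod
    def _key(token):
        # Store a digest, not the raw bearer token, so a cache dump leaks no tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def context_for(self, token):
        """Return the caller context, or None when the token must be rejected."""
        now, key = self._clock(), self._key(token)
        hit = self._entries.get(key)
        if hit and hit[0] > now:
            return hit[1]
        self._entries.pop(key, None)
        info = self._introspect(token)
        if not info or not info.get("active") or info.get("exp", 0) <= now:
            return None
        ctx = {"client_id": info["client_id"], "user": info.get("user")}
        ctx["entitlements"] = self._entitlements(ctx["client_id"], ctx["user"])
        # The cached entry must never outlive the token itself.
        self._entries[key] = (min(info["exp"], now + self._max_ttl), ctx)
        return ctx

    def revoke(self, token):
        """Evict one token so revocation takes effect before the TTL ends."""
        self._entries.pop(self._key(token), None)

    def revoke_client(self, client_id):
        """Evict every token of a deleted application."""
        self._entries = {k: v for k, v in self._entries.items()
                         if v[1]["client_id"] != client_id}


def backend_context(ctx):
    """Base64-encode the JSON context handed to the backend API."""
    return base64.b64encode(json.dumps(ctx, sort_keys=True).encode()).decode()
```

Without the eviction calls, a token revoked at the authorization server keeps passing the proxy until its cache entry expires, which is why the cache lifetime is bounded by both `max_ttl` and the token's own expiry.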