API Security and OAuth for the Enterprise

In this presentation, enterprises will get a practical overview of what they need to know when approaching APIs and technologies like OAuth.

Mobile and Cloud initiatives are driving enterprises to expose data and applications to the outside world. Whether SOAP, REST or JSON, these APIs give enterprises an efficient way to open up information to services running in the Cloud and apps running on mobile devices like the iPad.

However, securing and governing the lifecycle and operation of these APIs is not straightforward. It requires new approaches to access, protection and management. This invariably requires adoption of new technologies such as OAuth, which are not yet well understood.


Transcript of "API Security and OAuth for the Enterprise"

  1. A Practical Guide to API Security and OAuth for the Enterprise. K. Scott Morrison, CTO and Chief Architect, Layer 7 Technologies, Inc.; Eve Maler, Principal Analyst, Forrester Research, Inc.
  2. Housekeeping. Questions: chat any questions you have and we’ll answer them at the end of this call. Today’s event hashtag: #L7webinar. Follow us on Twitter as well: @KScottMorrison, @xmlgrrl, @layer7, @forrester. Also: facebook.com/layer7, layer7.com/linkedin, layer7.com/blogs. Layer 7 Confidential 2
  4. OAuth As A Serious API Security Tool For Enterprises: A Practical Overview. Eve Maler, Principal Analyst. © 2009 Forrester Research, Inc. Reproduction Prohibited.
  5. “API economy” technologies and habits are trickling down into the enterprise. Leverage OAuth’s strengths for modern service and app security scenarios while steering clear of its dangers.
  6. Agenda: Web services are opening up — and paying a security price. OAuth is a powerhouse of API security and SSO solutions. Leverage OAuth’s ascendance while minding its weaknesses.
  7. Web APIs aren’t toys; they’re business-enabling tools for retail, content delivery, financial transactions . . .
  8. Security pros’ control over developers diminishes with distance.
  9. A variety of pressures make traditional security and access control methods less viable.
  11. Web 2.0 players originally invented OAuth simply to solve the “password antipattern.”
  12. At base, OAuth lets a person delegate constrained access from one app to another. Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report.
  13. Using the OAuth approach helps manage risk, cost, and complexity in environments that need Zero Trust:
     - Gets client apps out of the business of storing passwords
     - Allows for a variety of user authentication methods
     - Allows app access to be tracked and revoked on a per-client basis
     - Allows for least-privilege access to API features
     - Can capture explicit user authorization for access
     - Lowers the cost of secure app development
     - Bonus: solves a much larger class of needs around security, identity, access, and privacy
  14. In consumer-facing scenarios, services can audit who made each API call on whose behalf:
     - Third parties offer productivity apps to eBay sellers that list items and do other tasks through the eBay API
     - These apps never see the seller’s eBay credentials
     - They don’t merely “impersonate” the seller
     Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report.
  15. In extranet and SaaS integration scenarios, services can consume SAML:
     - Partner apps integrate with the construction firm’s valve-design service
     - On-site partner engineers log in to their home systems through a tablet
     - They can then use apps that call the valve-design service through SAML SSO
     Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report.
  16. OAuth-native SSO is “off label” but popular for unifying user-present and user-absent experiences. Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report.
  17. “Two-legged” userless A2A scenarios enable uniform auditing and compliance for low-level services, including services such as:
     - Calculating sales tax
     - Formatting shipping labels
     - Verifying credit card numbers
     - Performing HTML code checking
     Most scenarios separate these two server functions. Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report.
  19. Simplicity doesn’t have to equal insecurity — if you use and insist on good OAuth practices.
     Server-side:
     - Establish UX standards for users’ “consent ceremonies.”
     - Use the strongest protocol options your ecosystem will tolerate.
     - If your use of OAuth involves cryptographic algorithms, reuse a well-tested library.
     Client-side:
     - Store OAuth tokens and other secrets securely.
     - Fully protect the use of your callback endpoint.
     - If you depend on password authentication, remember you’re not immune from user credential-stealing risks such as phishing.
  20. So how can you maximize value in an OAuth-enabled future?
     - Determine which scenarios resonate with your organization’s needs.
     - Ask which SaaS providers are in a position to force your hand.
     - If you will be publishing your own web APIs, catalog your client app requirements and constraints.
     - Partner with enterprise architects to plan how OAuth token handling and your current SOA infrastructure need to interact.
     - Accept some volatility around OAuth’s evolution — and even embrace it.
  21. In particular, keep an eye on OAuth’s SSO futures.
  22. Thank you. Eve Maler, +1 425.345.6756, emaler@forrester.com, Twitter: @xmlgrrl, www.forrester.com. © 2009 Forrester Research, Inc. Reproduction Prohibited.
  23. A Practical Guide to API Security and OAuth for the Enterprise. K. Scott Morrison, CTO and Chief Architect.
  24. First Let’s Nail the Terminology… Resource Owner (RO) (a.k.a., the User), Client, Authorization Server (AS), Resource Server (RS).
  25. Request Twitter (Client) Access – Facebook (AS)
  26. Authorization Grant – Twitter (Client), Facebook (AS), Finger of Resource Owner
  27. Authorization Granted – Twitter (Client), Facebook (AS)
  28. API Call (request for Protected Resource) from Twitter (Client) to Facebook (RS)
  29. Manage Twitter (Client) Access – Facebook (AS)
  30. Manage Flipboard (Client) Access – Facebook (AS)
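The roles and steps walked through on slides 24 to 30 (request access, grant, token, API call, manage/revoke a client) together with the callback, least-privilege and revocation practices on slides 13 and 19, modelled as an added Python example. This is not code from the webinar or from Layer 7’s toolkit; the client id, user, scopes and callback URI are constructed placeholders.

```python
# Added example, not code from the webinar: a toy model of the OAuth 2.0 authorization-code
# flow between the four roles on the slides (RO, Client, AS, RS). All names are constructed.
import hmac
import secrets

class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients            # client_id -> registered callback URI (constructed)
        self.codes, self.tokens = {}, {}  # single-use codes; token -> (client, user, scope)

    def authorize(self, client_id, redirect_uri, user, scope, state):
        # Redirect only to the callback registered for this client, never a supplied one.
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(scope))
        return {"code": code, "state": state}  # carried to the callback by the RO's browser

    def token(self, client_id, code):
        owner, user, scope = self.codes.pop(code)  # pop: an authorization code is single-use
        if owner != client_id:
            raise PermissionError("code was issued to another client")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_id, user, scope)
        return tok

    def revoke_client(self, user, client_id):
        # "Manage access": the RO drops one client's tokens without touching other clients.
        self.tokens = {t: v for t, v in self.tokens.items() if v[:2] != (client_id, user)}

def resource_server_get(authz, token, needed_scope):
    # RS validates the token against the AS and enforces least-privilege scope.
    entry = authz.tokens.get(token)
    if entry is None or needed_scope not in entry[2]:
        return 401, None
    return 200, {"client": entry[0], "on_behalf_of": entry[1]}  # audit: who, on whose behalf

def client_callback(expected_state, redirect_params):
    # Client protects its callback endpoint by binding the response to its own state value.
    if not hmac.compare_digest(expected_state, redirect_params.get("state", "")):
        raise PermissionError("state mismatch: response was not for this session")
    return redirect_params["code"]

def run_flow(authz):
    # Alice grants the Twitter-style client read-only access, then revokes it (slides 25-29).
    state = secrets.token_urlsafe(8)
    redirect = authz.authorize("twitter-app", "https://client.example/cb", "alice", ["read"], state)
    token = authz.token("twitter-app", client_callback(state, redirect))
    granted = resource_server_get(authz, token, "read")[0]
    over_scope = resource_server_get(authz, token, "write")[0]  # scope never granted
    authz.revoke_client("alice", "twitter-app")
    return granted, over_scope, resource_server_get(authz, token, "read")[0]
```

`run_flow` returns the three resource-server statuses: 200 for the granted scope, 401 for a scope the user never consented to, and 401 again once the user revokes that client.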
  31. Comprehensive REST Access Control Needs (*all of this*):
     OAuth Clients: provisioning, approval flow, persistence, querying, metrics.
     OAuth Tokens: persistence, querying, metrics, revocation, refresh.
     OAuth Authorization Server: policy modeling, OAuth protocol (Bearer, MAC, SAML), identity integration, token issuing, token refresh, SLA enforcement.
     Protected Resource Server: policy modeling, token validation, identity integration, integrity check, API proxying, SLA enforcement.
     Analytics: reports, monitoring, SLAs, alerting.
  32. The Layer 7 OAuth Toolkit Provides: the same set of capabilities as slide 31 (OAuth clients, OAuth tokens, authorization server, protected resource server, analytics). Omg, it’s full of win.
  33. Today’s Demo: Resource Owner (RO) (a.k.a., the User), Client, Authorization Server (AS), Resource Server (RS). Get Recipe.
  34. Demo. To view the demo, download a recording of this webinar in the Layer 7 Resource Library: Layer7.com/library