API Security and OAuth for the Enterprise

In this presentation enterprises will get a practical overview of what they need to know when approaching APIs and technologies like OAuth.

Mobile and Cloud initiatives are driving enterprises to expose data and applications to the outside world. Whether SOAP, REST or JSON, these APIs give enterprises an efficient way to open up information to services running in the Cloud and apps running on mobile devices like the iPad.

However, securing and governing the lifecycle and operation of these APIs is not straightforward. It requires new approaches to access, protection and management. This invariably requires adoption of new technologies such as OAuth, which are not yet well understood.

    Presentation Transcript

    • A Practical Guide to API Security and OAuth for the Enterprise. K. Scott Morrison, CTO and Chief Architect, Layer 7 Technologies, Inc.; Eve Maler, Principal Analyst, Forrester Research, Inc.
    • Housekeeping. Questions: chat any questions you have and we’ll answer them at the end of this call. Today’s event hashtag: #L7webinar. Follow us on Twitter as well: @KScottMorrison, @xmlgrrl, @layer7, @forrester. Also facebook.com/layer7, layer7.com/linkedin, layer7.com/blogs. Layer 7 Confidential 2
    • OAuth As A Serious API Security Tool For Enterprises: A Practical Overview. Eve Maler, Principal Analyst. © 2009 Forrester Research, Inc. Reproduction Prohibited
    • “API economy” technologies and habits are trickling down into the enterprise. Leverage OAuth’s strengths for modern service and app security scenarios while steering clear of its dangers.
    • Agenda: Web services are opening up — and paying a security price. OAuth is a powerhouse of API security and SSO solutions. Leverage OAuth’s ascendance while minding its weaknesses.
    • Web APIs aren’t toys; they’re business-enabling tools for retail, content delivery, financial transactions . . .
    • Security pros’ control over developers diminishes with distance.
    • A variety of pressures make traditional security and access control methods less viable.
    • Agenda: Web services are opening up — and paying a security price. OAuth is a powerhouse of API security and SSO solutions. Leverage OAuth’s ascendance while minding its weaknesses.
    • Web 2.0 players originally invented OAuth simply to solve the “password antipattern.”
    • At base, OAuth lets a person delegate constrained access from one app to another. Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
    • Using the OAuth approach helps manage risk, cost, and complexity in environments that need Zero Trust:
      - Gets client apps out of the business of storing passwords
      - Allows for a variety of user authentication methods
      - Allows app access to be tracked and revoked on a per-client basis
      - Allows for least-privilege access to API features
      - Can capture explicit user authorization for access
      - Lowers the cost of secure app development
      - Bonus: solves a much larger class of needs around security, identity, access, and privacy
    • In consumer-facing scenarios, services can audit who made each API call on whose behalf. Third parties offer productivity apps to eBay sellers that list items and do other tasks through the eBay API. These apps never see the seller’s eBay credentials. They don’t merely “impersonate” the seller. Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
    • In extranet and SaaS integration scenarios, services can consume SAML:
      - Partner apps integrate with the construction firm’s valve-design service
      - On-site partner engineers log in to their home systems through a tablet
      - They can then use apps that call the valve-design service through SAML SSO
      Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
    • OAuth-native SSO is “off label” but popular for unifying user-present and user-absent experiences. Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
    • “Two-legged” userless A2A scenarios enable uniform auditing and compliance for low-level services, including services such as: calculating sales tax, formatting shipping labels, verifying credit card numbers, performing HTML code checking. Most scenarios separate these two server functions. Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
    • Agenda: Web services are opening up — and paying a security price. OAuth is a powerhouse of API security and SSO solutions. Leverage OAuth’s ascendance while minding its weaknesses.
    • Simplicity doesn’t have to equal insecurity — if you use and insist on good OAuth practices.
      Server-side:
      - Establish UX standards for users’ “consent ceremonies.”
      - Use the strongest protocol options your ecosystem will tolerate.
      - If your use of OAuth involves cryptographic algorithms, reuse a well-tested library.
      Client-side:
      - Store OAuth tokens and other secrets securely.
      - Fully protect the use of your callback endpoint.
      - If you depend on password authentication, remember you’re not immune from user credential-stealing risks such as phishing.
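    The client-side practice of fully protecting the callback endpoint, and the server-side advice to use the strongest protocol options the ecosystem tolerates, as an added example in Python. This is not code from the webinar or from the Layer 7 toolkit: `CallbackGuard`, `redirect_uri_allowed`, `pkce_verify` and the example URLs are hypothetical names. It shows a client binding each authorization request to the user’s session with an unguessable `state` that is accepted exactly once, the authorization server comparing `redirect_uri` by exact match, and, going beyond what the 2011 slides cover, PKCE (RFC 7636) as one of the stronger protocol options available today.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def query_params(url):
    """First value of each query-string parameter in url."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def s256_challenge(verifier):
    """PKCE S256 transform: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class CallbackGuard:
    """Client-side bookkeeping for one user session's authorization requests (hypothetical helper).

    The pending map lives server-side, keyed by the browser session; it never goes into a
    cookie or hidden field the user could rewrite.
    """

    def __init__(self, client_id, redirect_uri, authorize_endpoint):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authorize_endpoint = authorize_endpoint
        self.pending = {}  # state -> code_verifier, one entry per outstanding request

    def begin(self, scope):
        """Build the authorization URL. `state` ties the later callback to this session;
        the PKCE challenge ties the authorization code to this client instance."""
        state, verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(48)
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
                  "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256"}
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def callback(self, url):
        """Accept the redirect only if it carries a state this session issued and has not used.
        Returns (code, code_verifier) for the token request, otherwise raises."""
        q = query_params(url)
        if "error" in q:
            raise PermissionError(f"authorization failed: {q['error']}")
        verifier = self.pending.pop(q.get("state"), None)  # one-shot: a second use is a replay
        if verifier is None:
            raise PermissionError("unknown or reused state; rejecting callback (CSRF / session fixation)")
        if not q.get("code"):
            raise PermissionError("callback carries no authorization code")
        return q["code"], verifier


def redirect_uri_allowed(registered, presented):
    """AS-side check: exact string match. Prefix or wildcard matching lets an attacker
    steer the authorization code to a path or open redirect they control."""
    return hmac.compare_digest(registered.encode(), presented.encode())


def pkce_verify(stored_challenge, presented_verifier):
    """AS-side check at the token endpoint: recompute S256 and compare in constant time."""
    return hmac.compare_digest(stored_challenge, s256_challenge(presented_verifier))
```

    The `state` value is the callback endpoint’s only defence against an attacker who tricks a victim’s browser into completing a flow with the attacker’s code; the exact-match `redirect_uri` check is the authorization server’s side of the same bargain, and the code verifier is what keeps an intercepted code from being redeemed by anyone who did not start the request.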
    • So how can you maximize value in an OAuth-enabled future?
      - Determine which scenarios resonate with your organization’s needs.
      - Ask which SaaS providers are in a position to force your hand.
      - If you will be publishing your own web APIs, catalog your client app requirements and constraints.
      - Partner with enterprise architects to plan how OAuth token handling and your current SOA infrastructure need to interact.
      - Accept some volatility around OAuth’s evolution — and even embrace it.
    • In particular, keep an eye on OAuth’s SSO futures.
    • Thank you. Eve Maler, +1 425.345.6756, emaler@forrester.com, Twitter: @xmlgrrl, www.forrester.com
    • A Practical Guide to API Security and OAuth for the Enterprise. K. Scott Morrison, CTO and Chief Architect
    • First Let’s Nail the Terminology… Resource Owner (RO) (a.k.a., the User), Client, Authorization Server (AS), Resource Server (RS)
    • Request Access – Twitter (Client), Facebook (AS)
    • Authorization Grant – Twitter (Client), Facebook (AS); finger of the Resource Owner
    • Authorization Granted – Twitter (Client), Facebook (AS)
    • API Call (request for Protected Resource) from Twitter (Client) to Facebook (RS)
    • Manage Twitter (Client) Access – Facebook (AS)
    • Manage Flipboard (Client) Access – Facebook (AS)
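    The four roles from the terminology slide and the request / grant / API call / manage-access sequence walked through in the Twitter and Facebook screenshots above, together with the per-client revocation, least-privilege scoping and two-legged A2A points from the Forrester half, as an added example in Python. This is not the Layer 7 toolkit or any code from the webinar: `AuthorizationServer`, `resource_server`, the `recipes:read` and `recipes:write` scopes, the example URLs and the user `alice` are all made up for the walk-through, and in-memory dicts stand in for the persistence, revocation and token-validation pieces the capability slide lists.

```python
import hashlib
import hmac
import secrets
import time


class AuthorizationServer:
    """In-memory AS: registers clients, issues codes and tokens, introspects, revokes."""
    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}

    def register_client(self, name, redirect_uri, allowed_scopes):
        client_id, secret = f"{name}-{secrets.token_hex(4)}", secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret_hash": hashlib.sha256(secret.encode()).hexdigest(),
                                   "redirect_uri": redirect_uri,  # compared by exact match only
                                   "allowed_scopes": frozenset(allowed_scopes)}  # registration ceiling
        return client_id, secret

    def authorize(self, client_id, redirect_uri, requested_scope, user, user_approves):
        """Authorization endpoint: the user sees the requested scopes and may grant a subset."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        requested = set(requested_scope.split())
        if not requested <= client["allowed_scopes"]:
            raise PermissionError("invalid_scope")
        granted = requested & set(user_approves)  # least privilege: only what the user consented to
        if not granted:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "sub": user, "scope": granted, "exp": time.time() + 60}
        return code

    def token(self, grant_type, client_id, client_secret, code=None):
        """Token endpoint: authenticate the client, then honour the grant."""
        client = self.clients.get(client_id)
        presented = hashlib.sha256(client_secret.encode()).hexdigest()
        if client is None or not hmac.compare_digest(presented, client["secret_hash"]):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            grant = self.codes.pop(code, None)  # codes are single use
            if grant is None or grant["client_id"] != client_id or grant["exp"] < time.time():
                raise PermissionError("invalid_grant")
            sub, scope = grant["sub"], grant["scope"]
        elif grant_type == "client_credentials":  # two-legged: no resource owner involved
            sub, scope = None, set(client["allowed_scopes"])
        else:
            raise PermissionError("unsupported_grant_type")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "sub": sub, "scope": scope,
                                     "exp": time.time() + 3600, "revoked": False}
        return {"access_token": access_token, "token_type": "Bearer", "scope": " ".join(sorted(scope))}

    def introspect(self, access_token):
        t = self.tokens.get(access_token)
        if t is None or t["revoked"] or t["exp"] < time.time():
            return {"active": False}
        return {"active": True, "client_id": t["client_id"], "sub": t["sub"], "scope": t["scope"]}

    def revoke_client(self, client_id):
        """Per-client revocation: pull one app's access without touching any other app."""
        victims = [t for t in self.tokens.values() if t["client_id"] == client_id and not t["revoked"]]
        for t in victims:
            t["revoked"] = True
        return len(victims)


ROUTES = {("GET", "/recipes"): "recipes:read", ("POST", "/recipes"): "recipes:write"}


def resource_server(auth, method, path, authorization=None):
    """The protected API (the demo's recipe service); trusts only tokens the AS vouches for."""
    needed = ROUTES.get((method, path))
    if needed is None:
        return 404, {"error": "not_found"}
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    info = auth.introspect(authorization[len("Bearer "):])
    if not info["active"]:
        return 401, {"error": "invalid_token"}
    if needed not in info["scope"]:
        return 403, {"error": "insufficient_scope"}
    # Audit record: which client called, on whose behalf (None for a two-legged call).
    return 200, {"client_id": info["client_id"], "on_behalf_of": info["sub"]}


def run_flow():
    """Walk the slides' sequence and return what each step observed."""
    auth = AuthorizationServer()
    app_id, app_secret = auth.register_client("twitter", "https://twitter.example/cb",
                                              ["recipes:read", "recipes:write"])
    # Request access; the user approves only the read scope; the code is exchanged for a token.
    code = auth.authorize(app_id, "https://twitter.example/cb", "recipes:read recipes:write",
                          user="alice", user_approves=["recipes:read"])
    hdr = "Bearer " + auth.token("authorization_code", app_id, app_secret, code=code)["access_token"]
    # Two-legged A2A call: a backend service with no user present.
    svc_id, svc_secret = auth.register_client("taxsvc", "https://tax.example/cb", ["recipes:read"])
    svc_hdr = "Bearer " + auth.token("client_credentials", svc_id, svc_secret)["access_token"]
    result = {"read": resource_server(auth, "GET", "/recipes", hdr)[0],                        # 200
              "write": resource_server(auth, "POST", "/recipes", hdr)[0],                      # 403
              "a2a_sub": resource_server(auth, "GET", "/recipes", svc_hdr)[1]["on_behalf_of"]}  # None
    auth.revoke_client(app_id)  # manage access: revoking the Twitter app leaves the tax service alone
    result["after_revoke"] = resource_server(auth, "GET", "/recipes", hdr)[0]         # 401
    result["svc_after_revoke"] = resource_server(auth, "GET", "/recipes", svc_hdr)[0]  # 200
    return result
```

    The resource server never sees a password and never decides who the user is; it asks the authorization server whether the presented bearer token is still live and what it is good for, which is what makes per-client revocation and the “who called, on whose behalf” audit trail possible.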
    • Comprehensive REST Access Control Needs *all of this*:
      - OAuth Clients: provisioning, persistence, querying, metrics, revocation
      - OAuth Tokens: approval flow, persistence, querying, metrics, refresh
      - OAuth Authorization Server: policy modeling, OAuth protocol, identity integration, token issuing, token refresh, SLA enforcement
      - Protected Resource Server: policy modeling, token validation (Bearer, MAC, SAML), identity integration, integrity check, API proxying, SLA enforcement
      - Analytics: reports, monitoring, SLAs, alerting
    • The Layer 7 OAuth Toolkit Provides *all of this* (the same capability map: OAuth clients, OAuth tokens, authorization server, protected resource server, analytics). Omg, it’s full of win
    • Today’s Demo: Resource Owner (RO) (a.k.a., the User), Client, Authorization Server (AS), Resource Server (RS). Get Recipe
    • Demo. To View the Demo, Download a Recording of This Webinar in Layer 7 Resource Library: Layer7.com/library