This presentation discusses how organizations can leverage API management solutions for mobile access. The iPhone, iPad and Android are changing the corporate IT landscape. Employees want access to company services and resources from their smartphones and tablets. Meanwhile, employers want to provide "everywhere access" for employees, without making costly new investments or compromising security.
Fortunately, a new class of enterprise mobile access solutions has emerged. These solutions make it simple for organizations to adapt existing data and application services for use on app-driven mobile devices, reusing existing enterprise identity and security controls.
API Management for Enterprise Mobile Access: A How-to Guide
1. API Management for Enterprise Mobile Access
A Layer 7 Technologies Solution
Matt McLarty, VP, Client Solutions, Layer 7 Technologies
2. Housekeeping
Questions
- Chat any questions you have and we'll answer them at the end of this call
Twitter
- Today's event hashtag: #L7webinar
- Follow us on Twitter as well: @layer7
Elsewhere: facebook.com/layer7, layer7.com/linkedin, layer7.com/blogs
3. Agenda
"Bring Your Own Device"
• BYOD and the App Explosion
• Innovation through Consumerization
Enterprise Mobile Integration
• Enterprise Mobility and the Mobile App Paradigm
• Leveraging Enterprise Services and Assets
Enterprise API Management
• API Publication, Security and Monetization
• Solutions and Case Studies from Layer 7 Technologies
7. Pillars of an Enterprise Mobility Strategy*
- Business Drivers
- Hardware Ownership & Support
- Deployment, Provisioning & Management
- Enterprise Services Platform
- Application Portfolio & Roadmap
- Corporate Governance & Processes
- Security Standards & Audit Processes
"By exposing access … through a standardized mobile-friendly enterprise services layer, the cost of innovation can be dramatically reduced."
* From "iPad in the Enterprise", N. Clevenger, Wiley 2011
8. Mobile App-to-Enterprise Service Integration
- Increase Revenue: existing enterprise services can create and increase revenue
- Cost Reduction: re-use of API and shared services infrastructure
- Quality of Service: leverages proven systems with enterprise SLAs
- Compliance: uses existing security policies and technologies
9. Mobile App-to-Enterprise Service Integration Challenges
Layers: Mobile Devices → Network → Enterprise Services → Data Services
- Proliferation of mobile devices increases message volumes exponentially
- BYOD approach mixes personal and business use, blurring the security perimeter
- Composite services need APIs from multiple providers, requiring federation
- APIs must be reusable across multiple mobile and non-mobile platforms
- Service APIs unavailable in mobile-friendly formats & protocols (REST, JSON)
- How to access business intelligence and Big Data in real time
- Data privacy and integrity must be preserved end-to-end
10. Enterprise Service Platform Evolution
Web Apps and Web Services (2001-2010):
Thin & Thick Client → Web Proxy → App Server → DB Server
Mobile Apps and APIs (2011 and beyond):
Mobile Apps (On-Prem, Cloud) → Mobile Access Gateway → API Server → Data Services (Hadoop, RDBMS)
11–12. The Mobile Access Gateway
Sits between Mobile Devices and the Network on one side and Enterprise Services and Data Services on the other. Each integration challenge from slide 9 maps to a gateway capability:
- Service APIs unavailable in mobile-friendly formats & protocols (REST, JSON) → Real-time bridging from SOAP, XML and legacy formats to REST, JSON mobile protocols
- Proliferation of mobile devices increases message volumes exponentially → Optimized high-scale engine for compute-intensive integration functions
- APIs must be reusable across multiple mobile and non-mobile platforms → Single logical gateway cluster configurable to handle mobile, web and B2B traffic
- BYOD approach mixes personal and business use, blurring the security perimeter → App- and API-specific security handling, including OAuth, adapts the perimeter
- Data privacy and integrity must be preserved end-to-end → Existing enterprise access control and crypto extended to App-API through Gateway
- Composite services need APIs from multiple providers, requiring federation → Federated security for 3rd-party APIs, data aggregation for composite API mashups
- How to access business intelligence and Big Data in real time → Event-aware integration capability for real-time analytic data synthesis and integration
13. Mobile App-to-Enterprise Integration Stakeholders
Mobile Apps (On-Prem, Cloud) → Mobile Access Gateway → API Server → Data Services (Hadoop, RDBMS)
- App Developer: What APIs are available and how can I use them?
- API Owner: Who is allowed to use my APIs? Are they being used?
- IT Operator: What is changing? Is everything running smoothly?
- Info Security: How is our data being protected and access controlled?
14. Layer 7 API Management Suite
API Proxy
- Enterprise-grade Mobile Access Gateway
API Portal
- Developer on-boarding, support and resources
- API metrics and reporting
Enterprise Service Manager (ESM)
- API migration, management and dashboarding
Secure OAuth Toolkit
- Support for 2- and 3-legged OAuth
15. API Management – How it All Works
Enterprise APIs
1. Publish & Secure APIs (Security Architect)
2. Onboard Developers (Developer)
3. Monetize your APIs (Business Manager / API Owner)
4. Close the Loop (IT Operator)
16. Mobile Access Gateway – API Proxy
Enterprise APIs: 1. Publish & Secure APIs
Feature/Function – API Proxy
- Credentialing: Y
- Custom Assertion SDK: Y
- JDBC support: Y
- SAML support: Full
- Convert SOAP<->REST: Y
- WS-* support: Y
- XACML support: Y
- MTOM support: Y
- Transports supported: JMS, MQ, FTP(s), HTTP(s), raw TCP
- Concurrent Assertion support: Y
- OAuth support: 1.0 and 2.0, HMAC, RSA
- Rate Limiting: Y
- Multiple Form Factors: Hardware, Software, VMware, AMI
17. Mobile Access Gateway – OAuth
• Plug in your ID providers, IAM, CA SiteMinder, OAM, …
• Plug in any developer portal, API key management system
Layer 7 implements the OAuth Authorization Server, and the OAuth Resource Server for your REST services and APIs.
Flow:
1. Handshake: the client application (REST client) authenticates to the Authorization Server; the API Dev Portal or Client API Key store is consulted for the handshake only (optional), and the resource owner (subscriber) is authenticated against the ID Provider
2. Service call: the client presents the issued token to the Resource Server in front of the REST services
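A minimal model of the two-step flow above, added here as an illustration and not Layer 7's own code: a toy gateway acts as both Authorization Server (handshake: validate the app's API key from a portal key store, authenticate the resource owner against a pluggable ID provider, issue a scoped expiring bearer token) and Resource Server (service call: check token validity, scope and a per-client rate limit before forwarding). The API key store, ID provider entries and scope names are constructed sample data.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample data for this illustration (not a real deployment):
# API keys as issued by a developer portal, and a stand-in for an ID provider
# (in practice an LDAP directory, SiteMinder, OAM, etc. would answer this lookup).
API_KEY_STORE = {"app-key-123": {"client": "ipad-expense-app", "scopes": {"expenses:read"}}}
ID_PROVIDER = {"alice": "correct horse battery staple"}

@dataclass
class Token:
    client: str
    owner: str
    scopes: set
    expires_at: float

class MobileAccessGateway:
    """Toy gateway acting as both OAuth Authorization Server and Resource Server."""
    def __init__(self, rate_limit_per_minute=5, ttl_seconds=3600):
        self.tokens = {}   # bearer token value -> Token
        self.calls = {}    # client id -> timestamps of recent forwarded calls
        self.limit = rate_limit_per_minute
        self.ttl = ttl_seconds

    def handshake(self, api_key, username, password, scopes, now=None):
        """Step 1: authenticate the app (API key) and the resource owner (ID provider)."""
        now = time.time() if now is None else now
        app = API_KEY_STORE.get(api_key)
        stored_pw = ID_PROVIDER.get(username)
        if app is None or stored_pw is None or not hmac.compare_digest(stored_pw, password):
            return None                       # unknown app or failed owner login
        if not set(scopes) <= app["scopes"]:
            return None                       # app is not entitled to the requested scopes
        value = secrets.token_urlsafe(32)     # opaque bearer token, validated by lookup
        self.tokens[value] = Token(app["client"], username, set(scopes), now + self.ttl)
        return value

    def service_call(self, bearer, required_scope, now=None):
        """Step 2: validate the bearer token, then enforce scope and rate limit."""
        now = time.time() if now is None else now
        tok = self.tokens.get(bearer)
        if tok is None or tok.expires_at <= now:
            return 401, "invalid or expired token"
        if required_scope not in tok.scopes:
            return 403, "insufficient scope"
        recent = [t for t in self.calls.get(tok.client, []) if now - t < 60]
        if len(recent) >= self.limit:
            return 429, "rate limit exceeded"
        self.calls[tok.client] = recent + [now]
        return 200, f"forwarded to backend API on behalf of {tok.owner}"
```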
18. API Portal – Onboard and Manage Developers
Enterprise APIs
2. Onboard Developers
Feature/Function API Portal
Developer Registration Y
API Key Management Y
API Explorer Y
API Rate Limiting Y
API Reporting Y
Developer Support Y
Fully-branded CMS Y
Account Management Y
19. ESM – API Migration and Lifecycle Management
Automated dependency resolution when migrating policies between environments
Environments: Development → Test (Enterprise) → Production (Cloud), each with its own directory dependency (dev01LDAP, prod01LDAP, cloud01LDAP)
3. Monetize your APIs
20. Example Scenario – Web Application Security
Thin & Thick Client → Web Proxy → App Server → DB Server
Policy Server (e.g. SiteMinder), Directory (e.g. AD)
Monitoring & Logging
21. Example Scenario – Web Services Security
Thin & Thick Client → Web Proxy → App Server → DB Server
B2B Clients → Mobile Access Gateway (L7 SecureSpan Gateway) → App Server
Policy Server (e.g. SiteMinder), Directory (e.g. AD)
L7 Enterprise Service Manager, Monitoring & Logging
22. Example Scenario – API Management
Thin & Thick Client → Web Proxy → App Server → DB Server
B2B Clients and Mobile Apps → Mobile Access Gateway (L7 SecureSpan Gateway) → App Server
L7 API Portal
Policy Server (e.g. SiteMinder), Directory (e.g. AD)
L7 Enterprise Service Manager, Monitoring & Logging
23. Case Study: API-Enabling Health Care
Challenge: Reduce cost and delay in processing Medicaid member information by bringing the process online
Solution: Mobile Access Gateway allows iPad application to securely connect to existing backend APIs; data routing, strict authN & authZ, comprehensive threat protection
Results: Improved the provider's health care coverage and member services, while increasing the effectiveness and efficiency of its Medicaid program
24. Case Study: Mobile-Enable Airline Services
Challenge: Securely expose existing services to third-party developers in order to expand their market reach
Solution: The Layer 7 API Proxy allows the airline to securely expose and manage their APIs, while caching Sabre requests
Results: Significantly grew market reach, while controlling costs associated with constantly pulling data from Sabre to service developer requests
25. Case Study: Smart Grid Gateway
Challenge: Migrate energy services to Smart Grid technology, leveraging the new capabilities offered by additional data and communication
Solution: SOA, Web and API Security Gateway enables high-volume meter data collection, assisted service and upcoming mobile self-service for enhanced client experience
Results: Cost avoidance for higher-volume meter traffic, improved customer service through real-time channels, improved service availability through proactive system monitoring
26. Conclusions
- Employees are bringing mobile devices to work en masse… and IT groups must accommodate them without compromising security and SLAs
- Mobile Apps are being built to improve productivity and reduce cost… existing enterprise services can be used to quickly and reliably enable these apps
- Enterprise API Management integrates Mobile Apps and Enterprise Services… through a Secure Mobile Access Gateway, an API Portal, and open standards
Editor's Notes
Technical/security architects work with the Layer 7 Gateway to create policy that secures their enterprise APIs. Web administrators work with the Layer 7 API Portal to customize the look and feel, create API documentation and resources, etc., enabling developers to quickly understand how to work with the APIs and build out an application. Business Managers and API Owners tasked with monetizing their APIs (or expanding their market reach) create business rules around who can use which APIs in what ways. Those business rules created on the API Portal are written down to the Layer 7 Gateway and enforced at runtime to ensure proper API interaction.
Enterprise Service Manager also provides operational reporting and dashboarding