Identity in an API Economy KuppingerCole Webinar Sponsored by Layer 7

In an API Economy, everyone and everything has an API. That means 26 billion APIs by the year 2015. What is your organization doing to prepare for this fundamental shift in IT infrastructure? In this webinar, KuppingerCole´s Distinguished Analyst Craig Burton and Layer 7 Technologies CTO Scott Morrison explain the API Economy and the role of Identity for your organization.


  1. Craig Burton, Distinguished Analyst, KuppingerCole (cb@kuppingercole.com)
  2. Identity in an API Economy: The API Economy and SAML
     • Introduction to the API Economy ecosystem
     • The Cambrian Explosion of Everything
     • An API for everyone and everything
     • Admin-based mapping is broken
     • E2S (Entity to Service) automation: beyond SAML
     • Summary
  3. Identity in an API Economy: The API Economy. The five KuppingerCole API tenets:
     1. Everything and everyone will be API-enabled
     2. The API ecosystem is core to any cloud strategy
     3. Baking core competency into an API set is an economic imperative
     4. Enterprise inside-out
     5. Enterprise outside-in
  4. The API Ecosystem: Understanding the API Ecosystem. The API ecosystem is divided into two types of API design:
     – The API Provider: the enterprise inside-out
     – The API Consumer: the enterprise outside-in
  5. The API Ecosystem: Understanding the API Ecosystem
     • The API Provider (the enterprise inside-out), API types:
       – Open APIs: published APIs for public consumption
       – Dark APIs: unpublished APIs for closed consumption
     • The API Consumer (the enterprise outside-in), API types:
       – Open APIs: published APIs for public consumption
       – Dark APIs: unpublished APIs for closed consumption
       – Internal APIs: legacy applications with traditional information and resources
  6. The API Ecosystem: Understanding the API Economy, the billionaire club (figure)
  7. The API Ecosystem: Understanding the API Economy, Twitter unpacked
     • 13 billion API calls a day
     • 54 million+ calls an hour
     • 900,000+ calls per minute
     • 15,000+ calls per second
     Twitter traffic drove 2012 Olympic coverage, all API-driven.
  8. The API Ecosystem: Understanding the API Ecosystem (figure)
  9. The API Ecosystem: Open API Growth Rate (figure)
  10. The API Ecosystem: API Growth Rate
     • Open APIs
       – We just hit the 7,000 API mark
       – 8,000 by year end
       – 16,000 by 2015
     • Dark APIs
       – Dark APIs grow at roughly 5x (+/-) the Open API growth rate
       – 80,000 by 2015
  11. The Cambrian Explosion of Everything: growth in the Cambrian era, unprecedented growth of life (figure)
  12. The Cambrian Explosion of Everything: Apple's numbers
     • 400 million iOS devices
     • 700,000 apps
     • Average person uses 100+ apps per device
     • 84 million iPads
     • 68% market share in 2012
     • 17 million iPads sold in April-June 2012
     • More iPads than any PC vendor's entire product line
     • 94% of Fortune 500 are investing in or deploying iPads at work
  13. The Cambrian Explosion of Everything: Cisco's predictions and KC API tenet #1
     • 2.8x devices per person on the planet by 2015
     • 19.6 billion devices
     • 7 billion people
     • Tenet #1: everyone and everything is API-enabled, giving 26.6 billion APIs
  14. Broken Model: the admin-based mapping model is broken
     • The identity model for ALL current SAML-based systems does not scale
     • The identity model is admin-based
     • All entities are mapped to services by people (admins)
     • The math
       – Mapping 26.6 billion entities to just one service
       – 640,000 admins, 24 hours a day, for 5 years
       – Apple numbers: 100+/10 apps per device
     • Broken
  15. Federation is evolving
     Approach | IdPs | SPs | Type of IdP
     1:1 (e.g. with a specific supplier) | 1 | 1 | Owned by federation partner
     1:n (e.g. authN to many cloud services) | 1 | n | Owned by company
     n:1 (e.g. a service for many suppliers or cloud service customers) | n | 1 | Owned by many federation partners
     n:1 (e.g. supporting different logins) | n | 1 | Owned by whomever: Facebook, enterprise, government (eID), ...
     n:n (reality, if you look at the big picture) | n | n | Look at all the federations of your company and you have a mix
  16. The traditional federation approach: direct connections between users and apps (figure)
  17. The future federation approach: meshed/service-focused connections between users and apps (figure)
  18. E2S Automation: e2s (Entity to Service) automation, beyond admin-based SAML
     • Scalable SAML will require automation
     • Automation is enabled via APIs
     • The future of e2s identity mapping must be API-based to meet today's demand
       – 400 million+ iOS devices
       – 26.6 billion APIs
       – These numbers are conservative
  19. E2S Automation: e2s (Entity to Service) automation, beyond admin-based SAML
     • OpenID Connect is SAML's API future
       – Tractability unknown
       – No vendor is using it for automation yet
       – No vendor is doing e2s automation yet
     • SCIM (System for Cross-domain Identity Management) is a potential e2s automation protocol
     • Note: Salesforce Identity gives both of these standards a boost of reality.
  20. Identity in the API Economy: Summary
     • SAML will not support all use cases (but some)
     • Other standards are not as mature
     • That means:
       – Don't rely on an approach that is focused on traditional approaches
       – Understand these approaches as a subset of the big picture
       – Design your architecture for that big picture
       – Start with the subset you need
       – Look for technology which is built for (or whose suppliers are devoted to) the big picture
  21. Identity, Access and Privacy Using SecureSpan: Simple, Scalable Solutions for OAuth, OpenID Connect, and SCIM. K. Scott Morrison, CTO, Oct 2012
  22. The Old Enterprise: formal and structured security & connectivity
     • VPNs and proprietary protocols for thick clients
     • HTTP(S) for browsers
     • SOAP + WS-* for B2B
     Diagram: line-of-business servers on the enterprise network behind the firewall; road warriors connect with VPN, browser clients with SSL, formal trading partners with WS-Security.
  23. The New Hybrid Enterprise: highly agile security & connectivity
     • REST, OAuth, OpenID Connect, SCIM
     Diagram: internal servers and directories on the enterprise network behind the firewall; client directories, mobile devices and clouds connect through informal, API-driven integrations. Recall (from CB): the change drivers are social, mobile and cloud.
  24. The Hybrid Enterprise Is Made Possible By APIs
     Diagram: a mobile app, a web client and a web app all call the same API server. An API is a RESTful service.
  25. A Fundamental Shift is Occurring: from the Old Enterprise to the New Hybrid Enterprise. This is the secret to achieving scale and agile federation.
  26. The Problem: how do we bridge the gap between the need and a concrete implementation? Issues:
     • Agility
     • Scalability
     • Distribution
  27. First Consider The Foundation Technologies
     • OAuth: to get access to an API
     • OpenID Connect: to share information about users
     • SCIM: APIs for identity provisioning and management across domains
     Now prioritize these considering maturity and available infrastructure.
  28. Priority #1: OAuth. Make it easy; make it scale.
  29. How to Make OAuth Easy
     • Simple, drop-in virtual or hardware gateway
     • Acts as both Authorization Server (AS) and Resource Server (RS)
     • Advanced security on all APIs: threat detection, audit, QoS management, etc.
     • All authorization grants: authorization code, implicit, resource owner password credentials, client credentials
     Diagram: a SecureSpan Gateway protects the resource (RS) and a SecureSpan Gateway acts as AS on the enterprise network, behind the firewall, with the directory; mobile devices, clouds and webapps reach them through informal, API-driven integrations.
  30. How Easy? (screenshot)
  31. How Easy? (screenshot)
  32. How Easy? (screenshot)
  33. How to Make OAuth Web Scale
     Diagram: a SecureSpan Gateway cluster protecting the resource (RS) sits in the secure zone behind firewall 2; a SecureSpan Gateway cluster acting as AS sits in the DMZ behind firewall 1; a SecureSpan Gateway serves as the secure token store, backed by the directory.
  34. How to Make OAuth Scale: Architecture. The resource provider spans three zones: Internet, DMZ and internal (secure) network.
     • API Proxy Server (DMZ, accessed when the client requests resources): who is asking? which API? what scope? is the token valid? etc.
     • Authorization Server (DMZ, accessed when the client requests user authorization and tokens): prove who you are, authorize entitlement, etc.
     • Token Server (DMZ): create, check, expire, revoke, etc.
     • Internal network: Resource Server, OVP client store, Token Store, IDMS (accessible through an LDAP query)
     Endpoints are accessible through an API (between the zones) and through the OAuth protocol API (from the Internet).
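The split of duties on the scale architecture slide, as an added illustration that is not part of the deck or of the SecureSpan product: an in-memory stand-in for the token server/store (create, check, revoke) and the API proxy's four questions (who is asking, which API, what scope, is the token valid). The `TokenStore` class, the `API_SCOPES` path-to-scope mapping and the sample clients are all constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Token:
    client_id: str
    subject: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False

class TokenStore:
    # Assumed in-memory stand-in for the slide's token server/store: create, check, revoke
    def __init__(self, clock=time.time):
        self._tokens = {}
        self._clock = clock  # injectable clock so expiry can be exercised deterministically

    def create(self, client_id, subject, scopes, ttl=3600):
        value = secrets.token_urlsafe(32)  # opaque bearer value; nothing is encoded in it
        self._tokens[value] = Token(client_id, subject, frozenset(scopes), self._clock() + ttl)
        return value

    def check(self, value):
        tok = self._tokens.get(value)
        if tok is None or tok.revoked or tok.expires_at <= self._clock():
            return None
        return tok

    def revoke(self, value):
        if value in self._tokens:
            self._tokens[value].revoked = True

# Assumed mapping from proxied API path to the scope it requires (constructed sample)
API_SCOPES = {"/api/profile": "profile.read", "/api/orders": "orders.write"}

def api_proxy_authorize(store, authorization_header, path):
    # The DMZ proxy's questions from the slide: who is asking, which API, what scope, is the token valid
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return (False, "missing bearer token")
    tok = store.check(authorization_header[len("Bearer "):])
    if tok is None:
        return (False, "token invalid, expired or revoked")  # one answer for all three: no oracle
    required = API_SCOPES.get(path)
    if required is None:
        return (False, "unknown API")
    if required not in tok.scopes:
        return (False, "scope " + required + " not granted")
    return (True, tok.subject + " via " + tok.client_id)
```

The proxy never inspects the token itself; it asks the store, which is what keeps the resource server and token state off the Internet-facing tier.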
  35. Priority #2: Introduce OpenID Connect. Same three zones as the OAuth architecture.
     • Core
       – CheckID: provide ID token; validate and return claims
       – UserInfo: provide access token; get attributes (e.g. family_name, picture, gender, birthdate)
     • Optional
       – Session Management: refresh endpoint, end session endpoint
       – Dynamic Registration
       – Discovery
     • Internal network: Resource Server, OVP client store, Token Store, IDMS (accessible through an LDAP query)
     Endpoints are accessible through an API (between the zones) and to outside clients (from the Internet).
  36. Priority #3: Introduce SCIM. "...make it fast, cheap, and easy to move users in to, out of, and around the cloud." (http://www.simplecloud.info/)
     • RESTful API for user/group CRUD
     • User/group schema
  37. Summary
     • Implement OAuth now!
       – Don't roll your own
       – Plan for failure
       – Plan for scale
     • Plan for OpenID Connect
       – Understand what you need to share
       – Look to integration with existing identity providers
     • Plan for SCIM
       – Came about because of obvious need
       – Maturing very fast
  38. For further information: K. Scott Morrison, Chief Technology Officer, Layer 7 Technologies, 1100 Melville St, Suite 405, Vancouver, B.C. V6E 4A6, Canada. (800) 681-9377, smorrison@layer7tech.com, http://www.layer7tech.com. Oct 2012
