API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration Services, Adobe - Layer 7 User Conference Palo Alto

The session will enable you to understand what roles APIs play in any move to the cloud or for mobility. The presentation is NOT about technology but focuses on the decisions and considerations necessary to develop these APIs. You will also learn about some of the security “gotchas” which you should avoid! Learn about the decisions which were necessary for my company to pursue an API strategy through the Service Gateway – learn from our mistakes and come up with solid decisions for your implementation.

Published in: Technology, Business

Transcript

  • 1. API Roles in Cloud and Mobile Security
    Greg Olsen, IT Manager, Integration Services
    © 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Copyright © 2013 CA. All rights reserved.
  • 2. Agenda
    - Problem Statement
    - Service Gateway
    - API Portal
    - Current Condition
    - Q&A
  • 3. Problems: Getting on the same page
  • 4. Problem Statements
    - Problem Statement 1: Insufficient capabilities allowing for service exposure and integration with customers, partners, external service providers, and applications residing outside our internal security domain (e.g., Amazon). Missing capabilities include consistent application of security policy, SLA management and enforcement, and easily usable administration interfaces.
    - Problem Statement 2: Need a central discovery method for all enterprise APIs. Missing capabilities include metrics and documentation.
  • 5. Problem 1 Solution: Service Gateway (November 2011 until June 2012)
    - The project which drove the Service Gateway Project: Manager’s Hub
      - 1200 managers within Adobe need to approve invoices/sick leave/sabbatical forms/offer letters/etc. from internal applications (SAP) to SaaS services
      - The Manager’s Hub allows approvals to be done via smart phones, tablets and desktops – a mobile strategy
    - Second driver: SAP Hana Project
      - Implement 16 new services within Adobe and with select external vendors
      - Roll out on June 22, 2012
    - Deployed Development, Non-prod and Production in May 2012
    - Deployed first set of services into Production in June 2012
  • 6. Service Gateway: Business Capabilities & Benefits
    Capability Area | Capability Description | Business Benefits
    - Policy | Consistent service-based policies across the enterprise; ability to customize policies to meet changing or unique requirements; creation, deployment and enforcement | Ability to provide a more predictable and reliable level of service for key business functions
    - Service Level | Service performance; throughput, availability and utilization tracked over time; enforce established SLAs; rate limiting to protect backend services | Visibility to service performance measures allowing the business to track how well SLAs are being met
    - Security | Authentication and Authorization (OAuth, SAML); Denial of Service detection; encryption; XML attack and intrusion prevention (i.e., nesting, injection) | Protection of key resources through the use of state-of-the-art security mechanisms
    - Deployment | Virtual appliance (VMware, Amazon AMI, etc.); hardware-based appliance; relevant to our current environments | Leverages existing investments and allows for expansion into new environments where services are being developed
  • 7. Integration Principles, Technologies, Services and Tools
    - Architecture Principles: Loose Coupling, Simplicity, Service Orientation, Global Access, Cloud Capable, Reusability, Reliability, Transparency
    - Enabling Standards and Technologies: REST, JSON, oAuth, SAML, X.509 Certs, PKCS, PCI-DSS, TLS, EDIINT (AS2), EDIFACT, ANSI X.12, SFTP, HTTP/HTTPS, XML, XPath, XML Schema, XSLT, SOAP, WS-Security, WS-Trust, WSDL, WS-Policy, JMS
    - Products: TIBCO BW, TIBCO EMS, webMethods, Informatica, SAP PI, Tumbleweed, Corticon, PGP, Apache CXF, Layer 7 Gateway, Layer 7 API Portal
    - iPaaS Services: Service Composition, Advanced Messaging, Database Integration, Event Processing, Distributed Cache, Managed File Transfer, Service Access & Governance, B2B Integration, Business Rules Mgmt
    - iPaaS Tools (Self Service): Support Forum, Self-Service Portal, Online Training, Virtual Dev Lab
  • 8. Service Gateway Use Cases: Priorities
    - * REST to SOAP Mediation
    - Apply Policies Based on Message Data
    - * Resiliency
    - Cross-Domain Service Mediation
    - Dynamic Endpoint Lookup
    - * Scalability
    - * Authentication and Authorization
    - Distributing Policies to Service Gateway
    - Load Balancing
    - * Logging and Auditing
    - Service Level Management
    - SSL Offload
    - * Unexpected Velocity of Transactions
    - Monitoring Health of the Service Gateway
    * Required – all else is a must have but can initially live without
  • 9. Service Gateway: Concerns and Caveats
    - The Gateway is faster at processing than the software in the backend – be prepared to throttle back the velocity of data!
    - Some authentication models may not be approved for use by your security teams
      - Today, we use IMS or SSO tokens and validate against IMS or OpenAM server
      - Originally, we wanted to use oAuth
    - Speed of adoption
      - Originally we thought we’d have at least one year to ramp up
      - Once it went live, EVERYONE wanted to use it
      - Our current volume is higher than we thought we’d be after one year – plan for rapid adoption
  • 10. Problem 2 Solution: API Portal (April 2012 to August 2012)
    - Require a single location to find all the APIs flowing through the Service Gateway
    - Track usage of the APIs
    - Discovery of reusable APIs
    - Documentation
    - Sample code
  • 11. API Portal
  • 12. API Portal: Part of Layer 7’s Turnkey Solution
    Enterprise APIs:
    - 1. Publish & Secure APIs
    - 2. Onboard Developers
    - 3. Monetize your APIs
    - 4. Close the Loop
    Roles: Developer, Technical/Security Architect, Web Administrator, Business Manager
  • 13. API Portal: Concerns and Caveats
    - All want the benefits of the portal but not the work
    - Documentation needs to be completed according to templates we’ve shared
    - Most teams do not want “another set of templates” even though the value is clear
    - Adoption is slower than anticipated
    - Reticence by some of our business units to use an IT-owned and operated application
  • 14. Current Condition
    - Developers look to off-load security work to the Service Gateway for all their APIs – can’t keep up with demand!
    - InfoSec looks to the Service Gateway to ensure data is compliant with internal policies
    - Network Security looks to the Service Gateway to monitor attacks from the outside (we get scanned for vulnerabilities about once every 3 days)
    - Statistics after one year (ahead of forecast), today:
      - Ave. Calls Per Minute/Hour: 95 / 5,700
      - Max Calls Per Minute/Hour: 907 / 54,420
      - Total Number of APIs: 29
      - Number of BUs: 7
  • 15. Summary: A Few Words to Remember
    - Had two problems to solve: a central gateway for all services and APIs, and a central registry for all those services and documentation
    - Caveats
      - Agreements by all (security and application owners) prior to production roll-out
      - General agreements by all developers to use API Portal
  • 16. Q&A
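Slide 9 warns that the gateway forwards calls faster than the backend can process them, and slide 6 lists rate limiting to protect backend services as a gateway capability. The following is an added example, not code from the presentation or from Layer 7: a sliding-window throttle a gateway could apply per backend so that a burst is rejected at the edge (an HTTP 429 with a Retry-After hint) instead of being pushed onto the slower system. The capacity, window and traffic trace are constructed assumptions.

```python
from collections import deque


class BackendThrottle:
    """Sliding-window limiter placed in front of one backend service.

    Admits at most `max_calls` calls in any `window` seconds; anything
    beyond that is rejected so the backend never sees more than it can
    process. Capacity and window here are constructed assumptions."""

    def __init__(self, max_calls, window):
        self.max_calls = max_calls
        self.window = window
        self.admitted = deque()  # timestamps of calls forwarded within the window

    def _expire(self, now):
        # Drop admitted calls that have aged out of the sliding window.
        while self.admitted and now - self.admitted[0] >= self.window:
            self.admitted.popleft()

    def admit(self, now):
        """True: forward to the backend. False: reject at the gateway (429)."""
        self._expire(now)
        if len(self.admitted) < self.max_calls:
            self.admitted.append(now)
            return True
        return False

    def retry_after(self, now):
        """Seconds until the oldest admitted call leaves the window (Retry-After)."""
        self._expire(now)
        if len(self.admitted) < self.max_calls:
            return 0.0
        return self.window - (now - self.admitted[0])


def replay(throttle, arrivals):
    """Feed arrival timestamps through the throttle; return (forwarded, rejected)
    counts, the figures a gateway would record as SLA metrics."""
    forwarded = rejected = 0
    for t in arrivals:
        if throttle.admit(t):
            forwarded += 1
        else:
            rejected += 1
    return forwarded, rejected


def burst_then_steady():
    # Constructed trace: 150 calls inside the first second (e.g. mobile clients
    # retrying together), then one call per second for the next two minutes.
    return [i / 150.0 for i in range(150)] + [1.0 + s for s in range(120)]
```

With a cap of 100 calls per 60 seconds, the burst is cut to 100 forwarded calls and the steady trickle is refused until the burst ages out of the window, which is the throttling behaviour slide 9 asks you to plan for.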
