Managing API Security in SaaS and Cloud



Opening SaaS applications and cloud services to outside developers is becoming critical for cloud-enterprise integration, information sharing across affiliate Web sites, and mobile/tablet access to data. Controlling how APIs are securely exposed to different consumers requires a simple, scalable way to manage API security, handle versioning and meter consumption without burdening either application developers or application consumers.

Join eBay's Chief Security Strategist Liam Lynch and Layer 7's CTO Scott Morrison for this presentation.


  1. Managing API Security. Liam Lynch, Chief Security Strategist, eBay; Founder and Identity Strategist, CSA. Feb 23, 2011.
  2. Web services security. Large-scale public services need scale, but also granular security. Service fabrics such as REST are valuable for agile development. Many consumers of services can't use SOAP or other forms of XML request/response. Whatever the protocol, there needs to be protection and dynamic service delivery.
  3. Service protection. Early on, protection for services was SSL and access tokens. The typical use case was third-party iframe invocation in client browsers. REST was a step up in protection, but the typical use case was still dangerous. Full SOAP/XML-based services using standards (XML Encryption and SAML) are better but elude the typical use case. Until…
  4. Service abstraction. Service abstraction allows for denial-of-service protection. Abstraction allows older services to be upgraded without rewriting code. Abstraction allows for integrated service delivery. Abstraction allows for upgrading security and service standards. Abstraction allows for increased security by coordinating with…
  5. Service orchestration. Orchestration provides a capability to bring in service delivery components just in time. Security-level orchestration leverages abstraction to enable evaluation at run time. The typical use case could be easily enabled by SAML browser tokens and orchestration of identity provider assertions. Policies for access can be orchestrated from a variety of sources depending on client access and other factors such as service authorization.
  6. Summary. Service protection has a history of proprietary and troublesome interoperability issues. Service abstraction enables better service security by introducing a standards-based layer in front of service platforms. Service orchestration enables better security by leveraging service abstraction and injecting standards-based security and policy evaluation.
  7. Managing API Security: Common Patterns and Case Studies. K. Scott Morrison, CTO and Chief Architect, Layer 7. Feb 23, 2011.
  8. LargeCorp Has A Problem… (Diagram: the Internet and a Partner on the outside; Firewall-1, the DMZ, Firewall-2, and the API on internal hosts in the internal data center.) How can LargeCorp securely publish and manage their new API?
  9. Cloud-based Security & Management Is Too Remote. (Diagram: a cloud security offering out on the Internet, facing hackers; Firewall-1, the DMZ, Firewall-2 and the API on internal hosts in the internal data center behind it. The last 1000 miles…)
  10. Layer 7: The Enterprise Solution For Service Protection. Keep security and management close to the API. (Diagram: the API operator, internal data center, DMZ, partner.) Military-grade security for REST and SOAP APIs/services; complete visibility into use patterns; integration into existing infrastructure: identity & access management, portals, operations, billing, etc.
  11. Case Study: Publishing Web-based APIs. Problem: a leading European car portal wanted to securely expose auto and ecommerce information to third-party developers. Solution: Layer 7 authenticates and authorizes third-party developers attaching to ecommerce APIs directly or via a Web portal, and throttles backend traffic to maintain Quality of Service targets. Results: increased revenue by monetizing their APIs; increased traffic, exposure and brand through third-party Web sites, applications and services based on the automobile-focused Web service APIs.
  12. But Now LargeCorp Has A New Problem… (Diagram: lots of APIs on internal hosts behind Firewall-1, the DMZ and Firewall-2; lots of developers outside.) How can LargeCorp scale API management?
  13. The Enterprise Solution For Service Abstraction. Management of APIs the way applications are managed. (Diagram: a provider view over the internal data center and a developer view over the DMZ.) Full policy life-cycle management; policy versioning, roll-back, audit; policy migration (dev-test-prod); clear separation of duties; role-based access control (RBAC); APIs for integration with existing infrastructure and tools.
  14. Case Study: Publishing Information Service APIs. Problem: a leading global publisher needed to allow customers and partners to use Google Apps to access multiple existing information services. Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP; and provides API aggregation and orchestration. "Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close." (SOA Architect, world's leading publisher of science and health information.) Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering.
  15. Finally, How Will LargeCorp Automate? (Diagram: virtualization infrastructure and high usage volumes across the internal data center and DMZ.) How can LargeCorp react to rapid changes in scale?
  16. The Enterprise Solution For Service Orchestration. Secure and automated co-ordination of all infrastructure to maintain SLAs. (Diagram: virtualization farm, API switches, load balancers, audit DB, high usage volumes, internal data center, DMZ.) Orchestration using GUI tools; fully integrated into the security context; parallelized access; connectors to HTTP, TCP, SSH, FTP, JMS, SNMP, SMTP, MQSeries, etc.
  17. Case Study: IaaS & PaaS API Security. Problem: a leading cloud IaaS and PaaS provider needed to allow customers to self-provision and self-manage private cloud resources without compromising the cloud provider's virtualized infrastructure. Solution: Layer 7 provides integration with, and API management for, this provider's management and billing systems, EMC storage, and VMware vCloud Director; provides security and threat protection; and ensures SLA/QoS levels are met. Results: with Layer 7 in place, the provider's customers can create and manage their own private cloud as if it were a true extension of their enterprise.
  18. For further information: K. Scott Morrison, Chief Technology Officer & Chief Architect, Layer 7 Technologies, 1100 Melville St, Suite 405, Vancouver, B.C. V6E 4A6, Canada. (800) 681-9377. smorrison@layer7tech.com, http://www.layer7tech.com. February 23, 2011.
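The slides above describe the pattern in prose only: an abstraction layer in front of the backend that authenticates the consumer (slide 3's "SSL and access tokens"), applies an access policy evaluated at run time (slide 5), throttles per consumer to protect backend QoS (slide 11), and keeps that policy versioned, auditable and roll-back-able as data rather than code (slides 13 and 14). The following is an added example written for this page, not Layer 7 or eBay code. It assumes an HMAC-signed `consumer|expiry|tag` token format, a constructed shared signing key, hypothetical consumer names (`dev-a`, `dev-b`) and a hypothetical `Policy` structure; a real gateway would validate SAML or similar assertions from an identity provider and keep the key in a KMS/HSM.

```python
"""Toy API-gateway policy layer, written for this page as an illustration.

Not Layer 7 (or eBay) code. It combines: a signed access token checked in
front of the backend, an access policy evaluated per request, a per-consumer
rate limit, and policies kept as versioned data with an audit trail and rollback.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed signing key shared by the token issuer and the gateway (assumption;
# a deployment would keep this in a KMS/HSM and rotate it).
GATEWAY_KEY = b"constructed-demo-key-not-for-real-use"


def issue_token(consumer: str, expires_at: int) -> str:
    """Mint 'consumer|expiry|tag' where tag = HMAC-SHA256(key, 'consumer|expiry')."""
    payload = f"{consumer}|{expires_at}"
    tag = hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the consumer name if the token is authentic and unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    consumer, expires_at, tag = parts
    expected = hmac.new(GATEWAY_KEY, f"{consumer}|{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    if int(expires_at) <= now:
        return None
    return consumer


@dataclass(frozen=True)
class Policy:
    """Business rules as data: which path prefixes a consumer may call, and how often."""
    version: int
    allowed_prefixes: Dict[str, Tuple[str, ...]]
    rate_per_minute: Dict[str, int]


# Hypothetical policy versions for a single third-party developer key.
POLICY_V1 = Policy(1, {"dev-a": ("/cars/",)}, {"dev-a": 3})
POLICY_V2 = Policy(2, {"dev-a": ("/cars/", "/orders/")}, {"dev-a": 3})


class Gateway:
    def __init__(self, policy: Policy) -> None:
        self.activations: List[Policy] = [policy]        # audit trail of every activation
        self.active = policy
        self.counters: Dict[Tuple[str, int], int] = {}   # (consumer, minute) -> calls seen

    def activate(self, policy: Policy) -> None:
        self.activations.append(policy)
        self.active = policy

    def rollback(self, version: int) -> None:
        """Re-activate an earlier version; the trail still records the rolled-back one."""
        previous = next(p for p in reversed(self.activations) if p.version == version)
        self.activate(previous)

    def handle(self, token: str, path: str, now: int) -> Tuple[int, str]:
        """Authenticate, authorize, then throttle; only a 200 would reach the backend."""
        consumer = verify_token(token, now)
        if consumer is None:
            return 401, "invalid or expired token"
        if not path.startswith(self.active.allowed_prefixes.get(consumer, ())):
            return 403, f"{consumer} not authorized for {path} (policy v{self.active.version})"
        key = (consumer, now // 60)
        self.counters[key] = self.counters.get(key, 0) + 1
        if self.counters[key] > self.active.rate_per_minute.get(consumer, 0):
            return 429, f"rate limit exceeded for {consumer}"
        return 200, f"forwarded {path} to backend for {consumer}"


def demo() -> List[int]:
    """Walk one consumer through the gateway; returns the status codes seen, in order."""
    now = 1_700_000_000                      # constructed clock value (seconds)
    gw = Gateway(POLICY_V1)
    good = issue_token("dev-a", now + 3600)
    expired = issue_token("dev-a", now - 1)
    forged = good[:-1] + ("0" if good[-1] != "0" else "1")   # flip one hex digit of the tag
    codes = [
        gw.handle(good, "/cars/search", now)[0],        # 200: authorized, call 1 of 3
        gw.handle(good, "/orders/recent", now)[0],      # 403: v1 does not allow /orders/
        gw.handle(expired, "/cars/search", now)[0],     # 401: expired
        gw.handle(forged, "/cars/search", now)[0],      # 401: bad HMAC tag
        gw.handle(good, "/cars/search", now)[0],        # 200: call 2 of 3
        gw.handle(good, "/cars/search", now)[0],        # 200: call 3 of 3
        gw.handle(good, "/cars/search", now)[0],        # 429: over the per-minute limit
        gw.handle(good, "/cars/search", now + 60)[0],   # 200: new one-minute window
    ]
    gw.activate(POLICY_V2)
    codes.append(gw.handle(good, "/orders/recent", now + 120)[0])   # 200: allowed by v2
    gw.rollback(1)
    codes.append(gw.handle(good, "/orders/recent", now + 120)[0])   # 403: v1 active again
    return codes


if __name__ == "__main__":
    print(demo())
```

Order matters in `handle`: the token is checked before the policy is consulted, and authorization is decided before the throttle counter is touched, so unauthenticated or unauthorized traffic never consumes a consumer's quota or reaches the backend. Rolling back appends to the activation trail rather than rewriting it, which is what makes the "policy versioning, roll-back, audit" combination on slide 13 coherent: the audit log shows that version 2 was live and when it was withdrawn.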