
Managing API Security in SaaS and Cloud



This presentation explains how to expose APIs in a controlled, secure manner. To control and secure APIs in this way requires an API management system able to address versioning and meter consumption without burdening either third-party developers or application consumers.

Published in: Technology, Business

  • 1. Managing API Security. Liam Lynch, Chief Security Strategist, eBay; Founder and Identity Strategist, CSA. Feb 23, 2011
  • 2. Web services security
    - Large-scale public services need scale, but granular security as well
    - Service fabrics such as REST are valuable for agile development
    - Many consumers of services can't use SOAP or other forms of XML request/response
    - Whatever the protocol, there needs to be protection and dynamic service delivery
  • 3. Service protection
    - Early on, protection for services was SSL and access tokens
    - The typical use case was third-party iframe invocation in client browsers
    - REST was a step up in protection, but the typical use case was still dangerous
    - Full SOAP/XML-based services using standards (XML Encryption and SAML) are better, but elude the typical use case
    - Until…
  • 4. Service abstraction
    - Service abstraction allows for denial-of-service protection
    - Abstraction allows older services to be upgraded without rewriting code
    - Abstraction allows for integrated service delivery
    - Abstraction allows for upgrading security and service standards
    - Abstraction allows for increased security by coordinating with…
  • 5. Service orchestration
    - Orchestration provides a capability to bring in service delivery components just in time
    - Security-level orchestration leverages abstraction to enable evaluation at run time
    - The typical use case could be easily enabled by SAML browser tokens and orchestration of identity provider assertions
    - Policies for access can be orchestrated from a variety of sources depending on client access and other factors such as service authorization
  • 6. Summary
    - Service protection has a history of proprietary and troublesome interoperability issues
    - Service abstraction enables better service security by introducing a standards-based layer in front of service platforms
    - Service orchestration enables better security by leveraging service abstraction and injecting standards-based security and policy evaluation
  • 7. Managing API Security: Common Patterns and Case Studies. K. Scott Morrison, CTO and Chief Architect, Layer 7. Feb 23, 2011
  • 8. Has A Problem…
    [Diagram: the API; internal hosts behind Firewall-2; Firewall-1; internal data center, DMZ, partner, the Internet]
    How can LargeCorp securely publish and manage their new API?
  • 9. Cloud-based Security & Management Is Too Remote
    [Diagram: the API; internal hosts, Firewall-1, Firewall-2, internal data center, DMZ; a cloud security offering; hackers; "the last 1000 miles…"]
  • 10. Layer 7: The Enterprise Solution For Service Protection
    Keep security and API management close to the API
    [Diagram: the API, operator, internal data center, partner, DMZ]
    - Military-grade security for REST and SOAP APIs/services
    - Complete visibility into use patterns
    - Integration into existing infrastructure
    - Identity & Access Mgmt, portals, operations, billing, etc.
  • 11. Case Study: Publishing Web-based APIs
    Problem: A leading European car portal wanted to securely expose auto and ecommerce information to third-party developers.
    Solution: Layer 7 authorizes/authenticates third-party developers attaching to ecommerce APIs directly or via a Web portal; throttles backend traffic to maintain Quality of Service targets.
    Results: increased revenue by monetizing their APIs; increased traffic, exposure and brand through third-party Web sites, applications and services based on automobile-focused Web service APIs.
  • 12. But Now Has A New Problem…
    [Diagram: internal hosts, Firewall-1, Firewall-2, internal data center, DMZ; lots of APIs, lots of developers]
    How can LargeCorp scale API management?
  • 13. The Enterprise Solution For Service Abstraction
    Management of APIs the way applications are managed
    [Diagram: internal hosts, internal data center, DMZ; lots of developers; a provider view and a developer view]
    - Full policy life-cycle management
    - Policy versioning, roll-back, audit
    - Policy migration (dev-test-prod)
    - Clear separation of duties
    - Role-based Access Control (RBAC)
    - APIs for integration with existing infrastructure and tools
  • 14. Case Study: Publishing Information Service APIs
    Problem: A leading global publisher needed to allow customers and partners to use Google Apps to access multiple, existing information services.
    Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration.
    "Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close." SOA Architect, world's leading publisher of science and health information
    Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering.
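    The slides describe the front layer in words only: a standards-based layer in front of the service platforms (slides 4 to 6) that authenticates callers, evaluates a versioned, auditable access policy (slide 13) and throttles backend traffic (slides 11 and 14). The following Python sketch is an added illustration of what such a layer does per request; it is not the presentation's code and not Layer 7's or eBay's product. The HMAC-signed token format, the client ids, routes, scopes, limits and the versioned policy table are all constructed assumptions, and the backend is a stub, since the point of abstraction is that the backend never sees a request the policy has not allowed.

```python
"""Constructed example of a policy-enforcing API front layer (assumed design,
not the presentation's product): token check, versioned route policy,
per-client sliding-window throttling, and an audit trail of every decision."""
import hashlib
import hmac
from collections import defaultdict, deque

# Assumed shared secret used to sign access tokens (constructed for the demo).
SECRET = b"constructed-demo-secret"
WINDOW_SECONDS = 60


def mint_token(client_id: str, scope: str, expires_at: int) -> str:
    """Issue a token of the form 'client|scope|exp|hmac' (assumed format;
    field values must not contain '|')."""
    payload = f"{client_id}|{scope}|{expires_at}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token: str, now: int):
    """Return {'client_id', 'scope'} for a valid, unexpired token, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    client_id, scope, exp, sig = parts
    expected = hmac.new(SECRET, f"{client_id}|{scope}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison, so a forged signature leaks nothing via timing.
    if not hmac.compare_digest(sig, expected):
        return None
    if not exp.isdigit() or int(exp) <= now:
        return None
    return {"client_id": client_id, "scope": scope}


# Versioned policy table (assumed): route -> required scope and calls per window.
# Older versions stay available, so a bad policy can be rolled back without
# touching backend code.
POLICY_VERSIONS = {
    1: {"/v1/cars": {"scope": "cars:read", "limit": 2}},
    2: {"/v1/cars": {"scope": "cars:read", "limit": 2},
        "/v1/orders": {"scope": "orders:write", "limit": 1}},
}


class Gateway:
    """Front layer that decides before any request reaches a backend service."""

    def __init__(self, policy_version: int = 2, backend=None):
        self.policy_version = policy_version
        self.policy = POLICY_VERSIONS[policy_version]
        # The backend is abstracted away; the default stub just echoes the call.
        self.backend = backend or (lambda route, client: {"route": route, "client": client})
        self.hits = defaultdict(deque)   # (client_id, route) -> request timestamps
        self.audit = []                  # every allow/deny decision, in order

    def _log(self, route, client, status, reason, now):
        self.audit.append({"t": now, "route": route, "client": client,
                           "status": status, "reason": reason,
                           "policy_version": self.policy_version})

    def _deny(self, route, client, status, reason, now):
        self._log(route, client, status, reason, now)
        return status, {"error": reason}

    def handle(self, route: str, token: str, now: int):
        """Return (http_status, body) for one request at time 'now' (seconds)."""
        ident = verify_token(token, now)
        if ident is None:
            return self._deny(route, None, 401, "invalid or expired token", now)
        client = ident["client_id"]
        rule = self.policy.get(route)
        if rule is None:  # default deny: routes without a policy never reach a backend
            return self._deny(route, client, 404, "no policy for route", now)
        if rule["scope"] != ident["scope"]:
            return self._deny(route, client, 403, "scope not permitted", now)
        window = self.hits[(client, route)]
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()  # drop hits that fell out of the sliding window
        if len(window) >= rule["limit"]:
            return self._deny(route, client, 429, "rate limit exceeded", now)
        window.append(now)
        self._log(route, client, 200, "allowed", now)
        return 200, self.backend(route, client)


if __name__ == "__main__":
    gw = Gateway(policy_version=2)
    tok = mint_token("dev-42", "cars:read", expires_at=2000)
    for t in (1000, 1001, 1002):
        print(t, gw.handle("/v1/cars", tok, now=t))   # third call is throttled (429)
    print(gw.handle("/v1/orders", tok, now=1003))     # wrong scope (403)
```

Two design points carry over from the slides. Every decision, allowed or denied, lands in the audit list with the policy version that produced it, which is what makes roll-back and after-the-fact review possible. And the backend is never consulted on a denied request, so throttling and authorization failures cost the backend nothing, which is the denial-of-service protection the abstraction slide claims.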
  • 15. Finally, How Will Automate?
    [Diagram: virtualization infrastructure; high usage volumes; internal data center, DMZ]
    How can LargeCorp react to rapid changes in scale?
  • 16. The Enterprise Solution For Service Orchestration
    Secure and automated co-ordination of all infrastructure to maintain SLAs
    [Diagram: virtualization farm and virtualization API; switches, load balancers, etc.; audit DB; high usage volumes; internal data center, DMZ]
    - Orchestration using GUI tools
    - Fully integrated into security context
    - Parallelized access
    - Connectors to HTTP, TCP, SSH, FTP, JMS, SNMP, SMTP, MQSeries, etc.
  • 17. Case Study: IaaS & PaaS API Security
    Problem: A leading cloud IaaS and PaaS provider needed to allow customers to self-provision and self-manage private cloud resources without compromising the cloud provider's virtualized infrastructure.
    Solution: Layer 7 provides integration with and API management for this provider's management and billing systems, EMC storage, and VMware vCloud Director; provides security/threat protection, and ensures SLA/QoS levels are met.
    Results: with Layer 7 in place, the provider's customers can create and manage their own private cloud as if it were a true extension of their enterprise.
  • 18. For further information: K. Scott Morrison, Chief Technology Officer & Chief Architect, Layer 7 Technologies, 1100 Melville St, Suite 405, Vancouver, B.C. V6E 4A6, Canada. (800) 681-9377, smorrison@layer7tech.com, http://www.layer7tech.com. February 23, 2011