Melbourne API Management Seminar


In this presentation, Mike Amundsen, Francois Lascelles and Devon Winkworth of Layer 7 Technologies provide information on:

The latest trends in the API economy and best practices and tips for securely exposing enterprise APIs
Key issues around API Management, including access control, data security/privacy, developer management and API performance management

Published in: Technology

Transcript

  • 1. API Management Breakfast Seminar. Presenters: Francois Lascelles, Chief Architect; Devon Winkworth, Solutions Architect, APAC; Mike Amundsen, Principal API Architect.
  • 2. Agenda
    - API Management Overview and Trends
    - Reaching out to Developers – B2D
    - Publishing and Consuming APIs
    - Engaging & Supporting Developers and Reporting the Results
    - Break
    - OAuth – the next step in Access Control
    - Solving Mobile Challenges
    - Customer Success Stories
    - Summary and Wrap up
  • 3. Challenges for the Modern Enterprise
    - X-Departments / X-Agency Connectivity: Real-time Supply Chain; X-agency information sharing; Media Syndication; Trading Platforms
    - Build a Developer Channel with Open APIs: Publish Public APIs Reliably; Build Developer Ecosystems; Monetize Internal Information; Socialize Applications
    - Cloud Access & Integration: SaaS Access; IaaS Integration & Governance; Hybrid Private / Public; Burst to the Cloud
    - Connect Enterprise to Mobile Apps: BYOD Employee Enablement; Field Enablement; API Developer Communities; Smart Grid
  • 4. Why APIs? The Rebirth of Applications Enterprise API Customers & Partners
  • 5. Traditional “Closed” APIs Divisions Cloud Enterprise API Mobile Partners
  • 6. The New “Open” API Divisions Cloud Open API Mobile Partners
  • 7. Third Parties are Key Divisions Cloud Open API Mobile Partners
  • 8. API Management Scope. Components: Developer, Developer Portal, API, App, API Gateway, API Management Infrastructure. Concerns: API Lifecycle; Access control; Discovery, documentation; SLA enforcement; Developer onboarding; Threat protection; Performance, scaling; Analytics; Integration; Monetization
  • 10. Attending to the Hockey Sticks More Devices More Apps More APIs
  • 11. API Developers Developers are your target audience They need great tools to use your API They know what works And they tell others about it
  • 12. Developers are your Target Audience APIs Developers Apps Users
  • 13. They need great tools to use your API Docs Getting started Sandbox Registration Samples
  • 14. Developers know what works…
    - 30 min to a quick win or else: “It was easy for me to get started with this API.”
    - Make them look good to peers and superiors: “Hey, I know just the API we can use to solve this problem.”
    - Make it easy for them to use/promote your API: “Company X has a great API, you should try it.”
    - Make it hard for them to mis-use/break your API: “This API is very intuitive.”
  • 15. …And they tell others about it.
    - Conferences: 100+ developers, designers, project leaders
    - Code-a-thons: 100- developers, API publishers, API hosts
    - Meetups: local developers, designers, leadership; User Groups (~50), Pub Nights (~25)
    - Online: wide range of highly targeted communities; forums, chat rooms, social media
  • 16. Reaching out means… Know your target audience Give them the tools they need… To do their jobs well… So they will spread the good word.
  • 18. Example: Australia Sports API. Sample API: professional sports information aggregation (teams, news, results)
  • 19. Layer 7 Gateway
    - Ensure Privacy & Security Compliance (Security Control): Authentication; Authorization & Data Leak Prevention; API Key Management; Attack Prevention; Browser Exploit Blocking
    - Optimize API Traffic: Rate Limiting; Traffic Control; Transformations
    - Supported formats: SOAP, REST, XML, JSON
  • 20. Demo: Exposing an API with the Layer 7 Gateway. Components: Gateway, API endpoint, REST Client, Policy Manager
  • 21. Layer 7 Gateway Capabilities
    - Security: Authentication for different IAM, SAML, OAuth; Authorization including OAuth, XACML Access Control; Token translation / SAML STS; Horizon call back into enterprise; Identity federation across service zones; API threat protection; XML / JSON schema validation; Data filtering, redaction; Data privacy: message- and field-level encryption; Data integrity: digital signatures, hashing, validation
    - Metering/SLA: Throttling, rate limiting, x-cluster message counter; Prioritization, traffic shaping and QoS; Content caching to reduce latency overhead; Monitoring, reporting on API usage; Activity reporting to IT management systems
    - Abstraction/Mediation: Format conversion: SOAP/REST/JSON/XML; Protocol mediation: HTTP(S), messaging, file-based, SSH; Dynamic content- and context-based routing; Composite services: in-line callouts, message enrichment; Workflow: fan-in, fan-out, looping, synch/asynch
  • 22. Layer 7 Gateway Form Factors
    - Hardware Appliance: rack mountable 1-U device; Common Criteria EAL 4+ certification, FIPS 140-2 level 3; optional hardware accelerator modules for XML, crypto
    - VMware Virtual Appliance: packaged virtual image of the hardware appliance; “VMware-ready” certified; Open Virtualization Format (OVF)
    - Software: software installation for Linux or Solaris based systems
    - AWS Virtual Appliance: instantiate from your AMI catalog; integrate with EC2, RDS, Auto Scale, ELB
  • 24. Layer 7 API Portal Objectives
    - Drive Developer Adoption: Developer Enrollment, Onboarding, API Docs, Forums, API Explorer
    - Provide Insight for all Stakeholders: Analytics, Rankings, Quotas, Task Tracking, Reporting
  • 25. Demo: API Portal. Developer portal: discover an API; try the API; register as a developer; register an application; get an API key; metrics; community
  • 26. Layer 7 API Portal Capabilities
    - Developer Management: Self-service registration and colleague enrollment; Plans are provided to help you stratify developers into tiers; Account managers assigned to help manage specific, high-value partners; Manage the generation of API keys/OAuth secrets for each developer application
    - Developer Support: Discussion Forums, integrated messaging, FAQs, Announcements to foster community among developers; API Documentation, sample code/applications; API Explorer to allow you to submit queries and see API responses interactively; Reports that measure API usage, application usage and API latency
    - Content Management: Out-of-the-box templates for API documents, landing pages, etc.; Content can be versioned and rolled back; Personalized default dashboard for all developer and publisher users; Look and feel easily changed (i.e. logos, fonts, colors, etc.); Control access to documentation and forums based on API status (i.e. private vs. public)
    - Business Management: Account tiers defined to allow for developer grouping and actions; Define unique and/or standard plans for each API; Define quotas, rate limits and other features for each API plan; Applications tracked as they move from development to test to production; Application usage measured providing developer understanding and info for planning
  • 27. Time for a Break!!
  • 29. API access control. You got an API key, now what?
    - An app is sometimes identified at runtime by including its API key in a query parameter (that doesn’t count as access control)
    - Typically, the user of the mobile app needs to be authenticated
    - Standard: OAuth 2.0
    - Multiple grant types possible
    - Opaque bearer tokens are the most common approach
  • 30. OAuth Toolkit. Better Integration – Leverage Existing Assets; Faster Time to Market; Scaling – Interpreted vs. Stateful Tokens – Caching. Covers OAuth 1, OAuth 2, 2 & 3-legged OAuth, OpenID Connect, API Protection
  • 31. Anatomy of an OAuth handshake (one of many possible grant types illustrated). Parties: OAuth Authorization Server (authorization endpoint, token endpoint), Subscriber (resource owner), Mobile App (client). Step 1: the subscriber gives consent at the authorization endpoint and the client receives an authorization code. Step 2: the client presents the code at the token endpoint and receives an access token. The access token is a shared secret.
  • 32. Why exchange a secret with an OAuth authorization server in the first place? A: In order to consume an API. The client calls the REST API endpoint with the access token from the handshake; the OAuth Resource Server (the API endpoint) maps the access token to the app and the user, and enforces access control policies.
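The handshake and token check of slides 29 to 32 carried through end to end, as an added example (not Layer 7's code or the deck's own): an authorization server issues a single-use code after consent and exchanges it for an opaque bearer token, and the resource server maps that token back to app and user and applies the access policy, treating an api_key query parameter as identification only. The client registration, client-secret authentication at the token endpoint, the scope names and the API routes are constructed assumptions for this example.

```python
import secrets
import time

# Constructed sample registration (not real credentials). Client authentication with a
# client secret is an assumption of this example; the deck only shows the code exchange.
CLIENTS = {"mobile-app": {"secret": "demo-client-secret"}}
SCOPES_FOR_API = {"GET /teams": {"teams:read"}, "POST /news": {"news:write"}}  # constructed policy

class AuthorizationServer:
    """Authorization endpoint (step 1) and token endpoint (step 2) of the handshake."""
    def __init__(self):
        self._codes = {}   # authz code -> (client_id, user, scope, expiry)
        self.tokens = {}   # opaque access token -> (client_id, user, scope, expiry)

    def authorize(self, client_id, user, scope, consent):
        # Step 1: the subscriber (resource owner) consents; the server hands the
        # client a short-lived, single-use authorization code.
        if client_id not in CLIENTS or not consent:
            return None
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, user, frozenset(scope), time.time() + 60)
        return code

    def token(self, client_id, client_secret, code):
        # Step 2: the client presents the code (and authenticates); it receives an
        # opaque bearer token, the shared secret it will use against the API.
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None
        entry = self._codes.pop(code, None)          # consumed: a replayed code fails
        if entry is None or entry[0] != client_id or entry[3] < time.time():
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, entry[1], entry[2], time.time() + 3600)
        return token

class ResourceServer:
    """API endpoint: resolves access token -> (app, user) and enforces the policy."""
    def __init__(self, authz):
        self.authz = authz   # token lookup; in practice a shared store or introspection

    def handle(self, method_path, headers, query):
        # An api_key query parameter only identifies the app; it is not access control.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            who = "app identified by api_key" if "api_key" in query else "anonymous caller"
            return 401, who + ": access token required"
        entry = self.authz.tokens.get(auth[len("Bearer "):])
        if entry is None or entry[3] < time.time():
            return 401, "invalid or expired token"
        client_id, user, scope, _ = entry
        if not SCOPES_FOR_API.get(method_path, set()) <= scope:
            return 403, f"{client_id} on behalf of {user} lacks scope for {method_path}"
        return 200, f"{method_path} served to {user} via {client_id}"
```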
  • 33. OAuth: Leverage existing identity, existing SSO. The subscriber wants to keep their SSO experience. During the handshake, API Management gets the SSO cookie and integrates with the SSO policy server (web agent) to check the SSO session, then associates the SSO cookie with the access token.
  • 34. Token Monitoring, Revocation. Track usage of live tokens; integrate with portals, BI and provider tooling through an open API; expose token revocation to the right parties (developer portal, subscriber portal, BI, API provider). Token Management looks for unusual usage patterns and revokes tokens; a compromised or exploited token then fails the token check.
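Slide 34's token management loop as an added example (not Layer 7's code): every API call is checked against a live-token table, usage is recorded per token, a token seen far above its normal rate or from too many distinct source addresses inside the window is flagged and revoked, and revocation is exposed to the parties the slide names. The thresholds and the source-address heuristic are constructed assumptions for this example.

```python
import time
from collections import defaultdict


class TokenManager:
    """Tracks use of live access tokens, flags unusual patterns, and exposes revocation."""

    def __init__(self, max_calls_per_window=100, window_seconds=60, max_sources=3):
        self.live = {}                      # token -> {"app": ..., "user": ...}
        self.revoked = {}                   # token -> who revoked it and why
        self._calls = defaultdict(list)     # token -> [(timestamp, source_ip)]
        self.max_calls = max_calls_per_window
        self.window = window_seconds
        self.max_sources = max_sources      # constructed heuristic threshold

    def issue(self, token, app, user):
        self.live[token] = {"app": app, "user": user}

    def check(self, token, source_ip, now=None):
        """Called by the API endpoint on every request: False means deny."""
        now = time.time() if now is None else now
        if token in self.revoked or token not in self.live:
            return False
        self._calls[token].append((now, source_ip))
        if self.unusual(token, now):
            self.revoke(token, by="token-management", reason="unusual usage pattern")
            return False
        return True

    def unusual(self, token, now):
        """Flag a token used far beyond the normal rate or from too many distinct sources."""
        recent = [(t, ip) for t, ip in self._calls[token] if now - t <= self.window]
        self._calls[token] = recent
        sources = {ip for _, ip in recent}
        return len(recent) > self.max_calls or len(sources) > self.max_sources

    def revoke(self, token, by, reason):
        """Revocation entry point for the dev portal, subscriber portal, BI and API provider."""
        if token in self.live:
            self.revoked[token] = {"by": by, "reason": reason}
            del self.live[token]
            return True
        return False

    def report(self):
        """Usage summary per live token, the data handed to portals and BI over an open API."""
        return {tok: len(calls) for tok, calls in self._calls.items() if tok in self.live}
```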
  • 36. Layer 7 Mobile Access Gateway A lightweight, low-latency mobile gateway for solving critical mobile challenges in the following areas:
  • 37. Demo: Mobile Access Gateway. http/websocket/xmpp/push; mobile notification hookup (APNS, Android); targeted notifications
  • 38. Layer 7 Mobile Access Gateway Capabilities
    - Identity: Map Web SSO & SAML to mobile-friendly OAuth, OpenID Connect and JSON Web Tokens; Create granular access policies at user, app and device levels; Build composite access policies combining geolocation, message content etc.; Simplify PKI-based certificate delivery and provisioning
    - Security: Protect REST, SOAP and OData APIs against DoS and API attacks; Proxy API streaming protocols like HTML5 Web Sockets and XMPP messaging; Enforce FIPS 140-2 grade data privacy and integrity; Validate data exchanges, including all JSON, XML, header and parameter content
    - Adoption: Surface any legacy application or database as RESTful APIs; Quickly map between data formats such as XML and JSON; Recompose & virtualize APIs to specific mobile identities, apps and devices; Orchestrate API mashups with configurable workflow
    - Optimisation: Cache calls to backend applications; Recompose small backend calls into efficiently aggregated mobile requests; Compress traffic to minimize bandwidth costs and improve user experience; Pre-fetch content for hypermedia-based API calls
    - Integration: Proxy and manage app interactions with social networks; Broker call-outs to cloud services like Salesforce.com; Bridge connectivity to iPhone, Windows and Android notification services; Integrate with legacy applications using ESB capabilities
  • 40. Layer 7 API Management implemented at 200+ Enterprise and Government customers, across Financial Services, Communications, Public Sector and select others
  • 41. Case Study: Publishing Telecom APIs
    - Problem: publicly exposing Telecom APIs presents some unique challenges around how they get packaged, secured and managed for easy consumption
    - Solution: SecureSpan Networking Gateway policy-based controls allowed Orange to define the message, identity and interface level security for their APIs; track usage; monitor interface health; and update APIs without breaking client applications
    - “Making Nursery [Telecom APIs] available to local, 3rd world partners has allowed Orange to overcome many of the barriers that had previously limited our growth in emerging markets.” Benoît Herard, Orange Labs
    - Results: Orange has created an agile IT platform on which to develop new offerings faster and at less cost by reusing/recomposing existing services
  • 42. Case Study: APIs Expanding Market Reach
    - Problem: wanted to securely expose existing services to third party developers in order to expand their market reach
    - Solution: Layer 7 API Proxy allows Alaska to securely expose and manage their APIs, while caching Sabre requests
    - Results: significantly grew market reach, while controlling costs associated with constantly pulling data from Sabre to service Developer requests
  • 43. Case Study: APIs Enabling the Enterprise
    - Problem: reduce cost and delay in processing Medicaid member information by bringing the process online
    - Solution: SOA Gateway allows iPad application to securely connect to backend APIs; provides data routing & guards APIs against intrusion with strict authentication, authorization and comprehensive threat protection
    - Results: improves Amerigroup’s health care coverage and member services, while increasing the effectiveness and efficiency of its Medicaid program
  • 44. Case Study: Publishing Information Service APIs
    - Problem: allow customers and partners to use Google Apps to access multiple, existing information services
    - Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration
    - “Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close.” SOA Architect, World’s leading publisher of science and health information
    - Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering
  • 45. Case Study: SaaS & Mobile Integration
    - Problem: securely integrate to SaaS services such as Salesforce.com and Workday, as well as secure mobile payments for Mastercard’s MoneySend service
    - Solution: Layer 7 securely gates all interactions with cloud-based SaaS providers and mobile applications, authenticating and authorizing all inbound/outbound interactions
    - Results: users manage only a single login/password for all systems; administrators manage a single LDAP, thereby enhancing security and lowering administration costs
  • 48. Layer 7 – One Solution for 4 Hybrid Problem Spaces
    - Across Divisions & Partners (SOA Gateway): Simplify Information Sharing; Enable Centralized Shared Services; Improve B2B; Bridge ESB Domains
    - Outside Developer Communities (API Portal): Build a developer channel; Monetize information assets; Improve customer reach; Improve customer retention
    - Cloud Access (CloudConnect): Help Enterprises Connect To The Cloud; Help Service Providers Deliver New Services; Deploy Security-as-a-cloud Service
    - Across Mobile (Mobile Access Gateway): Mobile Developer Onboarding; BYOD; Mobile application management; App security
  • 49. Established Leader
    - The Forrester Wave: SOA & API Application Gateways, Nov 2011: “Layer 7 SecureSpan is strong across the board. SecureSpan SOA Gateway scored well in all of the major functional evaluation categories…It has the broadest array of form factors and one of the strongest strategies for virtualization and cloud-based deployment.”
    - Gartner Magic Quadrant for SOA & API Governance Technologies, Oct 2011: “[Layer 7 has a] …. complete offering, with good coverage of general SOA governance (on-premises and in the cloud), B2B, ESB and API management functionality…[The Company is] fast-moving, well on its way to implementing its good vision for SOA governance and the related marketplaces.”
    - Additional Notable Recognition
  • 50. Thank You. For more information contact: Colman McCaffery, cmccaffery@layer7tech.com, +61 413 776 428