Melbourne API Management Seminar

In this presentation, Mike Amundsen, Francois Lascelles and Devon Winkworth of Layer 7 Technologies provide information on:

The latest trends in the API economy and best practices and tips for securely exposing enterprise APIs
Key issues around API Management, including access control, data security/privacy, developer management and API performance management



  1. 1. API Management Breakfast Seminar. Francois Lascelles (Chief Architect), Devon Winkworth (Solutions Architect, APAC), Mike Amundsen (Principal API Architect)
  2. 2. Agenda API Management Overview and Trends Reaching out to Developers – B2D Publishing and Consuming APIs Engaging & Supporting Developers and Reporting the Results Break OAuth – the next step in Access Control Solving Mobile Challenges Customers Success Stories Summary and Wrap up
  3. 3. Challenges for the Modern Enterprise. X-Departments / X-Agency Connectivity:  Real-time Supply Chain  X-agency information sharing  Media Syndication  Trading Platforms. Build a Developer Channel with Open APIs:  Publish Public APIs Reliably  Build Developer Ecosystems  Monetize Internal Information  Socialize Applications. Cloud Access & Integration:  SaaS Access  IaaS Integration & Governance  Hybrid Private / Public  Burst to the Cloud  Smart Grid. Connect Enterprise to Mobile Apps (Login / Password):  BYOD Employee Enablement  Field Enablement  API Developer Communities
  4. 4. Why APIs? The Rebirth of Applications Enterprise API Customers & Partners
  5. 5. Traditional “Closed” APIs Divisions Cloud Enterprise API Mobile Partners
  6. 6. The New “Open” API Divisions Cloud Open API Mobile Partners
  7. 7. Third Parties are Key Divisions Cloud Open API Mobile Partners
  8. 8. API Management Scope Developer Developer Portal API App API Gateway API Management Infrastructure  API Lifecycle  Access control  Discovery, documentation  SLA enforcement  Developer onboarding  Threat protection  Performance, scaling  Analytics  Integration  Monetization
  9. 9. Agenda API Management Overview and Trends Reaching out to Developers – B2D Publishing and Consuming APIs Engaging & Supporting Developers and Reporting the Results Break OAuth – the next step in Access Control Solving Mobile Challenges Customers Success Stories Summary and Wrap up
  10. 10. Attending to the Hockey Sticks More Devices More Apps More APIs
  11. 11. API Developers Developers are your target audience They need great tools to use your API They know what works And they tell others about it
  12. 12. Developers are your Target Audience APIs Developers Apps Users
  13. 13. They need great tools to use your API Docs Getting started Sandbox Registration Samples
  14. 14. Developers know what works… 30 min to a quick win or else “It was easy for me to get started with this API.” Make them look good to peers and superiors “Hey, I know just the API we can use to solve this problem.” Make it easy for them to use/promote your API “Company X has a great API, you should try it.” Make it hard for them to mis-use/break your API “This API is very intuitive.”
  15. 15. …And they tell others about it. Conferences 100+ developers, designers, project leaders Code-a-thons 100- developers, API publishers, API hosts Meetups Local developers, designers, leadership - User Groups (~50) - Pub Nights (~25) Online Wide range of highly targeted communities - Forums - Chat rooms - Social media
  16. 16. Reaching out means… Know your target audience Give them the tools they need… To do their jobs well… So they will spread the good word.
  17. 17. Agenda API Management Overview and Trends Reaching out to Developers – B2D Publishing and Consuming APIs Engaging & Supporting Developers and Reporting the Results Break OAuth – the next step in Access Control Solving Mobile Challenges Customers Success Stories Summary and Wrap up
  18. 18. Example: Australia Sports API Sample API: Professional sports information aggregation - Teams - News - Results
  19. 19. Layer 7 Gateway. Ensure Privacy & Security Compliance (Security Control): Authorization & Data Leak Prevention, API Key Management, Authentication, Attack Prevention, Browser Exploit Blocking. Optimize API Traffic: Rate Limiting, Traffic Control, Transformations across SOAP, REST, XML and JSON
  20. 20. Demo: Exposing an API with the Layer 7 Gateway Gateway API endpoint REST Client Policy Manager
  21. 21. Layer 7 Gateway Capabilities. Access Control: • Authentication for different IAM, SAML, OAuth • Authorization including OAuth, XACML • Token translation / SAML STS • Horizon call back into enterprise • Identity federation across service zones. Security: • API threat protection • XML / JSON schema validation • Data filtering, redaction • Data privacy: message- and field-level encryption • Data integrity: digital signatures, hashing, validation. Metering/SLA: • Throttling, rate limiting, x-cluster message counter • Prioritization, traffic shaping and QoS • Content caching to reduce latency overhead • Monitoring, reporting on API usage • Activity reporting to IT management systems. Abstraction/Mediation: • Format conversion: SOAP/REST/JSON/XML • Protocol mediation: HTTP(S), messaging, file-based, SSH • Dynamic content- and context-based routing • Composite services: in-line callouts, message enrichment • Workflow: fan-in, fan-out, looping, synch/asynch
  22. 22. Layer 7 Gateway Form Factors. Hardware Appliance: rack mountable 1-U device; Common Criteria EAL 4+ certification, FIPS 140-2 level 3; optional hardware accelerator modules for XML, crypto. VMWare Virtual Appliance: packaged virtual image of hardware appliance; “VMWare-ready” certified; Open Virtualization Format (OVF). AWS Virtual Appliance: instantiate from your AMI catalog; integrate with EC2, RDS, Auto Scale, ELB. Software: software installation for Linux or Solaris based systems
  23. 23. Agenda API Management Overview and Trends Reaching out to Developers – B2D Publishing and Consuming APIs Engaging & Supporting Developers and Reporting the Results Break OAuth – the next step in Access Control Solving Mobile Challenges Customers Success Stories Summary and Wrap up
  24. 24. Layer 7 API Portal Objectives. Drive Developer Adoption: Developer Enrollment, API Docs, Forums, API Explorer, Onboarding. Provide Insight for all Stakeholders: Analytics, Rankings (45%, 28%), Quotas, Task Tracking, Reporting
  25. 25. Demo: API Portal  Developer portal - Discover an API - Try the API - Register as a developer - Register an application - Get an API key - Metrics - Community  Demo
  26. 26. Layer 7 API Portal Capabilities. Developer Management: • Self-service registration and colleague enrollment • Plans are provided to help you stratify developers into tiers • Account managers assigned to help manage specific, high‐value partners • Manage the generation of API keys/OAuth secrets for each developer application. Developer Support: • Discussion Forums, integrated messaging, FAQs, Announcements to foster community among developers • API Documentation, sample code/applications • API Explorer to allow you to submit queries and see API responses interactively • Reports that measure API usage, application usage and API latency. Content Management: • Out‐of‐the‐box templates for API documents, landing pages, etc. • Content can be versioned and rolled back • Personalized default dashboard for all developer and publisher users • Look and feel easily changed (i.e. logos, fonts, colors, etc.) • Control access to documentation and forums based on API status (i.e. private vs. public). Business Management: • Account tiers defined to allow for developer grouping and actions • Define unique and/or standard plans for each API • Define quotas, rate limits and other features for each API plan • Applications tracked as they move from development to test to production • Application usage measured providing developer understanding and info for planning
  27. 27. Time for a Break!!
  28. 28. Agenda API Management Overview and Trends Reaching out to Developers – B2D Publishing and Consuming APIs Engaging & Supporting Developers and Reporting the Results Break OAuth – the next step in Access Control Solving Mobile Challenges Customers Success Stories Summary and Wrap up
  29. 29. API access control.  You got an API key, now what? - An app is sometimes identified at runtime by including its API key in a query parameter (that doesn’t count as access control) - Typically, the user of the mobile app needs to be authenticated - Standard: OAuth 2.0 - Multiple grant types possible - Opaque bearer tokens are the most common approach
  30. 30. OAuth Toolkit  Better Integration – Leverage Existing Assets  Faster Time to Market OAuth 1 OAuth 2  Scaling – Interpreted vs. Stateful Tokens – Caching 2 & 3-legged OAuth OpenID Connect API Protection
  31. 31. Anatomy of an OAuth handshake (one of many possible grant types illustrated). Diagram: Mobile App (client) and OAuth Authorization Server. Step 1: the client goes to the Authorization endpoint, the Subscriber (resource owner) gives consent, and the client receives an autz code. Step 2: the client presents the code at the Token endpoint and receives an access token. This is a shared secret
  32. 32. Why exchange a secret with an OAuth authorization server in the first place? A: In order to consume an API. Diagram: the OAuth Provider comprises the OAuth Authorization Server and the OAuth Resource Server (API endpoint). The client consumes the REST API with the access token from the handshake; at the API endpoint  access token -> app, user  Enforce access control policies
  33. 33. OAuth: Leverage existing identity, existing SSO.  API Management - Get SSO cookie, integrate with policy server (web agent) during the <handshake> - Associate SSO cookie with access token. Diagram: SSO token; check SSO session against the  SSO Policy Server; “Maintain my SSO experience!”
  34. 34. Token Monitoring, Revocation. Track usage of live tokens; Integrate with portals, BI, provider tooling through open API; Expose token revocation to the right parties; Look for unusual usage patterns. Diagram: Token Management receives revoke from the Dev portal, the API Provider and the Subscriber portal, and check from BI; on exploit or compromise the token check returns FAIL!
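Slides 29, 31, 32 and 34 together describe one control loop: an authz code is exchanged for an opaque bearer token, the API endpoint maps that token to app and user before enforcing policy, and a revoked or merely api_key-identified request fails. The following is an added, constructed Python model of that loop, not Layer 7 code; the class names, the single registered client and its secret are assumptions.

```python
import secrets
import time

# Constructed stand-in for the OAuth 2.0 roles on the slides (hypothetical names).
CLIENTS = {"mobile-app": "constructed-client-secret"}   # client_id -> client_secret

class AuthorizationServer:
    def __init__(self):
        self.codes = {}    # authz code -> (client_id, user, scope); single use
        self.tokens = {}   # opaque bearer token -> token record

    def authorize(self, client_id, user, scope):
        """Step 1: authorization endpoint, after the subscriber (resource owner) consented."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope)
        return code

    def token(self, code, client_id, client_secret, ttl=3600):
        """Step 2: token endpoint; the returned opaque bearer token is the shared secret."""
        expected = CLIENTS.get(client_id, "")
        if not secrets.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)        # pop: a code can be redeemed once
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid or reused authorization code")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"app": client_id, "user": entry[1], "scope": set(entry[2]),
                            "expires": time.time() + ttl, "revoked": False, "uses": 0}
        return tok

    def introspect(self, tok):
        """access token -> (app, user, scope), or None if unknown, expired or revoked."""
        rec = self.tokens.get(tok)
        if rec is None or rec["revoked"] or rec["expires"] < time.time():
            return None
        rec["uses"] += 1                          # track usage of live tokens
        return rec["app"], rec["user"], rec["scope"]

    def revoke(self, tok):
        """Exposed to dev portal, subscriber portal or provider on suspected compromise."""
        if tok in self.tokens:
            self.tokens[tok]["revoked"] = True

class ResourceServer:
    def __init__(self, authz):
        self.authz = authz

    def handle(self, headers, query, required_scope):
        """Enforce access control at the API endpoint; returns an HTTP-style status code."""
        # An api_key query parameter identifies the app but authenticates no user.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401
        info = self.authz.introspect(auth[len("Bearer "):])
        if info is None:
            return 401                            # unknown, expired or revoked token
        return 200 if required_scope in info[2] else 403
```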
  35. 35. Agenda API Management Overview and Trends Reaching out to Developers – B2D Publishing and Consuming APIs Engaging & Supporting Developers and Reporting the Results Break OAuth – the next step in Access Control Solving Mobile Challenges Customers Success Stories Summary and Wrap up
  36. 36. Layer 7 Mobile Access Gateway A lightweight, low-latency mobile gateway for solving critical mobile challenges in the following areas:
  37. 37. Demo - Mobile Access Gateway  Mobile Access Gateway - http/websocket/xmpp/push - Mobile notification hookup (APNS, Android) - Targeted notifications  Demo
  38. 38. Layer 7 Mobile Access Gateway Capabilities. Identity: • Map Web SSO & SAML to mobile-friendly OAuth, OpenID Connect and JSON Web Tokens • Create granular access policies at user, app and device levels • Build composite access policies combining geolocation, message content etc. • Simplify PKI-based certificate delivery and provisioning. Security: • Protect REST, SOAP and OData APIs against DoS and API attacks • Proxy API streaming protocols like HTML5 Web Sockets and XMPP messaging • Enforce FIPS 140-2 grade data privacy and integrity • Validate data exchanges, including all JSON, XML, header and parameter content. Adoption: • Surface any legacy application or database as RESTful APIs • Quickly map between data formats such as XML and JSON • Recompose & virtualize APIs to specific mobile identities, apps and devices • Orchestrate API mashups with configurable workflow. Optimisation: • Cache calls to backend applications • Recompose small backend calls into efficiently aggregated mobile requests • Compress traffic to minimize bandwidth costs and improve user experience • Pre-fetch content for hypermedia-based API calls. Integration: • Proxy and manage app interactions with social networks • Broker call-outs to cloud services like Salesforce.com • Bridge connectivity to iPhone, Windows and Android notification services • Integrate with legacy applications using ESB capabilities
  39. 39. Agenda API Management Overview and Trends Reaching out to Developers – B2D Publishing and Consuming APIs Engaging & Supporting Developers and Reporting the Results Break OAuth – the next step in Access Control Solving Mobile Challenges Customers Success Stories Summary and Wrap up
  40. 40. Layer 7 API Management Implemented at 200+ Enterprise and Government Customers: Financial Services, Communications, Public Sector, Select Others
  41. 41. Case Study: Publishing Telecom APIs. Problem: publicly exposing Telecom APIs presents some unique challenges around how they get packaged, secured and managed for easy consumption. Solution: SecureSpan Networking Gateway policy-based controls allowed Orange to define the message, identity and interface level security for their APIs; track usage; monitor interface health; and update APIs without breaking client applications. “Making Nursery [Telecom APIs] available to local, 3rd world partners has allowed Orange to overcome many of the barriers that had previously limited our growth in emerging markets.” – Benoît Herard, Orange Labs. Results: Orange has created an agile IT platform on which to develop new offerings faster and at less cost by reusing/recomposing existing services
  42. 42. Case Study: APIs Expanding Market Reach Problem: wanted to securely expose existing services to third party developers in order to expand their market reach Solution: Layer 7 API Proxy allows Alaska to securely expose and manage their APIs, while caching Sabre requests Results: significantly grew market reach, while controlling costs associated with constantly pulling data from Sabre to service Developer requests
  43. 43. Case Study: APIs Enabling the Enterprise Problem: reduce cost and delay in processing Medicaid member information by bringing the process online Solution: SOA Gateway allows iPad application to securely connect to backend APIs; provides data routing & guards APIs against intrusion with strict authentication, authorization and comprehensive threat protection Results: improves Amerigroup’s health care coverage and member services, while increasing the effectiveness and efficiency of its Medicaid program
  44. 44. Case Study: Publishing Information Service APIs. Problem: allow customers and partners to use Google Apps to access multiple, existing information services. Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration. “Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close.” – SOA Architect, World’s leading publisher of science and health information. Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering
  45. 45. Case Study: SaaS & Mobile Integration Problem: securely integrate to SaaS services such as Salesforce.com and Workday, as well as secure mobile payments for Mastercard’s MoneySend service Solution: Layer 7 securely gates all interactions with cloud-based SaaS providers and mobile applications, authenticating and authorizing all inbound/outbound interactions Results: users manage only a single login/password for all systems; administrators manage a single LDAP, thereby enhancing security and lowering administration costs
  46. 46. Agenda API Management Overview and Trends Reaching out to Developers – B2D Publishing and Consuming APIs Engaging & Supporting Developers and Reporting the Results Break OAuth – the next step in Access Control Solving Mobile Challenges Customers Success Stories Summary and Wrap up
  47. 47. Challenges for the Modern Enterprise. X-Departments / X-Agency Connectivity:  Real-time Supply Chain  X-agency information sharing  Media Syndication  Trading Platforms. Build a Developer Channel with Open APIs:  Publish Public APIs Reliably  Build Developer Ecosystems  Monetize Internal Information  Socialize Applications. Cloud Access & Integration:  SaaS Access  IaaS Integration & Governance  Hybrid Private / Public  Burst to the Cloud  Smart Grid. Connect Enterprise to Mobile Apps (Login / Password):  BYOD Employee Enablement  Field Enablement  API Developer Communities
  48. 48. Layer 7 – One Solution for 4 Hybrid Problem Spaces. Across Divisions & Partners (SOA Gateway):  Simplify Information Sharing  Enable Centralized Shared Services  Improve B2B  Bridge ESB Domains. Outside Developer Communities (API Portal):  Build a developer channel  Monetize information assets  Improve customer reach  Improve customer retention. Cloud Access (CloudConnect):  Help Enterprises Connect To The Cloud  Help Service Providers Deliver New Services  Deploy Security-as-a-cloud Service. Across Mobile (Mobile Access Gateway):  Mobile Developer Onboarding  BYOD  Mobile application management  App security
  49. 49. Established Leader. The Forrester Wave: SOA & API Application Gateways, Nov 2011 (chart: Risky Bets, Contenders, Strong Performers, Leaders; Current Offering vs. Strategy, Market Presence). “Layer 7 SecureSpan is strong across the board. SecureSpan SOA Gateway scored well in all of the major functional evaluation categories…It has the broadest array of form factors and one of the strongest strategies for virtualization and cloud-based deployment.” Gartner Magic Quadrant for SOA & API Governance Technologies, Oct 2011 (chart: niche players, challengers, visionaries, leaders; ability to execute). “[Layer 7 has a] …. complete offering, with good coverage of general SOA governance (on-premises and in the cloud), B2B, ESB and API management functionality…[The Company is] fast-moving, well on its way to implementing its good vision for SOA governance and the related marketplaces.” Additional Notable Recognition
  50. 50. Thank You. For more information contact: Colman McCaffery, cmccaffery@layer7tech.com, +61 413 776 428
