Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

The bring-your-own-device (BYOD) trend is in full swing as the growth of mobile devices within the enterprise explodes. How do you enable secure data access for mobile applications? How do you deal with user authentication? How do you allow broader adoption of enterprise applications on user owned devices? CA and Layer 7 outline solutions to these issues, explore different approaches to mobile security, and use case studies to illustrate how others have solved these problems.

This workshop was all about:
• The latest mobile trends and opportunities
• Emerging mobile risks and how these can be addressed
• A reference architecture for secure enterprise mobility

  1. The IAM-as-an-API Era Has Arrived, And You Can Blame/Thank Mobility. Eve Maler, Principal Analyst, Security & Risk. Mobile Security Workshop, February 7, 2013
  2. Agenda
     • Consumerization of IT and its cousins are challenging IAM traditions
     • Apply Zero Trust to your identity, security, and agility problems in "bring-your-own" environments
     • Leverage emerging technologies to provide identity services that are mobile-cloud ready
     © 2012 Forrester Research, Inc. Reproduction Prohibited
  3. “It was Colonel Mustard in the research library with a smartphone…”
  4. The future of IT is bring-your-own everything. The diagram has three axes: app sourcing and hosting (SaaS apps, apps in public clouds, partner apps, apps in private clouds, on-premises enterprise apps); app access channels (enterprise computers, enterprise-issued devices, public computers, personal devices); and user populations (employees, contractors, partners, members, customers). Source: March 22, 2012, Forrester report “Navigate The Future Of Identity And Access Management”
  5. Genentech’s Salesforce app trumps native Salesforce.com. Source: Genentech webinar
  6. Steve Yegge describes why … and the next challenge: “[Jeff Bezos] issued a mandate that was so out there, so huge and eye-bulgingly ponderous, that it made all of his other mandates look like unsolicited peer bonuses. … ‘1) All teams will henceforth expose their data and functionality through service interfaces.’ … Like anything else big and important in life, Accessibility has an evil twin who, jilted by the unbalanced affection displayed by their parents in their youth, has grown into an equally powerful Arch-Nemesis (yes, there’s more than one nemesis to accessibility) named Security. And boy howdy are the two ever at odds. But I’ll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.” Source: Rip Rowan on Google Plus
  7. Now many APIs have direct business models, all enabling mobile. Source: John Musser of ProgrammableWeb.com
  8. “Classic” IAM: Sounds awesome, maybe later? Source: satterwhiteb | CC BY 2.0 | flickr.com
  9. Didn’t we already solve the web services security problem? Transport-layer solutions; platform-specific solutions; XML Signature, XML Encryption, XML canonicalization; WS-Security, WS-Trust, WS-I Basic Security Profile; SAML; ID-WSF
  10. The API economy forces you to confront the webdevification of IT. (Chart: value on the Y axis against friction on the X axis.)
  11. Agenda (the same three items as slide 2)
  12. In Zero Trust, all interfaces are treated as untrusted. Apply Zero Trust all the way up the stack, including – most particularly – identity and access management functions. Source: November 15, 2012, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report
  13. Plan for inward, outward, and circular identity propagation. Internal to the organization: a staff user store and a consumer user store. Outward: the organization serves as an identity server for external business partners and is exposed to customers. Inward: the organization serves as an identity client of institutional user stores for functions internal to the organization. A security token service (STS) handles token issuance, translation, and consumption. Source: March 22, 2012 “Navigate The Future of IAM” Forrester report
  14. Go from IDaaS to IAM-as-an-API: applying the API façade pattern to IAM functions. The business app’s own API determines access control granularity (back-end apps, web apps, mobile apps …). Robustly protect all Internet interfaces, regardless of their sourcing model: web service and app APIs, and APIs for authentication, authorization, provisioning …, on a scale-out IAM infrastructure. (Diagram: API clients and IAM API clients reach the business apps and the IAM infrastructure over the Internet.) Source: March 22, 2012 “Navigate The Future of IAM” Forrester report
  15. Who’s already doing it?
  16. Agenda (the same three items as slide 2)
  17. New identity solutions disrupt … but attract. Or: “The good thing about reinventing the wheel is that you can get a round one.”* (*Douglas Crockford, inventor of JavaScript Object Notation (JSON).) Source: tom-margie | CC BY-SA 2.0 | flickr.com
  18. Emerging IAM standards have an edge over traditional ones for Zero Trust. Three groups of standards are compared by their key features: agility, mobile/cloud friendliness and robustness; “solving the right problem” and enterprise-only scope; governance and hubris. Source: October 2012 “TechRadar™ For Security Pros: Zero Trust Identity Standards, Q3 2012”
  19. The new Venn of access control for the API economy
  20. Web 2.0 players invented OAuth just to solve the “password anti-pattern”
  21. What it really does is let a resource owner delegate constrained access. WS-Security in the modern era is pronounced “OAuth”.
  22. OAuth can help manage risk, cost, and complexity. For Internet-scale Zero Trust, you need it all:
     • Gets client apps out of the business of storing passwords
     • Friendly to a variety of user authentication methods and user devices, including smartphones and tablets
     • Allows app access to be tracked and revoked on a per-client basis
     • Allows for least-privilege access to API features
     • Can capture explicit user authorization for access
     • Lowers the cost of secure app development
     • Bonus: provides plumbing for a much larger class of needs around security, identity, access, and privacy
  23. Use case: consumer-facing web and mobile apps. eBay has “channel partners” that create apps for sellers. Third parties offer eBay seller productivity apps to sellers who list items and do other tasks through the eBay API. These apps never see the seller’s eBay credentials. They don’t merely “impersonate” the seller: the app can take action even if the user is offline. OAuth roles: eBay seller (resource owner); eBay (authorization server and resource server); third-party seller app (client).
  24. Use case: B2B and business SaaS app integration through SAML SSO. A construction firm lets project partners “SSO in” to APIs using native apps. Partner apps integrate with the construction firm’s valve-design service. On-site partner engineers log in to their home systems through a company-issued tablet. They can then use special apps that call the valve-design service, bootstrapped by SAML. Roles: partner workforce member (resource owner); construction firm (authorization server, resource server, and SP/RP); partner app (client and IdP).
  25. Use case: “two-legged” userless protection of low-level web service calls. eBay secures internal services to meet auditing and compliance goals; these include services such as sales tax calculation, shipping label formatting, credit card number verification, and HTML code checking. Roles: eBay service (resource server); eBay STS (authorization server); eBay calling app (client). In all use cases, the two servers are typically separate but communicate in a proprietary fashion.
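The OAuth properties on slides 22 to 25 (the client never holds the user's password, scoped least-privilege access, per-client revocation, and the two-legged client-credentials case of slide 25) in a runnable toy model. This is an added example, not eBay's, Forrester's or the workshop's code; the client ids, scopes, user and secrets are constructed, and tokens are introspected in-process rather than over an introspection endpoint.

```python
# Added example (not from the slides): toy OAuth 2.0 authorization server and protected API.
import hmac
import secrets
import time


class AuthorizationServer:
    def __init__(self, users, clients):
        self._users = users      # subject -> password (toy; real servers store hashes)
        self._clients = clients  # client_id -> (secret, frozenset of allowed scopes)
        self._codes = {}         # one-time authorization code -> (client_id, subject, scopes)
        self._tokens = {}        # access token -> record dict

    def authorize(self, client_id, subject, password, requested_scopes):
        # The user logs in at the AS (never at the client) and consents to scopes the client is registered for.
        if not hmac.compare_digest(self._users.get(subject, ""), password):
            raise PermissionError("bad user credentials")
        allowed = self._clients.get(client_id, ("", frozenset()))[1]
        granted = frozenset(requested_scopes) & allowed
        if not granted:
            raise PermissionError("unknown client or no grantable scope")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, subject, granted)
        return code

    def exchange_code(self, client_id, secret, code, ttl=3600):
        self._check_client(client_id, secret)
        entry = self._codes.pop(code, None)  # pop: a replayed code fails
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid code")
        return self._issue(client_id, entry[1], entry[2], ttl)

    def client_credentials(self, client_id, secret, ttl=300):
        # Two-legged grant (slide 25): no resource owner, the client acts as itself.
        return self._issue(client_id, None, self._check_client(client_id, secret)[1], ttl)

    def revoke_client(self, client_id):
        # Per-client revocation: every token one app holds dies; other apps are untouched.
        victims = [t for t in self._tokens.values() if t["client"] == client_id and not t["revoked"]]
        for t in victims:
            t["revoked"] = True
        return len(victims)

    def introspect(self, token):
        t = self._tokens.get(token)
        return None if t is None or t["revoked"] or t["exp"] <= time.time() else t

    def _check_client(self, client_id, secret):
        entry = self._clients.get(client_id)
        if entry is None or not hmac.compare_digest(entry[0], secret):
            raise PermissionError("bad client credentials")
        return entry

    def _issue(self, client_id, subject, scopes, ttl):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"client": client_id, "sub": subject, "scopes": scopes,
                               "exp": time.time() + ttl, "revoked": False}
        return token


def call_api(auth, token, required_scope):
    # Resource server check: 401 for a dead token, 403 for a missing scope, else 200.
    t = auth.introspect(token)
    if t is None:
        return 401
    return 200 if required_scope in t["scopes"] else 403


def run_scenarios():
    auth = AuthorizationServer(
        users={"alice": "pw-alice"},
        clients={"seller-tool": ("tool-secret", frozenset({"listings:write", "orders:read"})),
                 "tax-calc": ("tax-secret", frozenset({"tax:calculate"}))})
    # Three-legged: Alice consents at the AS, the app never learns her password,
    # and the over-broad "account:delete" request is simply not granted.
    code = auth.authorize("seller-tool", "alice", "pw-alice", ["listings:write", "account:delete"])
    tok = auth.exchange_code("seller-tool", "tool-secret", code)
    out = {"write": call_api(auth, tok, "listings:write"),      # 200
           "delete": call_api(auth, tok, "account:delete")}     # 403
    try:
        auth.exchange_code("seller-tool", "tool-secret", code)  # replayed code
    except PermissionError as e:
        out["replay"] = str(e)
    svc = auth.client_credentials("tax-calc", "tax-secret")     # two-legged, no user online
    out["two_legged"] = call_api(auth, svc, "tax:calculate")    # 200
    out["revoked"] = auth.revoke_client("seller-tool")          # 1 token killed
    out["after_revoke"] = call_api(auth, tok, "listings:write") # 401
    out["svc_unaffected"] = call_api(auth, svc, "tax:calculate")  # 200
    return out
```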
  26. OpenID Connect turns SSO into a standard OAuth-protected identity API. Comparison (an X marks a capability the protocol lacks or does not yet provide):
     | Capability | SAML 2.0, OpenID 2.0 | OAuth 2.0 | OpenID Connect |
     | Initiating user’s login session | Yes | X: not responsible for session initiation | Yes |
     | Collecting user’s consent to share attributes | X: not responsible for collecting user consent | Yes | Yes |
     | High-security identity tokens | Yes (SAML only) | X: no identity tokens per se | Yes (using JSON Web Tokens) |
     | Distributed and aggregated claims | X | X: no claims per se; protects arbitrary APIs | Yes |
     | Dynamic introduction | Yes (OpenID only) | X: client onboarding is static | Yes |
     | Session timeout | Yes | X: no sessions per se | In the works (X) |
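Slide 26 contrasts OpenID Connect's signed JSON Web Token ID tokens with plain OAuth access tokens; the added example below (not from the slides) mints one with HS256 over a constructed client secret and runs the checks a relying party must make before trusting it: pinned algorithm, signature, iss, aud, exp and nonce. Issuer, client id, nonce and secret are made-up values.

```python
# Added example: minting and validating an OIDC ID token (JWT, HS256) with the standard library.
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, secret, alg="HS256"):
    # alg is a parameter only so check_cases() can build a bogus unsigned ("none") token.
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Relying-party checks from OIDC Core: pinned alg, signature, iss, aud, exp, nonce.
    Returns the claims on success; raises ValueError naming the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("iss")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("aud")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("exp")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce")
    return claims


def check_cases():
    # Constructed scenarios; returns, per case, the accepted subject or the failed check.
    secret, issuer, rp, nonce = b"constructed-client-secret", "https://op.example", "rp-123", "n-42"
    now = 1_700_000_000
    good = {"iss": issuer, "sub": "alice", "aud": rp, "exp": now + 300, "iat": now, "nonce": nonce}
    cases = {
        "good": mint_id_token(good, secret),
        "other_rp": mint_id_token({**good, "aud": "rp-999"}, secret),  # issued for another client
        "expired": mint_id_token({**good, "exp": now - 1}, secret),
        "replayed": mint_id_token({**good, "nonce": "n-41"}, secret),  # nonce from another login
        "alg_none": mint_id_token(good, secret, alg="none"),            # unsigned, must be rejected
    }
    tampered = cases["good"].split(".")
    tampered[1] = _b64url(json.dumps({**good, "sub": "admin"}).encode())  # payload edited, old signature
    cases["tampered"] = ".".join(tampered)
    results = {}
    for name, tok in cases.items():
        try:
            results[name] = validate_id_token(tok, secret, issuer, rp, nonce, now=now)["sub"]
        except ValueError as e:
            results[name] = str(e)
    return results
```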
  27. Where SAML is “rich,” OpenID Connect holds promise for “reach”. Already exposing customer identities using a draft OpenID Connect-style API. Working to expose workforce identities through OpenID Connect. LOB apps and smaller partners can get into the federation game more easily; complex SAML solutions will see price pressure over time.
  28. The classic OAuth scenarios enable lightweight web services security. The same user is assumed on both sides of the equation; there is proprietary communication between the servers.*
  29. OpenID Connect also has limitations: the IdP/AP split requires brokering, and the same user is assumed on both sides of the equation.
  30. UMA turns online sharing, with arbitrary other parties, into a “privacy by design” solution. “I want to share this stuff selectively, in an efficient way: among my own apps; with family and friends; with organizations. I want to protect this stuff from being seen by everyone in the world, from a central location.” The “stuff”: historical, biographical, reputation, vocational, user-generated, social, geolocation, computational, biological/health, legal, corporate …
  31. What about config-time synchronization? “I don’t always synchronize, but when I do, I prefer SCIM.” Maximum PII disclosure, brittleness, and authorization latency: nightly secure FTP sessions to transfer CSV files containing employee records (for HR and auditors). The synch solution proposed by software vendors in the last decade: Service Provisioning Markup Language (SPML). The winner: a RESTful identity synch API, protectable by OAuth and endorsed by cloud providers: System for Cross-domain Identity Management (SCIM).
  32. So, what should you do next? Get ready: Zero Trust is pulling along new Security solutions to meet Accessibility needs.
  33. Expose accessible identity APIs for (all and only) what you’re authoritative for.
  34. Assist your smaller partners in exposing identity APIs you can begin relying on.
  35. Count on mobility to disrupt old security paradigms and pull API security to the fore.
  36. Thank you. Eve Maler, +1 617.613.8820, emaler@forrester.com, @xmlgrrl, +Eve Maler
  37. Secure Mobility: Reward & Risk. Jason Hammond, CISSP, Advisor, Solution Strategy. February 7, 2013
  38. Agenda: Transformational Power of Mobility; New Mobile Risks; Mobile Security Framework; CA Secure Mobility Solutions. Copyright © 2013 CA Technologies. All rights reserved. No unauthorized copying or distribution permitted
  39. Mobility Transforms the Customer Experience. How do you plan to leverage mobile customer engagement? Mobile is the new face of customer engagement: “Business spending on mobile projects will grow 100% by 2015. More than half of business decision-makers will increase their mobile apps budget in 2012 as they look for better ways to engage with customers and partners.”* “Mobile spend will reach $1.3 trillion as the mobile apps market reaches $55 billion in 2016.”* (*Mobile is the New Face of Engagement, Forrester Research, Inc., Feb 13, 2012)
  40. Mobility Enables the Workforce. How do you plan to leverage mobility to enable the workforce? CISO market survey: “How significant are the following security concerns to your organization for individually-owned mobile devices being used by employees for work?” Share answering “very significant” (n = 353):
     • Device may be stolen and corporate data exposed: 61%
     • Malware could be introduced to corporate network: 58%
     • Compliance requirements: 48%
     • Data on device will go with employee to next employer: 41%
     • Legal data ownership issues: 35%
     • Lack of integration with traditional IT systems: 29%
     • Cost of providing technical support: 26%
     Source: Info Workers Using Mobile And Personal Devices For Work Will Transform Personal Tech Markets, Forrester Research, Inc., February 22, 2012
  41. Multiple Users; Multiple Channels
  42. Engage Mobile Users: multi-channel support. Channels: PC/laptop browsers, phone/tablet browsers, non-traditional devices, and native mobile apps on phones and tablets, reaching web and API endpoints under one security policy. Multi-channel; 360-degree view; scale with volume.
  43. New Mobile Risks
  44. New Mobile Risks: BYOD. Consumerization; privacy expectations; personal and corporate data; legal liability.
  45. New Mobile Risks: Lost Devices. Size, mobility and business impact of data increase risk.
  46. New Mobile Risks: Disappearing Perimeter. Lack of visibility and control of sensitive information; persistent sync of sensitive information inhibits visibility and control of data.
  47. New Mobile Risks: Mobile Usage Threats. Personal download of vulnerable apps; users sharing data between apps; APIs exposed to threats.
  48. Identity is the new network perimeter. A centralized identity service controls access to all enterprise applications (SaaS and on-premise). Users: partner user, customer, mobile employee, internal employee. Applications: cloud apps/platforms and web services (Google, SaaS) and enterprise apps on premise.
  49. The “new balance” of security: securely grow the business. Enable the online business (improve customer experience; increase customer loyalty) + protect the business (reduce risk; enable control and compliance), and improve efficiency.
  50. Market Shift: Mobile Device to Mobile Apps & Data Solutions. Data: data-centric IT security (encryption, DLP). Device: device management (MDM). Apps: business service innovation (MEAP, IAM, MAM).
  51. Market Shift: CA Security Focus on Mobile Apps & Data Solutions (same diagram as slide 50).
  52. Market Shift: CA Security Focus on Mobile Apps & Data Solutions. Data: data protection (encryption, DLP). Device: device management (MDM). Apps: access management, API management, advanced authentication, app wrapping (MEAP, IAM, MAM).
  53. Mobile Security Framework: balancing security with business enablement. Access Management; Advanced Authentication; Containerization; Data Protection; API Management.
  54. Reference Architecture
  55. Mobile Security Framework: balancing security with business enablement (reference architecture, first build). Inside the organization and in cloud services, reached from mobile. 1 Access Management: AuthN, AuthZ.
  56. (Second build.) 1 Access Management: AuthN, AuthZ; multi-channel support (API, web, mobile); central policies; 360-degree view of users.
  57. (Third build.) Access Management adds SSO and OpenID, OAuth 2.0.
  58. (Fourth build.) 2 Advanced Authentication: multi-factor AuthN; ID, geographic; risk-based auth; soft tokens.
  59. (Fifth build.) 3 App Wrapping: app AuthN, AuthZ & audit; support for custom and 3rd-party apps; connected and offline security.
  60. (Sixth build.) 4 Data Protection, covering email and files: in-motion & at-rest; classification; encryption; intelligent data-centric security.
  61. (Seventh build.) 5 Web Service Protection, in front of web applications: secure API; audit integration; threat protection.
  62. Mobile Security Framework: balancing security with business enablement (complete reference architecture, with CA products mapped to the five functions):
     • 1 Access Management (CA SiteMinder): AuthN, AuthZ; multi-channel support (API, web, mobile); central policies; 360-degree view of users; SSO; OpenID, OAuth 2.0
     • 2 Advanced Authentication (CA AuthMinder & RiskMinder): multi-factor AuthN; ID, geographic; risk-based auth; soft tokens
     • 3 App Wrapping (future): app AuthN, AuthZ & audit; support for custom and 3rd-party apps; connected and offline security
     • 4 Data Protection (CA DataMinder), covering email and files: in-motion & at-rest; classification; encryption; intelligent data-centric security
     • 5 Web Service Protection (CA SiteMinder), in front of web applications: secure API; audit integration; threat protection
  63. Benefits
     • Enable mobile engagement: support access across a range of channels (platforms, OS, apps); a 360° view of the user enhances each moment of engagement; seamless and convenient experience
     • Reduce risks: mitigate the risk of physical access; enable secure access to cloud services; intelligent data-centric security reduces human error; end-to-end security stays through the life of the data
     • BYOD: separate corporate and personal apps and data; support corporate data investigation, user privacy expectations and reduction in corporate liability
  64. Thank You!
  65. Legal notice. © Copyright CA 2012. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted. THIS MEDIA IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS MEDIA “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages. Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion. Notwithstanding anything in this media to the contrary, upon the general availability of any future CA product release referenced in this media, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis.
  66. Mobile APIs And The New Governance. K Scott Morrison, CTO. February 2013
  67. “Democracy is the worst form of government, except for all those other forms that have been tried from time to time.” Sir Winston Churchill
  68. Governance
  69. Governance appeals to the architect in us!
  70. Yet there is an imbalance between run time and design time governance!
  71. Vendors are happy to provide tooling. (Diagram: firewall, trading partner, directory, PEP, application servers, workflow, registry and repository, laid out across the DMZ, secure zone and enterprise network.)
  72. But this never caught on with the developers
  73. Controlling, not enabling
  74. Change Agent
  75. Client / Server
  76. Contractor / Regular
  77. Outside / Inside
  78. Partner / Enterprise
  79. No Affiliation / Enterprise / Partner
  80. Them / Us
  81. Here is the new group to manage!
  82. The New Roles: API client developers (external) and API server developers (internal)
  83. Governance Fails Here
  84. Marketing is taking control! CMO, product manager, API developer, business manager, security officer
  85. IT Needs To Own This
  86. Learn from modern development!
  87. Agile! Simple! Courageous!
  88. Bug Report: File properties.xml isn’t, well, XML…
  89. It’s about the app!
  90. But simple can under-define!
  91. Look to habit!
  92. Combine components to solve problems!
  93. What do we really need?
  94. The Client: discovery (search); sign up (CMS); learning (wiki); experimenting (browser/explorer); social (forum); promotion (blog). This is SDLC, 21st century-style.
  95. Don’t reinvent!
  96. Let’s Build It.
  97. The Challenge. (Diagram: a phone user with an API client on an iPhone; the API developer and API server on the enterprise network, behind firewall 1 and firewall 2.)
  98. First We Need Identity. (The same diagram, with SiteMinder added on the enterprise network.)
  99. We could try this to deal with firewalls… (The same diagram.)
  100. An API Gateway Is A Better Solution. (The diagram adds an API proxy between firewall 1 and firewall 2.)
  101. Now Add Client Developer Libraries For Authentication. (The same diagram, with the API proxy.)
  102. Finally, Add In An API Portal To Enable The New Governance. (The diagram adds an API portal beside the API server on the enterprise network.)
  103. Our customers led us here!
  104. Have we swung too far outside the enterprise?!
  105. 50%
  106. The New Governance, old versus new:
     • Documentation: WSDL → Wiki/Blog
     • Discovery: Reg/Rep → Search
     • Approval: G10 Platform → Email
     • Enforcement: Gateway → Gateway
     • User Provisioning: IAM → Portal
     • Community: What’s that? → Forum
  107. Simple wins! (But simple takes courage.)
  108. Democracy wins!
  109. The Forrester Wave™: API Management Platforms, Q1 2013, by Eve Maler and Jeffrey S. Hammond, February 5, 2013. Free copy for all attendees! Everyone who has attended today’s workshop will receive a free copy of this report in a follow-up email from Layer 7. Keep an eye on your inbox. The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Layer 7 Confidential
  110. Picture credits: Antelope Canyon 4 by klsmith – stock.exchg; Band silhouettes by mr_basmt – stock.exchg
  111. For further information: K. Scott Morrison, Chief Technology Officer, Layer 7 Technologies, 1100 Melville St, Suite 405, Vancouver, B.C. V6E 4A6 Canada, (800) 681-9377, scott@layer7.com, http://www.layer7.com. September 2012
