CIS13: APIs, Identity, and Securing the Enterprise

3. Copyright ©2013 Ping Identity Corporation. All rights reserved.3 Confidential •  Hi! •  Former CEO of VC-Backed database startup, Drawn to Scale. Built a distributed SQL database, Spire, from scratch. •  Does a lot of work in big data, distributed systems, and APIs. •  Now running Developer Evangelism + Platforms @ Ping! Bradford Intro

4. Copyright ©2013 Ping Identity Corporation. All rights reserved.4 Confidential •  Hi as well! •  Built financial infrastructure at NASDAQ, an eCommerce startup, Invited Expert work at W3C and now APIs & Mobile Apps •  Spent a few years focusing heavily on distributed systems and NOSQL databases — nosqltapes.com and nosqlsummer.org •  Now running Developer Programs @ Apigee! Tim Intro

9. Copyright ©2013 Ping Identity Corporation. All rights reserved.9 Confidential The Enterprise Must Open API Growth Rate •  Open APIs –  We just hit the 7,000 API mark –  8,000 by year end –  16,000 by 2015 •  Dark APIs –  Dark APIs are 5x+/- Open API growth rate –  80,000 by 2015

10. Copyright ©2013 Ping Identity Corporation. All rights reserved.10 Confidential The Enterprise Must Open •  Internal apps must be refactored •  Close collaboration with Partners •  Explosion of different channels and devices •  Everything is more social

12. Copyright ©2013 Ping Identity Corporation. All rights reserved.12 Confidential The never-ending battle •  Security is a never-ending battle between collaboration and secrets … to get work done •  Once we’ve chosen where we fall on the spectrum, how do you keep security around it?

15. Copyright ©2013 Ping Identity Corporation. All rights reserved.15 Confidential Authentication •  Answers “How can you prove who you are?” •  Responding to a challenge •  Private shared secrets, best if known only to user (Private Key)

16. Copyright ©2013 Ping Identity Corporation. All rights reserved.16 Confidential Authorization •  Answers “What are you allowed to do?” •  Token/Ticket Mechanism •  Certain tokens are allowed certain abilities •  Enforcing the principle of least privilege

17. Copyright ©2013 Ping Identity Corporation. All rights reserved.17 Confidential Encryption •  Answers “How can we keep this secret?” •  Only authorized parties can understand data •  Non-symmetric algorithms ‘mask’ data – ‘impossible’ to reverse engineer

18. Copyright ©2013 Ping Identity Corporation. All rights reserved.18 Confidential Accounting •  Answers “Who did what, when?” •  Typically use a logging mechanism (Splunk) •  “Closes the loop” between Authentication and Authorization •  Essential in identifying gaps and postmortems

19. Copyright ©2013 Ping Identity Corporation. All rights reserved.19 Confidential So what is API Security? •  A Secure API only allows the right people the right amount of access to resources and data •  Has to balance collaboration in an open-by-default world vs. keeping important secrets •  Many, many ways to do this

20. Copyright ©2013 Ping Identity Corporation. All rights reserved.20 Confidential Identity Authentication Authorization Channel Enc. Accounting Dedicated ATM X X 802.1X X X LDAP X ActiveDirectory X X (partial) Database Table X RADIUS/Diameter X X X VPN / IPSec X X X.509 X X SSL, TLS, DTS X Basic/Digest Auth, Login X X 2-factor X Master login X X API keys X X (partial) OAuth 1.0 OAuth 1.0a X (partial) OAuth 2.0 X (partial) OpenID X OpenID Connect X SAML X X (partial) Shiro or other framework X X Splunk or other logging X Roll your own Recap

22. Copyright ©2013 Ping Identity Corporation. All rights reserved.22 Confidential •  Use-cases –  Internal APIs –  Partner APIs –  Public APIs (consumer, open, mobile etc.) •  Tiers (legs) –  Server-to-Server (internal, partner) usually 2-legged authentication –  End-user (consumer, mobile, open) usually requires 3-legged authentication API Types

24. Copyright ©2013 Ping Identity Corporation. All rights reserved.24 Confidential •  Malicious Apps •  Well-intentioned but vulnerable App •  Well-intentional App with Malicious Users Common Security Concerns

27. Copyright ©2013 Ping Identity Corporation. All rights reserved.27 Confidential 1.  Registration Wall –  Knowing is half the battle! –  Identify problematic apps or users –  Isolate them from other traffic –  Provide means of communicating with well-intentioned users Human & Business Remedies

28. Copyright ©2013 Ping Identity Corporation. All rights reserved.28 Confidential 2.  Proof –  Enhance registration by requiring proof the account was not automatically created (captcha) or has a legit email address (activation link) –  Phone Activation –  Driver’s license, … Human & Business Remedies

29. Copyright ©2013 Ping Identity Corporation. All rights reserved.29 Confidential 3.  Traffic Shaping –  Quotas –  Throttling –  Tiered Traffic –  Dynamic IP Filters –  Dynamic ISP Filters –  Up to & including blocking –  Processes not technologies! Human & Business Remedies

30. Copyright ©2013 Ping Identity Corporation. All rights reserved.30 Confidential 4.  Audits & Certifications –  More useful than you think –  Checks for dark corners in your organization –  PCI-DSS and ISO 2700X series Human & Business Remedies

31. Copyright ©2013 Ping Identity Corporation. All rights reserved.31 Confidential •  Which of these should you implement? •  All of them? (Again, security vs. freedom.) •  Don’t forget to impose those human & business rules on internal users! –  80.123456% of DDoS cases come from inside the house. Human & Business Remedies

32. Copyright ©2013 Ping Identity Corporation. All rights reserved.32 Confidential •  Identity •  Authentication •  Authorization •  Encryption (Channel Security) •  Accounting (Auditing) Technical Remedies!

33. Copyright ©2013 Ping Identity Corporation. All rights reserved.33 Confidential Identity Authentication Authorization Channel Enc. Accounting Dedicated ATM X X 802.1X X X LDAP X X (deﬁnitions) ActiveDirectory X X (deﬁnitions) Database Table X RADIUS/Diameter X X X VPN / IPSec X X X.509 X X SSL, TLS, DTS X Basic/Digest Auth, Login X X 2-factor X Master login X X API keys X X (primitives) OAuth 1.0 OAuth 1.0a X (primitives) OAuth 2.0 X (primitives) OpenID X OpenID Connect X SAML X X (primitives) Shiro or other framework X X Splunk or other logging X Roll your own Recap

35. Copyright ©2013 Ping Identity Corporation. All rights reserved.35 Confidential 2.  Identity Providers –  LDAP –  ActiveDirectory (provides authorization as well) –  User table in your database… –  Third party: Google, Twitter, etc. — still usually maps to a user record in your internal tables. –  Every other combination of solutions will use one of the first three in this list! Technical Remedies!

36. Copyright ©2013 Ping Identity Corporation. All rights reserved.36 Confidential 3.  Network Channel Security –  LAN level: 801.1X –  Beyond: use VPN/IPSec –  Both provide machine authentication and point- to-point channel encryption –  Both would rely on a RADIUS or Diameter server for user authentication and authorization management Technical Remedies!

38. Copyright ©2013 Ping Identity Corporation. All rights reserved.38 Confidential 4.  Authentication –  Basic/Digest Auth (over SSL) –  Login form then API key –  Optional 2-factor (code generator, keyfob, etc.) –  Plugged to LDAP, or table of API keys or hardcoded master login (bad). –  All or nothing keys: like giving every app full access to your facebook account Technical Remedies!

39. Copyright ©2013 Ping Identity Corporation. All rights reserved.39 Confidential 4.  Authentication/Authorization with OAuth –  OAuth fundamentally tries to solve this problem, by doing authentication but allowing to segment authorization per app –  “Valet Key” analogy: the App has access to the system as you, but cannot do certain things (like change your password) –  That valet key is a token, that automatically expires after a certain time –  Allows for “3-legged Authentication”, not just API and App or (API and User), but API, App and User •  Use for revokes and accounting –  You still end up doing a regular authentication somewhere in the middle (Basic auth, login form, etc.) Technical Remedies!

40. Copyright ©2013 Ping Identity Corporation. All rights reserved.40 Confidential –  OAuth 1 •  Do not use OAuth 1.0: logically insecure •  OAuth 1.0a (RFC edition) fixes that, works nicely, in use at Twitter •  Signatures are hard (made so you don’t have to rely on SSL/TLS though) •  Malicious Apps can be kicked out and all their tokens revoked •  Web authentication flow can use keyfobs or other multi- factor auth systems •  Very web-centric. The ideal use-case when it was designed was “allow Twitter to access my Flickr photos” Technical Remedies!

41. Copyright ©2013 Ping Identity Corporation. All rights reserved.41 Confidential –  OAuth 2.0 •  Lead author famously walked out, not all bad though! •  Hard to implement correctly, in a secure manner •  Lots of grant types •  Not as interoperable as OAuth 1 — really a framework, for security, not a protocol anymore •  Formalizes “scopes” for specific permissions (like “post to wall”, “see friends”, etc.) •  Introduces refresh tokens — stay away •  Introduces compatibility with SAML and JWT — stay away •  2 token types: Bearer and MAC Technical Remedies!

42. Copyright ©2013 Ping Identity Corporation. All rights reserved.42 Confidential –  OAuth 2.0 Bearer Tokens •  only ones used in practice •  as insecure as a Bearer Bond •  Heavily rely on channel being secure, which is rarely the case, even over HTTPS •  No client binding –  App B could use a token issued for App A to log in as you to App A –  Facebook wrote its own extension to deal with that •  Stay away from refresh tokens, it only serves a very narrow use-case where two-tier refreshes are necessary. Technical Remedies!

43. Copyright ©2013 Ping Identity Corporation. All rights reserved.43 Confidential 5.  Authorization –  Shiro — a Java framework to enforce authorization rules in your apps –  SAML — full XML protocol to handle authentication and authorization Technical Remedies!

44. Copyright ©2013 Ping Identity Corporation. All rights reserved.44 Confidential Identity Authentication Authorization Channel Enc. Accounting Dedicated ATM X X 802.1X X X LDAP X X (deﬁnitions) ActiveDirectory X X (deﬁnitions) Database Table X RADIUS/Diameter X X X VPN / IPSec X X X.509 X X SSL, TLS, DTS X Basic/Digest Auth, Login X X 2-factor X Master login X X API keys X X (primitives) OAuth 1.0 OAuth 1.0a X (primitives) OAuth 2.0 X (primitives) OpenID X OpenID Connect X SAML X X (primitives) Shiro or other framework X X Splunk or other logging X Roll your own Recap

45. Copyright ©2013 Ping Identity Corporation. All rights reserved.45 Confidential Identity Authentication Authorization Channel Enc. Accounting Dedicated ATM X X 802.1X X X LDAP X X (deﬁnitions) ActiveDirectory X X (deﬁnitions) Database Table X RADIUS/Diameter X X X VPN / IPSec X X X.509 X X SSL, TLS, DTS X Basic/Digest Auth, Login X X 2-factor X Master login X X API keys X X (primitives) OAuth 1.0 OAuth 1.0a X (primitives) OAuth 2.0 X (primitives) OpenID X OpenID Connect X SAML X X (primitives) Shiro or other framework X X Splunk or other logging X Roll your own Connect 5!

46. Copyright ©2013 Ping Identity Corporation. All rights reserved.46 Confidential Identity Authentication Authorization Channel Enc. Accounting Dedicated ATM X X 802.1X X X LDAP X X (deﬁnitions) ActiveDirectory X X (deﬁnitions) Database Table X RADIUS/Diameter X X X VPN / IPSec X X X.509 X X SSL, TLS, DTS X Basic/Digest Auth X X 2-factor X Master login X X API keys X X (primitives) OAuth 1.0 OAuth 1.0a X (primitives) OAuth 2.0 X (primitives) OpenID X OpenID Connect X SAML X X (primitives) Shiro or other framework X X Splunk or other logging X Roll your own Connect 5!

47. Copyright ©2013 Ping Identity Corporation. All rights reserved.47 Confidential •  Use-cases –  Internal APIs –  Partner APIs –  Public APIs (consumer, open, mobile etc.) •  Tiers (legs) –  Server-to-Server (internal, partner) usually 2-legged authentication –  End-user (consumer, mobile, open) usually requires 3-legged authentication API Types (again) `

48. Copyright ©2013 Ping Identity Corporation. All rights reserved.48 Confidential •  Internal, Server-to-Server APIs –  Use OAuth 2.0 with Bearer Tokens obtained through a Client Credentials grant (only 2-legged requirement) –  Alternatives: 802.1X with RADIUS/Diameter, X.509 •  Partner, Server-to-Server APIs –  Use OAuth 2.0 with Bearer obtained through a Client Credentials grant (only 2-legged requirement) –  Alternatives: VPN/IPSec with RADIUS/Diameter, X.509 •  Consumer, Open or End-user Internal/Partner –  Consumer/Open APIs: use OAuth 2.0 with Bearer Tokens, using Authentication Code or Implicit Grant flow (better support for advanced authentication options, less trust on clients) •  Mobile APIs –  use Oauth 2.0 (3-legged requirement) with Bearer Tokens obtained through a Resource Owner grant or OS integration if available (better UX) Recommendations

49. Copyright ©2013 Ping Identity Corporation. All rights reserved.49 Confidential •  Security vs. Freedom •  Devil’s advocate OAuth 1.0a isn’t all bad, and tons of people implement it for Twitter. •  How badly do you want to protect this vs. how badly do you want people to use it? •  All the way to physically securing the interface… In conclusion…