CIS13: APIs, Identity, and Securing the Enterprise

Bradford Stephens, Developer Evangelist, Ping Identity
APIs are the glue of the web, and Enterprise APIs are driving innovation inside and outside the cloud. Now that information is being shared more freely, how can we secure those APIs? Data silos are falling across the enterprise and the need for interoperability is rising -- but how do you manage access in a de-siloed world? This talk mixes best practices and real-world examples to show how to secure your APIs.


  1. API Security
     Bradford Stephens (Ping) & Tim Anglade (Apigee)
     Copyright ©2013 Ping Identity Corporation. All rights reserved. Confidential
  2. Contents
     • Intros
     • The “Platform Imperative”
     • What does Security Mean?
     • Solutions
     • Wrap-Up
  3. Bradford Intro
     • Hi!
     • Former CEO of VC-backed database startup, Drawn to Scale. Built a distributed SQL database, Spire, from scratch.
     • Does a lot of work in big data, distributed systems, and APIs.
     • Now running Developer Evangelism + Platforms @ Ping!
  4. Tim Intro
     • Hi as well!
     • Built financial infrastructure at NASDAQ, an eCommerce startup, Invited Expert work at W3C, and now APIs & Mobile Apps
     • Spent a few years focusing heavily on distributed systems and NoSQL databases — nosqltapes.com and nosqlsummer.org
     • Now running Developer Programs @ Apigee!
  5. Business Software is Changing
     (diagram: Biz Apps at the centre, surrounded by CRM, Sales, Analytics, Sharepoint, Website, Transactions, Marketing)
  6. Business Software is Changing
     (diagram: Biz Apps now surrounded by Salesforce, Box, AWS, Shopify, Omniture, Google Apps)
  7. Business Software is Changing
     (diagram: the same services as on slide 6, each now reached through an API)
  8. The Enterprise Must Open
     Understanding the API Economy—the billionaire club
  9. The Enterprise Must Open: API Growth Rate
     • Open APIs
       – We just hit the 7,000 API mark
       – 8,000 by year end
       – 16,000 by 2015
     • Dark APIs
       – Dark APIs are growing at roughly 5x the Open API growth rate
       – 80,000 by 2015
  10. The Enterprise Must Open
     • Internal apps must be refactored
     • Close collaboration with Partners
     • Explosion of different channels and devices
     • Everything is more social
  11. What even is security?
     What does security mean in this open-by-default world?
  12. The never-ending battle
     • Security is a never-ending battle between collaboration and secrets … to get work done
     • Once we’ve chosen where we fall on that spectrum, how do we keep security around the choice?
  13. Major Concepts
     • Identity
     • Authentication
     • Authorization
     • Encryption
     • Accounting
  14. Identity
     • Answers “Who are you?”
     • UserIDs, Digital Certificates, ATM Cards
     • A public claim asserting who you are
  15. Authentication
     • Answers “How can you prove who you are?”
     • Responding to a challenge
     • Shared secrets, best if known only to the user (private key)
  16. Authorization
     • Answers “What are you allowed to do?”
     • Token/Ticket Mechanism
     • Certain tokens are allowed certain abilities
     • Enforcing the principle of least privilege
  17. Encryption
     • Answers “How can we keep this secret?”
     • Only authorized parties can understand the data
     • Non-symmetric algorithms ‘mask’ data – ‘impossible’ to reverse engineer
  18. Accounting
     • Answers “Who did what, when?”
     • Typically uses a logging mechanism (Splunk)
     • “Closes the loop” between Authentication and Authorization
     • Essential for identifying gaps and for postmortems
  19. So what is API Security?
     • A Secure API only allows the right people the right amount of access to resources and data
     • Has to balance collaboration in an open-by-default world against keeping important secrets
     • Many, many ways to do this
  20. Recap
     Method                   | Identity | Authentication | Authorization   | Channel Enc. | Accounting
     Dedicated ATM            |          | X              |                 | X            |
     802.1X                   |          | X              |                 | X            |
     LDAP                     | X        |                |                 |              |
     ActiveDirectory          | X        |                | X (partial)     |              |
     Database Table           | X        |                |                 |              |
     RADIUS/Diameter          |          | X              | X               |              | X
     VPN / IPSec              |          | X              |                 | X            |
     X.509                    | X        | X              |                 |              |
     SSL, TLS, DTS            |          |                |                 | X            |
     Basic/Digest Auth, Login | X        | X              |                 |              |
     2-factor                 |          | X              |                 |              |
     Master login             | X        | X              |                 |              |
     API keys                 |          | X              | X (partial)     |              |
     OAuth 1.0                |          |                |                 |              |
     OAuth 1.0a               |          | X              | (partial)       |              |
     OAuth 2.0                |          | X              | (partial)       |              |
     OpenID                   |          | X              |                 |              |
     OpenID Connect           |          | X              |                 |              |
     SAML                     |          | X              | X (partial)     |              |
     Shiro or other framework |          | X              | X               |              |
     Splunk or other logging  |          |                |                 |              | X
     Roll your own            |          |                |                 |              |
  21. Topology
     (diagram: Database → App Layer → API; User A calls through App 1, User B through App 2, User C through App 3)
  22. API Types
     • Use-cases
       – Internal APIs
       – Partner APIs
       – Public APIs (consumer, open, mobile etc.)
     • Tiers (legs)
       – Server-to-Server (internal, partner): usually 2-legged authentication
       – End-user (consumer, mobile, open): usually requires 3-legged authentication
  23. Topology
     (diagram repeated from slide 21)
  24. Common Security Concerns
     • Malicious Apps
     • Well-intentioned but vulnerable App
     • Well-intentioned App with Malicious Users
  25. Topology
     (diagram repeated from slide 21)
  26. Remedies
     • Two classes
       – Human & Business
       – Technologies
     • Secure APIs use both!
  27. Human & Business Remedies
     1. Registration Wall
       – Knowing is half the battle!
       – Identify problematic apps or users
       – Isolate them from other traffic
       – Provide a means of communicating with well-intentioned users
  28. Human & Business Remedies
     2. Proof
       – Enhance registration by requiring proof that the account was not created automatically (captcha) or has a legitimate email address (activation link)
       – Phone Activation
       – Driver’s license, …
  29. Human & Business Remedies
     3. Traffic Shaping
       – Quotas
       – Throttling
       – Tiered Traffic
       – Dynamic IP Filters
       – Dynamic ISP Filters
       – Up to & including blocking
       – Processes, not technologies!
  30. Human & Business Remedies
     4. Audits & Certifications
       – More useful than you think
       – Check for dark corners in your organization
       – PCI-DSS and ISO 2700X series
  31. Human & Business Remedies
     • Which of these should you implement?
     • All of them? (Again, security vs. freedom.)
     • Don’t forget to impose those human & business rules on internal users!
       – 80.123456% of DDoS cases come from inside the house.
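The registration wall and traffic-shaping remedies from slides 27 to 31, as an added example that is not part of the deck: a per-app sliding-window throttle and daily quota keyed on the tier an app was registered with, with unregistered callers refused and escalation up to blocking. Tier names, limits, app IDs and the simulated clock are all constructed for illustration.

```python
from collections import deque

# Tiers attached to registered apps (the registration wall); limits are constructed.
TIERS = {
    "public":   {"per_minute": 5,   "per_day": 20},
    "internal": {"per_minute": 500, "per_day": None},  # throttled, no daily quota
}

class TrafficShaper:
    def __init__(self, registry):
        self.registry = registry   # app_id -> tier name, from registration
        self.minute = {}           # app_id -> deque of request times (60 s window)
        self.day = {}              # app_id -> deque of request times (24 h window)
        self.blocked = set()       # escalation: up to and including blocking
    def block(self, app_id):
        self.blocked.add(app_id)
    @staticmethod
    def _window(store, app_id, now, size):
        # Sliding window: forget requests older than `size` seconds.
        q = store.setdefault(app_id, deque())
        while q and q[0] <= now - size:
            q.popleft()
        return q
    def admit(self, app_id, now):
        # Returns "allow" or a reason a gateway would map to 401/403/429.
        tier_name = self.registry.get(app_id)
        if tier_name is None:
            return "reject:unregistered"     # unknown caller: no registration, no service
        if app_id in self.blocked:
            return "reject:blocked"
        tier = TIERS[tier_name]
        q_min = self._window(self.minute, app_id, now, 60)
        q_day = self._window(self.day, app_id, now, 86400)
        if len(q_min) >= tier["per_minute"]:
            return "throttle:per_minute"     # 429, retry once the window slides
        if tier["per_day"] is not None and len(q_day) >= tier["per_day"]:
            return "reject:quota_exhausted"  # daily quota used up
        q_min.append(now)
        q_day.append(now)
        return "allow"

def demo():
    # Constructed traffic: one public app bursting, one internal app, one stranger.
    shaper = TrafficShaper({"app_pub": "public", "app_int": "internal"})
    burst = [shaper.admit("app_pub", now=0.0) for _ in range(6)]
    after_window = shaper.admit("app_pub", now=61.0)
    # Burn the daily quota: up to 5 per minute until 20 requests have been allowed.
    for minute in (2, 3, 4):
        for _ in range(5):
            shaper.admit("app_pub", now=60.0 * minute)
    over_quota = shaper.admit("app_pub", now=300.0)
    shaper.block("app_int")
    return {"burst": burst, "after_window": after_window, "over_quota": over_quota,
            "blocked": shaper.admit("app_int", now=300.0),
            "stranger": shaper.admit("nobody", now=300.0)}
```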
  32. Technical Remedies!
     • Identity
     • Authentication
     • Authorization
     • Encryption (Channel Security)
     • Accounting (Auditing)
  33. Recap
     Method                   | Identity | Authentication | Authorization   | Channel Enc. | Accounting
     Dedicated ATM            |          | X              |                 | X            |
     802.1X                   |          | X              |                 | X            |
     LDAP                     | X        |                | X (definitions) |              |
     ActiveDirectory          | X        |                | X (definitions) |              |
     Database Table           | X        |                |                 |              |
     RADIUS/Diameter          |          | X              | X               |              | X
     VPN / IPSec              |          | X              |                 | X            |
     X.509                    | X        | X              |                 |              |
     SSL, TLS, DTS            |          |                |                 | X            |
     Basic/Digest Auth, Login | X        | X              |                 |              |
     2-factor                 |          | X              |                 |              |
     Master login             | X        | X              |                 |              |
     API keys                 |          | X              | X (primitives)  |              |
     OAuth 1.0                |          |                |                 |              |
     OAuth 1.0a               |          | X              | (primitives)    |              |
     OAuth 2.0                |          | X              | (primitives)    |              |
     OpenID                   |          | X              |                 |              |
     OpenID Connect           |          | X              |                 |              |
     SAML                     |          | X              | X (primitives)  |              |
     Shiro or other framework |          | X              | X               |              |
     Splunk or other logging  |          |                |                 |              | X
     Roll your own            |          |                |                 |              |
  34. Technical Remedies!
     1. Dedicated ATM connection
       – You laugh, but…
  35. Technical Remedies!
     2. Identity Providers
       – LDAP
       – ActiveDirectory (provides authorization as well)
       – User table in your database…
       – Third party: Google, Twitter, etc. — still usually maps to a user record in your internal tables.
       – Every other combination of solutions will use one of the first three in this list!
  36. Technical Remedies!
     3. Network Channel Security
       – LAN level: 802.1X
       – Beyond the LAN: use VPN/IPSec
       – Both provide machine authentication and point-to-point channel encryption
       – Both would rely on a RADIUS or Diameter server for user authentication and authorization management
  37. Technical Remedies!
     4. Application/HTTP Channel Security
       – SSL, TLS
       – X.509
  38. Technical Remedies!
     4. Authentication
       – Basic/Digest Auth (over SSL)
       – Login form, then API key
       – Optional 2-factor (code generator, keyfob, etc.)
       – Plugged into LDAP, a table of API keys, or a hardcoded master login (bad).
       – All-or-nothing keys: like giving every app full access to your Facebook account
  39. Technical Remedies!
     4. Authentication/Authorization with OAuth
       – OAuth fundamentally tries to solve this problem: it does authentication while allowing authorization to be segmented per app
       – “Valet Key” analogy: the App has access to the system as you, but cannot do certain things (like change your password)
       – That valet key is a token that automatically expires after a certain time
       – Allows for “3-legged Authentication”: not just API and App (or API and User), but API, App and User
         • Use this for revocation and accounting
       – You still end up doing a regular authentication somewhere in the middle (Basic auth, login form, etc.)
  40. Technical Remedies!
     – OAuth 1
       • Do not use OAuth 1.0: logically insecure
       • OAuth 1.0a (RFC edition) fixes that, works nicely, in use at Twitter
       • Signatures are hard (designed so you don’t have to rely on SSL/TLS, though)
       • Malicious Apps can be kicked out and all their tokens revoked
       • Web authentication flow can use keyfobs or other multi-factor auth systems
       • Very web-centric. The ideal use-case when it was designed was “allow Twitter to access my Flickr photos”
  41. Technical Remedies!
     – OAuth 2.0
       • Lead author famously walked out; not all bad though!
       • Hard to implement correctly, in a secure manner
       • Lots of grant types
       • Not as interoperable as OAuth 1 — really a security framework now, not a protocol anymore
       • Formalizes “scopes” for specific permissions (like “post to wall”, “see friends”, etc.)
       • Introduces refresh tokens — stay away
       • Introduces compatibility with SAML and JWT — stay away
       • 2 token types: Bearer and MAC
  42. Technical Remedies!
     – OAuth 2.0 Bearer Tokens
       • The only ones used in practice
       • As insecure as a bearer bond
       • Rely heavily on the channel being secure, which is rarely the case, even over HTTPS
       • No client binding
         – App B could use a token issued for App A to log in as you to App A
         – Facebook wrote its own extension to deal with that
       • Stay away from refresh tokens: they only serve a very narrow use-case where two-tier refreshes are necessary.
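The token checks slides 38 to 42 call for, as an added example that is not part of the deck or of any Ping/Apigee product: an opaque bearer token bound to the app it was issued to, carrying scopes instead of all-or-nothing access, expiring automatically, revocable per app, with every decision written to an accounting log. The class and value names (ResourceServer, app_a, photos:read) and the simulated clock are constructed; it assumes the API already knows which app is calling through an authenticated channel, since a plain bearer token carries no client binding of its own.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class TokenRecord:
    client_id: str      # app the token was issued to (client binding)
    subject: str        # user the app acts for ("as you"), or the app itself
    scopes: frozenset   # least-privilege permissions, e.g. {"photos:read"}
    expires_at: float   # the valet key expires automatically

@dataclass
class ResourceServer:
    tokens: dict = field(default_factory=dict)     # stand-in for token introspection
    audit_log: list = field(default_factory=list)  # accounting: who did what, when

    def issue(self, client_id, subject, scopes, now, ttl=3600):
        token = secrets.token_urlsafe(32)          # opaque, unguessable handle
        self.tokens[token] = TokenRecord(client_id, subject, frozenset(scopes), now + ttl)
        return token

    def revoke_client(self, client_id):
        # Kick out a misbehaving app: drop every token issued to it.
        self.tokens = {t: r for t, r in self.tokens.items() if r.client_id != client_id}

    def authorize(self, token, presenting_client, required_scope, now):
        # presenting_client must come from an authenticated channel (e.g. the
        # app's own credentials): a bare bearer token carries no client binding.
        rec = self.tokens.get(token)
        if rec is None:
            outcome = "deny:unknown_or_revoked"
        elif now >= rec.expires_at:
            outcome = "deny:expired"
        elif rec.client_id != presenting_client:
            outcome = "deny:client_mismatch"      # App B replaying App A's token
        elif required_scope not in rec.scopes:
            outcome = "deny:insufficient_scope"   # no all-or-nothing keys
        else:
            outcome = "allow"
        subject = rec.subject if rec else None
        self.audit_log.append((now, presenting_client, subject, required_scope, outcome))
        return outcome

def demo():
    # Walk through the cases the deck warns about; values and the clock are constructed.
    rs = ResourceServer()
    t = rs.issue("app_a", "alice", {"photos:read"}, now=1000.0, ttl=600)
    results = {
        "ok": rs.authorize(t, "app_a", "photos:read", now=1100.0),
        "wrong_scope": rs.authorize(t, "app_a", "password:change", now=1100.0),
        "wrong_app": rs.authorize(t, "app_b", "photos:read", now=1100.0),
        "expired": rs.authorize(t, "app_a", "photos:read", now=1700.0),
    }
    rs.revoke_client("app_a")
    results["revoked"] = rs.authorize(t, "app_a", "photos:read", now=1100.0)
    return results, len(rs.audit_log)
```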
  43. Technical Remedies!
     5. Authorization
       – Shiro — a Java framework to enforce authorization rules in your apps
       – SAML — full XML protocol to handle authentication and authorization
  44. Recap
     (the table from slide 33, shown again)
  45. Connect 5!
     (the table from slide 33, shown again)
  46. Connect 5!
     (the table from slide 33, shown again)
  47. API Types (again)
     • Use-cases
       – Internal APIs
       – Partner APIs
       – Public APIs (consumer, open, mobile etc.)
     • Tiers (legs)
       – Server-to-Server (internal, partner): usually 2-legged authentication
       – End-user (consumer, mobile, open): usually requires 3-legged authentication
  48. Recommendations
     • Internal, Server-to-Server APIs
       – Use OAuth 2.0 with Bearer Tokens obtained through a Client Credentials grant (only a 2-legged requirement)
       – Alternatives: 802.1X with RADIUS/Diameter, X.509
     • Partner, Server-to-Server APIs
       – Use OAuth 2.0 with Bearer Tokens obtained through a Client Credentials grant (only a 2-legged requirement)
       – Alternatives: VPN/IPSec with RADIUS/Diameter, X.509
     • Consumer, Open or End-user Internal/Partner
       – Consumer/Open APIs: use OAuth 2.0 with Bearer Tokens, using the Authorization Code or Implicit Grant flow (better support for advanced authentication options, less trust placed in clients)
     • Mobile APIs
       – Use OAuth 2.0 (3-legged requirement) with Bearer Tokens obtained through a Resource Owner grant, or OS integration if available (better UX)
  49. In conclusion…
     • Security vs. Freedom
     • Devil’s advocate: OAuth 1.0a isn’t all bad, and tons of people implement it for Twitter.
     • How badly do you want to protect this vs. how badly do you want people to use it?
     • All the way to physically securing the interface…
  50. Thanks!
     • Questions, comments: bstephens@pingidentify.com tim.a@apigee.com