CIS14: API Security for the Cloud: Tales from the Trenches

Ross Garrett, Axway
Examples of how organizations are securing APIs, examining the API security state of play for the cloud, including how they are implementing OAuth, managing keys, and handling API security in the real world.

Published in: Technology

  1. © 2014 Axway | Confidential. API Security for the Cloud. Ross Garrett, rgarrett@axway.com | @gssor. Cloud Identity Summit 2014
  2. Access Control isn't this simple
  3. Modern Enterprises have many open windows
  4. Web APIs power the Open Enterprise
  5. Identity is key to protecting APIs
  6. Identity is key to protecting APIs (?)
  7. User Experience is actually key
  8. There are many layers to a complete Security Solution: API Gateway, MDM, MAM, Firewalling, IAM, API Security
  9. The Role of the API Gateway
     • Threat Protection
     • Encryption
     • Authentication
     • Authorization
     • Policy Enforcement (e.g. Throttling)
  10. A simple API Security example
  11. The Role of the API Gateway: basic throttling or rate limiting can prevent malicious access to public APIs
  12. Basic Identity Federation
  13. The Role of the API Gateway
     • Securely bridging identity across domains
       – Mediating between token formats
     • Provide an STS overlay on top of existing IAM infrastructure
       – Enabling the extension of identity assets to the cloud
     • Track and audit usage
  14. The password anti-pattern
  15. Solving this problem with OAuth
  16. The Role of the API Gateway
     • Provide an OAuth façade on top of legacy IAM
     • Clients should not be storing user passwords
       – OAuth Tokens represent explicit authorization for a specific task
     • Provide a centralized way to de-authorize clients
       – Low latency token store
  17. Leveraging Social Login
  18. Leveraging Social Login
  19. The Role of the API Gateway
     • Apply Social Login at an infrastructure level
       – Bringing API Access and SSO together
     • Monitoring and Reporting
       – Trends over time
       – Audit trail
     • Enterprise Identity Management Integration
       – Adapters to directories, Web Access Management
  20. Some Customer Examples
  21. Leading pharmaceutical company – SSO Solution
     Challenge:
     • Users have two passwords (one for Intranet, one for SharePoint)
     • Two user authentication technologies (Oracle and Microsoft)
     [Diagram labels: Web Browser, API Gateway, API, Intranet Site, SharePoint, Oracle Access Manager, Active Directory]
  22. Large US Health Plan – Mobile Access
     Challenge:
     • Manage mobile (tablet, phone) access to medical systems
     • Consolidate across Oracle and IBM identity systems
     Solution [Diagram labels: Mobile Devices, Secure connection, API Gateway, API, Web APIs, Oracle SOA, SAML, Identity Management Integration]
  23. Leading Mutual Fund Provider – Cloud Access
     Challenge:
     • Must authenticate clients against CA SiteMinder
     • Must expose internal systems as APIs for Mobile apps to access
     • Secure Connection to Salesforce
     Solution [Diagram labels: API Gateway, Secure connection, Check cookie, Encrypted Data]
  24. Thank-you! Ross Garrett, rgarrett@axway.com | @gssor
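As an added example (not from the deck and not Axway's gateway code), the checks described on slides 11 and 16 combined into one small gateway policy: tokens held in a central store that binds each one to a client and an explicit scope and can revoke it instantly, followed by a per-client sliding-window rate limit. Token values, scopes, the limit and the window are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample token store, as the gateway's OAuth façade might populate it.
# Each token carries explicit authorization for a specific task (its scopes).
TOKEN_STORE = {
    "tok-mobile-1": {"client": "mobile-app", "scopes": {"claims:read"}, "revoked": False},
    "tok-portal-7": {"client": "web-portal", "scopes": {"claims:read", "claims:write"}, "revoked": False},
}

RATE_LIMIT = 3            # constructed: requests per client per window
WINDOW_SECONDS = 60.0     # constructed: sliding window length
_recent = defaultdict(deque)   # client -> timestamps of requests inside the window


def revoke(token):
    """Centralized de-authorization: one flag flip in the shared store takes effect
    on the next request, without the client having to cooperate."""
    TOKEN_STORE[token]["revoked"] = True


def throttled(client, now):
    """Sliding-window rate limit per client. Returns True when the request must be rejected."""
    q = _recent[client]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()                      # drop timestamps that fell out of the window
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def authorize(token, required_scope, now=None):
    """Gateway decision for one request: (allowed, reason).
    Token validity and scope are checked before throttling so the limit is keyed
    on an authenticated client rather than on an attacker-chosen string."""
    now = time.time() if now is None else now
    entry = TOKEN_STORE.get(token)
    if entry is None or entry["revoked"]:
        return False, "invalid_token"        # maps to HTTP 401
    if required_scope not in entry["scopes"]:
        return False, "insufficient_scope"   # maps to HTTP 403
    if throttled(entry["client"], now):
        return False, "rate_limited"         # maps to HTTP 429
    return True, "ok"
```

Passing `now` explicitly keeps the policy deterministic for tests; in a real gateway the token store would be a shared low-latency service so that revocation is visible to every gateway node at once.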