Enterprise API Security & Data Loss Prevention - Intel

Published in: Technology, Business
  1. Enterprise API Security: AuthN, DLP, Validation Controls
     Security layers: Application (Layer 7+; API Gateway design pattern focus), Protocol (Layers 4-6), Network (Layers 1-3)
     Dan Woods - CTO, Technology Analyst; Chad Holmes - McAfee DLP; Blake Dournaee - Intel Application Security & Identity Products
  2. Today’s Agenda
     • Why are APIs en vogue
     • API Security Layers - What applies today?
     • Why Threat Protection & DLP are Important
     • Blending API Gateway & DLP Deployments
     • Example technical solution flows
  3. Dan Woods - CTO, Technology Analyst
  4. Who is Dan Woods? Over a Dozen Books on Enterprise Architecture
  5. APIs are In Vogue - According to Programmable Web
  6. API Security Layers to Consider
     Token Authentication of Payload:
     • Users and data
     • OAuth AuthN at time of app handshake
     • X509 Cert, SAML, SSL
     Authorization:
     • XACML
     • Decoupled from app point of use
     Perimeter Defense:
     • Combat DNS, code injection, malware, data leaks
     • Countermeasures - data validation, input validation, pattern-based scanning, heuristics, anti-virus, and anti-malware
     Service/API Level:
     • Centralized, monitored access to code
     • Versioning & change control policy
     (Diagram labels: Datacenter, Data, Users, Trust, Control, Consume, Expose)
     Coordinated management of these security concerns across departments, developers, and architects is problematic.
  7. Five Enterprise API Usage Patterns
     • Supporting Partners with APIs and Web Services
     • Supporting Mobile Use of Enterprise Services
     • Controlling Use of Cloud Infrastructure as a Service
     • Controlling and Securing Platform as a Service Applications
     • Supporting Use of Valuable Data in the Cloud
  8. Supporting Mobile Use of Enterprise Services
  9. Controlling Use of Cloud Infrastructure as a Service
  10. Chad Holmes - Enterprise Security Architect, McAfee DLP
  11. Data Protection Challenges
     Regulated Data:
     • Comply with multiple regulations
     • Reduce costs associated with audit
     • Protect reputation & reduce penalties
     Enabling Business 2.0:
     • Support supply chain & partner integration
     • Support safe, flexible use of business data
     • Enable safe, two-way B2B/C communication
     Sensitive Data:
     • Protect intellectual property
     • Maintain competitive advantage
     • Ensure appropriate chain of custody
  12. The Reason for a Data Loss Program (source: Verizon Data Breach Investigations Report)
  13. Verticals Ahead Of The DLP Wave (rows: Regulation, Secret Data)
  14. Data Types per Vertical (rows: Regulation, Secret Data)
     Regulated data: Health Codes, Patient Records, Drug Formulas, MRI Images, Social Security Numbers, Account Numbers, Routing Numbers, Revenue, CCN, Employee Data, Gov. Forms, Source Code, Gov. ID Numbers, CCN, Government Secrets, Pipeline Docs, Control Data, Design Schemas
     Secret data: Power and Performance Data, Source Code, Source Code, Trade Secrets, Designs, Employee Data, Patents, Price Lists
  15. Data Types per Data Loss Percentage (source: Verizon Data Breach Investigations Report)
  16. Framing The Data Loss Problem
     Data Types      Data Loss Vectors                             Solution
     Data-in-Motion  Email, Web Post, IM Chat                      Network
     Data-at-Rest    File Share, Database, Desktop, Laptop         Network & Endpoint
     Data-in-Use     Removable Media, Printer, Screen, Clipboard   Endpoint
  17. McAfee Data Loss Prevention Solution (diagram)
     • Data-At-Rest: McAfee DLP Discover scanning File Shares, Databases, Server Farm
     • Data-In-Motion: Egress Point with Span/Tap feeding McAfee DLP Monitor and McAfee DLP Prevent; McAfee Web Gateway; McAfee Email Gateway
     • Data-In-Use: McAfee DLP Endpoint on PC/Laptop, Connected or Disconnected, enforcing Protection Rules
     • Management: McAfee ePO/Manager with a Data Connection to the components above
  18. Gateway Design Pattern
     Enterprise Gateway - Security Decoupling: native mobile applications and partner services communicate with the application through the gateway
     When:
     • Architectural best practice for exposing and consuming API communication
     • Product agnostic
     • Relies on indirection to solve security, performance and management problems
     • Applies nicely for app to app traffic
     "All problems in computer science can be solved by another level of indirection." - David Wheeler
     "...except for the problem of too many layers of indirection." - Kevlin Henney
  19. Blake Dournaee - Product Management, Intel Application Security & Identity Products
  20. Mobile-enabling a legacy SOAP service in 6 steps
  21. Mobile-enabling a legacy SOAP service in 6 steps
     Receive REST call, then:
     • Structural and semantic threats
     • Throttle and rate shape
     • OAuth authentication and ID extraction
     • REST to SOAP: augment and transform
     • Invoke legacy SOAP backend
     • On the response: structural and semantic threats; trap data leaks and malware back to the client
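The flow on the slide above, written out as one gateway pipeline so each step has a concrete check behind it. This is an added illustration, not code from Intel, McAfee or any product: the bearer token store, client ids, allowed field list, rate limit, source addresses and the legacy backend reply (which deliberately contains a constructed SSN and a test card number) are all assumptions made for the example. Each step raises a gateway error with the HTTP status the caller sees, and the DLP step on the return path redacts rather than forwards the sensitive values.

```python
"""Gateway pipeline for the six steps above: an added illustration, not Intel, McAfee or any
product's code. Tokens, client ids, the field whitelist and the legacy reply are constructed."""
import json
import re
import time
import xml.etree.ElementTree as ET
from collections import deque

MAX_BODY_BYTES = 4096                     # structural threat: oversized payload
MAX_JSON_DEPTH = 8                        # structural threat: deeply nested JSON
ALLOWED_FIELDS = {"account_id", "query"}  # semantic check: field whitelist
RATE_LIMIT, RATE_WINDOW_SECS = 3, 60.0    # per source address, sliding window
TOKENS = {"tok-mobile-app": {"client_id": "mobile-app", "scope": "accounts:read"}}  # constructed; stands in for token introspection
_request_log = {}                         # peer address -> deque of timestamps
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,16}\b")

class GatewayError(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status, self.reason = status, reason
def json_depth(obj):
    """Nesting depth, so JSON 'bombs' are rejected before business logic sees them."""
    children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else ()
    return 1 + max((json_depth(c) for c in children), default=0)
def check_structure(raw_body):
    """Structural and semantic threats: size, well-formedness, depth, unknown fields."""
    if len(raw_body) > MAX_BODY_BYTES:
        raise GatewayError(413, "payload too large")
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise GatewayError(400, "malformed JSON") from None
    if json_depth(body) > MAX_JSON_DEPTH:
        raise GatewayError(400, "JSON nesting too deep")
    if not isinstance(body, dict) or "account_id" not in body or set(body) - ALLOWED_FIELDS:
        raise GatewayError(400, "unexpected or missing fields")
    return body
def throttle(peer, now=None):
    """Throttle and rate shape: sliding-window limit keyed on the source address."""
    now = time.monotonic() if now is None else now
    window = _request_log.setdefault(peer, deque())
    while window and now - window[0] > RATE_WINDOW_SECS:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        raise GatewayError(429, "rate limit exceeded")
    window.append(now)
def authenticate(headers):
    """OAuth authentication and ID extraction against the constructed token store."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise GatewayError(401, "missing bearer token")
    claims = TOKENS.get(auth[len("Bearer "):])
    if claims is None or "accounts:read" not in claims["scope"].split():
        raise GatewayError(403, "invalid token or scope")
    return claims["client_id"]
def rest_to_soap(body, client_id):
    """REST to SOAP: build the envelope with the XML API so values are escaped, not concatenated."""
    ns = "http://schemas.xmlsoap.org/soap/envelope/"
    env = ET.Element(f"{{{ns}}}Envelope")
    op = ET.SubElement(ET.SubElement(env, f"{{{ns}}}Body"), "GetAccount")
    ET.SubElement(op, "AccountId").text = str(body["account_id"])
    ET.SubElement(op, "Caller").text = client_id   # augment with the OAuth identity
    return ET.tostring(env, encoding="unicode")
def legacy_backend(soap_request):
    """Stand-in for the legacy service: a constructed reply that carelessly includes PII."""
    return ("<Account><Id>42</Id><Owner>A. Example</Owner>"
            "<SSN>123-45-6789</SSN><Card>4111111111111111</Card></Account>")
def luhn_ok(digits):
    """Luhn check so plain digit runs (ids, timestamps) are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
def dlp_scan(text):
    """Trap data leaks on the way back: redact SSNs and Luhn-valid card numbers."""
    findings = []
    def redact(kind, m):
        if kind == "pan" and not luhn_ok(m.group(0)):
            return m.group(0)                      # plain digit run, not a card number
        findings.append(kind)
        return "***-**-****" if kind == "ssn" else "*" * (len(m.group(0)) - 4) + m.group(0)[-4:]
    text = SSN_RE.sub(lambda m: redact("ssn", m), text)
    return PAN_RE.sub(lambda m: redact("pan", m), text), findings

def handle(request, now=None):
    """Run the steps in slide order; return (status, body, dlp_findings)."""
    try:
        body = check_structure(request["body"])
        throttle(request["peer"], now)
        client_id = authenticate(request.get("headers", {}))
        reply = legacy_backend(rest_to_soap(body, client_id))
        redacted, findings = dlp_scan(reply)
        return 200, redacted, findings
    except GatewayError as e:
        return e.status, e.reason, []
```

Structural checks run before throttling and authentication so that an oversized or malformed body is dropped at the cheapest point; the throttle is keyed on the source address because no identity has been established yet; and the REST-to-SOAP step builds the envelope through the XML API rather than string formatting so client-supplied values cannot inject markup into the legacy request. The `findings` list returned by `handle` is what a gateway would log to the DLP manager rather than silently discarding.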
  22. Example: API Authentication with OAuth
     Policy-Driven Security:
     • Reduces coding
     • Improves consistency
     • Centralizes policies
     • Improves security
     • Enterprise grade
  23. Service Gateway: Delivers API Gateway Pattern
     Flow: Service API - Data Mediation - Security - Transformation - Enterprise
     "Very Strong Developer-Focused Product" - Analyst Review
     Any Protocol:
     • REST, SOAP, JSON
     • XML, non-XML
     • HTTP, FTP, TCP
     Offload Security:
     • OWASP top 10
     • ID Brokering
     • Message & transport
     • Attachment Scanning
     • DOS & Malware
     Security Certifications:
     • Common Criteria EAL 4+
     • DOD STIG PKI
     • HSM PKI Key Storage
     • Tamper proof hardware
     • Cavium Crypto
     Codeless Policy Design:
     • Route Services
     • Complex Exception Handling
     • Configuration not code
  24. Modern SaaS Application Architecture with API Gateway
  25. Resources
     • New API White Paper
     • 50% Coupon Code for Dan’s API Strategy Guide (ebook) - discount code: ADAPSTG at shop.oreilly.com
     • On-demand API Webinars
     • www.cloudsecurity.intel.com
     • www.mcafee.com/cloudsecurity