SlideShare a Scribd company logo

Unified Security for Mobile, APIs and the Web

Download as PPTX, PDF
Akana
Akana

This presentation explains the varioius security scenarios for your mobile and Web applications, and APIs. We go into the specifics of OAuth, SAML, SSO, authentication/authorization, policy, protection and a host of other related issues that will help you understand how to keep your data secure.

Technology
1 of 15
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Unified Security Mobile, Web and APIs
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. The Security Landscape • Authentication, Authorization, SSO • Licensing • Quota Management • Protection • Role of Policy Au/Az/SSO Licensing Quota Management Protection
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Authentication/Authorization/SSO • Confusing array of standards: – OAuth – SAML – OpenID – SCIM • A variety of App types – Desktop – Mobile – Web • Enterprise SSO and its set of legacy systems
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Use Cases • Enterprise support for public credentials – Tiered service • Providing APIs for Web applications • Enabling a new API digital channels using OAuth. Perhaps in conjunction with: – SAML – OpenID • Extending/modernizing Enterprise SSO via: – OpenID Connect – SAML
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Combining SAML and OAuth 1. Try to get OAuth Token 2. Redirect with SAML Authentication Request 3. Log the user in, create the SAML assertion and redirect again 4. Verify SAML token and issue OAuth token 5. App makes call to API 6. Gateway validates OAuth token and performs fine grained authorization
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Licensing • You may want to enable a business model based on different: – Operations or resources – Levels of service • The licenses control: – OAuth Authorization Scopes – Document visibility – Quota policies
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Licensing - Flow Validate OAuth Token Authorize API Call Determine License Licenses provides QoS policies
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Quota Management • You probably want different licenses with different levels of service • The levels of service are: – Throughput – Bandwidth consumed over time – Concurrency – Availability • Apps could either be cut-off or events generated when quotas are exceeded. Events can be used for overage billing
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Protection • Denial of Service • Injection Attacks • XSS • Viruses
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. The Role of Policy Lower cost and risk: • Separate functional and non- functional • Decouple changing standards from your implementation • Provide multiple options depending on the channel • Mediate
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. The Role of Policy • An API is exposed externally that has a security policy of: – OAuth with SAML2 • Internally, the security policy is: – WSS/SAML • The system can use these declarative policies to automatically convert the OAuth token inbound to the WSS/SAML token that is required by downstream services
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. SOA Software’s API Platform
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. API Platform • Measure the impact of your programsAnalytics • Build your developer and partner ecosystem Developer Engagement • Secure and protect your systemsGateway Services • Simplify and speed up development Service Integration • Build the right services & APIs the right way Lifecycle Management
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. In the Cloud or On-Premise
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Thanks… Alistair Farquharson, CTO, SOA Software www.soa.com @afarqu @SOASoftwareInc

Recommended

API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
CIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and HacksCIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and Hacks
CloudIDSummit
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API Security
Distil Networks
 
Deconstructing API Security
Deconstructing API SecurityDeconstructing API Security
Deconstructing API Security
Akana
 
Security in mulesoft
Security in mulesoftSecurity in mulesoft
Security in mulesoft
akshay yeluru
 
Aruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPassAruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPass
Paulo Eduardo Sibalde
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
himajareddys
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
CA API Management
 

Recommended

API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
CIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and HacksCIS14: Protecting Your APIs from Threats and Hacks
CIS14: Protecting Your APIs from Threats and Hacks
CloudIDSummit
 
The Inconvenient Truth About API Security
The Inconvenient Truth About API SecurityThe Inconvenient Truth About API Security
The Inconvenient Truth About API Security
Distil Networks
 
Deconstructing API Security
Deconstructing API SecurityDeconstructing API Security
Deconstructing API Security
Akana
 
Security in mulesoft
Security in mulesoftSecurity in mulesoft
Security in mulesoft
akshay yeluru
 
Aruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPassAruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPass
Paulo Eduardo Sibalde
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
himajareddys
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
CA API Management
 
12 palo alto app-id concept
12 palo alto app-id concept12 palo alto app-id concept
12 palo alto app-id concept
Mostafa El Lathy
 
Protecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond OauthProtecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond Oauth
Apigee | Google Cloud
 
DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
ClearPass Overview
ClearPass OverviewClearPass Overview
ClearPass Overview
JoAnna Cheshire
 
Is live chat safe?
Is live chat safe?Is live chat safe?
Is live chat safe?
Shubhangi Swami
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
MuleSoft
 
PingOne IDaaS: What You Need to Know
PingOne IDaaS: What You Need to KnowPingOne IDaaS: What You Need to Know
PingOne IDaaS: What You Need to Know
CloudIDSummit
 
Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
Akana
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
OracleIDM
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
CA Technologies
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud Security
Will Tran
 
API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?
Akana
 
Confronting API Security in the Brave New Open Banking Era
Confronting API Security in the Brave New Open Banking EraConfronting API Security in the Brave New Open Banking Era
Confronting API Security in the Brave New Open Banking Era
Akana
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
Apigee | Google Cloud
 
CIS14: PingAccess in Action
CIS14: PingAccess in ActionCIS14: PingAccess in Action
CIS14: PingAccess in Action
CloudIDSummit
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
Akana
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
Akana
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
Akana
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
Akana
 

More Related Content

What's hot

DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
Apigee | Google Cloud
 
Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
Akana
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
OracleIDM
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 

What's hot (17)

12 palo alto app-id concept
12 palo alto app-id concept12 palo alto app-id concept
12 palo alto app-id concept
 
Protecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond OauthProtecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond Oauth
 
DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
ClearPass Overview
ClearPass OverviewClearPass Overview
ClearPass Overview
 
Is live chat safe?
Is live chat safe?Is live chat safe?
Is live chat safe?
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
PingOne IDaaS: What You Need to Know
PingOne IDaaS: What You Need to KnowPingOne IDaaS: What You Need to Know
PingOne IDaaS: What You Need to Know
 
Are APIs and SOA Converging?
Are APIs and SOA Converging?Are APIs and SOA Converging?
Are APIs and SOA Converging?
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud Security
 
API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?API Security: Does My Business Need OAuth?
API Security: Does My Business Need OAuth?
 
Confronting API Security in the Brave New Open Banking Era
Confronting API Security in the Brave New Open Banking EraConfronting API Security in the Brave New Open Banking Era
Confronting API Security in the Brave New Open Banking Era
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
 
CIS14: PingAccess in Action
CIS14: PingAccess in ActionCIS14: PingAccess in Action
CIS14: PingAccess in Action
 

Similar to Unified Security for Mobile, APIs and the Web

API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
Akana
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
Akana
 
APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?
Akana
 
API and SOA: Two sides of the same coin
API and SOA: Two sides of the same coinAPI and SOA: Two sides of the same coin
API and SOA: Two sides of the same coin
Sachin Agarwal
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
Akana
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access control
AaronLieberman5
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing Passwords
CA API Management
 
Building A Business-Facing Mobile Developer Community
Building A Business-Facing Mobile Developer CommunityBuilding A Business-Facing Mobile Developer Community
Building A Business-Facing Mobile Developer Community
ProgrammableWeb
 
XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)
Pasquale Tursi
 

Similar to Unified Security for Mobile, APIs and the Web (20)

API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
 
The Datacenter API
The Datacenter APIThe Datacenter API
The Datacenter API
 
APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?APIs and SOA: Two Sides of the Same Coin?
APIs and SOA: Two Sides of the Same Coin?
 
API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?API and SOA: Two Sides of the Same Coin?
API and SOA: Two Sides of the Same Coin?
 
API and SOA: Two sides of the same coin
API and SOA: Two sides of the same coinAPI and SOA: Two sides of the same coin
API and SOA: Two sides of the same coin
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SAS
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
 
Enterprise API Adoption Patterns
Enterprise API Adoption PatternsEnterprise API Adoption Patterns
Enterprise API Adoption Patterns
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access control
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing Passwords
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
 
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the ClientCIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
 
Secure Coding: SSL, SOAP, and REST
Secure Coding: SSL, SOAP, and RESTSecure Coding: SSL, SOAP, and REST
Secure Coding: SSL, SOAP, and REST
 
Building A Business-Facing Mobile Developer Community
Building A Business-Facing Mobile Developer CommunityBuilding A Business-Facing Mobile Developer Community
Building A Business-Facing Mobile Developer Community
 
XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)XO _Hosted Security Product Overview__v.21 (1)
XO _Hosted Security Product Overview__v.21 (1)
 
MultiValue Gets SaaS-y
MultiValue Gets SaaS-yMultiValue Gets SaaS-y
MultiValue Gets SaaS-y
 

More from Akana

Powering Internal API Communities
Powering Internal API CommunitiesPowering Internal API Communities
Powering Internal API Communities
Akana
 
Lifecycle Manager and the Lifecycle API
Lifecycle Manager and the Lifecycle APILifecycle Manager and the Lifecycle API
Lifecycle Manager and the Lifecycle API
Akana
 
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT EnterpriseThe API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
Akana
 
Using APIs for better Business Partnerships
Using APIs for better Business PartnershipsUsing APIs for better Business Partnerships
Using APIs for better Business Partnerships
Akana
 

More from Akana (20)

API Description Languages: Which is the Right One for Me?
API Description Languages: Which is the Right One for Me?API Description Languages: Which is the Right One for Me?
API Description Languages: Which is the Right One for Me?
 
Is it time for a Connector-less Approach to Cloud Integration?
Is it time for a Connector-less Approach to Cloud Integration? Is it time for a Connector-less Approach to Cloud Integration?
Is it time for a Connector-less Approach to Cloud Integration?
 
Delivering on Personalization with the Power of APIs
Delivering on Personalization with the Power of APIsDelivering on Personalization with the Power of APIs
Delivering on Personalization with the Power of APIs
 
Manage Your Mesh
Manage Your MeshManage Your Mesh
Manage Your Mesh
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
 
API Frenzy: API Strategy 101
API Frenzy: API Strategy 101API Frenzy: API Strategy 101
API Frenzy: API Strategy 101
 
API Description Languages
API Description LanguagesAPI Description Languages
API Description Languages
 
Powering Internal API Communities
Powering Internal API CommunitiesPowering Internal API Communities
Powering Internal API Communities
 
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
 
Lifecycle Manager and the Lifecycle API
Lifecycle Manager and the Lifecycle APILifecycle Manager and the Lifecycle API
Lifecycle Manager and the Lifecycle API
 
Realizing SOA and API Convergence
Realizing SOA and API ConvergenceRealizing SOA and API Convergence
Realizing SOA and API Convergence
 
Intermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and DemoIntermediary for Microsoft: Product Overview and Demo
Intermediary for Microsoft: Product Overview and Demo
 
Driving Business Partner Adoption with APIs
Driving Business Partner Adoption with APIsDriving Business Partner Adoption with APIs
Driving Business Partner Adoption with APIs
 
Jumping Ahead with Enterprise APIs
Jumping Ahead with Enterprise APIsJumping Ahead with Enterprise APIs
Jumping Ahead with Enterprise APIs
 
Turbo Charge DataPower to Reach Your SOA Goals
Turbo Charge DataPower to Reach Your SOA Goals Turbo Charge DataPower to Reach Your SOA Goals
Turbo Charge DataPower to Reach Your SOA Goals
 
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT EnterpriseThe API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
 
Using APIs
Using APIsUsing APIs
Using APIs
 
Using APIs for better Business Partnerships
Using APIs for better Business PartnershipsUsing APIs for better Business Partnerships
Using APIs for better Business Partnerships
 
Best Practices: The Role of API Management
Best Practices: The Role of API ManagementBest Practices: The Role of API Management
Best Practices: The Role of API Management
 
API Management - A Transformation
API Management - A TransformationAPI Management - A Transformation
API Management - A Transformation
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Unified Security for Mobile, APIs and the Web

  • 1. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Unified Security Mobile, Web and APIs
  • 2. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. The Security Landscape • Authentication, Authorization, SSO • Licensing • Quota Management • Protection • Role of Policy Au/Az/SSO Licensing Quota Management Protection
  • 3. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Authentication/Authorization/SSO • Confusing array of standards: – OAuth – SAML – OpenID – SCIM • A variety of App types – Desktop – Mobile – Web • Enterprise SSO and its set of legacy systems
  • 4. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Use Cases • Enterprise support for public credentials – Tiered service • Providing APIs for Web applications • Enabling a new API digital channels using OAuth. Perhaps in conjunction with: – SAML – OpenID • Extending/modernizing Enterprise SSO via: – OpenID Connect – SAML
  • 5. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Combining SAML and OAuth 1. Try to get OAuth Token 2. Redirect with SAML Authentication Request 3. Log the user in, create the SAML assertion and redirect again 4. Verify SAML token and issue OAuth token 5. App makes call to API 6. Gateway validates OAuth token and performs fine grained authorization
  • 6. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Licensing • You may want to enable a business model based on different: – Operations or resources – Levels of service • The licenses control: – OAuth Authorization Scopes – Document visibility – Quota policies
  • 7. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Licensing - Flow Validate OAuth Token Authorize API Call Determine License Licenses provides QoS policies
  • 8. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Quota Management • You probably want different licenses with different levels of service • The levels of service are: – Throughput – Bandwidth consumed over time – Concurrency – Availability • Apps could either be cut-off or events generated when quotas are exceeded. Events can be used for overage billing
  • 9. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Protection • Denial of Service • Injection Attacks • XSS • Viruses
  • 10. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. The Role of Policy Lower cost and risk: • Separate functional and non- functional • Decouple changing standards from your implementation • Provide multiple options depending on the channel • Mediate
  • 11. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. The Role of Policy • An API is exposed externally that has a security policy of: – OAuth with SAML2 • Internally, the security policy is: – WSS/SAML • The system can use these declarative policies to automatically convert the OAuth token inbound to the WSS/SAML token that is required by downstream services
  • 12. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. SOA Software’s API Platform
  • 13. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. API Platform • Measure the impact of your programsAnalytics • Build your developer and partner ecosystem Developer Engagement • Secure and protect your systemsGateway Services • Simplify and speed up development Service Integration • Build the right services & APIs the right way Lifecycle Management
  • 14. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. In the Cloud or On-Premise
  • 15. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. Thanks… Alistair Farquharson, CTO, SOA Software www.soa.com @afarqu @SOASoftwareInc