Data Driven API Security 
Subra Kumaraswamy @subrak 
Michael Russo

Data-driven API Security

1,900 views

Published on

Standard API security approaches and best practices that harden your API security can ensure safe and secure operations. However, these approaches may not be enough to protect your backend from sophisticated data extrusion through API key attacks or low-and-slow data scraping that blends in with your legitimate traffic. Enter data-driven security. This session at I Love APIs 2014 covered how your API data can help you gain insight into traffic anomalies and security/privacy abuse, and how you can mitigate risks using data-driven API security controls.

Published in: Software

Data-driven API Security

  1. Data Driven API Security (Subra Kumaraswamy @subrak, Michael Russo)
  2. Don’t Let Your APIs get Naked!
  3. What’s Keeping You Up at Night? (Key Theft, Man-in-the-Middle)
  4. Legacy design can also haunt you..
  5. How APIs are Protected? (chart labels: OAuth, Quota, Rate Limit, Threat Protection)
  6. Apigee Edge – Take Care of the Basics (Security & Identity Capabilities, Threat Protection, Traffic Protection, Backend Service, Apps, Security for API Consumption, Authentication & Authorization, TLS)
  7. Hide the Complexity of API Security (Secure API Exposure, Authentication & Authorization, Backend Service, Authentication & Authorization, Identity Services, Logging & Auditing, Security Analytics, TLS, Apps, Security & Identity Capabilities)
  8. Take Security away from Developers (Communication Security, Backend Service, Security for App Developers, Single Sign-On, Developers, TLS, Security & Identity Capabilities, Application Key Security)
  9. Configure and Not Code Security (Security for API Developers, Authentication & Authorization, Identity & Authentication, Data Masking, Logging & Auditing, Developers, API Team, TLS, RBAC, Security & Identity Capabilities, Apps)
  10. API Data Driven Approach
  11. Am I Secure Now? (Security Policies Configured)
  12. Need to rethink the traditional coarse control security (Backend Service, Legitimate Traffic, API Bots, IP Blacklist, Apps)
  13. We need a new approach…
  14. Continuous Data Driven API Threat Management (Activity Bursts, Anomalous Behavior Patterns, Data Scraping, Geo Location, Bot, Content Scraping, Information Theft, Bot, Bot, Bot, Analyze API Requests, Tag, Throttle, Block, Detect Anomalies)
  15. Apigee enables: API security hygiene, Continuous data driven security that scales!
  16. Thank you
