Lean & Mean - Authorization
for kick-ass APIs
Jonas Markström
API Security Ninja
© Axiomatics 2016 2
Feeling lonely?
© Axiomatics 2016 3
Not one but many monoliths
© Axiomatics 2016 4
Time to rethink the plumbing…
© Axiomatics 2016 5
© Axiomatics 2016 6
© Axiomatics 2016 7
Feeling pretty happy?
© Axiomatics 2016 8
A single entry into the kingdom
© Axiomatics 2016 9
Open up to business
© Axiomatics 2016 10
Before & After
⁃ From the monolith to... ⁃ The decoupled approach
[Diagram. Before: Acme Enterprise behind its Firewall, with a Web Container, Processes and Data. After: the same Acme Enterprise stack exposed through an API Gateway to internal APIs and a Third Party API.]
© Axiomatics 2016 11
Is your access control broken?
© Axiomatics 2016 12
Who gets to decide?
© Axiomatics 2016 13
Who gets to decide?
[Diagram: User → API → Data. The user says "I, Alice, want to view bank accounts"; before touching the data, the API must answer "Can Alice view account #123?"]
© Axiomatics 2016 14
The Guardian Angel
© Axiomatics 2016 15
Authorization as Infrastructure
[Diagram: User → API Gateway → API → SQL Proxy → Data. The user says "I, Alice, want to view bank accounts". An ABAC Authorization Service sits alongside the chain and is consulted for "Can Alice view account #123?" and for "Which data can be retrieved?"]
© Axiomatics 2016 16
Did you say ABAC?
Externalized, Centralized, Policy Driven, Attribute Based, Standardized
© Axiomatics 2016 17
Attributes are labels that describe anyone and anything
© Axiomatics 2016 18
Attributes are Multi-Dimensional
Who What Where When Why How
© Axiomatics 2016 19
Policies bring attributes together to make it all work
© Axiomatics 2016 20
“Managers can view accounts in their region”
“Customers can create transfers up to $1,000”
“A user cannot approve a transfer they requested”
“Tellers can view transactions in their own region”
© Axiomatics 2016 21
Policies can be local or global
⁃ Policies that apply to a specific API or service
⁃ Policies that apply across the enterprise / API sets
© Axiomatics 2016 22
Use ABAC to implement... Time-based policies
“Deny access to the API outside office hours”
© Axiomatics 2016 23
Use ABAC to implement... Location-based policies
“Dutch Employees cannot view Singapore client data”
© Axiomatics 2016 24
Use ABAC to implement... Dynamic access control
“Managers can view accounts that are in the same branch.”
© Axiomatics 2016 25
Use ABAC to implement... Dynamic Segregation of Duty
“Employees cannot approve transactions they initiate.”
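The policies quoted on slides 20 and 22 to 25 are plain-language rules over attributes of the subject, the action, the resource and the environment. The following policy decision point is an added illustration, not Axiomatics code or any product's policy language: it encodes those rules as predicates, combines them deny-overrides (a matching Deny beats any Permit), and treats NotApplicable as a refusal at the enforcement point. The attribute names (`role`, `branch`, `country`, `client_region`, `requested_by`), the 09:00 to 17:00 office hours, and the baseline rule that an `approver` may approve transfers are assumptions made here so that every slide rule has a request to act on.

```python
"""Tiny attribute-based access control (ABAC) policy decision point.

Added illustration, not Axiomatics code or any product's policy language.
It encodes the slides' example policies as predicates over subject, action,
resource and environment attributes and combines them deny-overrides.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    """Who (subject), what (action), on which resource, under what
    circumstances (environment). Each part is a bag of attributes."""
    subject: dict
    action: str
    resource: dict
    environment: dict


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                          # PERMIT or DENY when the rule matches
    applies: Callable[[Request], bool]   # predicate over the request attributes


def evaluate(policies, req):
    """Deny-overrides combining: any matching Deny wins, otherwise any
    matching Permit permits, otherwise NotApplicable. Returns the decision
    and the names of the rules that produced it (useful for audit logs)."""
    fired = [p for p in policies if p.applies(req)]
    denies = [p.name for p in fired if p.effect == DENY]
    if denies:
        return DENY, denies
    if fired:
        return PERMIT, [p.name for p in fired]
    return NOT_APPLICABLE, []


def is_allowed(policies, req):
    """Enforcement point rule: only an explicit Permit lets the call through;
    Deny and NotApplicable are both refused (default deny)."""
    return evaluate(policies, req)[0] == PERMIT


def outside_office_hours(req):
    # Office hours assumed to be 09:00-17:00 local time; the slide does not say.
    return not (time(9, 0) <= req.environment["time"] < time(17, 0))


POLICIES = [
    # Time-based: "Deny access to the API outside office hours"
    Policy("deny-outside-office-hours", DENY, outside_office_hours),
    # Location-based: "Dutch employees cannot view Singapore client data"
    Policy("deny-nl-staff-viewing-sg-data", DENY,
           lambda r: r.action == "view"
           and r.subject.get("country") == "NL"
           and r.resource.get("client_region") == "SG"),
    # Dynamic access control: "Managers can view accounts in the same branch"
    Policy("managers-view-same-branch-accounts", PERMIT,
           lambda r: r.action == "view"
           and r.resource.get("type") == "account"
           and r.subject.get("role") == "manager"
           and r.subject.get("branch") == r.resource.get("branch")),
    # "Customers can create transfers up to $1,000"
    Policy("customers-create-transfers-up-to-1000", PERMIT,
           lambda r: r.action == "create"
           and r.resource.get("type") == "transfer"
           and r.subject.get("role") == "customer"
           and r.resource.get("amount", 0) <= 1000),
    # Assumed baseline permit (not on the slides) so the segregation-of-duty
    # rule below has a Permit to override: approvers may approve transfers.
    Policy("approvers-approve-transfers", PERMIT,
           lambda r: r.action == "approve"
           and r.resource.get("type") == "transfer"
           and r.subject.get("role") == "approver"),
    # Dynamic segregation of duty: "Employees cannot approve transactions they initiate"
    Policy("deny-self-approval", DENY,
           lambda r: r.action == "approve"
           and r.resource.get("type") == "transfer"
           and r.resource.get("requested_by") == r.subject.get("id")),
]

OFFICE, EVENING = {"time": time(10, 30)}, {"time": time(20, 0)}


def demo_decisions():
    """Constructed requests exercising each policy; returns name -> decision."""
    alice = {"id": "alice", "role": "manager", "branch": "stockholm", "country": "SE"}
    jan = {"id": "jan", "role": "manager", "branch": "amsterdam", "country": "NL"}
    bob = {"id": "bob", "role": "customer"}
    carol = {"id": "carol", "role": "approver"}
    sthlm_acct = {"type": "account", "branch": "stockholm", "client_region": "EU"}
    ams_sg_acct = {"type": "account", "branch": "amsterdam", "client_region": "SG"}
    cases = {
        "manager-own-branch": Request(alice, "view", sthlm_acct, OFFICE),
        "manager-after-hours": Request(alice, "view", sthlm_acct, EVENING),
        "manager-other-branch": Request(alice, "view", dict(sthlm_acct, branch="malmo"), OFFICE),
        "dutch-manager-sg-data": Request(jan, "view", ams_sg_acct, OFFICE),
        "customer-small-transfer": Request(bob, "create", {"type": "transfer", "amount": 500}, OFFICE),
        "customer-large-transfer": Request(bob, "create", {"type": "transfer", "amount": 1500}, OFFICE),
        "approve-own-transfer": Request(carol, "approve", {"type": "transfer", "requested_by": "carol"}, OFFICE),
        "approve-others-transfer": Request(carol, "approve", {"type": "transfer", "requested_by": "dave"}, OFFICE),
    }
    return {name: evaluate(POLICIES, req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name:28s} {decision}")
```

Two of the constructed cases show why the combining algorithm matters: the Dutch manager viewing an Amsterdam account that holds Singapore client data matches the "same branch" Permit and the location Deny at the same time, and the approver approving her own transfer matches the baseline Permit and the segregation-of-duty Deny; deny-overrides makes both refusals, and the returned rule names say which policy fired, which is what an audit log needs. The "large transfer" and "other branch" cases end as NotApplicable rather than Deny, and `is_allowed` refuses them anyway, because a policy set that does not say Permit should never be read as permission.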
© Axiomatics 2016 26
Secure APIs start with ABAC...
Any API
Any Policy
Any Attribute

Editor's Notes

  1. The IT landscape is big, vast and ever-expanding, much like the universe. The number of applications is growing fast, like stars and planets. There is no stopping the business’ hunger for better processes, new and better apps, and more data… So many business analysts and stakeholders… and one architect: you…
  2. Historically, each and every app existed independently of the others. Information was exchanged manually, record by record, in a process that is tedious, lengthy and error-prone. We are in the late nineties; IT is painful, and it is preventing the business from connecting the dots… (it’s not business-friendly; it doesn’t enable the business).
  3. Three letters: E… A… I… Enterprise Application Integration: an integration framework comprised of a collection of technologies and services forming a middleware or "middleware framework", to enable integration of systems and applications across the enterprise. Integrate applications together, exchange data, extend business processes.
  4. And you integrate within the enterprise and even beyond its boundaries. You invite your customers, partners, contractors, agents, legal bodies; you invite them all to the party. And you share the processes, and you share the data.
  5. EAI morphed into SOA or Service-Oriented Architecture. And SOA brought about a plethora of standards and tools to implement EAI/SOA. Such standards include SOAP, WS-*, SAML, and so on. XML was the new kid on the block and it was cool.
  6. Yes, SOAP was liberating (and, huh, clean). Large companies started building SOA strategies driven by SOAP and WS-*. It was relatively successful. But progress was slow and integration difficult. The promise of interoperability wasn’t fulfilled. The .NET stack struggled to talk to other stacks, e.g. Java. Different protocols emerged and competed, e.g. WS-Eventing and WS-Notification. XML processing was heavier than previously thought. Authentication and trust establishment were a cryptic nightmare. So is that little boy laughing because it was a piece of cake or because it was still painful?
  7. To make this happen, a new breed of products emerged some ten years ago: XML gateways. The heavyweight champions of security. The likes of IBM’s DataPower. XML fortresses, in a sense. Masters of SAML and WS-Security. Yeah, a great step forward, but still not that agile. We needed something more lightweight, easier to use. More dedicated. Not an all-in-one Swiss Army knife.
  8. Banks. Banks are among the ones that want to open up. From a legacy setup where a single web portal got access to internal data and processes, banks are now moving to an API-first design built from small, microservice-style APIs. This can enable simple customer-facing mobile applications, or it can be a means for a partner or another vendor to access (and therefore buy) bank data. This helps banks get more value from their data. And actually, banks don’t just do it for the money: in Europe they will also have to start complying with consumer-enabling legislation. APIs will be a great cornerstone of a long-lasting strategy.
  9. Now that you expose more data, more openly, you need to really think about security, and about access control in particular. Do you bake the access control inside the API itself? If so, then how do you make sure your API is secure but also future-proof: flexible enough to adapt to future needs? How do you make sure your API complies with national and international regulations? The regulations of today and those of tomorrow. Yes, these are rhetorical questions ;)
  10. So one of the main challenges when building APIs, business layers, applications, and data stores is that it is unclear where authorization decisions should be made and by whom. Should developers implement the logic? If so, where? As SQL statements? As logic inside a business process? Inside the application’s logic itself? Or within the API? What if we have different ways of consuming the same data sets? Does this require implementing different logic in different places? And how do I get a good overview of what is allowed, what isn’t? How do I prove I am compliant?
  11. Let’s look at a flow. Imagine a user Alice on the left-hand side trying to access data via an API on the right-hand side. Who gets to decide whether the call should be allowed? The API can handle authentication and basic authorization e.g. OAuth scopes. But what about finer-grained authorization? Who does the data belong to?
  12. Oh look, it’s the guardian angel! We’ve heard many names for that component. And yes, we’ve even heard “Guardian Angel”. This is the component you query in order to get a decision, an authorization decision. Can I do this? Yes, you can. No, you cannot! The Guardian Angel is the one central point of decision making you go to in the enterprise. It is the same central point no matter the layer you are in, no matter the technology. It knows it all.
  13. ABAC, or Attribute-Based Access Control, is the new authorization model flexible enough to secure your APIs, applications, and data stores all in one go, from one central place, in a consistent manner. ABAC is also a NIST-backed initiative as well as a standard; XACML is the standard implementation of ABAC.
  14. Attributes are key-value pairs. They can be used to describe anything and anyone. Attributes can be multi-valued. For instance citizenship = ‘Swedish’ and ‘Norwegian’. Attributes can be typed. An attribute could be a string, a number, a boolean, or a date.
  15. Attributes can relate to who, what, where, when, why, and how. Attributes cover all the grammatical functions of a sentence: the subject (who), the verb (what action), the object (what resource), and the contextual information (why, how, when, where…). Attributes can be sourced from multiple locations: databases, other APIs, the API message itself, authentication tokens (SAML, JWT…).
  16. Attributes alone, though, are not enough. We need something to bring the attributes all together. We need a bit of chemistry. If we try an analogy: policies are like the natural language, attributes are like the vocabulary. Use policies to bind attributes together to create the authorization spark; use policies to combine attributes and determine whether access should be granted or denied.
  17. Examples
  18. Policies can grant access… and deny access
  19. Dynamic access control that is applied on the fly based on the context of the interaction. Location and time as previously seen but also relationship: does the user own the data? Have a relationship to the data?
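The policy sentences from slides 20 to 25 and the “Can Alice view account #123?” flow from slides 13 and 15, worked as an added example (this is not Axiomatics code and not XACML syntax; it is a constructed sketch): a small Python policy decision point that takes a XACML-style request with typed, multi-valued attributes grouped by subject, action, resource and environment, evaluates each slide policy as a predicate over those attributes, and combines the results with deny-overrides. The 09:00 to 17:00 office hours, the extra “managers can approve transfers in their region” rule (added only so the segregation-of-duty deny has a permit to override), and every subject and resource attribute value are assumptions made for the example.

```python
"""Constructed ABAC policy decision point (PDP) for the slide policies."""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Request:
    """XACML-style authorization request: attributes grouped by category.

    subject, resource and environment hold typed key-value attributes
    (strings, numbers, sets for multi-valued attributes, datetime.time).
    """
    subject: dict
    action: str
    resource: dict
    environment: dict = field(default_factory=dict)


PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
OFFICE_HOURS = (time(9, 0), time(17, 0))   # assumption; the slide only says "office hours"


def has_role(req, role):
    # 'roles' is multi-valued: a subject may hold several roles at once.
    return role in req.subject.get("roles", set())


def same_region(req):
    return req.resource.get("region") == req.subject.get("region")


def in_office_hours(req):
    # Fail closed: a request carrying no time attribute counts as out of hours.
    now = req.environment.get("time")
    return now is not None and OFFICE_HOURS[0] <= now < OFFICE_HOURS[1]


# Each policy is (description, effect, target). The target is a predicate over the
# request; a policy whose target matches yields its effect, otherwise it contributes
# nothing. Descriptions are the slide sentences, except the one marked constructed.
POLICIES = [
    ("Managers can view accounts in their region", PERMIT,
     lambda r: has_role(r, "manager") and r.action == "view"
     and r.resource.get("type") == "account" and same_region(r)),
    ("Tellers can view transactions in their own region", PERMIT,
     lambda r: has_role(r, "teller") and r.action == "view"
     and r.resource.get("type") == "transaction" and same_region(r)),
    ("Customers can create transfers up to $1,000", PERMIT,
     lambda r: has_role(r, "customer") and r.action == "create"
     and r.resource.get("type") == "transfer"
     and r.resource.get("amount", float("inf")) <= 1000),
    ("Managers can approve transfers in their region (constructed)", PERMIT,
     lambda r: has_role(r, "manager") and r.action == "approve"
     and r.resource.get("type") == "transfer" and same_region(r)),
    ("A user cannot approve a transfer they requested", DENY,
     lambda r: r.action == "approve" and r.resource.get("type") == "transfer"
     and r.resource.get("requested_by") == r.subject.get("id")),
    ("Deny access to the API outside office hours", DENY,
     lambda r: not in_office_hours(r)),
    ("Dutch employees cannot view Singapore client data", DENY,
     lambda r: r.subject.get("country") == "NL" and r.action == "view"
     and r.resource.get("client_country") == "SG"),
]


def applicable(req):
    """Return (description, effect) for every policy whose target matches.

    Keeping this list is what lets you answer "what is allowed, and why?"
    for an audit, instead of only returning a bare yes/no."""
    return [(desc, effect) for desc, effect, target in POLICIES if target(req)]


def decide(req):
    """PDP with deny-overrides combining: any Deny wins, else any Permit,
    else NotApplicable (no policy said anything about this request)."""
    effects = {effect for _, effect in applicable(req)}
    if DENY in effects:
        return DENY
    if PERMIT in effects:
        return PERMIT
    return NOT_APPLICABLE


def enforce(req):
    """Policy enforcement point (the API gateway in slide 15): only an explicit
    Permit lets the call through; NotApplicable is treated as a denial."""
    return decide(req) == PERMIT


# Constructed sample attributes; none of these values come from the slides.
ALICE = {"id": "alice", "roles": {"manager"}, "region": "EU-North", "country": "SE"}
DIRK = {"id": "dirk", "roles": {"manager"}, "region": "APAC", "country": "NL"}
BOB = {"id": "bob", "roles": {"customer"}, "region": "EU-North", "country": "SE"}
ACCOUNT_123 = {"type": "account", "id": "123", "region": "EU-North", "client_country": "SE"}
ACCOUNT_SG = {"type": "account", "id": "987", "region": "APAC", "client_country": "SG"}
OPEN, CLOSED = {"time": time(10, 30)}, {"time": time(19, 0)}

if __name__ == "__main__":
    for req in [
        Request(ALICE, "view", ACCOUNT_123, OPEN),      # Permit: manager, own region
        Request(ALICE, "view", ACCOUNT_123, CLOSED),    # Deny: outside office hours
        Request(DIRK, "view", ACCOUNT_SG, OPEN),        # Deny overrides the manager permit
        Request(BOB, "create", {"type": "transfer", "amount": 500}, OPEN),
        Request(BOB, "create", {"type": "transfer", "amount": 5000}, OPEN),
        Request(ALICE, "approve", {"type": "transfer", "region": "EU-North", "requested_by": "alice"}, OPEN),
    ]:
        print(f"{req.subject['id']:6} {req.action:8} -> {decide(req):14} {[d for d, _ in applicable(req)]}")
```

Two design points worth noting. The Dutch-manager case shows why deny-overrides matters: the manager rule permits the view, the location rule denies it, and the denial wins regardless of the order the policies are listed in. The over-limit customer transfer shows the difference between “no” and “nobody said yes”: no policy matches, the PDP returns NotApplicable, and it is the enforcement point’s job to treat that as a refusal rather than let the call through.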