Mobile and API identity – The New Challenges
With the ever-increasing growth of mobile applications and API technologies, the topics of identity management, authentication and authorisation are as important as ever. These technologies mean that those responsible for identity management and security have ever more to consider when deploying and enforcing security. With rapid time-to-market demands from the business, there is much to consider when delivering an open but secure environment for the business and its users.
This session will look at some of the considerations and issues faced in designing and delivering IdM in this emerging space. We will look at how topics such as OAuth, OpenID Connect and single sign-on play their part in these policies, and how governance plays a key role alongside security in protecting the environment.

Slide 1: Topics
- Define APIs
- How are they being used
- What are the issues
- What is being used
- One approach

Slide 2: Web API = Technology

Slide 3: Mobile and API identity – The New Challenges
Aran White, Solution Architect, awhite@layer7.com

Slide 4: Is it a Web API?
REST/JSON? Yes. SOAP/XML? Yes. HTTP/CSV? Yes.
Slide 5: Modern Timeline of Web APIs
- 2000: Salesforce API; eBay API
- 2002: Amazon API
- 2004: Flickr API; first Web 2.0 Conference
- 2005: programmableweb.com launched, 54 APIs registered; eBay makes APIs free; Google (Maps) API
- 2006: Facebook API; Twitter API
- 2008: programmableweb.com has 1000 registered APIs
- 2010: Salesforce adds HTTP API
- 2012: programmableweb.com has 7144 registered APIs
Sources: apievangelist.com, programmableweb.com, internetarchive.com, Steve Yegge rant, oreilly.com
Slide 6: How have they grown, or exploded?

Slide 7: Mobile is driving API publishers

Slide 8: The enterprise model: start with private APIs…

Slide 9: …consider going public in the future

Slide 10: APIs From Internal Services
- Create a new shiny API, or enable our existing services?
- Integration for messages and security
- Internal security versus external security
- Who is using the service the most?
- How do we control the use?

Slide 11: Applications or Users
- We don't just want to trust the user; what about the application?
- Developers
  - Onboarding
  - Controlling access
  - Monitoring
  - Managing
- Will you allow the application to store user credentials? Long term, or per session?
- Do we trust all devices or platforms?
- Do we trust jailbroken devices?

Slide 12: Single sign-on issues
- Multiple applications
- Multiple devices
- Multiple APIs
- Multiple API providers
- Integration with cloud services

Slide 13: How are we tackling this?
- New security models
- OAuth
- OpenID Connect
- SAML
- Tried and tested approaches
  - SSL, Basic Auth, WS-Security, XML security
  - Standard threats
- Multiple approaches per API
- Brokering between the new world and the existing security
Slide 14: OAuth
- Drafts keep changing (or did!)
- Can be complex
- Picking the correct flow
- Components: which do I use?
- Extensions
- Brokering with existing security
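Slides 11 and 14 raise the two questions a mobile app forces on the API publisher: should the app ever hold the user's password, and which OAuth flow fits a client that cannot keep a secret? The added example below is mine, not code from the talk or from Layer 7. It answers both with the authorization-code flow plus the PKCE extension (RFC 7636, a later addition to the OAuth 2.0 family), simulating the authorization server and the mobile client in one process so both sides of the exchange are visible. The endpoint names, the registered public client "mobile-app", its custom-scheme redirect URI, the user "alice" and the scope are assumptions for illustration.

```python
# Added example (not from the talk): OAuth 2.0 authorization-code flow with PKCE,
# authorization server and mobile (public) client simulated in one process.
# Client registry, redirect URI, user and scope are assumed sample values.
import base64
import hashlib
import secrets
import time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self):
        # A public client has no secret, so the exact-matched redirect URI and the
        # PKCE challenge are what tie an authorization code to the app that asked.
        self.clients = {"mobile-app": {"redirect_uri": "com.example.app://callback"}}
        self.codes = {}     # code -> record; single use, short lived
        self.tokens = {}    # access token -> record
        self.code_ttl = 60

    def authorize(self, client_id, redirect_uri, code_challenge, method, user, scope):
        """/authorize: user has authenticated here (browser), the app never saw the password."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if method != "S256":
            raise ValueError("only S256 code_challenge_method accepted")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "user": user, "scope": scope,
                            "expires": time.time() + self.code_ttl}
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        """/token: redeem the code; a replayed or intercepted code fails here."""
        rec = self.codes.pop(code, None)            # pop => single use
        if rec is None or rec["expires"] < time.time():
            raise ValueError("invalid or expired code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("code was not issued to this client")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, rec["challenge"]):
            raise ValueError("PKCE verification failed")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"user": rec["user"], "client_id": client_id,
                               "scope": rec["scope"], "expires": time.time() + 3600}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, access_token):
        """What an API gateway asks before forwarding a bearer token upstream."""
        rec = self.tokens.get(access_token)
        if rec is None or rec["expires"] < time.time():
            return {"active": False}
        return {"active": True, **rec}


class MobileClient:
    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri = client_id, redirect_uri

    def start(self):
        # The verifier stays on the device; only its SHA-256 leaves in the request.
        self.verifier = b64url(secrets.token_bytes(32))
        challenge = b64url(hashlib.sha256(self.verifier.encode("ascii")).digest())
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "code_challenge": challenge, "code_challenge_method": "S256"}

    def finish(self, auth_server, code):
        return auth_server.token(self.client_id, code, self.redirect_uri, self.verifier)


def run_flow(user="alice", scope="contacts.read"):
    """Drive one full flow; return (introspection of the issued token, replay rejected?)."""
    srv = AuthorizationServer()
    app = MobileClient("mobile-app", "com.example.app://callback")
    req = app.start()
    # user logs in at the authorization server via the system browser; it redirects
    # back to the app's custom scheme with the code
    code = srv.authorize(req["client_id"], req["redirect_uri"], req["code_challenge"],
                         req["code_challenge_method"], user, scope)
    tok = app.finish(srv, code)
    info = srv.introspect(tok["access_token"])
    try:
        srv.token("mobile-app", code, app.redirect_uri, app.verifier)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return info, replay_rejected
```

The app ends the flow holding a short-lived code and a bearer token, never the user's password, which is the answer to the "store user credentials?" bullet. The verifier binds the code to the app instance that started the flow, so a code grabbed on the device (another app registering the same custom scheme) cannot be redeemed, and the single-use check turns a replay into an error the server can log.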
Slide 15: OpenID Connect
- OAuth-based solution for authentication
- Gives access to attributes
- Giving access to identities outside the enterprise
- Helps scale and agility
- Who is coming through the door?
- Tracking and audit
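Slide 15's last two bullets ("who is coming through the door", "tracking and audit") come down to validating the ID token before trusting any attribute in it. The added example below is mine, not code from the talk or from Layer 7. It issues and then validates an HS256-signed ID token (OpenID Connect Core 1.0 permits HS256 keyed with the client_secret) with the checks the spec requires of a relying party: pinned algorithm, signature, iss, aud/azp, exp/iat with leeway, and nonce. The issuer URL, client_id, secret and the user's claims are constructed sample values. Most public providers sign with RS256 against a published JWKS; that key handling is outside this example, but the claim checks are the same.

```python
# Added example (not from the talk): issuing and validating an OpenID Connect ID token.
# HS256 keyed with the client_secret (OIDC Core 1.0 section 10.1). Issuer, client_id,
# secret and claims below are constructed sample values.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.com"            # assumption
CLIENT_ID = "mobile-app"                      # assumption
CLIENT_SECRET = "s3cr3t-shared-with-the-rp"   # assumption: registered client secret


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()


def issue_id_token(claims: dict, secret: str = CLIENT_SECRET) -> str:
    """Provider side: header.payload.signature, HMAC-SHA256 over 'header.payload'."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{b64url_encode(_hs256(signing_input, secret))}"


def validate_id_token(token: str, expected_nonce: str, secret: str = CLIENT_SECRET,
                      issuer: str = ISSUER, client_id: str = CLIENT_ID,
                      now: float = None, leeway: int = 60) -> dict:
    """Relying-party side: every check a gateway must pass before using any claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm we registered for; the token's own header must not choose it
    # (blocks 'alg: none' and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = _hs256(f"{parts[0]}.{parts[1]}".encode("ascii"), secret)
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud has several entries")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("expired")
    if claims.get("iat", 0) - leeway > now:
        raise ValueError("issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or cross-session token)")
    return claims


def audit_record(claims: dict) -> dict:
    """The 'who came through the door' log entry: stable identity, never the token itself."""
    return {"subject": f"{claims['iss']}#{claims['sub']}",
            "client": claims.get("azp") or claims["aud"],
            "auth_time": claims.get("auth_time"),
            "email": claims.get("email")}


SAMPLE_NOW = 1_700_000_000   # constructed clock value
SAMPLE_CLAIMS = {            # constructed sample claims
    "iss": ISSUER, "sub": "24400320", "aud": CLIENT_ID,
    "exp": SAMPLE_NOW + 300, "iat": SAMPLE_NOW, "auth_time": SAMPLE_NOW - 5,
    "nonce": "n-0S6_WzA2Mj", "email": "alice@example.com",
}
```

The audit record keys on iss plus sub, which is the only pair the spec guarantees to be stable for a user, rather than on email, which a provider may let the user change.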
Slide 16: SAML
- Still there as a very valid solution
- Supported for federated SSO, such as SFDC (Salesforce)
- Can be considered heavyweight and complex
- B2B solutions still like SAML
- STS deployments

Slide 17: Flexibility is the new challenge
SAML, PKI, LDAP, WS-*

Slide 18: The primary API management challenge: balancing control and accessibility

Slide 19: API publishers want to encourage utilization

Slide 20: Low barriers to access; self-service; self-documenting

Slide 21: But API publishers also want to restrict access to APIs

Slide 22: Smart rate limiting; security enforcement; brand control

Slide 23: Architects want API gateways
API – Gateway – API
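Slides 22 and 23 put rate limiting and security enforcement at the gateway. The added example below is mine, not code from the talk or from Layer 7. It is the per-application token-bucket limiter a gateway would run once it has identified the calling client: quota is keyed by client_id rather than by source IP alone, unauthenticated calls fall into a stricter per-IP bucket, and a refused call gets a 429 with a Retry-After the client can honour. Plan names, burst sizes and rates are assumptions.

```python
# Added example (not from the talk): per-application rate limiting as an API gateway
# would enforce it. Plan names and limits are assumed sample values.
import math
import time


class TokenBucket:
    """'capacity' requests may burst, then the bucket refills at 'rate' tokens per second."""

    def __init__(self, capacity: int, rate: float, now: float):
        self.capacity, self.rate = capacity, rate
        self.tokens = float(capacity)
        self.updated = now

    def consume(self, now: float, cost: int = 1):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True, 0
        # seconds until enough tokens accrue, rounded up for a Retry-After header
        return False, math.ceil((cost - self.tokens) / self.rate)


class ClientRateLimiter:
    # plan -> (burst capacity, sustained requests per second); assumptions
    PLANS = {
        "anonymous": (2, 0.5),    # unauthenticated callers, keyed by source IP
        "free": (5, 1.0),
        "partner": (50, 10.0),
    }

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}

    def check(self, client_id, plan, source_ip, now=None):
        """Return (allowed, retry_after_seconds).

        Authenticated apps are limited per client_id, so one abusive app cannot exhaust
        a quota shared by everyone behind the same NAT or carrier gateway; callers
        without a client identity share a strict per-IP bucket instead.
        """
        now = self.clock() if now is None else now
        if client_id is None:
            key, plan = ("ip", source_ip), "anonymous"
        else:
            key = ("client", client_id)
        capacity, rate = self.PLANS[plan]
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(capacity, rate, now)
        return bucket.consume(now)


def gateway_response(allowed: bool, retry_after: int):
    """HTTP status and headers the gateway returns for the limiter's decision."""
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(retry_after)}


def simulate_burst(limiter, client_id, plan, source_ip, count, now):
    """Fire 'count' requests at the same instant; return each (allowed, retry_after)."""
    return [limiter.check(client_id, plan, source_ip, now=now) for _ in range(count)]
```

The bucket is updated lazily on each call, so idle clients cost nothing; in a clustered gateway the bucket state would live in a shared store keyed the same way.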
Slide 24: Thank you
Aran White, awhite@layer7.com
