In this presentation enterprises will get a practical overview of what they need to know when approaching APIs and technologies like OAuth.
Mobile and Cloud initiatives are driving enterprises to expose data and applications to the outside world. Whether SOAP, REST or JSON, these APIs give enterprises an efficient way to open up information to services running in the Cloud and apps running on mobile devices like the iPad.
However, securing and governing the lifecycle and operation of these APIs is not straightforward. It requires new approaches to access, protection and management. This invariably requires adoption of new technologies such as OAuth, which are not yet well understood.
API Security and OAuth for the Enterprise
1. A Practical Guide to API Security and OAuth for the Enterprise
K. Scott Morrison, CTO and Chief Architect, Layer 7 Technologies, Inc.
Eve Maler, Principal Analyst, Forrester Research, Inc.
2. Housekeeping
Questions
- Chat any questions you have and we’ll answer them at the end of this call
Twitter
- Today’s event hashtag: #L7webinar
- Follow us on Twitter as well: @KScottMorrison, @xmlgrrl, @layer7, @forrester
facebook.com/layer7
layer7.com/linkedin
layer7.com/blogs
Layer 7 Confidential 2
5. “API economy” technologies and habits are trickling down into the enterprise.
Leverage OAuth’s strengths for modern service and app security scenarios while steering clear of its dangers.
6. Agenda
Web services are opening up — and paying a security price.
OAuth is a powerhouse of API security and SSO solutions.
Leverage OAuth’s ascendance while minding its weaknesses.
9. A variety of pressures make traditional security and access control methods less viable
10. Agenda
Web services are opening up — and paying a security price.
OAuth is a powerhouse of API security and SSO solutions.
Leverage OAuth’s ascendance while minding its weaknesses.
11. Web 2.0 players originally invented OAuth simply to solve the “password antipattern”
12. At base, OAuth lets a person delegate constrained access from one app to another
Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
13. Using the OAuth approach helps manage risk, cost, and complexity in environments that need Zero Trust
- Gets client apps out of the business of storing passwords
- Allows for a variety of user authentication methods
- Allows app access to be tracked and revoked on a per-client basis
- Allows for least-privilege access to API features
- Can capture explicit user authorization for access
- Lowers the cost of secure app development
- Bonus: solves a much larger class of needs around security, identity, access, and privacy
14. In consumer-facing scenarios, services can audit who made each API call on whose behalf
- Third parties offer productivity apps to eBay sellers that list items and do other tasks through the eBay API
- These apps never see the seller’s eBay credentials
- They don’t merely “impersonate” the seller
Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
15. In extranet and SaaS integration scenarios, services can consume SAML
- Partner apps integrate with the construction firm’s valve-design service
- On-site partner engineers log in to their home systems through a tablet
- They can then use apps that call the valve-design service through SAML SSO
Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
16. OAuth-native SSO is “off label” but popular for unifying user-present and user-absent experiences
Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
17. “Two-legged” userless A2A scenarios enable uniform auditing and compliance for low-level services
Including services such as:
- Calculating sales tax
- Formatting shipping labels
- Verifying credit card numbers
- Performing HTML code checking
Most scenarios separate these two server functions
Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
18. Agenda
Web services are opening up — and paying a security price.
OAuth is a powerhouse of API security and SSO solutions.
Leverage OAuth’s ascendance while minding its weaknesses.
19. Simplicity doesn’t have to equal insecurity — if you use and insist on good OAuth practices
Server-side
- Establish UX standards for users’ “consent ceremonies.”
- Use the strongest protocol options your ecosystem will tolerate.
- If you depend on password authentication, remember you’re not immune from user credential-stealing risks such as phishing.
Client-side
- Store OAuth tokens and other secrets securely.
- Fully protect the use of your callback endpoint.
- If your use of OAuth involves cryptographic algorithms, reuse a well-tested library.
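The client-side advice on this slide (store tokens and secrets securely, fully protect the callback endpoint, reuse a well-tested library) is concrete enough to show in code. The following is an added example, not code from the webinar or from Layer 7 or Forrester: a client that binds every authorization request to a fresh, single-use state value kept server-side, and that also uses a PKCE code verifier (RFC 7636, a later addition to OAuth than this 2011 talk) so that an authorization code intercepted on the way to the callback cannot be redeemed without the verifier. The endpoint URLs, client id, scope name and the toy authorization server are all assumptions made for the example.

```python
"""
Added illustration (not the webinar's code): a client that protects its OAuth
callback endpoint with a per-session "state" value and a PKCE code verifier
(RFC 7636, which postdates this 2011 webinar). Endpoint URLs, client ids and
the authorization server behind them are constructed for the example.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthorizationServer:
    """Minimal AS: issues single-use codes and checks the PKCE verifier."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def issue_code(self, client_id, redirect_uri, code_challenge):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def exchange(self, code, code_verifier, client_id, redirect_uri):
        entry = self.codes.pop(code, None)  # each code is redeemable once
        if entry is None:
            return None
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri:
            return None
        if not hmac.compare_digest(s256(code_verifier), challenge):
            return None
        return secrets.token_urlsafe(24)  # opaque sample access token


class ClientApp:
    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # state -> code_verifier; in a real app this lives in the server-side
        # session store, never in a URL or in a cookie the browser can read
        self.pending = {}

    def start_authorization(self, authorize_endpoint, scope):
        state = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(32)
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope,
                  "state": state, "code_challenge": s256(verifier),
                  "code_challenge_method": "S256"}
        return authorize_endpoint + "?" + urlencode(params)

    def handle_callback(self, callback_url, auth_server):
        """Returns an access token, or None when the callback is not trusted."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        verifier = self.pending.pop(state, None)  # unknown or reused state: reject
        if verifier is None or code is None:
            return None
        return auth_server.exchange(code, verifier, self.client_id, self.redirect_uri)


def demo():
    auth = ToyAuthorizationServer()
    app = ClientApp("inventory-app", "https://app.example/oauth/callback")
    url = app.start_authorization("https://as.example/authorize", "items:read")
    req = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

    # The AS, once the resource owner consents, redirects back with the code
    # and the very same state value it was given.
    code = auth.issue_code(req["client_id"], req["redirect_uri"], req["code_challenge"])
    callback = app.redirect_uri + "?" + urlencode({"code": code, "state": req["state"]})
    legit = app.handle_callback(callback, auth)

    # A callback carrying a state the app never issued is dropped before any
    # token exchange is attempted.
    forged = app.redirect_uri + "?" + urlencode({"code": code, "state": "bogus"})
    forged_result = app.handle_callback(forged, auth)

    # Replaying the genuine callback fails: its state was consumed on first use.
    replayed = app.handle_callback(callback, auth)
    return {"legit": legit, "forged": forged_result, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

The point of keeping `pending` server-side and popping the state on first use is that the callback URL itself carries nothing an attacker can replay or forge; the PKCE check on the authorization server closes the remaining gap where a code leaks in transit. In production the hashing and encoding here would come from a maintained OAuth client library rather than being hand-rolled, which is exactly the slide's "reuse a well-tested library" point.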
20. So how can you maximize value in an OAuth-enabled future?
- Determine which scenarios resonate with your organization’s needs.
- Ask which SaaS providers are in a position to force your hand.
- If you will be publishing your own web APIs, catalog your client app requirements and constraints.
- Partner with enterprise architects to plan how OAuth token handling and your current SOA infrastructure need to interact.
- Accept some volatility around OAuth’s evolution — and even embrace it.
23. A Practical Guide to API Security and OAuth for the Enterprise
K. Scott Morrison, CTO and Chief Architect
24. First Let’s Nail the Terminology…
- Client
- Resource Owner (RO) (a.k.a., the User)
- Authorization Server (AS)
- Resource Server (RS)
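To make the four roles above concrete, here is an added example (not code from the webinar, Layer 7 or Forrester) that models them in memory and walks through the scenarios from slides 13, 14 and 17: the resource owner authenticates at the authorization server, so the client never holds a password; each client gets a constrained scope set (least privilege); the resource server records who made each call on whose behalf; a two-legged client-credentials grant carries no resource owner at all; and access is revoked per client. The user name, client ids, scopes, operation names and the opaque token format are all constructed sample values.

```python
"""
Added illustration (not Layer 7 or Forrester code): a toy, in-memory model of
the four OAuth roles from slide 24. Client ids, scopes, user names and the token
format are all constructed sample values.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    # client_id -> client secret (constructed registry of approved apps)
    clients: dict = field(default_factory=dict)
    # username -> password; lives only at the AS, the Client never sees it
    users: dict = field(default_factory=dict)
    # opaque token -> (client_id, resource_owner or None, frozenset of scopes)
    tokens: dict = field(default_factory=dict)

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def authorize(self, client_id, username, password, scopes):
        """Three-legged grant: the RO authenticates here (not at the Client)
        and consents to a constrained scope set for this one Client."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("resource owner authentication failed")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, username, frozenset(scopes))
        return token

    def client_credentials(self, client_id, client_secret, scopes):
        """Two-legged, userless A2A grant: only the Client authenticates,
        so the token carries no resource owner."""
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("client authentication failed")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, None, frozenset(scopes))
        return token

    def introspect(self, token):
        return self.tokens.get(token)

    def revoke_client(self, client_id):
        """Per-client revocation: every token issued to this app is invalidated
        without touching the RO's password or any other app's tokens."""
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != client_id}


@dataclass
class ResourceServer:
    auth_server: AuthorizationServer
    # (outcome, client_id, resource_owner, operation): who called, on whose behalf
    audit_log: list = field(default_factory=list)

    def call(self, token, operation, required_scope):
        info = self.auth_server.introspect(token)
        if info is None:
            self.audit_log.append(("denied", None, None, operation))
            return 401
        client_id, owner, scopes = info
        # least privilege: each API feature is gated by its own scope
        if required_scope not in scopes:
            self.audit_log.append(("denied", client_id, owner, operation))
            return 403
        self.audit_log.append(("ok", client_id, owner, operation))
        return 200


def demo():
    """Walk through the slide 13/14/17 scenarios; returns results for checking."""
    auth = AuthorizationServer(users={"seller42": "correct horse battery"})
    auth.register_client("listing-app", "listing-app-secret")
    auth.register_client("tax-service", "tax-service-secret")
    api = ResourceServer(auth)

    # Slide 14: the seller authenticates at the AS (think browser redirect) and
    # grants listing-app only "items:write"; listing-app never sees the password.
    seller_token = auth.authorize("listing-app", "seller42",
                                  "correct horse battery", ["items:write"])
    listed = api.call(seller_token, "list_item", "items:write")        # 200
    payout = api.call(seller_token, "change_payout", "payout:write")   # 403

    # Slide 17: tax calculation runs app-to-app with no user present.
    svc_token = auth.client_credentials("tax-service", "tax-service-secret",
                                        ["tax:calculate"])
    taxed = api.call(svc_token, "calculate_tax", "tax:calculate")      # 200

    # Slide 13: revoke one app's access on a per-client basis.
    auth.revoke_client("listing-app")
    after_revoke = api.call(seller_token, "list_item", "items:write")  # 401

    return {"listed": listed, "payout": payout, "taxed": taxed,
            "after_revoke": after_revoke, "audit": api.audit_log}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The audit log is the part worth studying: each row names the client and, where one exists, the resource owner, which is what lets a service say who called on whose behalf rather than merely that "the seller" did something. The A2A row has no resource owner at all, which is the two-legged case from slide 17.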