SlideShare a Scribd company logo

APIC/DataPower security

Shiu-Fun Poon
Shiu-Fun Poon

This is covered during the tech conference. It covers high-level security. The best practice for deployment for gateway (what was known as last-mile) is covered at the end.

Technology
1 of 37
Download to read offline
Integration Technical Conference 2019 Security Best Practice APIConnect&DataPower ShiuFunPoon, STSM shiufun@us.ibm.com KrithikaPrakash,STSM krithika.p@ibm.com
Important Disclaimers • IBM Confidential. Unless specifically advised otherwise, you should assume that all the information in this presentation (whether given in writing or orally) is IBM Confidential and restrict access to this information in accordance with the confidentiality terms in place between your organization and IBM. • Content Authority. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. • Performance. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. • Customer Examples. Any customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. • Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates
Trademark Acknowledgements • IBM, IBM API Connect, IBM DataPower Gateway are trademarks of International Business Machines Corporation, registered in many jurisdictions • Other company, product and service names may be trademarks, registered marks or service marks of their respective owners. A current list of IBM trademarks is available on the web at "Copyright and trademark information" ibm.com/legal/copytrade.html
Security • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
Security • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
API Security API Gateway: • Decoupling/routing • Traffic management • Security • Translation Developer portal: • API discovery • Self subscription/administration • Account usage analytics • Monetization • Security API Manager: • Plan/product design • Policy administration • API plan usage analytics • API Governance • Security https://www.ibm.com/support/knowledgecenter/en/SSMNED_ 2018/com.ibm.apic.install.doc/capic_deploy_overview.html
Management Server
APIc under the hook • Internal services communicating vs mTLS • Quorum, with 3 being the magic number • APIc is the match maker, it introduces each subsystem to each others • APIM, Portal, Analytics, Gateway • How does APIM <-> Portal • How does APIM <-> Analytics • How does APIM <-> Gateway • How does Portal <-> Analytics • How does Gateway <-> Analytics • Configurable, extensible
API Manager • User Registry support • Authenticate URL • LDAP (supports group authentication) • Search DN • Compose DN • Compose UPN • Local User Registry (LUR) • Protection against timing attack • Protection against brute force attack • OIDC/Social Login (Federated Identity) • Portal • Admin/Provider Organization • OOTB : Google, Facebook, Linkedin, Slack, WindowLive, Github, Standard • Public Key for Code Exchange • Nonce • Proxy tokens • How is OIDC/Social Login difference from v5 • Implication ?
API Manager • User Registry support • Authenticate URL • LDAP (supports group authentication) • Search DN • Compose DN • Compose UPN • Local User Registry (LUR) • Protection against timing attack • Protection against brute force attack • OIDC/Social Login (Federated Identity) • Portal • Admin/Provider Organization • OOTB : Google, Facebook, Linkedin, Slack, WindowLive, Github, Standard • Public Key for Code Exchange • Nonce • Proxy tokens • How is OIDC/Social Login difference from v5 • Implication ?
API Manager • Token (JWT) • OAuth 2.0 (no basicauth, no more cookie) • Role • Custom role • Token ttl (invitation, oauth 2) • ttl • Data at Rest • Data at Transit • Introduction of microservices to each others • Webhook
API Manager • API are published • Publish in openapi v2 format • apim vs consumer • WebGUI/toolkits/portal/BYO • RateLimit Drinking Our Own Champagne Get an access_token access_token must contain the right scope Permission is checked Is token valid Token contains necessary scope ? Does User has the proper permission ?
Hardened Portal Security Supports OpenID Connect for accelerated developer on-boarding and social login Enable PSD2/ Open Banking compliance to programmatically onboard consumers using REST Management APIs and OpenID Connect Enhanced spam protection against spam bots with CAPTCHA and honeypot Detect and prevent malicious attacks with perimeter and DNS check Detect and prevent flood attacks
Configure Portal Behavior
APIManager with Gateway • Gateway must be 24 * 7 (without API manager) • API gateway introduce a gateway director manager • Using clustering technology to track configuration from APIM • Heartbeat from APIm to make sure Gateway will have the latest information • 911 protocol to handle catastrophic failure • Gateway director allows auto scaling of the additional gateway • Configuration/Key Materials • State of the processing
17 • Istio Integration for improved performance & security by passing API header and tokens into Istio • Open API V3 support to meet security industry standards (i.e. PSD2) & improve reuse • OpenBanking & PSD2 Compliant including flexible JWT and OAuth features • 5X Improved Performance with cloud-native API-centric Gateway Service • Fast Time to Value through Out of the Box policies for API Gateway Service • Enterprise Specific Security Support through OAuth flow customization • Expanded Security with OIDC, CAPTCHA, Perimeter, DNS check on Portal, etc. Performant and Secure
API Security leveraging AI and Machine Learning 18 Power your APIs with API Behavioral Security (ABS), integrated with Ping Intelligence to detect attacks against your APIs Detect and block cyberattacks that target APIs, such as: • Data, Application and System attacks • API DDoS attacks • Login Attacks (credential stuffing, fuzzing, stolen cookies & tokens) Easily enable AI-powered threat protection on every API using Global Policy support + https://www.pingidentity.com/en/platform/api-security.html https://developer.ibm.com/apiconnect/2019/02/12/ping-identity-and-ibm-partner-to-protect-against-api-cyberattacks/
Under the hook 19 Pre-req : ase-token Global Policy (x-correlationid) Pre-hook : is request ok ? authorization header ? appId ? cookie ? Post-hook : backend response redact (record) for learning
Scalable Multi-Cloud API Platform AI-powered Threat Protection for APIs Data & Application Attacks Advanced Persistent Threats, Data exfiltration, Deletion DoS & DDoS Attacks DDoS API attack, Login service DDoS attack, Botnet attacking API Login Attacks Stolen tokens or cookies, Credential stuffing, fuzzing, Message Security JSON/XML threat protection, SQL injection, XSS, Schema validation, Encryption & signature, Redaction, AV scanning Access Control Authentication, Authorization, Token Translation Rate Limiting Client throttling, Provider throttling, Quotas Network Privacy SSL/TLS PingIntelligence for APIs Comprehensive API Security with Ping and IBM Copyright ©2018 Ping Identity Corporation. All rights reserved.1
Secure & Manage GraphQL Endpoints Next-Gen evolution of Gateway technology beyond Web services and REST with GraphQL support Secure and Manage APIs with GraphQL backends, efficiently managing compute intensive services Threat Protection against cyberattacks using advance query complexity analysis to prevent API-based attacks Rate Limit GraphQL queries with consumer plans based on number of API calls & backend compute time https://www.ibm.com/blogs/research/2019/02/graphql-api-management/ https://developer.github.com/v4/guides/resource-limitations/
1. Access Control • Who can access the data and what data • APIc • Client credential (application) • User credential (who) 2. Load Control • How much effort for the server to fulfill the request • Complexity • Type (object type) • Resolve • nesting GraphQL Endpoints security breakdown
Up to 5X+ increased performance with natively built API Gateway using purpose-built technology for native OpenAPI/Swagger REST and SOAP APIs Multi-cloud scalability and extensibility to help meet SLAs and improve client user experience Optimized drag & drop built-in policies for security, traffic control and mediation including flexible OAuth, enhanced JSON & XML threat protection Secure to the core with self-contained signed & encrypted image to minimize risk, plus proven security policies to quickly protect APIs Before: DP Multi protocol Gateway Service API call Backend New: Native API Gateway Service API call Backend Cloud-Native API Gateway Service in DataPower API GW service
Policies for Enforcement on API Gateway Service Gateway Script and XSLT policy support provides flexible message mediation & dynamic security enforcement Dynamic Routing support through Conditional Policy Enforce strong security through Parse, JSON and XML Schema Validation policy OpenID Connect support to enable banks to meet PSD2 / Open Banking regulations OAuth Token revocation to enable self- service token management Foundational Security Mediation Invoke API Key Map Activity Log JWT Validate JSON-XML Rate Limit JWT Generate Gateway Script Throw OAuth Policy XSLT Set Variable Parse (Threat Detection) Conditional Validate User Security OpenID Connect Built-in policies
Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs Meeting Security Needs through New Flexible OAuth Provider
Feature list of OAuth in APIC V5, v2018+V5GW, v2018+APIGW Features V4 V5 v2018 + V5 CompatGW v2018 + APIGW Basic OAuth Support Distinct Client ids and Secrets ⤫ Separate API ⤫ Access Control ⤫ ⤫ Seamless packaging within product ⤫ Tight coupling with Provider ⤫ ⤫ * PKCE, Metadata, Token introspection, Revocation/Token Management, Advanced scope handling ⤫ Customize OAuth Assembly ⤫ ⤫ ⤫ Dynamic configuration updates ⤫ ⤫ ** ⤫ ** Context variable driven ⤫ ⤫ ⤫ Independent Resource Owner Security ⤫ ⤫ ⤫ Out of the box OIDC support ⤫ ⤫ *** ⤫ *** Out of the box JWT Authorization Grant ⤫ ⤫ ** ⤫ ** * Tight coupling is only at the APIManager API level, not in the backend V5 Gateway ** Can be done with gateway extension *** Supported by a set of rule in the assembly
Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs Meeting Security Needs through New Flexible OAuth Provider
Out of the box JWT Grant Type Support
Out of the box OIDC Support
Customizable Ease of use • Crypto material on per OAuth native provider (vs gateway level) • End user credential gathering (context variable) * • Consent handling • Global Policy (and thus inject context variable for processing) * • Token handling (white listing) • Flexibility • ….
What should I do • Monitoring IBM PSIRT for IBM APIC (APIm, Portal, Analytics), IBM DataPower • https://www.ibm.com/security/secure-engineering/process.html • Timely upgrade/migration to a new version of firmware • Balance your security needs vs platform offered (hardware vs ova vs docker vs ..) • How about cloud ? ICP ? • APIC Connect White Paper: https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN& ( • Security vs ease of use vs compatibility • Performance/usage spike • HA (rule of 3) • Stateless (especially across Availability Zone) • Gateway when used as part of APIC 2018, the configuration can be stored as in-memory (default) vs flash (persist) - Note that the sensitive information is available and exposed to the admin who has access to the gateway - Recommendation : in-memory
Gateway specific • Is WebGUI needed for production (or any ports) • Isolate application request traffic from admin request traffic • Automate deployment (which APIc solves) • Monitoring gateway (DataPower Operations Dashboard) • Set up RBM • Set up Backup administrator (do NOT loss password) • ACL • mTLS with your backend services (with right cipher, protocol 1.2, with EC, PFS)
Gateway specific • Message validation (payload, size, nest level ..) • Streaming vs no Streaming • Payload redact • SLM • WhiteList vs BlackList • Monitor tool (like DPOD), latency, cpu, memory .. • Noisy neighbor (tenant vs application domain – work load isolation) - Different version of DP is running - Protect against noisy neighbor
Gateway specific • GWS is expensive • Context variable access is expensive • Most of DP extension function is not available thru GWS • Debug level is expensive (especially probe – payload sensitive data can leak) • Log is best effort only (except audit event) • By default, GW will ship what we consider as the secure setting • Key material can be stored in local:///, this means the crypto material can be exported with domain export. Do consider keeping key material (especially private key and shared secret) in cert:/// sharedcert:///. Those 2 directories are with roach motel, the key material cannot be exported by GW. It can only be accessible thru secure backup and restore, which is protected by a couple keys, and only another DataPower can import and access the data. (roach motel model) • Use HSM if paranoid is needed
From you, our audiences • Your feedbacks ? • What would you like to see ? • What can you share with each others on your experience ? Good or Bad
Thank you. Merci. Gracias.
Thank You

Recommended

APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
Shiu-Fun Poon
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connect
Kellton Tech Solutions Ltd
 
How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)
Shiu-Fun Poon
 
IBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEIBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWE
sandipg123
 
DataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance BenchmarksDataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance Benchmarks
IBM DataPower Gateway
 
What's new in API Connect and DataPower - 2019
What's new in API Connect and DataPower - 2019What's new in API Connect and DataPower - 2019
What's new in API Connect and DataPower - 2019
IBM DataPower Gateway
 
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateway
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018
Chris Phillips
 

Recommended

APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
Shiu-Fun Poon
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connect
Kellton Tech Solutions Ltd
 
How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)
Shiu-Fun Poon
 
IBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEIBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWE
sandipg123
 
DataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance BenchmarksDataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance Benchmarks
IBM DataPower Gateway
 
What's new in API Connect and DataPower - 2019
What's new in API Connect and DataPower - 2019What's new in API Connect and DataPower - 2019
What's new in API Connect and DataPower - 2019
IBM DataPower Gateway
 
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateways - What's new in 2016 v7.5.2
IBM DataPower Gateway
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018
Chris Phillips
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC security
Shiu-Fun Poon
 
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
Rui Santos
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security Hardening
Shiu-Fun Poon
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
Jagadish Vemugunta
 
What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018
IBM API Connect
 
Gateway deepdive
Gateway deepdiveGateway deepdive
Gateway deepdive
Shiu-Fun Poon
 
IBM API Connect - overview
IBM API Connect - overviewIBM API Connect - overview
IBM API Connect - overview
Ramy Bassem
 
Data power Performance Tuning
Data power Performance TuningData power Performance Tuning
Data power Performance TuningKINGSHUK MAJUMDER
 
IBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservicesIBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservices
sandipg123
 
IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation
khawkwf
 
Data power use cases
Data power use casesData power use cases
Data power use casessflynn073
 
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay NagchowdhuryIBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
Karen Broughton-Mabbitt
 
How to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credentialHow to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credential
Shiu-Fun Poon
 
Bringing API Management to AWS Powered Backends
Bringing API Management to AWS Powered BackendsBringing API Management to AWS Powered Backends
Bringing API Management to AWS Powered Backends
Apigee | Google Cloud
 
AWS Lambda Features and Uses
AWS Lambda Features and UsesAWS Lambda Features and Uses
AWS Lambda Features and Uses
GlobalLogic Ukraine
 
IBM DataPower Gateway appliances feature & virtual edition comparison
IBM DataPower Gateway appliances feature & virtual edition comparisonIBM DataPower Gateway appliances feature & virtual edition comparison
IBM DataPower Gateway appliances feature & virtual edition comparison
IBM DataPower Gateway
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services
 
Serverless Microservices
Serverless MicroservicesServerless Microservices
Serverless Microservices
Amazon Web Services
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
Apigee | Google Cloud
 
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays
 

More Related Content

What's hot

IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC security
Shiu-Fun Poon
 
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
Rui Santos
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security Hardening
Shiu-Fun Poon
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
Jagadish Vemugunta
 
What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018
IBM API Connect
 
Gateway deepdive
Gateway deepdiveGateway deepdive
Gateway deepdive
Shiu-Fun Poon
 
IBM API Connect - overview
IBM API Connect - overviewIBM API Connect - overview
IBM API Connect - overview
Ramy Bassem
 
Data power Performance Tuning
Data power Performance TuningData power Performance Tuning
Data power Performance TuningKINGSHUK MAJUMDER
 
IBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservicesIBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservices
sandipg123
 
IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation
khawkwf
 
Data power use cases
Data power use casesData power use cases
Data power use casessflynn073
 
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay NagchowdhuryIBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
Karen Broughton-Mabbitt
 
How to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credentialHow to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credential
Shiu-Fun Poon
 
Bringing API Management to AWS Powered Backends
Bringing API Management to AWS Powered BackendsBringing API Management to AWS Powered Backends
Bringing API Management to AWS Powered Backends
Apigee | Google Cloud
 
AWS Lambda Features and Uses
AWS Lambda Features and UsesAWS Lambda Features and Uses
AWS Lambda Features and Uses
GlobalLogic Ukraine
 
IBM DataPower Gateway appliances feature & virtual edition comparison
IBM DataPower Gateway appliances feature & virtual edition comparisonIBM DataPower Gateway appliances feature & virtual edition comparison
IBM DataPower Gateway appliances feature & virtual edition comparison
IBM DataPower Gateway
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services
 
Serverless Microservices
Serverless MicroservicesServerless Microservices
Serverless Microservices
Amazon Web Services
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 

What's hot (20)

IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC security
 
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security Hardening
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
 
What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018
 
Gateway deepdive
Gateway deepdiveGateway deepdive
Gateway deepdive
 
IBM API Connect - overview
IBM API Connect - overviewIBM API Connect - overview
IBM API Connect - overview
 
Data power Performance Tuning
Data power Performance TuningData power Performance Tuning
Data power Performance Tuning
 
IBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservicesIBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservices
 
IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation IBM Cloud Pak for Integration 2020.2.1 installation
IBM Cloud Pak for Integration 2020.2.1 installation
 
Data power use cases
Data power use casesData power use cases
Data power use cases
 
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay NagchowdhuryIBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
 
How to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credentialHow to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credential
 
Bringing API Management to AWS Powered Backends
Bringing API Management to AWS Powered BackendsBringing API Management to AWS Powered Backends
Bringing API Management to AWS Powered Backends
 
AWS Lambda Features and Uses
AWS Lambda Features and UsesAWS Lambda Features and Uses
AWS Lambda Features and Uses
 
IBM DataPower Gateway appliances feature & virtual edition comparison
IBM DataPower Gateway appliances feature & virtual edition comparisonIBM DataPower Gateway appliances feature & virtual edition comparison
IBM DataPower Gateway appliances feature & virtual edition comparison
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
 
Serverless Microservices
Serverless MicroservicesServerless Microservices
Serverless Microservices
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
 

Similar to APIC/DataPower security

Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
Apigee | Google Cloud
 
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
Akana
 
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsSHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
Rob Convery
 
#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6
Jack Carnes
 
Api management customer
Api management customerApi management customer
Api management customer
nick_garrod
 
Design, Auto-Generate and Expose RESTful Microservices Using Open Source and ...
Design, Auto-Generate and Expose RESTful Microservices Using Open Source and ...Design, Auto-Generate and Expose RESTful Microservices Using Open Source and ...
Design, Auto-Generate and Expose RESTful Microservices Using Open Source and ...
Arthur De Magalhaes
 
IBM MobileFirst Reference Architecture 1512 v3 2015
IBM MobileFirst Reference Architecture 1512 v3 2015IBM MobileFirst Reference Architecture 1512 v3 2015
IBM MobileFirst Reference Architecture 1512 v3 2015
Sreeni Pamidala
 
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
Amazon Web Services
 
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
Karen Broughton-Mabbitt
 
Soa security2
Soa security2Soa security2
Soa security2
wardell henley
 
The Platform Big Picture
The Platform Big PictureThe Platform Big Picture
The Platform Big Picture
ForgeRock
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
WSO2
 
The Power of IBM API Management. API connect 2016 Vegas
The Power of IBM API Management. API connect 2016 VegasThe Power of IBM API Management. API connect 2016 Vegas
The Power of IBM API Management. API connect 2016 Vegas
SaaS-Journal
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
2449 rapid prototyping of innovative io t solutions
2449 rapid prototyping of innovative io t solutions2449 rapid prototyping of innovative io t solutions
2449 rapid prototyping of innovative io t solutions
Eric Cattoir
 
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019 DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
Amazon Web Services
 
[Workshop] API-driven Integration
[Workshop] API-driven Integration[Workshop] API-driven Integration
[Workshop] API-driven Integration
WSO2
 
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
Amazon Web Services Korea
 
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays
 

Similar to APIC/DataPower security (20)

Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
 
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
 
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsSHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
 
#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6
 
Api management customer
Api management customerApi management customer
Api management customer
 
Design, Auto-Generate and Expose RESTful Microservices Using Open Source and ...
Design, Auto-Generate and Expose RESTful Microservices Using Open Source and ...Design, Auto-Generate and Expose RESTful Microservices Using Open Source and ...
Design, Auto-Generate and Expose RESTful Microservices Using Open Source and ...
 
IBM MobileFirst Reference Architecture 1512 v3 2015
IBM MobileFirst Reference Architecture 1512 v3 2015IBM MobileFirst Reference Architecture 1512 v3 2015
IBM MobileFirst Reference Architecture 1512 v3 2015
 
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
 
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
 
Soa security2
Soa security2Soa security2
Soa security2
 
The Platform Big Picture
The Platform Big PictureThe Platform Big Picture
The Platform Big Picture
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
 
The Power of IBM API Management. API connect 2016 Vegas
The Power of IBM API Management. API connect 2016 VegasThe Power of IBM API Management. API connect 2016 Vegas
The Power of IBM API Management. API connect 2016 Vegas
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
2449 rapid prototyping of innovative io t solutions
2449 rapid prototyping of innovative io t solutions2449 rapid prototyping of innovative io t solutions
2449 rapid prototyping of innovative io t solutions
 
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019 DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
 
[Workshop] API-driven Integration
[Workshop] API-driven Integration[Workshop] API-driven Integration
[Workshop] API-driven Integration
 
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...
 
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...
 

More from Shiu-Fun Poon

GraphQL Security
GraphQL SecurityGraphQL Security
GraphQL Security
Shiu-Fun Poon
 
IBM APIc API security protection mechanism
IBM APIc API security protection mechanismIBM APIc API security protection mechanism
IBM APIc API security protection mechanism
Shiu-Fun Poon
 
Cheatsheet to run DP docker
Cheatsheet to run DP dockerCheatsheet to run DP docker
Cheatsheet to run DP docker
Shiu-Fun Poon
 
DataPower as PCI
DataPower as PCIDataPower as PCI
DataPower as PCI
Shiu-Fun Poon
 
How to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIcHow to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIc
Shiu-Fun Poon
 
How to integration DataPower with Zos
How to integration DataPower with ZosHow to integration DataPower with Zos
How to integration DataPower with Zos
Shiu-Fun Poon
 
IBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheetIBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheet
Shiu-Fun Poon
 
DataPower DoS/DDoS
DataPower DoS/DDoSDataPower DoS/DDoS
DataPower DoS/DDoS
Shiu-Fun Poon
 
Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)
Shiu-Fun Poon
 
White vs Black list
White vs Black listWhite vs Black list
White vs Black list
Shiu-Fun Poon
 
Open Banking via APIc 2018
Open Banking via APIc 2018Open Banking via APIc 2018
Open Banking via APIc 2018
Shiu-Fun Poon
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
Shiu-Fun Poon
 

More from Shiu-Fun Poon (12)

GraphQL Security
GraphQL SecurityGraphQL Security
GraphQL Security
 
IBM APIc API security protection mechanism
IBM APIc API security protection mechanismIBM APIc API security protection mechanism
IBM APIc API security protection mechanism
 
Cheatsheet to run DP docker
Cheatsheet to run DP dockerCheatsheet to run DP docker
Cheatsheet to run DP docker
 
DataPower as PCI
DataPower as PCIDataPower as PCI
DataPower as PCI
 
How to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIcHow to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIc
 
How to integration DataPower with Zos
How to integration DataPower with ZosHow to integration DataPower with Zos
How to integration DataPower with Zos
 
IBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheetIBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheet
 
DataPower DoS/DDoS
DataPower DoS/DDoSDataPower DoS/DDoS
DataPower DoS/DDoS
 
Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)
 
White vs Black list
White vs Black listWhite vs Black list
White vs Black list
 
Open Banking via APIc 2018
Open Banking via APIc 2018Open Banking via APIc 2018
Open Banking via APIc 2018
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 

Recently uploaded

Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 

Recently uploaded (20)

Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 

APIC/DataPower security

  • 1. Integration Technical Conference 2019 Security Best Practice APIConnect&DataPower ShiuFunPoon, STSM shiufun@us.ibm.com KrithikaPrakash,STSM krithika.p@ibm.com
  • 2. Important Disclaimers • IBM Confidential. Unless specifically advised otherwise, you should assume that all the information in this presentation (whether given in writing or orally) is IBM Confidential and restrict access to this information in accordance with the confidentiality terms in place between your organization and IBM. • Content Authority. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. • Performance. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. • Customer Examples. Any customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. • Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates
  • 3. Trademark Acknowledgements • IBM, IBM API Connect, IBM DataPower Gateway are trademarks of International Business Machines Corporation, registered in many jurisdictions • Other company, product and service names may be trademarks, registered marks or service marks of their respective owners. A current list of IBM trademarks is available on the web at "Copyright and trademark information" ibm.com/legal/copytrade.html
  • 4. Security • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
  • 5. Security • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
  • 6. API Security API Gateway: • Decoupling/routing • Traffic management • Security • Translation Developer portal: • API discovery • Self subscription/administration • Account usage analytics • Monetization • Security API Manager: • Plan/product design • Policy administration • API plan usage analytics • API Governance • Security https://www.ibm.com/support/knowledgecenter/en/SSMNED_ 2018/com.ibm.apic.install.doc/capic_deploy_overview.html
  • 8. APIc under the hook • Internal services communicating vs mTLS • Quorum, with 3 being the magic number • APIc is the match maker, it introduces each subsystem to each others • APIM, Portal, Analytics, Gateway • How does APIM <-> Portal • How does APIM <-> Analytics • How does APIM <-> Gateway • How does Portal <-> Analytics • How does Gateway <-> Analytics • Configurable, extensible
  • 9.
  • 10. API Manager • User Registry support • Authenticate URL • LDAP (supports group authentication) • Search DN • Compose DN • Compose UPN • Local User Registry (LUR) • Protection against timing attack • Protection against brute force attack • OIDC/Social Login (Federated Identity) • Portal • Admin/Provider Organization • OOTB : Google, Facebook, Linkedin, Slack, WindowLive, Github, Standard • Public Key for Code Exchange • Nonce • Proxy tokens • How is OIDC/Social Login difference from v5 • Implication ?
  • 11. API Manager • User Registry support • Authenticate URL • LDAP (supports group authentication) • Search DN • Compose DN • Compose UPN • Local User Registry (LUR) • Protection against timing attack • Protection against brute force attack • OIDC/Social Login (Federated Identity) • Portal • Admin/Provider Organization • OOTB : Google, Facebook, Linkedin, Slack, WindowLive, Github, Standard • Public Key for Code Exchange • Nonce • Proxy tokens • How is OIDC/Social Login difference from v5 • Implication ?
  • 12. API Manager • Token (JWT) • OAuth 2.0 (no basicauth, no more cookie) • Role • Custom role • Token ttl (invitation, oauth 2) • ttl • Data at Rest • Data at Transit • Introduction of microservices to each others • Webhook
  • 13. API Manager • API are published • Publish in openapi v2 format • apim vs consumer • WebGUI/toolkits/portal/BYO • RateLimit Drinking Our Own Champagne Get an access_token access_token must contain the right scope Permission is checked Is token valid Token contains necessary scope ? Does User has the proper permission ?
  • 14. Hardened Portal Security Supports OpenID Connect for accelerated developer on-boarding and social login Enable PSD2/ Open Banking compliance to programmatically onboard consumers using REST Management APIs and OpenID Connect Enhanced spam protection against spam bots with CAPTCHA and honeypot Detect and prevent malicious attacks with perimeter and DNS check Detect and prevent flood attacks
  • 16. APIManager with Gateway • Gateway must be 24 * 7 (without API manager) • API gateway introduce a gateway director manager • Using clustering technology to track configuration from APIM • Heartbeat from APIm to make sure Gateway will have the latest information • 911 protocol to handle catastrophic failure • Gateway director allows auto scaling of the additional gateway • Configuration/Key Materials • State of the processing
  • 17. 17 • Istio Integration for improved performance & security by passing API header and tokens into Istio • Open API V3 support to meet security industry standards (i.e. PSD2) & improve reuse • OpenBanking & PSD2 Compliant including flexible JWT and OAuth features • 5X Improved Performance with cloud-native API-centric Gateway Service • Fast Time to Value through Out of the Box policies for API Gateway Service • Enterprise Specific Security Support through OAuth flow customization • Expanded Security with OIDC, CAPTCHA, Perimeter, DNS check on Portal, etc. Performant and Secure
  • 18. API Security leveraging AI and Machine Learning 18 Power your APIs with API Behavioral Security (ABS), integrated with Ping Intelligence to detect attacks against your APIs Detect and block cyberattacks that target APIs, such as: • Data, Application and System attacks • API DDoS attacks • Login Attacks (credential stuffing, fuzzing, stolen cookies & tokens) Easily enable AI-powered threat protection on every API using Global Policy support + https://www.pingidentity.com/en/platform/api-security.html https://developer.ibm.com/apiconnect/2019/02/12/ping-identity-and-ibm-partner-to-protect-against-api-cyberattacks/
  • 19. Under the hook 19 Pre-req : ase-token Global Policy (x-correlationid) Pre-hook : is request ok ? authorization header ? appId ? cookie ? Post-hook : backend response redact (record) for learning
  • 20. Scalable Multi-Cloud API Platform AI-powered Threat Protection for APIs Data & Application Attacks Advanced Persistent Threats, Data exfiltration, Deletion DoS & DDoS Attacks DDoS API attack, Login service DDoS attack, Botnet attacking API Login Attacks Stolen tokens or cookies, Credential stuffing, fuzzing, Message Security JSON/XML threat protection, SQL injection, XSS, Schema validation, Encryption & signature, Redaction, AV scanning Access Control Authentication, Authorization, Token Translation Rate Limiting Client throttling, Provider throttling, Quotas Network Privacy SSL/TLS PingIntelligence for APIs Comprehensive API Security with Ping and IBM Copyright ©2018 Ping Identity Corporation. All rights reserved.1
  • 21. Secure & Manage GraphQL Endpoints Next-Gen evolution of Gateway technology beyond Web services and REST with GraphQL support Secure and Manage APIs with GraphQL backends, efficiently managing compute intensive services Threat Protection against cyberattacks using advance query complexity analysis to prevent API-based attacks Rate Limit GraphQL queries with consumer plans based on number of API calls & backend compute time https://www.ibm.com/blogs/research/2019/02/graphql-api-management/ https://developer.github.com/v4/guides/resource-limitations/
  • 22. 1. Access Control • Who can access the data and what data • APIc • Client credential (application) • User credential (who) 2. Load Control • How much effort for the server to fulfill the request • Complexity • Type (object type) • Resolve • nesting GraphQL Endpoints security breakdown
  • 23. Up to 5X+ increased performance with natively built API Gateway using purpose-built technology for native OpenAPI/Swagger REST and SOAP APIs Multi-cloud scalability and extensibility to help meet SLAs and improve client user experience Optimized drag & drop built-in policies for security, traffic control and mediation including flexible OAuth, enhanced JSON & XML threat protection Secure to the core with self-contained signed & encrypted image to minimize risk, plus proven security policies to quickly protect APIs Before: DP Multi protocol Gateway Service API call Backend New: Native API Gateway Service API call Backend Cloud-Native API Gateway Service in DataPower API GW service
  • 24. Policies for Enforcement on API Gateway Service Gateway Script and XSLT policy support provides flexible message mediation & dynamic security enforcement Dynamic Routing support through Conditional Policy Enforce strong security through Parse, JSON and XML Schema Validation policy OpenID Connect support to enable banks to meet PSD2 / Open Banking regulations OAuth Token revocation to enable self- service token management Foundational Security Mediation Invoke API Key Map Activity Log JWT Validate JSON-XML Rate Limit JWT Generate Gateway Script Throw OAuth Policy XSLT Set Variable Parse (Threat Detection) Conditional Validate User Security OpenID Connect Built-in policies
  • 25. Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs Meeting Security Needs through New Flexible OAuth Provider
  • 26. Feature list of OAuth in APIC V5, v2018+V5GW, v2018+APIGW Features V4 V5 v2018 + V5 CompatGW v2018 + APIGW Basic OAuth Support Distinct Client ids and Secrets ⤫ Separate API ⤫ Access Control ⤫ ⤫ Seamless packaging within product ⤫ Tight coupling with Provider ⤫ ⤫ * PKCE, Metadata, Token introspection, Revocation/Token Management, Advanced scope handling ⤫ Customize OAuth Assembly ⤫ ⤫ ⤫ Dynamic configuration updates ⤫ ⤫ ** ⤫ ** Context variable driven ⤫ ⤫ ⤫ Independent Resource Owner Security ⤫ ⤫ ⤫ Out of the box OIDC support ⤫ ⤫ *** ⤫ *** Out of the box JWT Authorization Grant ⤫ ⤫ ** ⤫ ** * Tight coupling is only at the APIManager API level, not in the backend V5 Gateway ** Can be done with gateway extension *** Supported by a set of rule in the assembly
  • 27. Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs Meeting Security Needs through New Flexible OAuth Provider
  • 28. Out of the box JWT Grant Type Support
  • 29. Out of the box OIDC Support
  • 30. Customizable Ease of use • Crypto material on per OAuth native provider (vs gateway level) • End user credential gathering (context variable) * • Consent handling • Global Policy (and thus inject context variable for processing) * • Token handling (white listing) • Flexibility • ….
  • 31. What should I do • Monitoring IBM PSIRT for IBM APIC (APIm, Portal, Analytics), IBM DataPower • https://www.ibm.com/security/secure-engineering/process.html • Timely upgrade/migration to a new version of firmware • Balance your security needs vs platform offered (hardware vs ova vs docker vs ..) • How about cloud ? ICP ? • APIC Connect White Paper: https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN& ( • Security vs ease of use vs compatibility • Performance/usage spike • HA (rule of 3) • Stateless (especially across Availability Zone) • Gateway when used as part of APIC 2018, the configuration can be stored as in-memory (default) vs flash (persist) - Note that the sensitive information is available and exposed to the admin who has access to the gateway - Recommendation : in-memory
  • 32. Gateway specific • Is WebGUI needed for production (or any ports) • Isolate application request traffic from admin request traffic • Automate deployment (which APIc solves) • Monitoring gateway (DataPower Operations Dashboard) • Set up RBM • Set up Backup administrator (do NOT loss password) • ACL • mTLS with your backend services (with right cipher, protocol 1.2, with EC, PFS)
  • 33. Gateway specific • Message validation (payload, size, nest level ..) • Streaming vs no Streaming • Payload redact • SLM • WhiteList vs BlackList • Monitor tool (like DPOD), latency, cpu, memory .. • Noisy neighbor (tenant vs application domain – work load isolation) - Different version of DP is running - Protect against noisy neighbor
  • 34. Gateway specific • GWS is expensive • Context variable access is expensive • Most of DP extension function is not available thru GWS • Debug level is expensive (especially probe – payload sensitive data can leak) • Log is best effort only (except audit event) • By default, GW will ship what we consider as the secure setting • Key material can be stored in local:///, this means the crypto material can be exported with domain export. Do consider keeping key material (especially private key and shared secret) in cert:/// sharedcert:///. Those 2 directories are with roach motel, the key material cannot be exported by GW. It can only be accessible thru secure backup and restore, which is protected by a couple keys, and only another DataPower can import and access the data. (roach motel model) • Use HSM if paranoid is needed
  • 35. From you, our audiences • Your feedbacks ? • What would you like to see ? • What can you share with each others on your experience ? Good or Bad
  • 36. Thank you. Merci. Gracias.