API Summit 2024
Granular Data Access Control with GraphQL
I champion intent
Andrew I. Carlson
Principal Field Architect at Apollo
linkedin.com/in/andrewicarlson/
andrew@apollographql.com
Boundaries
Data security market: $12,300,000,000 by 2027
https://www.marketsandmarkets.com/Market-Reports/data-centric-security-market-1504980.html
[diagram: Presentation | Aggregation | Services | Persistence]
Our systems are complex
Difficult to evolve and audit
What if we could apply security, declaratively?
Rise of policy-as-code: Sentinel, Zanzibar
vs.
🤠
Policies prevent cowboys
But where do we apply these policies?
[diagram: Presentation | Aggregation | Services | Persistence]
It depends
Everywhere
Defense in Depth
Authorization versatility by location
Flexibility (how easy is it to update?)
Granularity (how specific can we be?)
Where do we apply these policies?
[diagram: API Gateway | Aggregation | Services | Persistence]
Applying policies closest to the data (Persistence)
❌ Flexible
❌ Granular
Trade-offs:
1. General roles
2. Broad rules, e.g. table-level
3. Rarely the granularity we need for consumer-facing apps
Applying policies closest to the user (API Gateway)
✔️ Flexible
❌ Granular
Trade-offs:
1. Broad policies
2. Allow or reject entire services
Applying policies in individual services (Services)
❌ Flexible
✔️ Granular
Trade-offs:
1. Bespoke logic per service
2. Auth “sprawl”
3. New code, tests, and deployments
Only securing the Persistence boundary [chart: Flexibility (how easy is it to update?) vs. Granularity (how specific can we be?); Persistence plotted]
Only securing the API Gateway boundary [chart: Flexibility vs. Granularity; Persistence and API Gateway plotted]
Only securing the Service-level boundary [chart: Flexibility vs. Granularity; Persistence, API Gateway and Services plotted]
GraphQL is more than just an API
GraphQL @ FB: 2012
Open-sourced: 2015
Schema stitching: 2017
Federation: 2019
Apollo Router: 2022
Today: 2024
[diagram: Customer, Product, Reviews, Quote, Order, Price]
A unified boundary in the middle
✔️ Flexible
✔️ Granular
[diagram: API Gateway | Aggregation | Services | Persistence]
How can we control data access in GraphQL?
Resolvers
Schemas
A GraphQL schema is a Goldilocks Zone
Demo
Tools and tech / processes:
JSON Web Token (JWT)
OPA Policy
Unauthorized flow
Client → Apollo Router: ❌ Unauthorized request
Apollo Router → Locations API (Persistence): ❌ Unauthorized subquery
Apollo Router → Reviews API (Persistence): ❌ Unauthorized subquery
Authorized flow
Client → Apollo Router: ✅ Authorized request
Apollo Router → Locations API (Persistence): ✅ Authorized subquery
Apollo Router → Reviews API (Persistence): ✅ Authorized subquery
Partially authorized flow
Client → Apollo Router: ⚠️ Partially authorized request
Apollo Router → Locations API and Reviews API (each backed by Persistence): one ✅ Authorized subquery, one ❌ Unauthorized subquery
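The three flows above, modelled as an added example (this is not Apollo Router code and not from the slides): a router-style check that verifies an HS256 JWT, applies a per-field scope table standing in for the OPA policy, forwards only the authorized subqueries to their subgraph, and returns partial data plus errors for the rest. The field names, scopes, secret, subgraph data and the choice that Locations is the authorized subgraph in the partial case are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed policy table (stands in for the OPA policy in the demo): which
# subgraph serves each top-level field and which JWT scope it requires.
# Fields not listed here are denied by default.
FIELD_POLICY = {
    "locations": {"subgraph": "Locations API", "scope": "locations:read"},
    "reviews": {"subgraph": "Reviews API", "scope": "reviews:read"},
}

# Constructed stand-in for each subgraph's persistence layer.
SUBGRAPH_DATA = {
    "Locations API": [{"id": "loc-1", "name": "Oslo"}],
    "Reviews API": [{"id": "rev-1", "rating": 5}],
}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims, secret):
    """Mint an HS256 JWT. Only here so the example can build sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token, secret, now=None):
    """Return the claims of a valid, unexpired HS256 JWT, or None if the token
    must not be trusted (bad shape, wrong algorithm, bad signature, expired)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the verifier chooses it, never the token's header.
        if header.get("alg") != "HS256":
            return None
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def authorize_fields(requested_fields, claims):
    """Per-field scope decision: the 'policy' step. Unknown fields or a
    missing/invalid token (claims is None) are denied."""
    scopes = set(claims.get("scope", "").split()) if claims else set()
    return {
        f: f in FIELD_POLICY and FIELD_POLICY[f]["scope"] in scopes
        for f in requested_fields
    }


def route_query(requested_fields, token, secret, fetch=None):
    """Execute a query the way the slides' flows describe: authorized subqueries
    reach their subgraph, unauthorized ones are dropped before any fetch and
    surface as errors, and the client gets partial data, not all-or-nothing."""
    fetch = fetch or (lambda subgraph: SUBGRAPH_DATA[subgraph])
    decisions = authorize_fields(requested_fields, verify_jwt(token, secret))
    data, errors, fetched = {}, [], []
    for field, allowed in decisions.items():
        if allowed:
            subgraph = FIELD_POLICY[field]["subgraph"]
            fetched.append(subgraph)  # the subgraph is contacted only when allowed
            data[field] = fetch(subgraph)
        else:
            data[field] = None
            errors.append({"message": "Unauthorized", "path": [field]})
    granted = sum(decisions.values())
    if granted == len(decisions):
        status = "authorized"
    elif granted == 0:
        status = "unauthorized"
    else:
        status = "partially authorized"
    return {"status": status, "data": data, "errors": errors, "fetched": fetched}
```

The `fetched` list records which subgraphs were actually called, which is the property worth checking: an unauthorized subquery must never leave the router.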
A GraphQL boundary is flexible and granular [chart: Flexibility (how easy is it to update?) vs. Granularity (how specific can we be?); Persistence, API Gateway, Services and GraphQL plotted]
1000+ API architects & engineers building better together
champions@apollographql.com
Centralize Data Access Control with GraphQL - Andrew Carlson, Apollo

Editor's Notes

  1. Hey everyone, it’s nice to be here today! My name is Andrew Carlson. I’m the Principal Field Architect at Apollo, and prior to that I spent over a decade helping companies like Ford, Sherwin-Williams, and Unilever design and execute on digital transformations. I care a lot about intentional design. Everything we ship has an architecture. Everything is designed. All we get is the choice about whether we want to be intentional about those designs, or not. I recommend that we are. Today we’re going to chat about a very important topic, securing the data in our applications. But we can’t talk about security without talking about: [next slide]
  2. Boundaries. The boundaries we set in our personal lives help us make decisions about what we spend our time on and our connection to our core values. Without them, we can become lost or waste our most limited resource: time. The boundaries that we have in our architectures help us make intentional decisions about the best places to do things like protect our organization's most valuable digital resource: data. [next slide]
  3. Data is the lifeblood of our organizations, and protecting that data is expensive. So expensive, and so valuable, that by 2027, companies are forecast to spend 12.3 billion dollars securing and protecting that data. That's a lot of BBQ. In fact, I did the math. That's over 350 million pounds of brisket from Terry Black's (which you should definitely try while you're in Austin, by the way). The data security market is so big in part because our applications are complex, and that can make them harder to secure. [next slide]
  4. And the complexity in our tech stacks can be a result of any number of things. New clients that we need to support, mergers and acquisitions, and new technologies that are gradually adopted anywhere in the stack. Say you get a mandate from your C-Suite – you need to explore vector databases and figure out how to use them in your stack. Well, that’s a new technology for your persistence layer. But even though we can neatly label different tiers here, it’s not really that neat in reality. [next slide]
  5. I mean look at this. As soon as you start hooking those clients up to different aggregation services and pulling data across your organization it can turn into a mess pretty quickly. This lack of clean boundaries, especially between the presentation and application tier, can make it challenging to secure the access to our data. And when we need to go in and manually secure APIs, databases, and even BFFs it can be incredibly difficult to evolve and audit what is secured, where, and from whom? [next slide]
  6. So some very smart people across the industry came together and asked a simple question: rather than implementing one-off access control and security in various services and databases, what if you could apply the declarative style that we know and love from infrastructure as code to security policies at different layers of our stack? [next slide]
  7. And the rest is history. From that point forward we've seen a rise in the governance-as-code toolchain, with excellent tooling like Casbin, Open Policy Agent (now a graduated CNCF project), Sentinel, Cedar, Zanzibar, and more. All great options for applying declarative security to our stacks. [next slide]
  8. And these tools, this pattern is so powerful because instead of going in and manually changing a string here, and a credential there, we can manage and audit our security policies just like we do code. And we all know what the alternative is: hoping you have the right credentials to the right database and don’t fat finger something along the way. That sounds an awful lot like cowboy coding to me, which doesn’t sound very intentional. I think we can do better! [next slide]
  9. So declarative policies are great. We can make edits easily, audit them, and ensure they get the same rigor as other areas of our code base. But where should we apply these policies? The persistence layer, where our data rests? [next slide]
  10. The services tier, where we apply the bulk of our business logic? [next slide]
  11. Maybe the aggregation tier? Well… [next slide]
  12. It depends. [next slide]
  13. Just kidding, you didn't come all this way for a consultant's answer. The real answer is: almost everywhere. [next slide]
  14. This is also sometimes called "Defense in Depth." Most orgs will benefit from this defense-in-depth motion, securing each layer of the stack, left to right. But we're here to talk about intentional design, right? After all, software architecture is about making principled decisions about things that are hard to change later. And this is one of those things. We want to be sure we're applying policies in the right place. So with policy-as-code specifically, how can we reason about the different boundaries that we can attach these policies to? [next slide]
  15. Well, when in doubt, I like to draw a matrix. In this case we should measure at least two things: flexibility on the x-axis (how easy is it to update?) and granularity on the y-axis (how specific can we be?). We can call this "authorization versatility by location." Our goal here is to evaluate the value and trade-offs that we can get from securing different layers in our stack. We can then layer the topology of our architecture onto this matrix to find the benefit of applying authorization policies, whether declaratively through a tool like Open Policy Agent, or even imperatively by hardcoding. [next slide]
  16. So let's take a step back and simplify what we were looking at before, and just talk about the topology of our architecture. We can drop the Presentation layer, push it right off to the left of the screen, because we're talking APIs and, well, we should never trust the client. So that leaves us, left to right, with the API Gateway, Aggregation, Services (or Application), and Data. [next slide]
  17. Let's go from the outside in. We'll start by evaluating applying policies closest to the data. We'll consider a database for brevity, but it can be any type of persistent storage, whether S3, PostgreSQL, or a data warehouse wrapping a database, like Databricks wrapping MySQL. As the system of record for the data, applying data access policies at the storage layer is a logical place to start. [next slide]
  18. However, the trade-off of only using security policies at the data storage layer is that they trend towards general roles, whether that’s through a username and password, certificate, LDAP, or other authentication protocol. These are enforced directly at the storage layer, such as through PostgreSQL Authentication, authorizing table-level access at best. This type of low-level access rarely represents the permissions and scopes we want and need for a consumer-facing application. [next slide]
  19. So let’s move to the other side of the spectrum. We just talked about the layer closest to the data, now let’s talk closest to the user. We can do this either service-by-service, or more commonly, through an API gateway like Kong or AWS API Gateway. Using policies at the API Gateway level can be a boon because we can fine-tune them to business requirements more comprehensively than at the database level. [next slide]
  20. However, policies and authorization implemented at the service level using a tool like Kong are still broadly enforcing an entire service at a time, rejecting an entire request if the policy agent identifies an unmatched rule. So for example if you have a User service you can block access to the entire request, but can’t guard individual attributes within the request body as easily. [next slide]
  21. So next up, if we apply policies on a service-by-service basis, we can increase the granularity of the data we protect. [next slide]
  22. However, we must write unique and bespoke logic in each service, decreasing the flexibility of adjustments because every change will require new code, tests, and deployments, and we end up with policies all over the place. [next slide]
  23. So let’s go back to our matrix and take a look at these three options. If we only secure the persistence boundary, It’s not particularly granular, and really not all that flexible. [next slide]
  24. Only securing the API Gateway is fairly flexible, you can secure big swaths of fields that may cross different tables, but it’s not very granular. [next slide]
  25. Securing individual services can be granular, but not super flexible. You need to get in the weeds and manually adjust policies within each individual service. And you all know where I’m going with this. One layer left to explore… but before I get there, let’s talk about GraphQL. This is a part of the GraphQL track after all. [next slide]
  26. Now you may be thinking, as I used to, that GraphQL is just another option for our APIs. It's REST vs. GraphQL, or GraphQL vs. RPC. In 2012 that may have been the case, but over the last decade there's been a lot of evolution in the space. After GraphQL was open-sourced in 2015 it saw rapid adoption, and we started running into the side effects of running GraphQL at scale. Schema stitching hit the scene in 2017, and then new architectural patterns like federated GraphQL emerged and have taken GraphQL by storm. Just a few short years later, companies like Netflix, MLB, etc. are all deploying highly available GraphQL at scale using Apollo Router. [next slide]
  27. The reason for that is that federated architectures enable teams to deliver GraphQL's benefits at a greater scale, transforming it from just another API to a layer in the stack that sits on top of existing services. This graph of graphs provides access to any number of services with a single endpoint. It also enables teams to share entities and domain models across those subgraphs. Rather than exposing a sprawl of backends-for-frontends (BFFs) or experience APIs, service teams gain a central unified boundary. Remember? Securing our applications is all about ensuring we have adequate boundaries. [next slide]
  28. GraphQL, especially when implemented as a federated architecture, offers a unique opportunity to apply query and even column-level authorization and access policies within a single request that can span any service and any database. In a federated GraphQL architecture, teams can maintain their own individual APIs. This pattern provides the simplicity of a GraphQL monolith for client teams but the modularity of a more decoupled approach for service teams. This supergraph — a graph of graphs — orchestrates these services to provide a central access point for data while retaining field-level granularity. Of course, we can apply policies in GraphQL, even without federation, but federation provides a boundary in an architecture that amplifies the benefits of declarative authorization. [next slide]
  29. OK, we've been talking a lot about why it's such a helpful boundary, but let's dig into the how a little bit. What are the ways we can apply these declarative authorization policies in our GraphQL layer? Applying declarative policies in GraphQL is a nascent space, but it has tremendous potential upside thanks to the flexibility and granularity we can gain in our security posture. There are generally two ways this can be done today: [next slide]
  30. Manually in each resolver or centralized in the schema with a custom directive. Each with benefits and tradeoffs. Applying policies one-by-one in resolvers, for example creating policy bundles that allow fine-grained and context-aware policies with OPA is simpler – just update the resolvers! But not very flexible. Honestly it’s fairly similar to the service-by-service data-access process. [next slide]
  31. Another option for applying policies is by customizing our schemas directly. Declaring policies in our schemas requires custom directives. Custom directives are an advanced GraphQL feature, but they are the most declarative and clean way of applying these rules. Some emerging products on the market offer pre-built custom directives that reduce some of the complexity of building and maintaining them. [next slide]
  32. A GraphQL layer can be a Goldilocks zone in our architecture because it is possible to apply broad rules, for example, to entire services, groups of services, or granular rules inside a query. By applying these policies declaratively at this level, we can define granular and flexible authorization and even design for more complex patterns like returning partial responses (returning data that a user can access, and an error for requested data they don’t have permission to retrieve). [next slide]
  33. OK, enough talking. Let's make this real. Let's take a look at a demo of applying declarative authorization policies directly within your GraphQL schemas. [next slide]
  34. Now, as you can imagine, demoing authorization takes a few tools, and I only have a couple of minutes left, so I've trimmed this down as much as I could and tried to use common tools wherever possible. We'll use Postman to issue our GraphQL queries, Open Policy Agent to validate or reject our policies, VS Code to add policies to our schemas, JWTs (JSON Web Tokens) to carry authorization details about our request, and Apollo Router to compose and federate our GraphQL subgraphs. And we'll look at three examples: [next slide]
  35. Finally, before I click play on the demo: JWTs are really hard to demo. They're a base64-encoded string that is impossible to read. This is the JWT I'm using for this demo. If the username is "Alice," they have permission to query the "Locations" subgraph. If they don't have that username, then they should be blocked. Again, simplified for the purposes of this demo, but you can imagine a JWT with a much larger or more complex payload than this. [next slide]
  36. The first, is a fully unauthorized flow. In this example the client will pass a bad JWT, or even no JWT at all, in the GraphQL request. The Apollo Router will coordinate with OPA and reject all requests to the subgraphs. [next slide]
  37. The next example is an authorized flow. In this instance, the client will issue a valid JWT in the bearer token and the Open Policy Agent will return a successful response to the router, allowing the subgraph requests to complete. [next slide]
  38. And because I don't trust the demo gods, I created this quick recording to walk through those three scenarios: unauthorized, authorized, and partially authorized.
  39. And the third example is one that I personally find most compelling: partial authorization. This one is very interesting because we can declaratively authorize _part_ of a request and still return the data the user has access to! So in this example, the client will pass a JWT that satisfies part of a request. The router will continue brokering with Open Policy Agent and then will intelligently issue requests to the subgraphs and fields that are satisfied by the declarative policies we've set. I think this is super cool. [next slide]
  41. A strong security strategy requires a plan for every layer of our stack, and applying policies in GraphQL can give us flexibility and granularity that we haven’t seen before. By building on the rules we’ve already applied at our persistence layers and API gateways to include authorization policies in GraphQL, we can use it as a centralized boundary for implementing nuanced, field-level access control and authorization.
  42. If you'd like to learn more, we'd love to have you! We have a community of more than 1,000 API engineers and architects from around the world sharing their experience transforming their stacks, finding ways to manage API sprawl, and establishing useful boundaries in their architectures. Come join us!