The document discusses the importance of API security for modern enterprises, emphasizing the role of API gateways in protecting data through threat protection, authentication, and authorization. It highlights the integration of identity management, OAuth for secure access, and the leveraging of social login to enhance user experience. Additionally, it presents various customer examples showcasing successful implementations of API security solutions.

1. © 2014 Axway | Confidential 1
API Security for the Cloud
Ross Garrett
rgarrett@axway.com | @gssor
Cloud Identity Summit 2014

2. © 2014 Axway | Confidential 2
Access Control isn’t this simple

3. © 2014 Axway | Confidential 3
Modern Enterprises have many open
windows

4. © 2014 Axway | Confidential 4
Web APIs power the Open Enterprise

5. © 2014 Axway | Confidential 5
Identity is key to protecting APIs

6. © 2014 Axway | Confidential 6
Identity is key to protecting APIs
?

7. © 2014 Axway | Confidential 7
User Experience is actually key

8. © 2014 Axway | Confidential 8
There are many layers to a complete
Security Solution
API Gateway
MDM
MAM
Firewalling
IAM
API
Security

9. © 2014 Axway | Confidential 9
The Role of the API Gateway
• Threat Protection
• Encryption
• Authentication
• Authorization
• Policy Enforcement (E.g. Throttling)

10. © 2014 Axway | Confidential 10
A simple API Security example

11. © 2014 Axway | Confidential 11
The Role of the API Gateway
Basic throttling or rate limiting, can prevent malicious
access to public APIs

12. © 2014 Axway | Confidential 12
Basic Identity Federation

13. © 2014 Axway | Confidential 13
The Role of the API Gateway
• Securely bridging identity across domains
– Mediating between token formats
• Provide an STS overlay on top of existing IAM
infrastructure
– Enabling the extension of identity assets to the cloud
• Track and audit usage

14. © 2014 Axway | Confidential 14
The password anti-pattern

15. © 2014 Axway | Confidential 15
Solving this problem with OAuth

16. © 2014 Axway | Confidential 16
The Role of the API Gateway
• Provide an OAuth façade on top of legacy IAM
• Clients should not be storing user passwords
– OAuth Tokens represent explicit authorization for a
specific task
• Provide a centralized way to de-authorize clients
– Low latency token store

17. © 2014 Axway | Confidential 17
Leveraging Social Login

18. © 2014 Axway | Confidential 18
Leveraging Social Login

19. © 2014 Axway | Confidential 19
The Role of the API Gateway
• Apply Social Login at an infrastructure level
– Bringing API Access and SSO together
• Monitoring and Reporting
– Trends over time
– Audit trail
• Enterprise Identity Management Integration
– Adapters to directories, Web Access Management

20. © 2014 Axway | Confidential 20© 2014 Axway | Confidential 20
Some Customer Examples

21. © 2014 Axway | Confidential 21
Leading pharmacuetical company – SSO
Solu6on
API Gateway
API
Intranet
Site
Oracle Access
Manager
SharePoint
Active
Directory
Web Browser
• Users have
two
passwords
(one for
Intranet, one
for
Sharepoint)
• Two user
authentication
technologies
(Oracle and
Microsoft)
Challenge

22. © 2014 Axway | Confidential 22
Large US Health Plan – Mobile Access
Iden)ty
Management
Integra)on
Mobile
Devices
Solution
SAML
Secure connection
Oracle
SOA
Web
APIs
API Gateway
API
• Manage
mobile (tablet,
phone)
access to
medical
systems
• Consolidate
across Oracle
and IBM
identity
systems
Challenge

23. © 2014 Axway | Confidential 23
Mutual fund
provider
Solution
API Gateway
Secure
connection
Check cookie
Leading Mutual Fund Provider – Cloud Access
• Must
authenticate
clients against
CA SiteMinder
• Must expose
internal
systems as
APIs for
Mobile apps
to access
• Secure
Connection to
Salesforce
Challenge
Encrypted
Data

24. © 2014 Axway | Confidential 24
Thank-­‐you!
Ross Garrett
rgarrett@axway.com | @gssor