Melbourne API Management Seminar

API Management Breakfast Seminar

Francois Lascelles Devon Winkworth Mike Amundsen
Chief Architect Solutions Architect, APAC Principal API Architect

Agenda

API Management
Overview and Trends
Reaching out to Developers – B2D
Publishing and Consuming APIs
Engaging & Supporting Developers and Reporting the Results
Break
OAuth – the next step in Access Control
Solving Mobile Challenges
Customers Success Stories
Summary and Wrap up

Challenges for the Modern Enterprise

X-Departments / X-Agency Connectivity Build a Developer Channel with Open APIs
 Publish Public APIs Reliably
 Real-time Supply Chain
 Build Developer Ecosystems
 X-agency information sharing
 Monetize Internal Information
 Media Syndication
 Socialize Applications
 Trading Platforms

Cloud Access & Integration Connect Enterprise to Mobile Apps
Login

 SaaS Access Password
 BYOD Employee Enablement
 IaaS Integration & Governance  Field Enablement
 Hybrid Private / Public  API Developer Communities
 Burst to the Cloud  Smart Grid

Why APIs? The Rebirth of Applications

Enterprise API

Customers & Partners

Traditional “Closed” APIs

Divisions

Cloud

Enterprise
API

Mobile

Partners

The New “Open” API

Divisions

Cloud

Open
API

Mobile

Partners

Third Parties are Key

Divisions

Cloud

Open
API

Mobile

Partners

API Management Scope

Developer

Developer Portal

API
App

API Gateway

API Management Infrastructure

 API Lifecycle  Access control
 Discovery, documentation  SLA enforcement
 Developer onboarding  Threat protection
 Performance, scaling  Analytics
 Integration  Monetization

Attending to the Hockey Sticks
 More Devices
 More Apps
 More APIs

API Developers
 Developers are your target audience
 They need great tools to use your API
 They know what works
 And they tell others about it

Developers are your Target Audience
 APIs
 Developers
 Apps
 Users

They need great tools to use your API
 Docs
 Getting started
 Sandbox
 Registration
 Samples

Developers know what works…
 30 min to a quick win or else
“It was easy for me to get started with this API.”
 Make them look good to peers and superiors
“Hey, I know just the API we can use to solve this problem.”
 Make it easy for them to use/promote your API
“Company X has a great API, you should try it.”
 Make it hard for them to mis-use/break your API
“This API is very intuitive.”

…And they tell others about it.
 Conferences
100+ developers, designers, project leaders
 Code-a-thons
100- developers, API publishers, API hosts
 Meetups
Local developers, designers, leadership
- User Groups (~50)
- Pub Nights (~25)
 Online
Wide range of highly targeted communities
- Forums
- Chat rooms
- Social media

Reaching out means…
 Know your target audience
 Give them the tools they need…
 To do their jobs well…
 So they will spread the good word.

Example: Australia Sports API
 Sample API: Professional sports information aggregation
- Teams
- News
- Results

Layer 7 Gateway

Ensure Privacy & Security Compliance: Optimize API Traffic:

Authorization & Data Leak Prevention Rate Limiting API Key Management
Authentication

SOAP REST
XML JSON
Attack Prevention Browser Exploit Blocking
Traffic Control Transformations

Security Control

Demo: Exposing an API with the Layer 7 Gateway

Gateway

API
endpoint

REST Client

Policy Manager

Layer 7 Gateway Capabilities

• Authentication: for different IAM, SAML, Oauth,
• Authorization including Oauth, XACML
Access Control • Token translation / SAML STS
• Horizon call back into enterprise
• Identity federation across service zones

• API threat protection
• XML / JSON schema validation
Security • Data filtering, redaction
• Data privacy: message- and field-level encryption
• Data integrity: digital signatures, hashing, validation

• Throttling, rate limiting, x-cluster message counter
• Prioritization, traffic shaping and QoS
Metering/SLA • Content caching to reduce latency overhead
• Monitoring, reporting on API usage
• Activity reporting to IT management systems

• Format conversion: SOAP/REST/JSON/XML
• Protocol mediation: HTTP(S), messaging, file-based, SSH
Abstraction/Mediation • Dynamic content- and context-based routing
• Composite services: in-line callouts, message enrichment
• Workflow: fan-in, fan-out, looping, synch/asynch

Layer 7 Gateway Form Factors

Hardware Appliance VMWare Virtual Appliance

Rack mountable 1-U device Packaged virtual image of hardware appliance
Common criteria EAL 4+ certification, FIPS 140/2 level 3 “VMWare-ready” certified
Optional hardware accelerator modules for XML, crypto Open Virtualization Format (OVF)

Software AWS Virtual Appliance

Instantiate from your AMI catalog
Software installation for Linux or Solaris based systems
Integrate with EC2, RDS, Auto Scale, ELB

Layer 7 API Portal Objectives

Drive Developer Adoption: Provide Insight for all Stakeholders:

Developer API Docs Analytics Rankings
Enrollment

45%

28%

Forums API Explorer
Quotas Task Tracking

Onboarding Reporting

Demo: API Portal
 Developer portal
- Discover an API
- Try the API
- Register as a developer
- Register an application
- Get an API key
- Metrics
- Community
 Demo

Layer 7 API Portal Capabilities

• Self-service registration and colleague enrollment
Developer • Plans are provided to help you stratify developers into tiers
• Account managers assigned to help manage specific, high‐value partners
Management • Manage the generation of API keys/OAuth secrets for each developer
application

• Discussion Forums, integrated messaging, FAQs, Announcements to
foster community among developers
Developer • API Documentation, sample code/applications
• API Explorer to allow you to submit queries and see API responses
Support interactively
• Reports that measure API usage, application usage and API latency

• Out‐of‐the‐box templates for API documents, landing pages, etc.
• Content can be versioned and rolled back
Content • Personalized default dashboard for all developer and publisher users
Management • Look and feel easily changed (i.e. logos, fonts, colors, etc.)
• Control access to documentation and forums based on API status (i.e.
private vs. public)

• Account tiers defined to allow for developer grouping and actions
• Define unique and/or standard plans for each API
Business • Define quotas, rate limits and other features for each API plan
Management • Applications tracked as they move from development to test to production
• Application usage measured providing developer understanding and info
for planning

API access control

 You got an API key, now what?
- An app is sometimes identified at runtime by including its API key in
a query parameter
- (that doesn’t count as access control)
- Typically, the user of the mobile app needs to be authenticated
- Standard: OAuth 2.0
- Multiple grant types possible
- Opaque, bearer tokens is the most common approach

OAuth Toolkit

 Better Integration
– Leverage Existing Assets
 Faster Time to Market
OAuth 1 OAuth 2  Scaling
– Interpreted vs. Stateful Tokens
– Caching

2 & 3-legged OAuth OpenID Connect

API
Protection

Anatomy of an OAuth handshake
(one of many possible grant types illustrated)

OAuth Authorization Server

Subscriber
(resource owner) consent
1
Authorization endpoint

1

+autz code

2 Token endpoint
Mobile App
(client) +access token

This is a shared secret

Why exchange a secret with an OAuth authorization
server in the first place?

OAuth Provider
 A: In order to consume an API
OAuth Authorization Server

Consume REST API
OAuth Resource Server
With access token from handshake
API endpoint

 access token -> app, user
 Enforce access control policies

OAuth: Leverage existing identity, existing SSO

 API Management
- Get SSO cookie, integrate with policy server
(web agent)

<handshake> - Associate SSO cookie with access token

SSO token

Check SSO session

Maintain my SSO
experience!

 SSO Policy Server

Token Monitoring, Revocation
 Track usage of live tokens
 Integrate with portals, BI, provider tooling through open API
 Expose token revocation to the right parties

Token Management Look for
unusual
usage
revoke patterns
Dev portal revoke

revoke
check
BI

API Provider
Subscriber portal
FAIL!

exploit
compromise

Layer 7 Mobile Access Gateway
 A lightweight, low-latency mobile gateway for solving critical mobile challenges in the
following areas:

Demo - Mobile Access Gateway

 Mobile Access Gateway
- http/websocket/xmpp/push
- Mobile notification hookup
(APNS, Android)
- Targeted notifications
 Demo

Layer 7 Mobile Access Gateway Capabilities

• Map Web SSO & SAML to mobile-friendly OAuth, OpenID Connect and JSON
Web Tokens
Identity • Create granular access policies at user, app and device levels
• Build composite access policies combining geolocation, message content etc.
• Simplify PKI-based certificate delivery and provisioning

• Protect REST, SOAP and OData APIs against DoS and API attacks
• Proxy API streaming protocols like HTML5 Web Sockets and XMPP messaging
Security • Enforce FIPS 140-2 grade data privacy and integrity
• Validate data exchanges, including all JSON, XML, header and parameter
content

• Surface any legacy application or database as RESTful APIs
• Quickly map between data formats such as XML and JSON
Adoption • Recompose & virtualize APIs to specific mobile identities, apps and devices
• Orchestrate API mashups with configurable workflow

• Cache calls to backend applications
• Recompose small backend calls into efficiently aggregated mobile requests
Optimisation • Compress traffic to minimize bandwidth costs and improve user experience
• Pre-fetch content for hypermedia-based API calls

• Proxy and manage app interactions with social networks
• Broker call-outs to cloud services like Salesforce.com
Integration • Bridge connectivity to iPhone, Windows and Android notification services
• Integrate with legacy applications using ESB capabilities

Layer 7 API Management Implemented at 200+ Enterprise and
Government Customers
Financial Services Communications Public Sector Select Others

Case Study: Publishing Telecom APIs
 Problem: publicly exposing Telecom APIs presents some unique challenges around
how they get packaged, secured and managed for easy consumption
 Solution: SecureSpan Networking Gateway policy-based controls allowed Orange to
define the message, identity and interface level security for their APIs; track usage;
monitor interface health; and update APIs without breaking client applications

“ Making Nursery [Telecom APIs]
available to local, 3rd world
partners has allowed Orange to
overcome many of the barriers
that had previously limited our “
growth in emerging markets.
Benoît Herard, Orange Labs

 Results: Orange has created an agile IT platform on which to develop new offerings
faster and at less cost by reusing/recomposing existing services

Case Study: APIs Expanding Market Reach
 Problem: wanted to securely expose existing services to third party developers in
order to expand their market reach
 Solution: Layer 7 API Proxy allows Alaska to securely expose and manage their
APIs, while caching Sabre requests

 Results: significantly grew market reach, while controlling costs associated with
constantly pulling data from Sabre to service Developer requests

Case Study: APIs Enabling the Enterprise
 Problem: reduce cost and delay in processing Medicaid member information by
bringing the process online
 Solution: SOA Gateway allows iPad application to securely connect to backend
APIs; provides data routing & guards APIs against intrusion with strict authentication,
authorization and comprehensive threat protection

 Results: improves Amerigroup’s health care coverage and member services, while
increasing the effectiveness and efficiency of its Medicaid program

Case Study: Publishing Information Service APIs
 Problem: allow customers and partners to use Google Apps to access multiple,
existing information services
 Solution: CloudControl authorizes users and applies rate limiting; converts REST
queries to SOAP, and provides API aggregation & orchestration

“ Layer 7 offered us the closest fit to our
business requirements in a single “
product. No other vendor was even
close.
SOA Architect, World’s leading publisher of
science and health information

 Results: implemented business logic in policy (not code), decreasing maintenance
costs; customers and partners can now obtain richer results to their queries from
their platform of choice, simplifying and speeding information gathering

Case Study: SaaS & Mobile Integration
 Problem: securely integrate to SaaS services such as Salesforce.com and
Workday, as well as secure mobile payments for Mastercard’s MoneySend service
 Solution: Layer 7 securely gates all interactions with cloud-based SaaS providers
and mobile applications, authenticating and authorizing all inbound/outbound
interactions

 Results: users manage only a single login/password for all systems; administrators
manage a single LDAP, thereby enhancing security and lowering administration costs

Layer 7 – One Solution for 4 Hybrid Problem Spaces

Across Divisions & Partners Outside Developer Communities
 Simplify Information Sharing  Build a developer channel
 Enable Centralized Shared Services  Monetize information assets
 Improve B2B  Improve customer reach
 Bridge ESB Domains Improve customer retention
SOA Gateway 
API Portal

Cloud Access
 Help Enterprises Connect To
Across Mobile
The Cloud
 Mobile Developer Onboarding
 Help Service Providers Deliver
 BYOD
New Services
 Mobile application management
 Deploy Security-as-a-cloud
CloudConnect
Service
Mobile Access Gateway
 App security

Established Leader
The Forrester Wave: Gartner Magic Quadrant
SOA & API Application Gateways, Nov 2011 For SOA & API Governance Technologies, Oct 2011
Risky Strong
Bets Contenders Performers Leaders
challengers leaders
Strong

Intel
Vordel Software AG
Forum Systems
IBM Oracle
IBM
HP
Progress Software

ability to execute
Layer 7
Progress Software Tibco Software
Vordel
Current Software AG SOA Software
Offering Crosscheck Networks
Mashery
Bee Ware Managed Methods
WS02
Tibco Software Intel

Market Presence

Weak

Weak Strategy Strong niche players visionaries
“Layer 7 SecureSpan is strong across the board. SecureSpan SOA Gateway “[Layer 7 has a] …. complete offering, with good coverage of general SOA
scored well in all of the major functional evaluation categories…It has the governance (on-premises and in the cloud), B2B, ESB and API management
broadest array of form factors and one of the strongest strategies for functionality…[The Company is] fast-moving, well on its way to implementing
virtualization and cloud-based deployment.” its good vision for SOA governance and the related marketplaces.”

Additional Notable Recognition

Thank You
For more information contact:
Colman McCaffery
cmccaffery@layer7tech.com
+ 61 413 776 428

Melbourne API Management Seminar

More Related Content

What's hot

Viewers also liked

Similar to Melbourne API Management Seminar

More from CA API Management

Recently uploaded

Melbourne API Management Seminar