In this deck, I cover all the new security features we have in both the gateway and APIC.
We are excited about the new features and how they can be used to help protect the customer's deployment environment.
2. IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice
and at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should
not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal
obligation to deliver any material, code or functionality. Information about potential future products may not be
incorporated into any contract.
The development, release, and timing of any future features or functionality described for our products remains
at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled
environment. The actual throughput or performance that any user will experience will vary depending upon
many factors, including considerations such as the amount of multiprogramming in the user’s job stream,
the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be
given that an individual user will achieve results similar to those stated here.
Please note
5. DataPower Gateway
• New Algorithm Support
  – JSON Web Signature: support for the RSASSA-PSS algorithm
    » PS256, PS384, PS512
• OAuth/OIDC
  – Allow duplicate credentials for an application
  – Proof Key for Code Exchange (PKCE) support
  – Support for at_hash, c_hash, s_hash
  – Fine-tune refresh_token handling: reuse or not
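The two OAuth/OIDC items above (PKCE and the at_hash/c_hash/s_hash claims) rest on the same primitive: a base64url-encoded hash that binds one artifact to another. The following is an added example written for this page, not DataPower or API Connect code; it shows the client-side and server-side halves of PKCE (RFC 7636, S256 only) and the OIDC rule for the *_hash claims (left-most half of the ID token's hash algorithm output, base64url). The alg-to-hash table and the relying-party check are the example's own; only the standard library is used.

```python
import base64
import hashlib
import hmac
import re
import secrets


def b64url(data):
    """Base64url without padding, as used by JOSE, PKCE and the OIDC *_hash claims."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# --- PKCE (RFC 7636) -------------------------------------------------------

# code_verifier alphabet and length range from RFC 7636 section 4.1
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(nbytes=32):
    """Client side: a high-entropy verifier (32 random bytes -> 43 base64url chars)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(code_verifier):
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(code_verifier, stored_challenge, method="S256"):
    """Authorization server side, at the token endpoint: recompute the challenge
    that was stored with the authorization code and compare in constant time.
    Only S256 is accepted; 'plain' gives no protection if the challenge leaks."""
    if method != "S256":
        return False
    if not VERIFIER_RE.match(code_verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


# --- OIDC at_hash / c_hash / s_hash ---------------------------------------

# Hash function implied by the ID token's signing alg (example's own table).
HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def token_hash(value, alg):
    """Hash the ASCII value with the hash of the ID token's alg, keep the
    left-most half of the digest and base64url-encode it. The same rule yields
    at_hash (access_token), c_hash (authorization code) and s_hash (state)."""
    digest = HASH_FOR_ALG[alg](value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def verify_token_hash(value, claimed, alg):
    """Relying party side: reject an ID token whose *_hash does not match the
    artifact it arrived with (e.g. an access_token swapped in from elsewhere)."""
    return hmac.compare_digest(token_hash(value, alg), claimed)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("PKCE verifier accepted:", verify_pkce(verifier, challenge))
    print("at_hash for PS256:", token_hash("constructed-access-token", "PS256"))
```

The server stores only the challenge with the issued code, so a stolen code is useless without the verifier that never left the client; the relying party, in turn, must check at_hash and c_hash before using the access_token or code it received alongside the ID token.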
6. DataPower Gateway
• HSTS header for the GUI
  – Strict-Transport-Security: max-age=31536000; includeSubDomains
• SSH
  – Pre-authentication banner -> 4 kB
  – Allow selection of KEX and MAC algorithms
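A check a reviewer can run against the header the GUI now sends, as an added example (not part of the deck or of DataPower): it parses a Strict-Transport-Security value per RFC 6797 (directive names are case-insensitive and must not repeat) and verifies the policy is at least one year with includeSubDomains, which is the value shown above. The thresholds are the example's own parameters.

```python
def parse_hsts(header_value):
    """Parse a Strict-Transport-Security field value into {name: value_or_None}."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            # RFC 6797: a directive must not appear more than once
            raise ValueError(f"duplicate directive {name}")
        directives[name] = value.strip().strip('"') if value else None
    return directives


def check_hsts(header_value, min_age=31536000, require_subdomains=True):
    """Return (ok, reason) for a header value, using a one-year minimum by default."""
    try:
        directives = parse_hsts(header_value)
    except ValueError as exc:
        return False, str(exc)
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        return False, "missing or invalid max-age"
    if int(age) == 0:
        # max-age=0 tells browsers to forget the host's HSTS policy
        return False, "max-age=0 disables HSTS"
    if int(age) < min_age:
        return False, f"max-age {age} below {min_age}"
    if require_subdomains and "includesubdomains" not in directives:
        return False, "includeSubDomains missing"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values
    for value in ("max-age=31536000; includeSubDomains", "max-age=300", "max-age=0"):
        print(f"{value!r}: {check_hsts(value)}")
```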
7. API Security
API Gateway:
• Decoupling/routing
• Traffic management
• Security
• Translation
Developer portal:
• API discovery
• Self subscription/administration
• Account usage analytics
• Monetization
API Manager:
• Plan/product design
• Policy administration
• API plan usage analytics
• API Governance
8. API Security
API Gateway:
• Decoupling/routing
• Traffic management
• Security
• Translation
Developer portal:
• API discovery
• Self subscription/administration
• Account usage analytics
• Monetization
• Security
API Manager:
• Plan/product design
• Policy administration
• API plan usage analytics
• API Governance
• Security
9. Micro services Kubernetes Cluster
(Diagram: worker Nodes 1-3 and Master Nodes 1-3 running the Gateway Service, Analytics Service, Portal Service and Management Service)
APIC Connect White Paper: https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN& (Chris Phillips)
11. API Manager
• User Registry support
  – Authenticate URL
  – LDAP (supports group authentication)
    » Search DN
    » Compose DN
    » Compose UPN
  – OIDC (Federated Identity)
    » Portal
    » APIC/Admin (coming)
  – Local User Registry (LUR)
    » Protection against timing attacks
    » Protection against brute-force attacks
• Token (JWT)
  – OAuth 2.0 (no basic auth)
  – Role
    » Custom role
  – Token TTL
• Data at rest
• Data in transit
  – Introduction of microservices to each other
  – Webhook
12. API Manager
• APIs are published
  – Published in OpenAPI v2 format
  – apim vs consumer
  – Web GUI/toolkits
  – Rate limit
Drinking Our Own Champagne
• Get an access_token
• The access_token must contain the right scope
• Permission is checked:
  – Is the token valid?
  – Does the token contain the necessary scope?
  – Does the user have the proper permission?
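The three checks above run in a fixed order: validity first, then scope, then the role's permission. The following is an added example, not API Manager's implementation; it uses an HS256 (HMAC) JWT so it runs with the standard library alone, and the role-to-permission table and key are constructed for the example. The order matters: the MAC is checked before any claim is read, the alg is pinned so an "alg: none" header is rejected, and expiry is checked before scope.

```python
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-hmac-key-not-for-production"  # constructed sample

# Role -> permissions table (constructed; the deck only says roles and custom roles exist)
ROLE_PERMISSIONS = {
    "viewer": {"product:view"},
    "publisher": {"product:view", "product:publish"},
}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, scopes, role, now, ttl=3600, key=SIGNING_KEY):
    """Issue an HS256-signed token with a space-separated scope claim and a role."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": " ".join(scopes), "role": role,
               "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token, now, key=SIGNING_KEY):
    """Step 1, 'is the token valid?': pin the alg, check the MAC before trusting
    any claim, then check expiry. Returns (claims, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if now >= claims.get("exp", 0):
        return None, "token expired"
    return claims, "ok"


def authorize(token, required_scope, required_permission, now, key=SIGNING_KEY):
    """Steps 2 and 3: does the token carry the scope, and does the user's role
    grant the permission? Returns (allowed, reason)."""
    claims, reason = verify_token(token, now, key)
    if claims is None:
        return False, reason
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"
    if required_permission not in ROLE_PERMISSIONS.get(claims.get("role"), set()):
        return False, "missing permission"
    return True, "ok"


if __name__ == "__main__":
    tok = mint_token("alice", ["api:read"], "viewer", now=1_700_000_000)
    print(authorize(tok, "api:read", "product:view", now=1_700_000_010))
    print(authorize(tok, "api:read", "product:publish", now=1_700_000_010))
```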
13. API Manager with Gateway
• The Gateway must run 24 x 7 (without APIM)
• The API Gateway introduces a gateway director (manager)
  – Uses clustering technology to track configuration from APIM
  – Heartbeat from APIM to make sure the Gateway has the latest information
  – "911" protocol to handle catastrophic failure
• The gateway director allows auto-scaling of additional gateways
  – Configuration/key material
  – State of the processing
14. Hardened Portal Security
• Supports OpenID Connect for accelerated developer on-boarding and social login
• Enables PSD2/Open Banking compliance to programmatically onboard consumers using REST Management APIs and OpenID Connect
• Enhanced protection against spam bots with CAPTCHA and honeypot
• Detect and prevent malicious attacks with perimeter and DNS checks
• Detect and prevent flood attacks
15. Comprehensive API Security leveraging AI and Machine Learning
• Power your APIs with API Behavioral Security (ABS), integrated with Ping Intelligence, to detect attacks against your APIs
• Detect and block cyberattacks that target APIs, such as:
  – Data, application and system attacks
  – API DDoS attacks
  – Login attacks (credential stuffing, fuzzing, stolen cookies & tokens)
• Easily enable AI-powered threat protection on every API using Global Policy support
https://www.pingidentity.com/en/platform/api-security.html
https://developer.ibm.com/apiconnect/2019/02/12/ping-identity-and-ibm-partner-to-protect-against-api-cyberattacks/
16. Under the hood
Pre-req: ase-token
Global policy (x-correlationid)
• Pre-hook: is the request OK?
  – authorization header?
  – appId?
  – cookie?
• Post-hook:
  – backend response
  – redact (record) for learning
18. Secure & Manage GraphQL Endpoints
• Next-gen evolution of gateway technology beyond web services and REST, with GraphQL support
• Secure and manage APIs with GraphQL backends, efficiently managing compute-intensive services
• Threat protection against cyberattacks using advanced query complexity analysis to prevent API-based attacks
• Rate limit GraphQL queries with consumer plans based on number of API calls & backend compute time
https://www.ibm.com/blogs/research/2019/02/graphql-api-management/
https://developer.github.com/v4/guides/resource-limitations/
1. Access Control
• Who can access the data, and what data
  – APIC
    » Client credential (application)
    » User credential (who)
2. Load Control
• How much effort for the server to fulfill the request
  – Complexity
    » Type (object type)
    » Resolve
    » Nesting
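Load control means estimating the nesting and the resolver work of a query before the backend runs it. The following is an added example, not API Connect's complexity analyser: a small recursive-descent parser for GraphQL selection sets (anonymous or named operations; no variables, fragments or directives) and a cost model in the spirit of the GitHub guide linked above, in which every field costs 1 and the children of a list field are multiplied by its first:/last: argument because the resolver runs them once per returned node. The sample queries and the limits (depth 5, cost 1000) are constructed for the example.

```python
import re

TOKEN_RE = re.compile(r'\s+|,|[{}():]|"[^"]*"|[A-Za-z_][A-Za-z0-9_]*|-?\d+')
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample queries
SMALL_QUERY = "{ viewer { login } }"
DEEP_QUERY = """query {
  viewer {
    repositories(first: 50) {
      nodes { issues(first: 10) { nodes { title } } }
    }
  }
}"""


def tokenize(query):
    """Minimal GraphQL lexer: names, ints, strings and punctuators."""
    tokens, pos = [], 0
    while pos < len(query):
        match = TOKEN_RE.match(query, pos)
        if not match:
            raise ValueError(f"unexpected character {query[pos]!r} at offset {pos}")
        text = match.group()
        pos = match.end()
        if text.strip() and text != ",":  # whitespace and commas are insignificant
            tokens.append(text)
    return tokens


def parse_field(tokens, i):
    name = tokens[i]
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"expected field name, got {name!r}")
    i += 1
    args = {}
    if i < len(tokens) and tokens[i] == "(":
        i += 1
        while tokens[i] != ")":
            if tokens[i + 1] != ":":
                raise ValueError(f"expected ':' after argument {tokens[i]!r}")
            args[tokens[i]] = tokens[i + 2]
            i += 3
        i += 1
    children = []
    if i < len(tokens) and tokens[i] == "{":
        children, i = parse_selection_set(tokens, i)
    return {"name": name, "args": args, "children": children}, i


def parse_selection_set(tokens, i):
    if tokens[i] != "{":
        raise ValueError("expected '{'")
    i += 1
    fields = []
    while tokens[i] != "}":
        field, i = parse_field(tokens, i)
        fields.append(field)
    return fields, i + 1


def parse_query(query):
    """Return the top-level fields of the first selection set in the document."""
    tokens = tokenize(query)
    if "{" not in tokens:
        raise ValueError("no selection set")
    try:
        fields, end = parse_selection_set(tokens, tokens.index("{"))
    except IndexError:
        raise ValueError("unterminated selection set") from None
    if end != len(tokens):
        raise ValueError("unexpected tokens after selection set")
    return fields


def analyze(fields, depth=1):
    """Return (cost, max_depth) for a list of parsed fields."""
    cost, max_depth = 0, depth
    for field in fields:
        if field["children"]:
            child_cost, child_depth = analyze(field["children"], depth + 1)
        else:
            child_cost, child_depth = 0, depth
        # A list field resolves its children once per node it returns.
        multiplier = int(field["args"].get("first", field["args"].get("last", 1)))
        cost += 1 + multiplier * child_cost
        max_depth = max(max_depth, child_depth)
    return cost, max_depth


def analyze_query(query):
    return analyze(parse_query(query))


def check_query(query, max_depth=5, max_cost=1000):
    """Gateway-side load control: reject before the backend resolves anything.
    Unparseable input is rejected rather than forwarded."""
    try:
        cost, depth = analyze_query(query)
    except ValueError:
        return False
    return depth <= max_depth and cost <= max_cost


if __name__ == "__main__":
    for q in (SMALL_QUERY, DEEP_QUERY):
        print(analyze_query(q), "allowed" if check_query(q) else "rejected")
```

The deep sample costs 1102 at depth 6 (the 50-way repositories list multiplies the 10-way issues list beneath it), so the gateway rejects it without touching the backend, while the two-field query costs 2 and passes.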
20. Cloud-Native API Gateway Service in DataPower
• Up to 5X+ increased performance with a natively built API Gateway using purpose-built technology for native OpenAPI/Swagger REST and SOAP APIs
• Multi-cloud scalability and extensibility to help meet SLAs and improve client user experience
• Optimized drag & drop built-in policies for security, traffic control and mediation, including flexible OAuth and enhanced JSON & XML threat protection
• Secure to the core with a self-contained signed & encrypted image to minimize risk, plus proven security policies to quickly protect APIs
(Diagram. Before: API call -> DP Multi-protocol Gateway Service -> Backend. New: API call -> Native API Gateway Service -> Backend)
21. Policies for Enforcement on API Gateway Service
• Gateway Script and XSLT policy support provides flexible message mediation & dynamic security enforcement
• Dynamic routing support through the Conditional policy
• Enforce strong security through the Parse, JSON and XML Schema Validation policies
• OpenID Connect support to enable banks to meet PSD2 / Open Banking regulations
• OAuth token revocation to enable self-service token management
Built-in policies:
  – Foundational: Invoke, Activity Log, Rate Limit, Throw, Set Variable, Conditional
  – Security: API Key, JWT Validate, JWT Generate, OAuth Policy, Parse (Threat Detection), Validate, User Security, OpenID Connect
  – Mediation: Map, JSON-XML, Gateway Script, XSLT
22. Meeting Security Needs through New Flexible OAuth Provider
• Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise
• Improved governance capabilities for managing OAuth providers, with flexible administrative access control to enforce enterprise standards
• Ability to meet business demands with a customizable OAuth assembly
• New User Security policy to enforce authentication & authorization in the API assembly, adapting to unique enterprise security needs
24. Customizable
Ease of use
• Crypto material per OAuth native provider (vs. gateway level)
• End-user credential gathering (context variable) *
• Consent handling
• Global Policy (and thus inject context variables for processing) *
• Token handling (white/black listing)
• Flexibility
• ….
25. Performant and Secure
• Istio integration for improved performance & security by passing API headers and tokens into Istio
• OpenAPI V3 support to meet security industry standards (i.e. PSD2) & improve reuse
• Open Banking & PSD2 compliant, including flexible JWT and OAuth features
• 5X improved performance with the cloud-native API-centric Gateway Service
• Fast time to value through out-of-the-box policies for the API Gateway Service
• Enterprise-specific security support through OAuth flow customization
• Expanded security with OIDC, CAPTCHA, perimeter and DNS checks on the Portal, etc.
27. Notices and disclaimers (continued)
Information concerning non-IBM products was obtained from the
suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products about this
publication and cannot confirm the accuracy of performance, compatibility
or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed
to the suppliers of those products. IBM does not warrant the quality of any
third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM expressly disclaims all
warranties, expressed or implied, including but not limited to, the
implied warranties of merchantability and fitness for a purpose.
The provision of the information contained herein is not intended to, and
does not, grant any right or license under any IBM patents, copyrights,
trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com and [names of other referenced IBM
products and services used in the presentation] are trademarks of
International Business Machines Corporation, registered in many
jurisdictions worldwide. Other product and service names might
be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at “Copyright and trademark
information” at: www.ibm.com/legal/copytrade.shtml.
29. Multi-cloud scalable API Manager & Gateway Architecture
(Diagram. API Connect V5: API Manager, holding Gateway Cluster Mgmt, feeds a Gateway Cluster of API Gateways, each with its own Cache. API Connect V2018.1: API Manager feeds a Gateway Cluster in which Gateway Cluster Mgmt and a Distributed Cache live in the API Gateways themselves.)
• Gateway Cluster Management moved from the API Manager in V5 to the API Gateway in V2018.1
• API data replication is performed between API Gateway instances in V2018.1, whereas in V5 it was between the API Manager and each API Gateway instance
• Reduces the runtime dependency between the API Gateway and the API Manager in V2018.1
Editor's Notes
Microservices allow each subsystem to scale up and down independently.
There are 4 subsystems: Management, Portal, Gateway, Analytics (internal communication is over mTLS). Management spans multiple availability zones; Portal: one availability zone; Analytics: one availability zone.
We used Kubernetes for orchestration; it helps make sure microservices are up and that there are enough of them to handle the load.
Each microservice starts as a Docker container, and k8s makes sure they are behaving properly (the customer must use block storage: Ceph, GlusterFS).
K8s must have metrics gathering.
Ingress network (TLS termination & forwarding).
4 form factors (k8s [OpenShift falls under this], ICP, appliance OVA, APIC Bluemix [Armada]).
Management: ~9; Portal: ~3.
OVA:
• Not locked down
• No included space for data (attach a disk to the system; the disk is encrypted)
• No hard-coded credentials (inject config via an attached ISO mount: credentials): cloud-init
• Runs k8s inside (minus gateway); install assist (credentials, SSH key, host name, backup, syslog forwarding, ...) provides an ISO image for mounting the configuration
ICP (ICP package assistant): logging, analytics, storage OOTB.
User information will be updated from LDAP, the authentication URL or OIDC on each successful login.
Each failed login attempt progressively pauses the login (starting at 5 attempts): 15 sec, 30 sec, 1 min, 2 min, 4 min, 8 min, 16 min, 32 min (1 hour after that).
The default is that 5 failed attempts for the same user in 3 hours lead to that user being locked for 3 hours.
50 failed attempts irrespective of user from the same IP in 3 hours, and that IP is blocked for 3 hours.
All configurable.
Slightly non-intuitive is the fact that it is separate from password reset in the portal: resetting the password for an account does NOT clear its temporary lock; otherwise someone could brute-force someone's password by just resetting the account every 5 attempts.
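The notes above, together with the "protection against timing attacks / brute-force attacks" items on the API Manager LUR slide, describe a concrete policy. The following is an added example, not the product's code: it encodes the progressive pause schedule (15 s doubling to 32 min, then 1 hour) and a flood guard with the stated defaults (5 failures per user or 50 per IP within 3 hours lock for 3 hours), compares passwords in constant time, and keeps password reset separate from lock state for the reason the note gives. The in-memory credential store, the PBKDF2 parameters, and the choice that a successful login clears the user's counter are the example's own assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Progressive pause from the speaker notes: starts at the 5th failure,
# then 15 s, 30 s, 1, 2, 4, 8, 16, 32 min, and 1 hour after that.
BACKOFF_SCHEDULE = (15, 30, 60, 120, 240, 480, 960, 1920)


def backoff_seconds(failures, start_at=5, cap=3600):
    """Seconds the next login attempt is paused after `failures` consecutive failures."""
    if failures < start_at:
        return 0
    index = failures - start_at
    return BACKOFF_SCHEDULE[index] if index < len(BACKOFF_SCHEDULE) else cap


def _pbkdf2(password, salt):
    # Iteration count is an example value, not a recommendation for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class FloodGuard:
    """Flood control with the notes' defaults: 5 failures for one user in 3 hours
    locks that user for 3 hours; 50 failures from one IP in 3 hours, regardless
    of user, blocks that IP for 3 hours. All values are parameters."""

    def __init__(self, user_limit=5, ip_limit=50, window=3 * 3600, lock=3 * 3600):
        self.user_limit, self.ip_limit = user_limit, ip_limit
        self.window, self.lock = window, lock
        self.user_failures = defaultdict(deque)   # user -> failure timestamps in window
        self.ip_failures = defaultdict(deque)     # ip   -> failure timestamps in window
        self.user_locked_until = {}
        self.ip_locked_until = {}
        self._credentials = {}                    # constructed in-memory store: user -> (salt, hash)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._credentials[user] = (salt, _pbkdf2(password, salt))

    def password_reset(self, user, new_password):
        """Touches only the credential. A reset must not clear a lock; otherwise an
        attacker could reset the account every 5 guesses and keep guessing."""
        self.set_password(user, new_password)

    def _prune(self, failures, now):
        while failures and failures[0] <= now - self.window:
            failures.popleft()

    def check(self, user, ip, now):
        if self.ip_locked_until.get(ip, 0) > now:
            return False, "ip blocked"
        if self.user_locked_until.get(user, 0) > now:
            return False, "user locked"
        return True, "ok"

    def record_failure(self, user, ip, now):
        for key, table, limit, locks in (
            (user, self.user_failures, self.user_limit, self.user_locked_until),
            (ip, self.ip_failures, self.ip_limit, self.ip_locked_until),
        ):
            failures = table[key]
            self._prune(failures, now)
            failures.append(now)
            if len(failures) >= limit:
                locks[key] = now + self.lock

    def attempt_login(self, user, password, ip, now):
        allowed, reason = self.check(user, ip, now)
        if not allowed:
            return False, reason
        # Always derive the hash, even for unknown users, so timing does not reveal
        # whether the account exists; compare in constant time (timing-attack protection).
        salt, stored = self._credentials.get(user, (b"", b""))
        candidate = _pbkdf2(password, salt)
        if user in self._credentials and hmac.compare_digest(candidate, stored):
            self.user_failures[user].clear()  # assumption: success resets the user's counter
            return True, "ok"
        self.record_failure(user, ip, now)
        return False, "bad credentials"


if __name__ == "__main__":
    guard = FloodGuard()
    guard.set_password("alice", "correct horse")
    for t in range(6):
        print(t, guard.attempt_login("alice", "wrong", "203.0.113.5", now=t))
    print("pause after 7 failures:", backoff_seconds(7), "s")
```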
Work with ElasticBeam.
DP sends the request to the ASE (API Security Enforcer); the API Security Enforcer syncs with the API Behavioral Security engine every 10 minutes.
GraphQL was originally conceived by Facebook; the goal is to let the application developer be in the driver's seat: the application developer indicates the data that is needed, not the API provider. This gives rise to a unique challenge. If the provider develops the API, he or she will know the cost of a given API. For example, if the API needs to return user information, Ivan, being the provider developer, may decide that the call to get the information is too expensive. For example, the call may need to access a DB2 database for the employee information and a Cassandra database for the latest 50 activities that the employee has had with the HR department. During development, the developer may find out that returning 50 activities is very costly, and thus the developer may choose to return only 5. So now we have an API which will return employee information and the last 10 activities. The API is ready to be used. Imagine Krithika uses the API, and she finds out that she also wants to know who the boss of the given employee is. In this case, she is stuck, because the API does not provide that information. So she has a couple of choices: one is to hope that Ivan (in his wisdom) provided another API, or she will reach out to Ivan and ask for a new API.
GraphQL takes that concern out of the way. GraphQL defines queries that Krithika can use to fine-tune what she would like to see (I hope you have all attended the demo that Krithika did an hour ago). GraphQL gives the final power to the application developer, because the application developer knows what she needs. This creates a potential