Standard Based API Security, Access Control and AI Based Attack - API Days Paris 2018

PING IDENTITY WORKSHOP
API Days 2018, Paris, Dec. 11-12
2 Copyright ©2018 Ping Identity Corporation. All rights reserved.
Philippe DUBUC
Principal Regional Solution Architect

3
WHEN YOU’RE
OPENING APIS,
DO IT SECURELY

Users, Hackers,
and bots
API
Security
APIs
AGENDA
1. Set the context
2. API Security based on
standards
o Authentication
o Authorization
o Best Practices
o Watch new standards
3. API Attacks Detection
o How AI and ML can help detect attacks?
Copyright ©2018 Ping Identity Corporation. All rights reserved.4

Users, Hackers,
and bots
API
Security
APIs
WHO ARE THE STAKEHOLDERS?
1. API’s developers
2. DevOps Team
3. IT Architects
4. Security Professionals
o Implement tools
o Monitor security

60% OF
COMPANIES
AGREE THAT API
INTEGRATION IS
CRITICAL TO
THEIR BUSINESS
STRATEGY

LACK OF A
COHERENT
SECURITY
STRATEGY AROUND
APIS

DIGITAL
TRANSFORMATION
DRIVING
EXPLOSION IN API
AND CREATING
** NEW **
VULNERABILITIES
“724,000 taxpayers victims of the
latest data
breach … with automated, brute
force probe using IRS's public
API ...”
–Forbes
“... individuals obtained access to
high-profile Instagram users'... by
exploiting a bug in an Instagram
API”
–Instagramstatement

SO HOW DO WE PROTECT THE
CONSUMERS/EMPLOYEES DATA?

11
STANDARDS CAN
MULTIPLY THE IMPACT
OF APIS
o More extensible
o More interoperable
o More secure
OAuth 2.0
for API security
OIDC
for scoped identity
and access

STANDARDS BASED
APPROACH
NEEDED TO
SECURE APIS
TLS
OAuth 2
OpenID Connect
Authentication
Authority
Access Authority
Intelligent API security

VERY HIGH-LEVEL VIEW OF OAUTH2
Authorisation
Server User Local
Directory
Your APIs
1
Client App
2
3
4
5
1. Request Token
2. Authenticate
3. Get Token
4. Use Token
5. Validate
Introspect
Token
Resource
Server
OAuth2
Client

ADDING ACCESS SECURITY TO API
Authorisation
Server User Local
Directory
Your APIs
1
Client App
2
3
4
7
1. Request Token
2. Authenticate
o Contextual
o Adaptive
o Policy Based
3. Get Token
4. Use Token
5. Validate token
o Authorization Policies
6. Forward Request
o Forward Identity
7. Optional: Validate Token
Resource
Server
OAuth2
Client
Access
Security
5
6

WHAT WE DO AT PING IDENTITY
Authorisation
Server User Local
Directory
Your APIs
1
Client App
2
3
4
7
1. Request Token
2. Authenticate
o Contextual
o Adaptive
o Policy Based
3. Get Token
4. Use Token
5. Validate token
o Authorization Policies
6. Forward Request
o Forward Identity
Resource
Server
OAuth2
Client
Access
Security
5
6
Authentication
Authority
Authorization
Authority

AUTHENTICATION AUTHORITY
Authenticate users and provide Single Sign-On across all your apps
Single Sign-On and Identity Federation
• SAML, OAuth, OpenID Connect, more
• Last-Mile / First Mile Integration
Authentication Policy
• Adaptive authentication policies
• Step-Up MFA & 3rd Party Integration
• Source identities attributes from any data store
User Self-Service
• Registration, profile mgmt, and password reset
• Social login and account linking
Users
On Premises Mobile SaaS
AuthenticationDat
a Sources
Step-up
MFA
Auth
Policies
Applications
Authenticate
SSO
Authentication
Authority
SMS
OTP

ACCESS SECURITY AUTHORITY
Ensure the right people have access to the right resources
Secure access at the app, API, and page/URL
level
 Protect resources on-prem and in the cloud
 Enforce policies via proxy and/or agent models
 Replace or coexist with legacy WAM
 Single logout and session control
Adaptive access policies based on user,
device, resource, context and more
 Centrally manage policies across hybrid IT
 Continuous authentication
Deploy on-prem or in your cloud
 Automated deployment & auto-scaling in AWS
Access Security
Authority
Users
Authentication
Authority
Centralized
Access Policies
Continuous
Authentication
Enforce
Everywhere
ProxyAgents
Grant/Deny
Access
Legacy/. on-
prem apps,
APIs
Cloud-based
apps, APIs
Auto-deploys
and auto-scales
in AWS

ACCESS SECURITY
PSD/2 Demo
 Protecting Open Banking API
 Payment scenario

Copyright ©2018 Ping Identity Corporation. All rights reserved.
USE CASE: PAYMENT TRANSACTION
Browser
Auth.
Authority
Customer Directory
OAuth
Tokens
4
Merchant
MFA
MFA
2
1
3
6
8
5
BANK
OPEN APIs
7Access
Security
Open Banking
Authority
20

THE KEY REQUIRED (& FUTURE)
STANDARDS

IDENTITY STACK

OAUTH2.0
MINIMUM MANDATORY !
 IETF RFC 6749 – 6750
– OAuth2.0 Specs
– Authorization Framework
– RFC 8252: OAuth 2.0 for Native Apps
 IETF RFC 7636
– Proof Key for Code Exchange by OAuth Public Clients
– PKCE, pronounced "pixy”

OAUTH2.0
To monitor its implementation
 OAuth 2.0 Token Binding
– Token Binding: Cookie, Access Tokens, Authorization Codes,
Refresh Tokens, JWT Authorization Grants, and JWT Client
Authentication
– Token Binding (TB) protocol is IETF RFC (Oct.2018): RFC
8471/2/3

FOR IOT DEVELOPERS
Coming soon

WHAT IF THE TOKEN IS STOLEN?

WHAT’S WRONG WITH OAUTH2 ACCESS
TOKEN?
Bearer Token
{
"sub":"jsmith@anycompany.org",
"uid":"jsmith@anycompany.org",
"active":true,
"iddwJson":"n/a",
"token_type":"Bearer",
"exp":1544224231,
"client_id":"ac_client",
"email":"jsmith@anycompany.org",
"username":jsmith@anycompany.org
}
1. Tokens can be revoked
o As specified in the specs,
2. New Token Binding
specs
3. But… when token or
credentials are stolen?

ATTACK DETECTION
Stolen OAuth 2.0 Access Token Demo
1 Get a token
2 Use token as
the legitimate
user

ATTACK DETECTION
1 Get a token
2 Use token as
the legitimate
user
3 Use token as
the attacker

ATTACK DETECTION
1 Get a token
2 Use token as
the legitimate
user
3 Use token as
the attacker
4
Use token as
the attacker
AI/ML is
computing the
behavior

PING IDENTITY INTELLIGENT PLATFORM
Authorisation
Server User Local
Directory
Your APIs
1
Client App
2
3
4
7
1. Request Token
2. Authenticate
o Contextual
o Adaptive
o Policy Based
3. Get Token
4. Use Token
5. Validate token
5.1. Attack ?
5.2. Authorization Policies &
Forward Identity
6. Forward Request
Resource
Server
OAuth2
Client
Access
Security
5
6
Authentication
Authority
Authorization
Authority
Attack Detection
5

PING IDENTITY INTELLIGENT PLATFORM
Authorisation
Server User Local
Directory
Your APIs
1
Client App
2
3
4
7
1. Request Token
2. Authenticate
o Contextual
o Adaptive
o Policy Based
3. Get Token
4. Use Token
5. Validate token
5.1. Attack ?
5.2. Authorization Policies &
Forward Identity
6. Forward Request
Resource
Server
OAuth2
Client
Access
Security
5
6
Attack Detection
5
PingFederate®
PingAccess®
PingIntelligence
for APIs

Security Beyond Access Control
Security Beyond WAF
ADDRESSING API SECURITY GAP
 Extending Foundational API security
to protect against cyberattacks on APIs
 Security needs beyond existing security:
• Login/Identity attacks detection
• API-specific DoS/DDoS attacks protection
• Detecting Cyberattacks on data, apps,
systems
 Need full API activity reporting at scale
API SECURITY TODAY
Access Control and WAF
Tokens,Authentication/Authorization/AttackSignatures
Rate Limiting
Clientthrottling,quotas
Network Privacy
SSL/TLS
THE MISSING PIECES
Data, Application, System Attacks
APTs, DataExfiltration,Deletion…etc.
API DoS/DDoS Targeted Attacks
Compromised API Services Access
Login/OAuth/Authentication Attacks
Credential Stuffing,Fuzzing,Stolen Cookies andTokens

DO YOU HAVE VISIBILITY INTO API
TRAFFIC?
Do you know Who’s/What’s connected to
your APIs at all times?
API activity needs tracking & reporting
 APIs accessed by Who / What / When
 Command/method activity on each API
 Timeline
 Anomalous Behavior
Dumping logs for tracking does not work
– BIG DATA PROBLEM –
APIs
/login
/query
/update
/account
/order
WHAT IS HAPPENING
WITH YOUR APIS?

Users, Hackers,
and bots
PingIntelligence
for APIs
APIs
Copyright ©2018 Ping Identity Corporation. All rights reserved.
AI-powered Cyber Security
• API auto-discovery identifies all active APIs
• API activity audit trails for deep insight – compliance
and forensic reports
• Identifies cyberattacks on APIs and data/systems
• API deception instantly detects hacking
• Automatically blocks API threats
INTRODUCING PINGINTELLIGENCE FOR
APIS
AI/ML Solution for Deep API Visibility and Attack
Protection

PINGINTELLIGENCE FOR APIS
Blocks Cyber Attacks and Provides Deep Insight
into API Usage
APICybersecuritywithartificialintelligence
• Self-learned security – no policies or rules to write
• Deep traffic inspection
• On premise, hybrid and public clouds
OperationalSimplicity
• Elastic scaling with Smart Clusters
• Self-learning / auto-configuration principles
• For REST and WebSocket APIs
On Premise or Cloud
deployment
API Behavioral
Cyber Security
API Security
Enforcer
Artificial
Intelligence
Engine
APIs

DEPLOYMENT OPTIONS
Inline
with API Gateways or App Servers
Sideband
with API Gateways or
PingAccess
Out-of-Band
with Span/Mirror Port
APIGateway
--and/or--
PingAccess®
APIs
Users and
Devices
API Security
Enforcer
API Behavioral
Security Engine
API
Traffic
API Gateway
APIs
Users and
Devices
API Security
Enforcer
API Behavioral
Security Engine
API
Traffic
Users and
Devices
API Security
Enforcer
API Behavioral
Security Engine
API
Traffic
APIGateway
--and/or--
PingAccess®
APIs
API
Gateway
API Gateway
or
PingAccess
API Gateway
or
PingAccess

AUTOMATED ATTACK DETECTION AND BLOCKING
Protecting APIs with Artificial Intelligence and Real-Time Engines
Smart Cluster
Meta-Data
Capture
Terminate
Access
API
Security
Enforcer
API
Security
Enforcer
Artificial
Intelligence
Engine/Cluster
Users and
Devices
API
Traffic
APIs Continuous Protection
• Automatedthreat detection & blocking
• AI-poweredAPI cyberattacksdetection
• Loginservicesbreaches, stolen cookies or tokens
• Data theft,deletion,poisoning,system takeover, API memory attacks,
API code injection, etc.
• CookieorWebSocketsessionmanagementattacks
• API-specificlayer7 DDoSattacks – multiple types
• Protectsagainstnew andchanging attacks
Not reliant on specific patterns
• Automatedattack blocking acrossDCsand Clouds

PINGINTELLIGENCE API DECEPTION
Tracks Hacking Behavior
Users and
Devices
APIs
Decoy
API
1. Decoy APIs attract probing hackers
2. Source identified instantly
3. Blocks access to production APIs
/finance
/query/date
/account
/query/name
PingIntelligence
for APIs
Instant Hacking Detection
APIs
Decoy
API

TRAFFIC VISIBILITY AND ATTACK
REPORTING
API SecurityDashboard
• Automatically discovers active APIs
• Deep API traffic visibility – just about
everything on API traffic
• Reports for attack forensics, compliance,
DevOps
• Complements API Gateway analytics
• Dashboard and JSON reports
• APIs to integrate with 3rd party systems
API Auto-Discovery and
Deep API Activity Visibility
JSONAttack Forensics&
Compliance
Reports

API SECURITY DASHBOARD – DIVING
INTO ONE API

API DECEPTION
Real Time Detection : Hacker probing APIs

API SECURITY IS
NOT A ONE-TIME
PROJECT
* Source: Gartner

Q&A

Standard Based API Security, Access Control and AI Based Attack - API Days Paris 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Standard Based API Security, Access Control and AI Based Attack - API Days Paris 2018

Similar to Standard Based API Security, Access Control and AI Based Attack - API Days Paris 2018 (20)

More from Ping Identity

More from Ping Identity (18)

Recently uploaded

Recently uploaded (20)

Standard Based API Security, Access Control and AI Based Attack - API Days Paris 2018

Editor's Notes