CIS14: API Security for the Cloud: Tales from the Trenches
Transcript of CIS14: API Security for the Cloud: Tales from the Trenches
© 2014 Axway | Confidential 1
API Security for the Cloud
Ross Garrett | [email protected] | @gssor
Cloud Identity Summit 2014
Access Control isn’t this simple
Modern Enterprises have many open windows
Web APIs power the Open Enterprise
Identity is key to protecting APIs
Identity is key to protecting APIs?
User Experience is actually key
There are many layers to a complete Security Solution
Layers shown: MDM, MAM, Firewalling, IAM, API Security (API Gateway)
The Role of the API Gateway
• Threat Protection
• Encryption
• Authentication
• Authorization
• Policy Enforcement (e.g. Throttling)
A simple API Security example
The Role of the API Gateway
Basic throttling or rate limiting can prevent malicious access to public APIs
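As an added example (not code from the slides or from Axway), the following is a per-client token-bucket rate limiter of the kind a gateway places in front of a public API. Clients are assumed to be identified by an API key, the clock is injected so the replay is deterministic, and the request timestamps and key names are constructed sample data.

```python
"""Gateway-style per-client rate limiting with a token bucket (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class TokenBucket:
    capacity: int          # burst size: maximum tokens the bucket can hold
    refill_per_sec: float  # sustained rate at which tokens come back
    tokens: float          # tokens currently available
    last: float            # timestamp of the last refill

    def refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now

    def try_consume(self, now: float) -> bool:
        """Take one token if available; False means the caller is over its limit."""
        self.refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key; an unknown key gets a full bucket on first use."""

    def __init__(self, capacity: int, refill_per_sec: float, clock: Callable[[], float]):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, client_key: str) -> bool:
        now = self.clock()
        bucket = self.buckets.get(client_key)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec, float(self.capacity), now)
            self.buckets[client_key] = bucket
        return bucket.try_consume(now)


def gateway_decision(limiter: RateLimiter, client_key: str) -> dict:
    """What the gateway would answer: pass through (200) or 429 with a Retry-After hint."""
    if limiter.allow(client_key):
        return {"status": 200, "client": client_key}
    bucket = limiter.buckets[client_key]
    missing = 1.0 - bucket.tokens
    # seconds until one token is back, rounded up to a whole second
    retry_after = max(1, int(-(-missing // bucket.refill_per_sec)))
    return {"status": 429, "client": client_key, "retry_after": retry_after}


def simulate(requests: List[Tuple[float, str]], capacity: int = 5,
             refill_per_sec: float = 1.0) -> List[int]:
    """Replay (timestamp, client_key) pairs through one limiter; return the status codes."""
    clock_state = {"now": 0.0}
    limiter = RateLimiter(capacity, refill_per_sec, lambda: clock_state["now"])
    statuses = []
    for ts, key in requests:
        clock_state["now"] = ts
        statuses.append(gateway_decision(limiter, key)["status"])
    return statuses


# Constructed sample traffic: a burst from one key and a single call from another.
SAMPLE_REQUESTS = [
    (0.0, "key-A"), (0.1, "key-A"), (0.2, "key-A"), (0.3, "key-A"), (0.4, "key-A"),
    (0.5, "key-A"),   # sixth call inside half a second: bucket empty, expect 429
    (0.6, "key-B"),   # a different client has its own bucket, expect 200
    (2.0, "key-A"),   # 1.5 s later about 1.5 tokens have refilled, expect 200
]

if __name__ == "__main__":
    print(simulate(SAMPLE_REQUESTS))
```

The limiter keys on the API key rather than the source IP, so a single abusive client cannot exhaust the quota of everyone behind the same NAT, and the 429 carries a Retry-After value so well-behaved clients back off instead of retrying in a tight loop.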
Basic Identity Federation
The Role of the API Gateway
• Securely bridging identity across domains
  – Mediating between token formats
• Provide an STS overlay on top of existing IAM infrastructure
  – Enabling the extension of identity assets to the cloud
• Track and audit usage
The password anti-pattern
Solving this problem with OAuth
The Role of the API Gateway
• Provide an OAuth façade on top of legacy IAM
• Clients should not be storing user passwords
  – OAuth Tokens represent explicit authorization for a specific task
• Provide a centralized way to de-authorize clients
  – Low latency token store
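As an added example (not code from the slides or from Axway), the following sketches the token-store side of the OAuth façade described above: the gateway issues opaque tokens that are scoped to a task and bound to a user and client, checks every call against a central store, and can de-authorize a client in one place so its tokens stop working immediately. An in-memory dict stands in for the low-latency token store, scopes are plain strings, and the user, client and scope names are constructed.

```python
"""Opaque, scoped, centrally revocable tokens at the gateway (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set


@dataclass
class TokenRecord:
    subject: str       # the user who granted the authorization
    client_id: str     # the application acting on the user's behalf
    scopes: Set[str]   # what that application was authorized to do
    expires_at: float
    revoked: bool = False


class TokenStore:
    """Central store the gateway consults on every request."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._by_hash: Dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the bearer token is stored, so a copied store
        # does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject: str, client_id: str, scopes: Iterable[str],
              ttl_seconds: float) -> str:
        token = secrets.token_urlsafe(32)   # opaque: carries no user data itself
        self._by_hash[self._key(token)] = TokenRecord(
            subject, client_id, set(scopes), self.clock() + ttl_seconds)
        return token

    def introspect(self, token: str) -> Optional[TokenRecord]:
        """Return the record if the token is known, unexpired and not revoked."""
        rec = self._by_hash.get(self._key(token))
        if rec is None or rec.revoked or rec.expires_at <= self.clock():
            return None
        return rec

    def revoke_client(self, subject: str, client_id: str) -> int:
        """De-authorize one client for one user; returns how many tokens were cut off."""
        count = 0
        for rec in self._by_hash.values():
            if rec.subject == subject and rec.client_id == client_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


def authorize(store: TokenStore, token: str, required_scope: str) -> dict:
    """Gateway policy check for one API call."""
    rec = store.introspect(token)
    if rec is None:
        return {"status": 401, "error": "invalid_token"}
    if required_scope not in rec.scopes:
        return {"status": 403, "error": "insufficient_scope"}
    return {"status": 200, "subject": rec.subject}


def demo() -> tuple:
    """Issue a read-only token to a constructed mobile client, use it, then revoke it."""
    clock = {"now": 1000.0}
    store = TokenStore(clock=lambda: clock["now"])
    token = store.issue("alice", "mobile-app", {"orders:read"}, ttl_seconds=600)
    before = authorize(store, token, "orders:read")      # 200: right scope, valid
    wrong_scope = authorize(store, token, "orders:write")  # 403: token was never authorized for this
    store.revoke_client("alice", "mobile-app")             # user de-authorizes the app
    after = authorize(store, token, "orders:read")       # 401: same token, now dead
    return before["status"], wrong_scope["status"], after["status"]


if __name__ == "__main__":
    print(demo())
```

Because the token is opaque and validated against the store on every call, revocation takes effect on the next request rather than at the end of a signed token's lifetime, which is the property the slide's "centralized way to de-authorize clients" depends on.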
Leveraging Social Login
The Role of the API Gateway
• Apply Social Login at an infrastructure level
  – Bringing API Access and SSO together
• Monitoring and Reporting
  – Trends over time
  – Audit trail
• Enterprise Identity Management Integration
  – Adapters to directories, Web Access Management
Some Customer Examples
Leading pharmaceutical company – SSO Solution
Diagram components: Web Browser, API Gateway, API, Intranet Site (Oracle Access Manager), SharePoint (Active Directory)
Challenge
• Users have two passwords (one for Intranet, one for SharePoint)
• Two user authentication technologies (Oracle and Microsoft)
Large US Health Plan – Mobile Access
Identity Management Integration
Challenge
• Manage mobile (tablet, phone) access to medical systems
• Consolidate across Oracle and IBM identity systems
Solution diagram components: Mobile Devices, Secure connection, SAML, API Gateway, Web APIs, API, Oracle SOA
Leading Mutual Fund Provider – Cloud Access
Challenge
• Must authenticate clients against CA SiteMinder
• Must expose internal systems as APIs for Mobile apps to access
• Secure Connection to Salesforce
Solution diagram components: Mutual fund provider, API Gateway, Secure connection, Check cookie, Encrypted Data