Securing your API Portfolio with API Management

World®’16

SecuringYourAPIPortfolioWithAPIManagementJeffreyNibler - VicePresident,APIManagementDivision- AcclaimConsulting

DO3X18S

DEVOPS

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation


Abstract

ThispresentationbyAcclaimConsultingcoversallaspectsofsecuringAPIsandhowanAPIMsolutionoffersthebestflexibilityandchancetomeetallpossiblesecurityusecases.ThediscussionwillcoverthedifferencesbetweenanAPIMsolutionandtypicalWAMsolutions,specialsecurityconsiderationsaroundmobilesecurity(includingdeviceregistrationwithtwo-factorauthentication)andSingle-PageWebApplicationsecurity,alongwithanoverviewofOpenIDConnect,OAuth2,WS-SecurityandJWTs.Lastly,abriefcasestudywillbepresentedonhowVerizonandDukeEnergyleveragethesecurityfeaturesofCAAPIManagementtoprotecttheirbusinesses.

JeffreyNibler

AcclaimConsultingVP,APIManagement


AgendaTHEIMPORTANCEOFFLEXIBILITY

APIM VSWAM

SECURINGAPIS FORMOBILE,IOT,ANDSPA

JWT

OPENID CONNECTVSOAUTH

JOSE– “WS-SECURITY”FORRESTAPIS

1

2

3

4

5

6

REAL-WORLDAPI SECURITYUSE-CASES7


TheImportanceofFlexibility

Yes,but……..

ShouldAPIPublishersDictateAPISecurity?



Yes,but……..




Yes,but……..

Rulesarewrittentobebroken,by:§ Customers

§ Systems(3rd partyapplications)

§ Internaldepartments

§ Clients

§ Timelines




YouneedacentralizedsystemtohandleAPIsecurityforallAPIs,thatisflexibleandeasytoimplement&change.

Youneedsomethingtomasktheauthenticationmechanismsofyourback-end,toyourfront-end

YouwanttoremovesecuritylogicfromyourAPIs

ThisiswhereanAPIGatewaycomesin


Simple/Light:JWT/Oauth

Morecomplex

Gateway

InternalNetwork

UserAgent


APIMvsWAMWhydoIneedAPIMifIhaveWAM?

§ WAM

– DesignedforWEBAccessManagement

§ APIM

– DesignedspecificallyforAPIManagementandAPISecurity

APIM WAM


APIMvsWAMWhyDoINeedAPIMifIHaveWAM?

OVERLAP

§ IdentityandAuthentication

– User,Group

§ AccessManagement

– Resource-Based

– Cookies/Sessions

§ SSO/Federation

– SAML,OAUTH,Kerberos


APIMvsWAMWhyDoINeedAPIMifIHaveWAM?SOMECOMMONDIFFERENTIATORS

§ IdentityandAuthentication– APIM’scanleverageEnterpriseActiveDirectoriesorinternalIdentityProviders

§ AccessManagement– Bettersupportfornon-cookiebasedidentificationschemes

– AccesscontrolbyapplicationinsteadofUser

– APIMprovidesfine-grainaccesscontrolforSOAPandRESTfulservices

– APIPlans– Ratelimiting,quotas,commoditizing

§ MessagePayloadSecurity– Removesensitiveelementsfrommessageresponsesbasedonuser/role/app

– Threatdetection

§ Mobile&IoT UseCases– MobileDeviceRegistration– Programmaticcertification/CSRmanagement

– MobileSDK

Gateway

WAM

MobileApp

Directory

WAM:SystemofRecordAPIM:PointofEnforcement


JWTJSONWebToken– Pronounced“JOT”

WhatArethey?

§ Compact,URL-safemechanismforrepresentingclaimstransferredbetweentwoparties– Cancontainpre-definedreservedandpublicclaims,aswellasprivateclaims

§ JSON-formatted,standardizedtokens– SmallerandeasiertoimplementthanSAML/XML/SOAP

– Easyformobileapplicationstoworkwith

§ Safe– Can’tbemodifiedbyclientapp– UsesJWSorJWEtosignorencrypt,symmetricorasymmetric

§ Self-contained- contentsarereadable– Idealformicroservices

– Highperforming– NoadditionalDBorAPIcallstovalidateorfetchdata

§ Small,andveryAPI-friendly– Idealforenablingstateincross-applicationscenarios


OpenIDConnectVsOAUTHWhat’stheDifference?

OAUTH

§ DelegatedAuthorizationProtocol

§ Foruseinathreeorfourpartymodel:– User

– Website/Application(useragent)

– AuthorizationServer

– ProtectedResource(mostofteninsamedomainastheauthorizationserver)

§ NOTaboutAuthentication

OPENIDCONNECT

§ InteroperableAuthenticationProtocol

§ Allowsclientapplicationdeveloperstooutsourceidentitymanagementtothirdparties(suchasFacebookorGoogle)

§ UsedtoAuthenticateandassertidentityofauser

§ OpenIDConnectTokenishuman-readable(JWT)andallrequiredclaimsareincludedwithin,savingadditionalcallstoDBsorAPIstoretrievethisdata

§ Tokencanberestrictedtoanaudience

§ Stateless


OpenIDConnectVsOAUTHWhen/WhereDoIUsethem?

OAUTH

§ WhenyouwanttoallowathirdpartyapplicationtoviewyourFacebookFriends

§ Whenyouwanttoallowathirdpartywebsitetomaketwitterpostsonyourbehalf

§ IfyouaretheResourceProviderandyouwanttoallowyouruserstodelegateaccesstotheirinformationtothirdpartyapplicationsanduser-agents

OPENIDCONNECT

§ Whenyouwanttoauthenticateauser– ViayourownIDP

– ViathirdpartyIDP

§ Whenyouwantareadable(ifnotencrypted),application-agnostic,JSONformattedauthenticationtokenthatcaneasilybepassedbackandforthinAPIcalls

§ WhenyoudonotwanttopasslogincredentialswitheachAPIcall


OpenIDConnectVsOAUTHWhyShouldn’tIUseOAUTHforAuthentication?

§ OAUTHtokensaregenerallylong-lived

§ OAUTHtokenscontainnoreadableinformation,claims,orexpiry– notevenaUserID

§ WhenOAUTHisusedforAuthentication,clientapplicationshaveimplicittrustthattheholderoftheAccessTokenistheresourceowner(theuser),whenamalicioussitecouldholdthetoken– OnceanAccessTokenisobtained,amalicioususerorsitecouldusethe

tokentoimpersonatetheuseronanywebsitethatusesOAUTHAccessTokensasproofofauthentication(usingtheclient-flow).

§ FacebookandGooglehaveimplementedsomeproprietarywork-aroundsforsomeoftheseissuesbutOpenIDConnectisasecurestandard


JOSE:“WS-Security”forRESTAPIsAFrameworkIntendedtoProvideaMethodtoSecurelyTransferClaimsBetweenParties

§ WS-SecurityispartoftheSOAPspecificationthatdescribesstructuresforcryptographickeys,anddefinescryptographicalgorithmstobeusedformessagesigningandmessageencryption

§ JOSEprovidesthesame,butinJSONformatmakingitidealforRESTservices


ThePowerofTwo-WaySSLHangUp!

§ Hackerstrytopenetratesystemsthroughdiscovery– WhatAPIsdoyouhave?

– Whatistheirendpoint?

– Whatdataelementsdotheycontain?

– Dotheyrequireauthentication?

– Aretheyvulnerabletoinjection,overflow,etc?

§ Ifahackerdoesn’thaveavalidclient-certificate,theyarestoppedattheconnectionlevel,beforehavingtheabilitytoattack


Two-WaySSLforMobileApplicationsCAMobileAPIGateway

§ Webbrowsersandmobiledevicesarenotwell-suitedforTwo-WaySSLduetothemanualprocessesinvolvedinkeypairmanagement,CSRgeneration,certificatesigning,establishingtrustbetweentwoparties,andmanagingcertificateexpiry

§ CAMobileAPIGatewaysolvesthis– Programmaticallysignandestablishtrustforclientcerts

MobileAPIGateway

MOBILE

API

GATEWAY


Two-WaySSLforMobileApplicationsCAMobileAPIGatewaywith2-FactorAuthentication

MobileAPIGatewayMobileDevice EnterpriseDirectory

UserID&PWAuthenticationAPICall

ValidatewithLDAP

ReturnSuccessAuth Token&MaskedUserPhoneNumbers

CRM

ObtainUserPhoneNumbers

SubmitRequestforRegistrationCode,withMaskedPhoneNumber&Auth Token

GWMapsMaskedPhonetoActualPhone,SubmitstoCRM

CRMGeneratesRegistrationCodeandsendsSMStouser

MobileDeviceGeneratesRSA2048KeyPair,usingUser’sID+DeviceIDasCN,thenCSR,Base-64encodingCSR,submitAPIcalltoGWwithAuth

TokenandRegistrationCode

GWValidatesRegCodewithCRM&onSuccess,SignstheCSRWithit’sKeyPair,andAddstheKey

PairtotheGW’sTrustStore

GWReturnsSignedCSR,Base64EncodedtoMobileDeviceWhichStoresit

AllSubsequentCallstoAPIsmadeovermSSL

GWValidatesCertandAllowsAccessToProtectedAPIs


APISecurityBest-PracticesCheat-SheetBest-PracticesinGeneral

• UseTLSforEverything• IfUnabletoLeverageTransportLayerEncryption

• MessageSigningifMessageContentsare“public”(JWS)• MessageEncryptionifMessageContentsare“private”(JWE)

• AuthorizationDelegation• OAUTH2

• PersistenceacrossAPIs• OpenIDConnect/JWT

• Authentication(AuthN)• API-Based• OpenIDConnect• ExistingEnterpriseDirectorythroughtheGateway

• AccessControl(AuthZ)• LeverageexistingEnterpriseWAMsystemthroughtheGW,orusetheGW

alone• ContinuousAuthentication

• Patterns– IPchange,geolocation,multipleconnections,differentapplications

• ThreatPrevention• Throttling/RateLimiting


APISecurityBest-PracticesCheat-SheetBest-PracticesbyUse-Case

Mobile&IoT Apps

MutualSSL

Two-factorAuth +OpenIDConnect

SinglePageApps

OpenIDConnectwithAPI-Basedloginexposedbythegateway,leveraginganIDP

AllAPIcallsfromSPAroutethroughAPIGateway

B2B:MutualSSL

BetterthanjustanAPIkeyorsharedsecret- APIkeymustbesentwitheachrequestandcanbeeasilystolen


DukeEnergyisthelargestelectricpowerholdingcompanyintheUnitedStates,supplyinganddeliveringenergytoapproximately7.3millionU.S.customers

ACCELERATEDIT:• APIGWsolutionallowedmobileapplication

tobequicklyputintouseinthefield

TRANSFORMEDIT:• Eliminatedhelpdesk,manualpaperwork-order

process,andmultiplesign-ons.EnabledinternalANDexternalfieldworkerstouseelectronicworkorders

SECUREDIT:• SecuredserviceswithMutualSSL.• UtilizedtokenswithKerberosticketsforSSOtoMaximo

andArcGIS

§ APIGateway,MobileAPIGateway,DeveloperPortal

§ MobileDeviceRegistration

§ UtilizedAPIGWtoprovideSSOtonon-linkedmultipleback-endsystemsviatoken

§ Fieldworkersmustlogintothreeseparatesystemswhileinthefieldtoviewworkorders

§ Third-partyfieldworkersmaynotaccessVPNsoacostly,manualpaperwork-orderprocessisutilized

§ NewmobileapplicationwillresultintheexternalexposureofAPIswhichmustbehighlysecured

CHALLENGE SOLUTION RESULTS


VerizonTelematicsisaleadingtelematicsproviderprovidingservicestotheHumbyVerizonproduct,NetworkFleet,MercedesBenzMbrace,VWCar-Net,andNissanConnectedCar

ACCELERATEDIT:• Two-phaseroll-outallowedmultipleclients

toadoptnewsecuritywithintheiridealprojecttimeline

TRANSFORMEDIT:• Providedasinglepointofentryintoallbusiness

serviceswhileleveragingexistingenterpriseAccessManagementandAuthorizationsystems.

SECUREDIT:• AllAPIshavetrackedsessions,threatdetection,

MutualSSL,andfine-grainaccesscontrol

§ APIGateway,MobileAPIGateway,DeveloperPortal

§ MobileDeviceRegistrationwithTwo-FactorAuthenticationandMutualSSL

§ Method-LevelAccessControlforSOAPservices

§ Largerapidlyexpanding/evolvingAPIPortfoliowithamixofSOAPandRESTfulservices

§ Manysecuritycomponentsembeddedinthebusinesslogicoftheservicesorwithinthemobileapplications

CHALLENGE SOLUTION RESULTS


Questions?


Stayconnectedatcommunities.ca.com

Thankyou.

@CAWORLD#CAWORLD ©2016CA.AllRIGHTSRESERVED.26 @CAWORLD#CAWORLD

DevOps– APIManagementandApplicationDevelopment

FormoreinformationonDevOps– APIManagementandApplicationDevelopment,pleasevisit:http://cainc.to/DL8ozQ

Securing your API Portfolio with API Management

Technology

Transcript of Securing your API Portfolio with API Management