cis14: api security for the cloud: tales from the trenches
DESCRIPTION
Ross Garrett, Axway
Examples of how organizations are securing APIs, examining the API security state of play for the cloud, including how they are implementing OAuth, managing keys, and handling API security in the real world.
TRANSCRIPT
© 2014 Axway | Confidential 1
API Security for the Cloud
Ross Garrett [email protected] | @gssor
Cloud Identity Summit 2014
Access Control isn’t this simple
Modern Enterprises have many open windows
Web APIs power the Open Enterprise
Identity is key to protecting APIs
Identity is key to protecting APIs?
User Experience is actually key
There are many layers to a complete Security Solution
(Diagram: API Gateway alongside the layers MDM, MAM, Firewalling, IAM, API Security)
The Role of the API Gateway
• Threat Protection
• Encryption
• Authentication
• Authorization
• Policy Enforcement (E.g. Throttling)
A simple API Security example
The Role of the API Gateway
Basic throttling or rate limiting can prevent malicious access to public APIs
Basic Identity Federation
The Role of the API Gateway
• Securely bridging identity across domains – Mediating between token formats
• Provide an STS overlay on top of existing IAM infrastructure – Enabling the extension of identity assets to the cloud
• Track and audit usage
The password anti-pattern
Solving this problem with OAuth
The Role of the API Gateway
• Provide an OAuth façade on top of legacy IAM
• Clients should not be storing user passwords – OAuth Tokens represent explicit authorization for a specific task
• Provide a centralized way to de-authorize clients – Low latency token store
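As an added illustration (not Axway's code and not from the talk), the sketch below shows how a gateway can combine two of the roles on these slides: a revocable, low-latency token store behind the OAuth façade, and the per-client throttling from the earlier slide. Client names, scopes and limits are constructed; the in-memory dict stands in for whatever shared cache a real gateway would use.

```python
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """What the gateway's token store holds for one issued access token."""
    client_id: str
    scope: str          # space-separated scopes, e.g. "read:claims write:claims"
    expires_at: float
    revoked: bool = False


class GatewayPolicy:
    """Bearer-token validation plus per-client token-bucket throttling."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.tokens = {}    # access token -> TokenRecord (stands in for a low-latency store)
        self.buckets = {}   # client_id -> (remaining requests, last refill time)
        self.capacity = capacity
        self.refill = refill_per_sec

    def issue(self, token, client_id, scope, ttl, now):
        self.tokens[token] = TokenRecord(client_id, scope, now + ttl)

    def revoke_client(self, client_id):
        # Central de-authorization: every token the client holds stops working at once.
        for rec in self.tokens.values():
            if rec.client_id == client_id:
                rec.revoked = True

    def _allow_rate(self, client_id, now):
        remaining, last = self.buckets.get(client_id, (self.capacity, now))
        remaining = min(self.capacity, remaining + (now - last) * self.refill)
        allowed = remaining >= 1
        self.buckets[client_id] = (remaining - 1 if allowed else remaining, now)
        return allowed

    def authorize(self, token, required_scope, now=None):
        """Return the HTTP status the gateway would answer with: 200, 401, 403 or 429."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return 401   # unknown, revoked or expired token: client must re-authorize
        if required_scope not in rec.scope.split():
            return 403   # valid token, but not authorized for this specific task
        if not self._allow_rate(rec.client_id, now):
            return 429   # throttled: limits damage from a leaked key or abusive client
        return 200
```

Because the scope check happens before the bucket is debited, a client that asks for work its token was never authorized for is refused without consuming its quota.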
Leveraging Social Login
Leveraging Social Login
The Role of the API Gateway
• Apply Social Login at an infrastructure level – Bringing API Access and SSO together
• Monitoring and Reporting – Trends over time – Audit trail
• Enterprise Identity Management Integration – Adapters to directories, Web Access Management
Some Customer Examples
Leading pharmaceutical company – SSO Solution
(Diagram: Web Browser, API Gateway, API, Intranet Site, Oracle Access Manager, SharePoint, Active Directory)
Challenge
• Users have two passwords (one for Intranet, one for SharePoint)
• Two user authentication technologies (Oracle and Microsoft)
Large US Health Plan – Mobile Access
Identity Management Integration
(Solution diagram: Mobile Devices, Secure connection, SAML, API Gateway, Web APIs, API, Oracle SOA)
Challenge
• Manage mobile (tablet, phone) access to medical systems
• Consolidate across Oracle and IBM identity systems
Leading Mutual Fund Provider – Cloud Access
(Solution diagram: Mutual fund provider, API Gateway, Secure connection, Check cookie, Encrypted Data)
Challenge
• Must authenticate clients against CA SiteMinder
• Must expose internal systems as APIs for Mobile apps to access
• Secure Connection to Salesforce