CIS14: API Security for the Cloud: Tales from the Trenches

Transcript
Page 1: CIS14: API Security for the Cloud: Tales from the Trenches

© 2014 Axway | Confidential 1

API Security for the Cloud
Ross Garrett | [email protected] | @gssor
Cloud Identity Summit 2014

Page 2

Access Control isn’t this simple

Page 3

Modern Enterprises have many open windows

Page 4

Web APIs power the Open Enterprise

Page 5

Identity is key to protecting APIs

Page 6

Identity is key to protecting APIs

Page 7

User Experience is actually key

Page 8

There are many layers to a complete Security Solution

API Gateway

Layers shown in the diagram: MDM | MAM | Firewalling | IAM | API Security

Page 9

The Role of the API Gateway

• Threat Protection
• Encryption
• Authentication
• Authorization
• Policy Enforcement (e.g. Throttling)

Page 10

A simple API Security example

Page 11

The Role of the API Gateway

Basic throttling or rate limiting can prevent malicious access to public APIs.
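The throttling policy this slide refers to, as an added example that is not code from the deck or from Axway: a per-client token-bucket limiter of the kind a gateway evaluates before forwarding a call to a public API. The rate, burst size and client keys are assumptions.

```python
# Added example (not from the Axway deck): gateway-side token-bucket throttling.
# Each client key (API key, OAuth client id, or source IP) gets its own bucket;
# a request is forwarded only if a token is available, otherwise it gets HTTP 429.
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    last: float     # timestamp of the last refill, epoch seconds


class GatewayThrottle:
    """Allow up to `rate` requests per second per client, with bursts up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate          # steady-state refill, tokens per second (assumed policy)
        self.burst = burst        # bucket capacity (assumed policy)
        self._buckets = {}        # client key -> Bucket

    def allow(self, client_key: str, now: float) -> bool:
        b = self._buckets.get(client_key)
        if b is None:
            # A new client starts with a full bucket.
            b = Bucket(tokens=float(self.burst), last=now)
            self._buckets[client_key] = b
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def status(self, client_key: str, now: float) -> int:
        """HTTP status the gateway would return: 200 to forward, 429 to reject."""
        return 200 if self.allow(client_key, now) else 429


if __name__ == "__main__":
    # Constructed traffic: one client bursts ten calls at t=0, another sends one.
    th = GatewayThrottle(rate=2.0, burst=5)
    print([th.status("app-A", 0.0) for _ in range(10)])   # five 200s, then 429s
    print(th.status("app-B", 0.0))                         # separate bucket, 200
```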

Page 12

Basic Identity Federation

Page 13

The Role of the API Gateway

• Securely bridging identity across domains
  – Mediating between token formats
• Provide an STS overlay on top of existing IAM infrastructure
  – Enabling the extension of identity assets to the cloud
• Track and audit usage

Page 14

The password anti-pattern

Page 15

Solving this problem with OAuth

Page 16

The Role of the API Gateway

• Provide an OAuth façade on top of legacy IAM
• Clients should not be storing user passwords
  – OAuth tokens represent explicit authorization for a specific task
• Provide a centralized way to de-authorize clients
  – Low latency token store
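The three bullets above in working form, as an added example that is not code from the deck or from Axway: a gateway-side token store that issues opaque OAuth-style tokens scoped to one task, checks them on every API call, and is the single place a client can be de-authorized. Client ids, scopes and lifetimes are assumptions.

```python
# Added example (not from the Axway deck): the token store behind an OAuth façade.
# The client never sees a user password; it holds an opaque token tied to one
# scope, and the store (not the client) decides whether it is still valid.
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    client_id: str     # the application the user authorized
    subject: str       # the user who granted access
    scope: str         # the one task this token authorizes
    expires_at: float  # epoch seconds


class TokenStore:
    def __init__(self):
        self._grants = {}             # SHA-256(token) -> Grant; raw tokens are never stored
        self._revoked_clients = set()  # client ids de-authorized centrally

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id: str, subject: str, scope: str, ttl: float, now: float) -> str:
        """Issue an opaque bearer token after the user has authorized `client_id`."""
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = Grant(client_id, subject, scope, now + ttl)
        return token

    def introspect(self, token: str, required_scope: str, now: float) -> bool:
        """Gateway check on each call: known token, unexpired, client not revoked, right scope."""
        g = self._grants.get(self._digest(token))
        if g is None or now >= g.expires_at:
            return False
        if g.client_id in self._revoked_clients:
            return False
        return g.scope == required_scope

    def revoke_token(self, token: str) -> None:
        """De-authorize a single token (e.g. user signs out of one device)."""
        self._grants.pop(self._digest(token), None)

    def revoke_client(self, client_id: str) -> None:
        """Central de-authorization: every token issued to this client stops working at once."""
        self._revoked_clients.add(client_id)
```

A low-latency store matters because `introspect` runs on every API call, so in practice this map lives in an in-memory or cache-backed store rather than behind the legacy IAM system.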

Page 17

Leveraging Social Login

Page 18

Leveraging Social Login

Page 19

The Role of the API Gateway

• Apply Social Login at an infrastructure level
  – Bringing API Access and SSO together
• Monitoring and Reporting
  – Trends over time
  – Audit trail
• Enterprise Identity Management Integration
  – Adapters to directories, Web Access Management

Page 20

Some Customer Examples

Page 21

Leading pharmaceutical company – SSO Solution

Diagram labels: Web Browser, API Gateway, API, Intranet Site, Oracle Access Manager, SharePoint, Active Directory

Challenge
• Users have two passwords (one for Intranet, one for SharePoint)
• Two user authentication technologies (Oracle and Microsoft)

Page 22

Large US Health Plan – Mobile Access

Solution (diagram labels): Mobile Devices, Secure connection, SAML, API Gateway, Web APIs, API, Oracle SOA, Identity Management Integration

Challenge
• Manage mobile (tablet, phone) access to medical systems
• Consolidate across Oracle and IBM identity systems

Page 23

Leading Mutual Fund Provider – Cloud Access

Solution (diagram labels): Mutual fund provider, API Gateway, Secure connection, Check cookie, Encrypted Data

Challenge
• Must authenticate clients against CA SiteMinder
• Must expose internal systems as APIs for Mobile apps to access
• Secure Connection to Salesforce

Page 24

Thank you!

Ross Garrett | [email protected] | @gssor