OAuth: The Next Big Thing in Security
Sam Ramji, @sramji, Apigee, [email protected]
+1-510-913-6495
groups.google.com/group/api-craft
THE PLATFORM IMPERATIVE
Every market in history has had intermediaries
[Diagram: Business, Intermediaries, Customers]
These intermediaries connect buyers and sellers by knowing what both want and creating convenient ways to transact
Apps are the new intermediaries.
[Diagram: Business, Apps, Customers]
They occupy many niches already and continue to multiply
[Chart: App Store Growth 2008-2011 (data from Wikipedia). Series: Apps Available, axis 0 to 600,000; Total App Downloads, axis 0 to 12,000,000,000.]
As do devices.
Mary Meeker, Kleiner Perkins
Companies cannot build for all these niches as each one requires distinct expertise in design and development, and there are too many niches.
As Marc Andreessen observed recently
Marc Andreessen
“In short, software is eating the world.
We are in the middle of a dramatic and broad technological and economic shift in which software companies are poised to take over large swathes of the economy.”
Evans, Hagiu, and Schmalensee explored this deeply in 2006
And Annabelle Gawer has formalized the solution
The platform business model.
PLATFORMS ARE OPEN
As we’ve learned from digital natives like
open platforms grow the fastest.
Visualization by Apigee
In the API era of competition, speed is crucial because critical mass leads rapidly to market dominance.
[Ecosystem Competition]
Kishore S. Swaminathan, Chief Scientist, Accenture
Open platforms mean that apps can be built by developers quickly
without formal commitment to joint research, joint development, and joint marketing.
Open platforms decouple partners from the platform provider’s business cycles.
This reduces the cost of innovation,
enabling many more experiments to be made more quickly,
increasing the chance of a major improvement to the platform business, its customers, and its intermediaries.
This is low-friction innovation.
OPEN DOES NOT MEAN SECURE
This takes us to the stakes required for a digital business in the API era.
For an intermediary to connect a buyer and seller, there must be trust.
The intermediary must be trustworthy, and the transaction must be trustworthy.
In modern businesses, buyers (users) have accounts with sellers (providers)
which are filled with data as well as transaction privileges.
For the system to function well, buyers must be able to fire their intermediary
without breaking their relationship with the seller.
With apps as the intermediary, new dynamics exist on top of the historical foundation.
Apps are new.
They are often short-lived.
Their business model depends on building a high volume of users.
They must have some way to attain their first transaction and be proven or else improved.
And this way must align with the loose coupling philosophy at the heart of an open platform;
otherwise we’ve just secured our way back into old-fashioned closed businesses
and killed our platform opportunity.
James Governor, Redmonk
“20th Century IT was about raising barriers to entry for competitors.
21st Century IT is about lowering barriers to participation.”
So how do you build a trustworthy system in an open world?
It takes an open security architecture.
INTRODUCING OAUTH
It’s a free and open protocol
built on licenses from the Open Web Foundation
and it’s the right choice for securing open platforms.
The Valet Key Metaphor
Eran Hammer-Lahav compares the OAuth model to a valet key.
This is an apt metaphor.
A Valet Key for Open Platforms
The heart of OAuth is an authorization token with limited rights,
which the user can revoke at any time should they become suspicious or dissatisfied with the app they’re using to access your business.
When the token is first granted,
the business shows the user what rights the app is asking for,
and this negotiation is invisible to the app.
A perfect design for bootstrapping trust.
Just Enough Permission
An app should have just enough permission to do the things the user wants it to.
OAuth allows for granular access to the user’s account.
The current alternative is all or none:
give the app your username and password, which gives the app access to everything about you.
In OAuth, permissions can be gracefully upgraded as well.
If the user tries to do something in an app and has not yet authorized the corresponding permission, the business can offer the user the option to add that permission, via the same bootstrapping sequence that granted the token in the first place.
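The limited-rights, revocable, upgradeable token the slides describe, as a small added model (not code from the presentation or from Apigee). It assumes a consent callback standing in for the consent screen, scope names such as read:photos as constructed examples, and random strings as tokens.

```python
# Toy model of the slides' valet-key design: a token carrying only the rights
# the user approved, a consent step that shows what is asked, revocation by
# the user at any time, and a graceful upgrade that re-runs consent for the
# missing right. Constructed illustration, not real OAuth code: consent is a callback.
import secrets
from dataclasses import dataclass

@dataclass
class Token:
    app_id: str
    user: str
    scopes: frozenset        # the limited rights this "valet key" carries
    revoked: bool = False

class AuthorizationServer:
    """The business: keeps the user's credentials, issues limited tokens."""
    def __init__(self):
        self._tokens = {}    # token string -> Token

    def grant(self, user, app_id, requested, consent):
        """Show `requested` to the user via the consent callback and issue a
        token with only the subset they approved, never more than was asked."""
        requested = frozenset(requested)
        approved = frozenset(consent(app_id, requested)) & requested
        token = secrets.token_urlsafe(16)
        self._tokens[token] = Token(app_id, user, approved)
        return token

    def upgrade(self, token, extra, consent):
        """Graceful upgrade: ask the user only about rights the app lacks, then
        replace the key with one carrying the old rights plus the new ones."""
        old = self.introspect(token)
        if old is None:
            return None      # unknown or revoked key: start from a fresh grant
        missing = frozenset(extra) - old.scopes
        approved = frozenset(consent(old.app_id, missing)) & missing
        self.revoke(token)   # the narrower key is retired
        new = secrets.token_urlsafe(16)
        self._tokens[new] = Token(old.app_id, old.user, old.scopes | approved)
        return new

    def revoke(self, token):
        """The user fires the app: the key dies, the account is untouched."""
        if token in self._tokens:
            self._tokens[token].revoked = True

    def introspect(self, token):
        tok = self._tokens.get(token)
        return None if tok is None or tok.revoked else tok


def access(auth, token, required_scope):
    """The business's API: enforce the key's limited rights on each request."""
    tok = auth.introspect(token)
    if tok is None:
        return "invalid_token"        # unknown or revoked key
    if required_scope not in tok.scopes:
        return "insufficient_scope"   # the cue to offer the upgrade
    return "ok"
```

An "insufficient_scope" result is where the app would send the user back through the grant step for just the missing right, rather than asking for everything up front.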
Just Enough Responsibility
App developers are not security experts.
A developer’s job is to make software that does what it is supposed to do.
A security expert’s job is to make sure software never does what it is not supposed to do.
App developers DO NOT WANT the responsibility of holding a user’s secret information.
Usernames and passwords, credit card and banking information, the lifetime history of everyone you’ve emailed.
These are heavy secrets and require heavy security.
The right place for these is within your own business, secured by your own experts and your own infrastructure investments.
Decoupling partners from these challenges
keeps security consistent
with the open platform potential for low-friction innovation.
THE OAUTH IMPERATIVE
The most popular intermediaries are connecting buyers with several complementary sellers at the same time.
That increases their value to the buyer
but also multiplies the difficulty and risk of security
If one app holds secrets for many businesses
that app becomes the highest-risk part of the system.
As more businesses follow the platform imperative and add APIs
there is an imperative for the healthy growth of the market through the new intermediaries.
The imperative is to make it easy for developers to build great apps that can delight users and grow businesses.
The imperative is for businesses to standardize on OAuth.
“We have our own version of OAuth”
“We invented something that’s kind of like OAuth”
The imperative is to make it easy for developers to build great apps that can delight users and grow businesses.
The imperative is for businesses to standardize on OAuth.
No developers were harmed in the production of this presentation.
THANK YOU
Questions and ideas to:
@[email protected] +1-510-913-6495
groups.google.com/group/api-craft