Mobile and API identity – The New Challenges
DESCRIPTION
With the ever-increasing growth of mobile applications and API technologies, the topics of identity management, authentication and authorisation are as important as ever. These technologies mean that those responsible for identity management and security have more to consider when deploying and enforcing security. With rapid time-to-market demands from the business, there is much to consider when delivering an open but secure environment for the business and its users. This session will look at some of the considerations and issues faced in designing and delivering IdM in this emerging space. We will look at how topics such as OAuth, OpenID Connect and single sign-on play their part in these policies, and how governance plays a key role alongside security in protecting the environment.

TRANSCRIPT
Topics
§ Define APIs
§ How are they being used
§ What are the issues
§ What's being used
§ One approach
Web API = Technology
Aran White, Solution Architect, [email protected]
Is it a Web API?
REST/JSON? Yes. SOAP/XML? Yes. HTTP/CSV? Yes.
Modern Timeline of Web APIs
2000 Salesforce API, eBay API
2002 Amazon API
2004 Flickr API; First Web 2.0 Conference
2005 eBay makes APIs free; Programmableweb.com launched with 54 APIs registered
2006 Twitter API, Facebook API, Google (Maps) API
2008 Programmableweb.com has 1000 registered APIs
2010 Salesforce adds HTTP API
2012 Programmableweb.com has 7144 registered APIs
Sources: apievangelist.com, programmableweb.com, internetarchive.com, oreilly.com, Steve Yegge rant
How have they grown, or exploded
Mobile is driving API publishers
The enterprise model: Start with private APIs…
…consider going public in the future
APIs From Internal Services
§ Create a new shiny API or enable our existing services
§ Integration for messages and security
§ Internal security versus external security
§ Who is using the service the most
§ How do we control the use
Applications or Users
§ We don’t just want to trust the user; what about the application?
§ Developers
- On-boarding
- Controlling access
- Monitoring
- Managing
§ Will you allow the application to store user credentials? Long term or per session?
§ Do we trust all devices or platforms?
§ Do we trust jailbroken devices?
Single sign-on issues
§ Multiple Applications
§ Multiple devices
§ Multiple APIs
§ Multiple API providers
§ Integration with cloud services
How are we tackling this
§ New security models
§ OAuth
§ OpenID Connect
§ SAML
§ Tried and tested approaches
- SSL, Basic Auth, WS-Security, XML Security
- Standard threats
§ Multiple approaches per API
§ Brokering between the new world and the existing security
OAuth
§ Drafts keep changing (or did!)
§ Can be complex
§ Picking the correct flow
§ Components: which do I use?
§ Extensions
§ Brokering with existing security
OpenID Connect
§ OAuth-based solution for authentication
§ Gives access to attributes
§ Giving access to identities outside the enterprise
§ Helps scale and agility
§ Who is coming through the door
§ Tracking and audit
SAML
§ Still there as a very valid solution
§ Supported for federated SSO such as SFDC
§ Can be considered heavyweight and complex
§ B2B solutions still like SAML
§ STS deployments
Flexibility is the new challenge
[Slide diagram: SAML, WS-*, LDAP, PKI]
The primary API management challenge: Balancing Control and Accessibility
API publishers want to encourage utilization
§ Low barriers to access
§ Self service
§ Self documenting
But, API publishers also want to restrict access to APIs
§ Smart rate limiting
§ Security enforcement
§ Brand control
Architects want API gateways
[Slide diagram: a Gateway in front of the APIs]
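As an added illustration of the "Applications or Users" and gateway slides (constructed example, not from the deck or its author): a toy gateway policy that checks the calling application's onboarding and approved scopes before the user's token scopes, and rate-limits per application rather than per user. Application names, quotas and scope names are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    """An onboarded developer application. Quotas and scopes are constructed values."""
    client_id: str
    quota_per_window: int
    allowed_scopes: frozenset


class Gateway:
    def __init__(self, apps, window_s=60):
        self.apps = {a.client_id: a for a in apps}
        self.window_s = window_s
        self.hits = {}  # client_id -> timestamps of accepted requests in the window

    def decide(self, client_id, token_scopes, required_scope, now=None):
        """Return (allowed, reason); reason names the first control that failed."""
        now = time.time() if now is None else now
        app = self.apps.get(client_id)
        if app is None:
            return False, "unknown_application"       # not onboarded, whoever the user is
        if required_scope not in app.allowed_scopes:
            return False, "scope_not_granted_to_app"  # app never approved for this API
        if required_scope not in token_scopes:
            return False, "insufficient_user_scope"   # user did not consent to this scope
        recent = [t for t in self.hits.get(client_id, []) if now - t < self.window_s]
        if len(recent) >= app.quota_per_window:
            self.hits[client_id] = recent
            return False, "rate_limited"              # quota is per application, not per user
        self.hits[client_id] = recent + [now]
        return True, "ok"


def demo():
    """Constructed traffic against two onboarded apps and one unknown app."""
    gw = Gateway([
        App("partner-app", 2, frozenset({"orders:read"})),
        App("internal-app", 1000, frozenset({"orders:read", "orders:write"})),
    ])
    calls = [
        ("partner-app", {"orders:read"}, "orders:read", 0),    # ok
        ("partner-app", {"orders:read"}, "orders:read", 1),    # ok
        ("partner-app", {"orders:read"}, "orders:read", 2),    # rate_limited
        ("partner-app", {"orders:write"}, "orders:write", 3),  # scope_not_granted_to_app
        ("internal-app", {"orders:read"}, "orders:write", 4),  # insufficient_user_scope
        ("rogue-app", {"orders:read"}, "orders:read", 5),      # unknown_application
        ("partner-app", {"orders:read"}, "orders:read", 61),   # ok: window has passed
    ]
    return [gw.decide(c, s, r, now=n)[1] for c, s, r, n in calls]
```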