Trust No One: The New Security Model for Web APIs
SecTor talk by Greg Kliewer, Principal Consultant / Solutions Architect, CA Technologies
© 2013 CA. All rights reserved.
[Slide 1]
Trust No One: The New Security Model for Web APIs
Greg Kliewer, Principal Consultant, Solutions Architect
Layer 7, a CA Technologies company
October 8, 2013
[Slide 2]
What are Web APIs?
[Slide 3]
Old School APIs: Application Programming Interfaces
APIs are for connecting “software machines”:
– Modules within a program
– Programs on a server
– Programs over local networks
[Diagram: My Code – My API – Your Code; My Server – Your Client]
[Slide 4]
Web APIs are for connecting “web machines”
Over the World Wide Web
Exploiting a globally-connected network
[Diagram: My API]
[Slide 5]
How Web APIs Evolved
[Slide 6]
Before there were Web APIs, there were Web Apps
APIs protected by network separation
No programmatic access from the Public Internet
Safety through total isolation and control
[Slide 7]
Then came Web Services: SOA / SOAP services
Used web technologies like HTTP, SSL/TLS, and language-independent, text-based grammar
Applied mostly for internal application integration, like old school APIs
BUT there was some limited uptake of SOAP web services for allowing programmatic access to core services by business partners and corporate customers
[Slide 8]
Security for Web Services: The model most of us are familiar with
Establish TRUST with public key infrastructure
– Private key / public certificate pairs
– Have certificates signed by recognized CA / RA
– Exchange that certificate with similarly-assured certificate from partners
Apply asymmetric crypto at runtime to validate digital signatures / decrypt encrypted content
– SSL/TLS Mutual Authentication
– XML-DSIG/XML-ENC applied to SOAP documents
TRUST partner / corporate customer to treat crypto material with care and caution
[Diagram: Partner Company – CA – Partner Company; SIGN / VERIFY, SSL/TLS, VALIDATE]
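The trust model on this slide, as an added worked example (code written for this transcript, not from the talk or from CA / Layer 7): a Go program stands up a constructed root CA, has that CA sign a partner's certificate, validates the presented certificate against the trusted root the way a receiving side would, and then signs and verifies a message with the partner's key pair. The CA name, partner name and sample payload are constructed; the P-256 curve, key usages and one-day validity are choices of this example, not values from the slides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a one-day certificate; isCA marks it as a signing authority.
func certTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// newCA creates a self-signed root: the anchor both sides agree to trust.
// Constructed for this example; in practice this is a recognized CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(name, 1, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issuePartnerCert is the CA signing a partner's certificate; the partner
// keeps the private key and hands out only the certificate.
func issuePartnerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, partner string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, certTemplate(partner, 2, false), ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// validateChain is what the receiving side does with a presented certificate:
// it must chain to the trusted root and be valid for client authentication.
func validateChain(presented, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// sign produces a detached ECDSA signature over msg with the partner's private key.
func sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verify checks the signature using only the partner's certificate (the public half).
func verify(cert *x509.Certificate, msg, sig []byte) error {
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig)
}

func main() {
	ca, caKey, _ := newCA("Example Root CA")
	partner, partnerKey, _ := issuePartnerCert(ca, caKey, "partner.example.com")
	msg := []byte("<order><amount>100</amount></order>") // constructed sample payload
	sig, _ := sign(partnerKey, msg)
	fmt.Println("chain valid:", validateChain(partner, ca) == nil)                                  // true
	fmt.Println("signature valid:", verify(partner, msg, sig) == nil)                                // true
	fmt.Println("tampered:", verify(partner, []byte("<order><amount>999</amount></order>"), sig) == nil) // false
}
```

The two halves of the slide map onto two functions: validateChain is the "VALIDATE" step (does this certificate chain to a CA I trust, and is it allowed to be used for client authentication?), and sign/verify is "SIGN / VERIFY" on the payload itself. Note that nothing here protects you if the partner mishandles its private key, which is the trust the slide's last bullet points out.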
[Slide 9]
But now the disrupters are here
[Diagram: My Business]
[Slide 10]
Mobile, Social, Cloud, and Embedded Applications
Require programmatic access
Do not support PKI / Asymmetric Crypto*
* to prove their identity
[Slide 11]
How can we safely expose Web APIs?
[Slide 12]
The new security model for Web APIs
[Slide 13]
In the new world there are exponentially more Apps to be served
Enterprise Apps, Portals, and Web Apps are being decomposed into Apps…
[Diagram: individual apps such as calendar and notes]
[Slide 14]
In the new world there are exponentially more Apps to be served
…and released into the wild
[Slide 15]
So if we are going to publish APIs to these new Apps…
[Diagram: My API]
[Slide 16]
…we had better require more regular and active scrutiny of the Apps’ access privileges…
First of all, DO NOT issue long-lasting certificates to the Apps (e.g. an X.509 certificate expires in 1 yr). Instead, issue short-lived access tokens that can be revoked at any time.
[Diagram: CISO asks the Security Architect “How long should the Apps have access without re-authenticating?” – “1 hour for info services, 5 mins for financial txns”; App: Request Access → access token]
[Slide 17]
…we had better require more regular and active scrutiny of the Apps’ access privileges…
Next, include the end user in authenticating / authorizing the App:
– Explicitly grant access
– To a limited scope
[Diagram: consent prompt “This App would like to access your profile data and bill to your account.”; App: Request Access / Declare Scope → user grant → access token]
[Slide 18]
[Diagram, as on slide 17: consent prompt “This App would like to access your profile data and bill to your account.”; App: Request Access / Declare Scope → user grant → access token]
Introducing OAuth: The new security model for Web APIs
Open standard specification by IETF WG (quoted below from the abstract of RFC 6749):
“The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.”
[Diagram: App → Requests with access token → API; OAuth Auth Server]
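Slides 16 to 18 describe one procedure: issue short-lived tokens that can be revoked at any time, have the end user grant a limited scope, and send the token with each API request. The following is an added worked example of that procedure written for this transcript; it is not code from the talk, from CA / Layer 7, or from the OAuth specification. The token format (HMAC-SHA256 over a JSON payload), the scope names, the "billing:" prefix that selects the 5-minute lifetime from slide 16, and the injectable clock are all assumptions of the example (it needs Go 1.21 or later for the slices package).

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Token is the payload of a short-lived access token (JWT-style claim names; the format is constructed).
type Token struct {
	ID      string   `json:"jti"`
	App     string   `json:"client_id"`
	User    string   `json:"sub"`
	Scopes  []string `json:"scope"`
	Expires int64    `json:"exp"`
}

// AuthServer issues, revokes and validates tokens; Now is injectable for testing.
type AuthServer struct {
	key     []byte // HMAC key; never leaves the auth server
	revoked map[string]bool
	Now     func() time.Time
}

func NewAuthServer() *AuthServer {
	key := make([]byte, 32)
	rand.Read(key) // fresh random key per server instance
	return &AuthServer{key: key, revoked: map[string]bool{}, Now: time.Now}
}

// lifetimeFor applies the slide's policy: 5 minutes if any financial scope is requested, 1 hour for info ("billing:" prefix assumed).
func lifetimeFor(scopes []string) time.Duration {
	for _, s := range scopes {
		if strings.HasPrefix(s, "billing:") {
			return 5 * time.Minute
		}
	}
	return time.Hour
}

func (a *AuthServer) mac(data []byte) []byte {
	m := hmac.New(sha256.New, a.key)
	m.Write(data)
	return m.Sum(nil)
}

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue mints a token for app acting for user, limited to the scopes the app asked
// for and refusing anything the user did not grant on the consent screen.
func (a *AuthServer) Issue(app, user string, granted, requested []string) (string, error) {
	for _, r := range requested {
		if !slices.Contains(granted, r) {
			return "", fmt.Errorf("scope %q was not granted by the user", r)
		}
	}
	id := make([]byte, 16)
	rand.Read(id)
	payload, _ := json.Marshal(Token{ID: enc(id), App: app, User: user, Scopes: requested,
		Expires: a.Now().Add(lifetimeFor(requested)).Unix()})
	return enc(payload) + "." + enc(a.mac(payload)), nil // base64url(payload).base64url(tag)
}

func (a *AuthServer) Revoke(id string) { a.revoked[id] = true } // immediate, whatever the expiry

// Validate is the check the API performs on every request: integrity first, then expiry, revocation, scope.
func (a *AuthServer) Validate(raw, needScope string) (*Token, error) {
	var tok Token
	p, s, ok := strings.Cut(raw, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	if !ok || err1 != nil || err2 != nil || !hmac.Equal(sig, a.mac(payload)) ||
		json.Unmarshal(payload, &tok) != nil {
		return nil, fmt.Errorf("malformed token or bad signature")
	}
	switch {
	case a.Now().Unix() >= tok.Expires:
		return nil, fmt.Errorf("token expired")
	case a.revoked[tok.ID]:
		return nil, fmt.Errorf("token revoked")
	case !slices.Contains(tok.Scopes, needScope):
		return nil, fmt.Errorf("token lacks scope %q", needScope)
	}
	return &tok, nil
}

func main() {
	as := NewAuthServer()
	tok, _ := as.Issue("mobile-app", "alice", []string{"profile:read", "billing:charge"}, []string{"profile:read"})
	_, err := as.Validate(tok, "billing:charge")
	fmt.Println(err) // token lacks scope "billing:charge"
}
```

Two design points worth noticing. The lifetime is decided from the scopes at issue time, so a token that can bill the account dies after five minutes even if the same App also holds an hour-long read-only token. And revocation is a server-side list keyed by token ID, which is exactly what a one-year X.509 certificate cannot give you without a separate CRL or OCSP infrastructure; here the API is expected to consult the auth server (or a shared store) on every request.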
[Slide 19]
OAuth adoption: The big guys…
[Slide 20]
OAuth adoption: …and YOU
[Slide 21]
How to learn more
[Slide 22]
Where to learn more
Come talk to us!
– Booth #505
– We’re here today and tomorrow
API Academy
– Online resources
– Workshops
OAuth Online
– http://oauth.net/
– https://www.ietf.org/mailman/listinfo/oauth
Primers
– By Aaron Parecki
– By Jakob Jenkov
Publications
– The 5 OAuth essentials
Blogs
– By Francois Lascelles
[Slide 23]
Greg Kliewer
Principal Consultant, Systems Architect
@cainc
slideshare.net/CAinc
linkedin.com/company/ca-technologies
ca.com