Post on 19-Jul-2015
Forum Systems | www.forumsys.com | 888.811.0060 | 199 Wells Ave., Suite 105, Newton, MA 02459
Innovate and Integrate: Modernising API Security
Jason Macy, Chief Technology Officer
Discussion Points
• What is an API
• Data externalization and modernization
• Anatomy of API (information border) security
• Secure agility via architecture design
What is an API?
What is an API?
The Service: Mobile, B2B, Portal, Data …
(HTML, XML, SOAP, REST, JSON, …)
An API is the access point (interface) to the service or data.
APIs are Everywhere
APIs: The Integration Point of Innovation
Externalization and Modernization:
• Cloud | Web Applications: Exposed and consumed via standards-based technology for rapid integration and adoption
• Mobile | Apps: Use web services for calls to back-end servers delivering data and logic
• Big Data | Analysis: Big data analytic engines expose and monetize results via APIs
• Portals | Users: Personalized experience, seamless and unified access to information resources
Externalization and Modernization
Open new channels and new revenue
Deliver Integration and Service; Maintain Security
Services and Assets: Create → Internal APIs
Clients and Consumers: Consume → External APIs
• Integrate • Subscribe • Invoke
• Promote • Monitor • Secure
The Agility of API Abstraction
Consumers of the abstracted API:
• Mobile Device
• Web Portal
• B2B Partner
• Cloud App
• Web Site
• Sat Link
Behind the API: Company Assets and Services
Anatomy of Modern API Security
The Service: Mobile, B2B, Portal, Data …
(HTML, XML, SOAP, REST, JSON, …)
Anatomy of Modern API Security
Threat Mitigation
• Content-Aware (SOAP, REST, …)
• Intrusion Detection and Prevention
• Data Leakage
• Embedded Malware
Transport Security
• SSL/TLS
• IP, Port, URL
Data Privacy
• Content Encryption
• Content Decryption
Attribute-Based Access Control
• Subject, Object, Environment
Role-Based Access Control
• AuthN, AuthZ
Integrity and Trust
• Digital Signature
• Signature Verification
• Schema Validation
Agile API Security – Decouple from Service
The Service: Mobile, B2B, Portal, Data …
(HTML, XML, SOAP, REST, JSON, …)
An API Security Gateway placed in front of the service provides:
• Role-Based Access Control
• Threat Mitigation
• Transport Security
• Attribute-Based Access Control
• Data Privacy
• Integrity and Trust
Modernise the IT Security Architecture
Legacy IT Security Architecture
Clients: Mobile, B2B, Cloud / 3rd Party, Browsers
Perimeter layers: Firewall, WAF, IDS, SIEM
Back end: SOA, Virtual, ESB, Apps, Portals
Endpoint Services and Data
The API Gateway: Modern Architecture
Clients: Mobile, B2B, Cloud / 3rd Party, Browsers
Perimeter layers: Firewall, WAF, IDS, SIEM
Deployment boundaries: Internet / DMZ, DMZ / Extranet, DMZ / Intranet, Extranet / Intranet, Intranet / internal-enclave
API Security Gateway
SECURITY
• Protocol-Break Security
• Deep Content-Inspection
• Data Validation
• Threat Analysis
• Antivirus Scanning
• Accelerated Cryptography
IDENTITY
• ABAC, RBAC, CBAC
• SSO
• Integrated SAML & OAuth
Back end: SOA, Virtual, ESB, Apps, Portals
Endpoint Services and Data
API Security Gateway
Combining Security with Identity
ABAC, RBAC, CBAC
API Gateway – Centralized ABAC, RBAC, CBAC
The API Security Gateway publishes APIs for consumption in front of the back end (SOA, Virtual, ESB, Apps, Portals).
Brokering the client request:
• Virtual API (Protocol break): the client connects to the gateway's virtual API, not to the service itself
• Content Inspection (CBAC): SOAP, XML, REST, JSON, HTML, URL
• ID Authentication, Authorization (Role-Based Access Control): OAuth, SAML, WS-Tokens, HTTP Form Post, HTTP Basic, HTTP Digest, NTLM, Kerberos, X509 Mutual, RSA SecurID
• Attribute Analysis (ABAC): Subject Attributes, Object Attributes, Environment Conditions
• Broker client request to the back end
API Gateway – Centralized RBAC + CBAC + SSO
Brokering the service response:
• Deep Content Inspection (Response CBAC): SOAP, XML, REST, JSON, HTML, URL
• Authorization (Response RBAC): correlate inbound identity with response information; Allow, Filter, or Reject
• Broker service response back to the client
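The request and response brokering described in the two gateway slides above, as an added example in Python that is not Forum Systems' code and not a description of their product's internals. It chains the stages in the order the slides show: AuthN, request content inspection (CBAC), request RBAC, attribute analysis (ABAC) over subject, object and environment attributes, the brokered call across the protocol break, and response RBAC that filters fields by the inbound identity. The bearer tokens, roles, departments, back-end records, the "owning department" and "business hours" ABAC rules, and the key/type schema are all constructed for illustration; a real gateway would validate OAuth or SAML assertions and full XML/JSON schemas instead of these toy lookups.

```python
import json

# Constructed identity store (hypothetical tokens and attributes): token -> subject
SUBJECTS = {
    "tok-alice": {"user": "alice", "role": "analyst", "dept": "finance"},
    "tok-bob": {"user": "bob", "role": "partner", "dept": "external"},
}
# RBAC: operations each role may invoke on the virtual API
ROLE_PERMISSIONS = {
    "analyst": {"GET /reports", "POST /reports"},
    "partner": {"GET /reports"},
}
# Response RBAC: fields each role may receive from the brokered response
VISIBLE_FIELDS = {
    "analyst": {"id", "title", "owner_dept", "internal_notes"},
    "partner": {"id", "title"},
}
# Constructed back-end records behind the virtual API
BACKEND_REPORTS = {
    "r1": {"id": "r1", "title": "Q2", "owner_dept": "finance", "internal_notes": "draft"},
    "r2": {"id": "r2", "title": "Ops", "owner_dept": "ops", "internal_notes": "n/a"},
    "r3": {"id": "r3", "title": "Partner", "owner_dept": "external", "internal_notes": "copy"},
}
MAX_BODY = 1024  # CBAC: inbound size limit in bytes
REPORT_SCHEMA = {"title": str, "owner_dept": str}  # CBAC: required keys and types for POST


class Deny(Exception):
    """Raised by any gateway stage that rejects the request."""


def authenticate(headers):
    """AuthN: map a bearer token to its subject attributes (toy lookup)."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        raise Deny("authn: missing bearer token")
    subject = SUBJECTS.get(token[len("Bearer "):])
    if subject is None:
        raise Deny("authn: unknown token")
    return subject


def inspect_content(method, raw_body):
    """Request CBAC: size limit, well-formedness, schema; returns only whitelisted keys."""
    if len(raw_body) > MAX_BODY:
        raise Deny("cbac: body too large")
    if method == "GET":
        return None
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise Deny("cbac: body is not valid JSON") from None
    if not isinstance(body, dict):
        raise Deny("cbac: body must be a JSON object")
    for key, typ in REPORT_SCHEMA.items():
        if not isinstance(body.get(key), typ):
            raise Deny(f"cbac: field {key!r} missing or wrong type")
    return {key: body[key] for key in REPORT_SCHEMA}  # unknown keys never reach the back end


def check_rbac(subject, method, path):
    """Request RBAC: is the operation in the role's permission set?"""
    if f"{method} {path}" not in ROLE_PERMISSIONS.get(subject["role"], set()):
        raise Deny("rbac: role not permitted for operation")


def check_abac(subject, obj, env):
    """ABAC: subject, object and environment attributes evaluated together (hypothetical rules)."""
    if obj["owner_dept"] != subject["dept"]:
        raise Deny("abac: subject department does not own object")
    if not 8 <= env["hour"] < 18:
        raise Deny("abac: outside permitted hours")


def filter_response(subject, record):
    """Response RBAC: allow, filter or reject fields based on the inbound identity."""
    allowed = VISIBLE_FIELDS[subject["role"]]
    return {k: v for k, v in record.items() if k in allowed}


def gateway(method, path, headers, raw_body, env, report_id=None):
    """Run one client request through every stage; return (status, payload)."""
    try:
        subject = authenticate(headers)
        body = inspect_content(method, raw_body)
        check_rbac(subject, method, path)
        if method == "POST":
            obj = body
        else:
            obj = BACKEND_REPORTS.get(report_id)
            if obj is None:
                raise Deny("object not found")
        check_abac(subject, obj, env)
        # Broker to the back end across the protocol break: only the validated
        # object is forwarded, never the raw client bytes.
        if method == "POST":
            new_id = f"r{len(BACKEND_REPORTS) + 1}"
            record = {"id": new_id, **body, "internal_notes": ""}
            BACKEND_REPORTS[new_id] = record
        else:
            record = obj
        return 200, filter_response(subject, record)
    except Deny as exc:
        return 403, {"error": str(exc)}


if __name__ == "__main__":
    # A partner reading a partner-owned record sees only the fields its role allows.
    print(gateway("GET", "/reports", {"Authorization": "Bearer tok-bob"}, "", {"hour": 10}, "r3"))
```

The order of the stages matters: content inspection runs before any authorization decision so malformed input is rejected cheaply, and the ABAC check is evaluated on the validated object rather than on raw client input. The `env` dictionary stands in for environment conditions the gateway would normally read itself (time of day here; source network or device posture in practice).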
API Security Gateway
Key Considerations
API Security Gateway – Key Considerations
Build vs Buy
• Remove complexities of interoperability and leverage purpose-built, industry-proven security over home-grown coded solutions
Flexible form factors
• Virtual and physical to support deployment in any computing environment
No-Code SAML and OAuth
• Legacy and modern system enablement of SAML and OAuth SSO without writing a single line of code
API Security Gateway – Key Considerations
Vendor Agnostic
• Enables technology choices that improve agility, rather than stifle it
Standards-Based
• Out-of-the-box support for all modern industry protocol and messaging standards (SOAP, XML, JSON, etc.)
Edge Facing
• API Security Gateway built on secure architecture enables Tier 0 deployment to unify identity with security
Thank You
More Info: www.forumsys.com