Best Practices in Deploying API Gateways
Transcript of Best Practices in Deploying API Gateways
Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520, Needham, MA 02494
Best Practices in Deploying API Gateways, API World 2017
Greg DiFruscio, Director of Support
Why API Gateways are an essential component of a secure, robust and scalable API infrastructure.
Best practices and common deployment scenarios of API Gateways.
TYPES OF API GATEWAYS
#1 API Gateway Basics
Deployed similar to a reverse proxy (protocol break)
The gateway represents the endpoint API and appears to the consumer as if it is the application or service itself
Can be located on-premise or in the cloud
Move the security, identity, and management processing out to the API Gateway tier; let the APIs focus on the business requirement
While API Gateways expose the APIs, not all API Gateways truly secure the APIs
#2 API IAM Gateways
IAM (Identity and Access Management) gateways are designed for identity and access control and for centralizing IAM agents
IAM Gateway products support limited API types (e.g. REST)
Limited support for network protocols (e.g. REST APIs over HTTP)
Very little or no ability to provide information assurance of the API data
Typically built on insecure platforms: software only, or an unhardened virtual appliance
#3 API Management Gateways
More versatile than IAM Gateways, with broader support for API types and network protocols
Evolved from ESB integration platforms, where integration and payload conversion are core functions
Usually developer centric
Often provide developer portals for API consumers, self-documenting APIs
Typically built on open platforms designed for flexibility
Inherently susceptible to attack and compromise
#4 API Security Gateways
Security-first focus: product form factors and feature sets
Products hardened against cyber attack (closed systems)
Include API identity features from the IAM space
Include API governance features from the API Management space
Include API security from the cybersecurity space
Support for a wide array of API types and network protocols
Focus on content-layer security (e.g. schema validation, encryption, digital signatures) in addition to TLS
Bi-directional scanning to prevent threats as well as data leakage
Which type of API Gateway is right for you?
Is HTTP/S the only protocol you need?
Are REST API services the only type you will need to support?
Are you concerned about malware and other API exploits embedded within the payloads?
Do you need to support legacy applications and services?
Are you concerned with data leakage and sensitive information loss?
DEPLOYING API GATEWAYS
#1 Location and Form Factor
On-premise or cloud?
Hardware, virtual, software, AMI, other?
Where are the services?
Where are the clients?
Where are the user identity repositories?
#2 Use Case Discussion
API types (e.g. REST, SOAP, XML, web portals, etc.)
Network protocols (HTTP/S, SFTP, JMS, SMTP, AMQP 1.0, mixing)
Identity, access control, and SSO requirements (identity repositories)
API security requirements (TLS, schema validation, AV scanning, parameter validation, method validation, etc.)
API integration/mediation requirements (JSON to/from XML, etc.)
Logging requirements
Custom error handling
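The content-layer checks named under API Security Gateways (schema validation, bi-directional scanning) and the API security requirements listed in this use-case discussion (method validation, parameter validation, schema validation) reduce to a positive security model on the inbound request and a leakage scan on the outbound response. The Python below is an added example written for this transcript; it is not code from Forum Systems or from its gateway product, and the ORDER_POLICY table, the endpoint, the field names and the leakage patterns are all hypothetical. Anything not explicitly listed in the policy is rejected, the body size is checked before the body is parsed, and the response scan uses a Luhn check so that ordinary 16-digit identifiers are not flagged as card numbers.

```python
import json
import re

# Hypothetical gateway policy for one endpoint (constructed for this example).
# Everything not listed here is rejected: unknown methods, unknown query
# parameters, unknown body fields. The back-end API only ever sees input that
# matched the policy, which is what moving security out to the gateway tier buys.
ORDER_POLICY = {
    "path": "/api/orders",
    "methods": {"GET", "POST"},
    # query parameter name -> pattern its value must fully match
    "params": {"limit": re.compile(r"[1-9][0-9]{0,2}")},
    "max_body_bytes": 4096,
    # body field -> (JSON type, required?)
    "schema": {
        "sku": (str, True),
        "quantity": (int, True),
        "note": (str, False),
    },
}

# Outbound patterns for the leakage scan (constructed): a US SSN, and a 16-digit
# card number that must also pass the Luhn check so that ids and timestamps are
# not flagged.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits):
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_request(policy, method, params, body):
    """Inbound check. Returns a list of violations; an empty list means forward it."""
    errors = []
    if method not in policy["methods"]:
        errors.append(f"method {method} not allowed")
    for name, value in params.items():
        pattern = policy["params"].get(name)
        if pattern is None:
            errors.append(f"unexpected parameter {name}")
        elif not pattern.fullmatch(value):
            errors.append(f"parameter {name} has invalid value")
    if method == "POST":
        # size check before parsing, so an oversized body never reaches the parser
        if len(body) > policy["max_body_bytes"]:
            return errors + ["body too large"]
        try:
            doc = json.loads(body)
        except ValueError:
            return errors + ["body is not valid JSON"]
        if not isinstance(doc, dict):
            return errors + ["body must be a JSON object"]
        for fname, (ftype, required) in policy["schema"].items():
            if fname not in doc:
                if required:
                    errors.append(f"missing field {fname}")
            # bool is a subclass of int in Python, so exclude it explicitly
            elif not isinstance(doc[fname], ftype) or isinstance(doc[fname], bool):
                errors.append(f"field {fname} has wrong type")
        for fname in doc:
            if fname not in policy["schema"]:
                errors.append(f"unexpected field {fname}")
    return errors


def scan_response(body):
    """Outbound check. Returns the kinds of sensitive data found in a response body."""
    findings = []
    if SSN_RE.search(body):
        findings.append("ssn")
    for match in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", match.group(0))):
            findings.append("card")
            break
    return findings
```

A gateway policy would run validate_request before the request is forwarded and scan_response on the back-end reply, blocking or masking the response on a finding; the point of keeping both in the gateway is that the back-end service carries neither check.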
#3 Policy Configuration and Management
Simple is better (point and click, no coding necessary)
Err on the side of security
Start basic and add processing layers
Reuse policy objects
Policy naming conventions
Propagation of policies across environments
Automation via APIs
#4 Security Review
Ask your vendor for a security review of your policies
Check for sensitive information in logs
Check for weak ciphers and TLS/SSL protocols
Positive and negative testing
Review errors generated on the gateway and errors returned from applications
Do it before moving into production
Schedule them often
BEST PRACTICES IN API SECURITY
#1 Product Security
Secure OS (the infrastructure is a target)
Secure policy/configuration storage
Protect your private keys
#2 API Security Policy
#3 API Identity
Aim for an agentless approach
Protect identity repositories
Use SSO and federation
Multi-context authentication and authorization
Reduce dependencies on vendor-specific implementations
#4 API Integration
Rewriting URLs (hides your internal path from consumers)
Mapping payload formats, for integration as well as security
Mapping user attribute information retrieved from the identity call
Querying LDAP, databases, APIs (T-junction processing)
Network protocol mediation (e.g. HTTPS to/from ActiveMQ)
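Three of the integration functions above (URL rewriting, payload mapping, and mapping user attributes from the identity call) can be shown in a single request-mediation step, which also covers the JSON to/from XML requirement from the use-case discussion. The Python below is an added illustration written for this transcript, not Forum Systems code; the route table, internal host names, header names and claim names are hypothetical. It also shows the checks a practitioner adds around these features: the route table is an allow-list, so a rewritten path cannot reach an unlisted back-end; the XML is built with an API that escapes content, so a JSON value cannot inject markup; and client-supplied identity headers are stripped before the gateway sets its own.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical route table (constructed): public path prefix -> (back-end base URL,
# content type the back-end expects). Rewriting hides the internal path from the
# consumer, but it is the allow-list, not the hiding, that does the security work.
ROUTES = {
    "/v1/orders": ("http://orders.internal:8080/OrderService", "application/xml"),
    "/v1/customers": ("http://crm.internal:8080/api/customers", "application/json"),
}

# Identity-call attributes the back-end is allowed to learn about the caller,
# and the header each is carried in (hypothetical names).
CLAIM_TO_HEADER = {"sub": "X-User-Id", "groups": "X-User-Groups", "email": "X-User-Email"}


def rewrite_url(public_url):
    """Map a public gateway URL onto its back-end URL; None for anything not routed."""
    parts = urlsplit(public_url)
    path = parts.path
    # refuse traversal and empty segments rather than trying to normalise them
    if ".." in path or "//" in path:
        return None
    for prefix, (backend, ctype) in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            url = backend + path[len(prefix):]
            if parts.query:
                url += "?" + parts.query
            return url, ctype
    return None


def json_to_xml(doc, root_tag="request"):
    """Payload mapping: JSON object -> XML string. ElementTree escapes '<', '>' and '&'
    in text, so a value such as 'A<1' cannot break out of its element."""
    root = ET.Element(root_tag)

    def build(parent, value):
        if isinstance(value, dict):
            for key, item in value.items():
                if not key.isidentifier():  # conservative allow-list for element names
                    raise ValueError(f"illegal field name {key!r}")
                build(ET.SubElement(parent, key), item)
        elif isinstance(value, list):
            for item in value:
                build(ET.SubElement(parent, "item"), item)
        elif value is None:
            parent.set("nil", "true")
        elif isinstance(value, bool):
            parent.text = "true" if value else "false"
        else:
            parent.text = str(value)

    build(root, doc)
    return ET.tostring(root, encoding="unicode")


def map_identity_headers(claims):
    """Attribute mapping: forward only the allow-listed claims from the identity call."""
    headers = {}
    for claim, header in CLAIM_TO_HEADER.items():
        if claim in claims:
            value = claims[claim]
            headers[header] = ",".join(value) if isinstance(value, list) else str(value)
    return headers


def mediate(public_url, client_headers, body_json, claims):
    """One gateway hop: rewrite the URL, map the payload, set identity headers."""
    route = rewrite_url(public_url)
    if route is None:
        return None
    backend_url, ctype = route
    # drop any identity header the client tried to supply before adding the gateway's own
    headers = {k: v for k, v in client_headers.items() if not k.lower().startswith("x-user-")}
    headers.update(map_identity_headers(claims))
    headers["Content-Type"] = ctype
    doc = json.loads(body_json)
    body = json_to_xml(doc) if ctype == "application/xml" else json.dumps(doc)
    return backend_url, headers, body
```

The reverse direction (XML from the back-end mapped to JSON for the consumer) needs the opposite care: parse the back-end's XML with external entities and DTDs disabled, since a compromised or misconfigured back-end is still untrusted input to the gateway.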
#5 API Monitoring
Integrate with a central SIEM/logging system (e.g. Splunk, ELK, Graylog, etc.)
Build real-time dashboards from gateway logs
Leverage big data analytics for alerts, trends, reports
Conclusions
Choose the right type of API Gateway for your current and future needs
Decide where the API Gateway(s) will live and what form factors are correct for your environment
Spend the time up front to architect the solution and build the policies in accordance with your plan
Your APIs and your API infrastructure are targets: API security means security features as well as secure architecture
FORM FACTORS
API Security Gateway
Hardware: ForumOS™. FIPS 140-2 Level II purpose-built chassis. NIAP NDPP Certified. Patented cryptographic acceleration.
Virtual: Fully encapsulated virtualized rendition of the hardware system in a deployable OVA VMware image.
Cloud: Fully encapsulated virtualized rendition of the hardware system in a deployable Amazon AMI.
Software: Windows, Linux, or Solaris, deployable in any computing ecosystem (single-package install with no dependencies).
To learn more visit us at http://info.forumsys.com/api_world