Managing API Security
Liam Lynch
Chief Security Strategist, eBay
Founder and Identity Strategist, CSA
Feb 23, 2011
Web services security
Large scale public services need scale, but they also need granular security.
Service fabrics such as REST are valuable for agile development.
Many consumers of services can't use SOAP or other forms of XML request/response.
Whatever the protocol, there needs to be protection and dynamic service delivery.
Service protection
Early on, protection for services was SSL and access tokens.
The typical use case was 3rd party iframe invocation in client browsers.
REST was a step up in protection, but the typical use case was still dangerous.
Full SOAP/XML based services using standards (XML encryption and SAML) are better but elude the typical use case.
Until…
Service abstraction
Service abstraction allows for denial of service protection.
Abstraction allows older services to be upgraded without rewriting code.
Abstraction allows for integrated service delivery.
Abstraction allows for upgrading security and service standards.
Abstraction allows for increased security by coordinating with…
Service orchestration
Orchestration provides a capability to bring in service delivery components just in time.
Security level orchestration leverages abstraction to enable evaluation at run time.
The typical use case could be easily enabled by SAML browser tokens and orchestration of identity provider assertions.
Policies for access can be orchestrated from a variety of sources depending on client access and other factors such as service authorization.
Summary
Service protection has a history of proprietary and troublesome interoperability issues.
Service abstraction enables better service security by introducing a standards based layer in front of service platforms.
Service orchestration enables better security by leveraging service abstraction and injecting standards based security and policy evaluation.
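As an added example, not code from either presentation, here is a minimal Python model of the layer the slides place in front of a service platform: it authenticates the caller, evaluates an access policy before any backend work is done, and throttles each client with its own token bucket so that one consumer cannot exhaust the backend. The API keys, the policy table and the paths are constructed sample data, and the clock is passed in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the presentation): API keys issued to two
# partners, and the per-client policy the abstraction layer evaluates.
API_KEYS = {"key-partner-a": "partner-a", "key-partner-b": "partner-b"}
POLICY = {
    "partner-a": {"paths": {"/v1/listings"}, "rate_per_sec": 2.0, "burst": 2},
    "partner-b": {"paths": {"/v1/listings", "/v1/orders"}, "rate_per_sec": 5.0, "burst": 5},
}


@dataclass
class TokenBucket:
    """Per-client throttle: refills at `rate` tokens/sec up to `burst`."""
    rate: float
    burst: int
    tokens: Optional[float] = None
    last: float = 0.0

    def allow(self, now: float) -> bool:
        if self.tokens is None:          # first request: start with a full bucket
            self.tokens, self.last = float(self.burst), now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    """Abstraction layer in front of the backend service."""

    def __init__(self):
        self.buckets = {}                # one bucket per authenticated client

    def handle(self, api_key: str, path: str, now: float) -> tuple:
        """Return (status, detail); only status 200 is forwarded to the backend."""
        client = API_KEYS.get(api_key)
        if client is None:               # unauthenticated calls cost the backend nothing
            return 401, "unknown client"
        policy = POLICY[client]
        if path not in policy["paths"]:  # policy is evaluated before any quota is spent
            return 403, "path not permitted for client"
        bucket = self.buckets.setdefault(
            client, TokenBucket(policy["rate_per_sec"], policy["burst"]))
        if not bucket.allow(now):        # a noisy client is throttled, not the others
            return 429, "throttled"
        return 200, f"forwarded {path} to backend for {client}"
```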
Managing API Security: Common Patterns and Case Studies
K. Scott Morrison
CTO and Chief Architect, Layer 7
Feb 23, 2011
LargeCorporation.com Has A Problem…
[Diagram: a Partner on The Internet reaching The API through Firewall-1, the DMZ and Firewall-2 to Internal Hosts in the Internal Data Center]
How can LargeCorp securely publish and manage their new API?
Cloud-based Security & Management Is Too Remote
[Diagram: a Cloud Security Offering sits on the Internet side of Firewall-1, leaving "the last 1000 miles…" through the DMZ and Firewall-2 to The API and Internal Hosts in the Internal Data Center exposed to Hackers]
Layer 7: The Enterprise Solution For Service Protection
[Diagram: keep security and management close to The API, between the Partner, the Operator, the DMZ and the Internal Data Center]
Military-grade security for REST and SOAP APIs/Services
Complete visibility into use patterns
Integration into existing infrastructure: Identity & Access Mgmt, Portals, Operations, billing, etc.
Case Study: Publishing Web-based APIs
Problem: A leading European car portal wanted to securely expose auto and ecommerce information to third party developers.
Solution: Layer 7 authorizes/authenticates third party developers attaching to ecommerce APIs directly or via a Web portal; throttles backend traffic to maintain Quality of Service targets.
Results: increased revenue by monetizing their APIs; increased traffic, exposure and brand through third-party Web sites, applications and services based on automobile-focused Web service APIs.
But Now LargeCorporation.com Has A New Problem…
[Diagram: Lots of Developers reaching Lots of APIs through Firewall-1, the DMZ and Firewall-2 to Internal Hosts in the Internal Data Center]
How can LargeCorp scale API management?
The Enterprise Solution For Service Abstraction
[Diagram: management of APIs the way applications are managed, with a Provider View and a Developer View between Lots of Developers, the DMZ, Internal Hosts and the Internal Data Center]
Full policy life-cycle management
Policy versioning, roll-back, audit
Policy migration (dev-test-prod)
Clear separation of duties
Role-based Access Control (RBAC)
APIs for integration with existing infrastructure and tools
Case Study: Publishing Information Service APIs
Problem: A leading global publisher needed to allow customers and partners to use Google Apps to access multiple, existing information services.
Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration.
"Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close." (SOA Architect, world's leading publisher of science and health information)
Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering.
Finally, How Will LargeCorporation.com Automate?
[Diagram: High Usage Volumes arriving through the DMZ at Virtualization Infrastructure in the Internal Data Center]
How can LargeCorp react to rapid changes in scale?
The Enterprise Solution For Service Orchestration
[Diagram: secure and automated co-ordination of all infrastructure to maintain SLAs, spanning the Virtualization Farm and its Virtualization API, Switches, Load Balancers, etc., an Audit DB, High Usage Volumes arriving through the DMZ, and the Internal Data Center]
Orchestration using GUI tools
Fully integrated into security context
Parallelized access
Connectors to HTTP, TCP, SSH, FTP, JMS, SNMP, SMTP, MQSeries, etc.
Case Study: IaaS & PaaS API Security
Problem: A leading cloud IaaS and PaaS provider needed to allow customers to self-provision and self-manage private cloud resources without compromising the cloud provider's virtualized infrastructure.
Solution: Layer 7 provides integration with and API management for this provider's management and billing systems, EMC storage, and VMware vCloud Director; provides security/threat protection, and ensures SLA/QoS levels are met.
Results: with Layer 7 in place, the provider's customers can create and manage their own private cloud as if it were a true extension of their enterprise.
For further information:
K. Scott Morrison, Chief Technology Officer & Chief Architect
Layer 7 Technologies, 1100 Melville St, Suite 405, Vancouver, B.C. V6E 4A6, Canada
(800) 681-9377
smorrison@layer7tech.com
http://www.layer7tech.com
February 23, 2011