CIS14: API Security for the Cloud: Tales from the Trenches
1. © 2014 Axway | Confidential 1
API Security for the Cloud
Ross Garrett
rgarrett@axway.com | @gssor
Cloud Identity Summit 2014
2. Access Control isn’t this simple
3. Modern Enterprises have many open windows
4. Web APIs power the Open Enterprise
5. Identity is key to protecting APIs
6. Identity is key to protecting APIs?
7. User Experience is actually key
8. There are many layers to a complete Security Solution
• API Gateway
• MDM
• MAM
• Firewalling
• IAM
• API Security
9. The Role of the API Gateway
• Threat Protection
• Encryption
• Authentication
• Authorization
• Policy Enforcement (e.g. throttling)
10. A simple API Security example
11. The Role of the API Gateway
Basic throttling or rate limiting can prevent malicious access to public APIs.
12. Basic Identity Federation
13. The Role of the API Gateway
• Securely bridging identity across domains
– Mediating between token formats
• Provide an STS overlay on top of existing IAM infrastructure
– Enabling the extension of identity assets to the cloud
• Track and audit usage
14. The password anti-pattern
15. Solving this problem with OAuth
16. The Role of the API Gateway
• Provide an OAuth façade on top of legacy IAM
• Clients should not be storing user passwords
– OAuth Tokens represent explicit authorization for a specific task
• Provide a centralized way to de-authorize clients
– Low latency token store
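A toy version of the gateway policy these slides describe (throttling from slide 11, scoped tokens and a centralized revocation store from slide 16), written for this page rather than taken from the deck or from any Axway product; the in-memory stores, the fixed-window limiter and the client and scope names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Token:
    client_id: str
    scopes: frozenset  # explicit authorization for specific tasks, not a user password
    expires_at: float

class TokenStore:
    """In-memory stand-in (assumption) for the gateway's low-latency token store."""
    def __init__(self):
        self._tokens = {}
        self._revoked_clients = set()
    def issue(self, token_id, client_id, scopes, ttl, now):
        self._tokens[token_id] = Token(client_id, frozenset(scopes), now + ttl)
    def revoke_client(self, client_id):
        # Centralized de-authorization: one call invalidates every token of a client.
        self._revoked_clients.add(client_id)
    def lookup(self, token_id, now):
        tok = self._tokens.get(token_id)
        if tok is None or tok.expires_at <= now or tok.client_id in self._revoked_clients:
            return None
        return tok

class RateLimiter:
    """Fixed-window counter per client: at most `limit` requests per `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._counts = {}  # client_id -> (window_index, count)
    def allow(self, key, now):
        bucket = int(now // self.window)
        win, count = self._counts.get(key, (bucket, 0))
        if win != bucket:  # a new window starts: reset the counter
            win, count = bucket, 0
        if count >= self.limit:
            return False
        self._counts[key] = (win, count + 1)
        return True

def gateway_decision(store, limiter, token_id, required_scope, now):
    """Policy order: authenticate token, authorize scope, then throttle the client."""
    tok = store.lookup(token_id, now)
    if tok is None:
        return 401, "invalid, expired or revoked token"
    if required_scope not in tok.scopes:
        return 403, f"token not authorized for {required_scope}"
    if not limiter.allow(tok.client_id, now):
        return 429, "rate limit exceeded"
    return 200, "ok"
```

A production gateway would also throttle before authentication so that unauthenticated floods never reach the token store.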
19. The Role of the API Gateway
• Apply Social Login at an infrastructure level
– Bringing API Access and SSO together
• Monitoring and Reporting
– Trends over time
– Audit trail
• Enterprise Identity Management Integration
– Adapters to directories, Web Access Management
20. Some Customer Examples
21. Leading pharmaceutical company – SSO
Challenge
• Users have two passwords (one for Intranet, one for SharePoint)
• Two user authentication technologies (Oracle and Microsoft)
Solution (diagram components): Web Browser, API Gateway, API, Intranet Site, Oracle Access Manager, SharePoint, Active Directory
22. Large US Health Plan – Mobile Access
Challenge
• Manage mobile (tablet, phone) access to medical systems
• Consolidate across Oracle and IBM identity systems
Solution (diagram components): Mobile Devices, Secure connection, API Gateway, API, Identity Management Integration, SAML, Oracle SOA, Web APIs
23. Leading Mutual Fund Provider – Cloud Access
Challenge
• Must authenticate clients against CA SiteMinder
• Must expose internal systems as APIs for Mobile apps to access
• Secure Connection to Salesforce
Solution (diagram components): Mutual fund provider, API Gateway, Secure connection, Check cookie, Encrypted Data
24. Thank you!
Ross Garrett
rgarrett@axway.com | @gssor