The Magic Behind Enterprise Apps:
How to expose Reliable, Scalable and Secure
Enterprise APIs.
Blake Dournaee
Senior Product Manager
Intel Data Center Software Division

Intel Confidential — Do Not Forward
Watch the video with slide synchronization on InfoQ.com!
http://www.infoq.com/presentations/reliability-security-enterprise-api

Presented at QCon San Francisco
www.qconsf.com
Warning: This talk is not “sexy” … but it may make your life easier
Coding at home versus coding at work

Independent Developer
• Open source & low cost tooling
• Organic software development process
• Coolest programming language
• Code for fun and/or profit
• No legal department
• Minimum security & compliance
• No “legacy” applications
• Complete creative control
• Lower or zero risk aversion
• Sole developer or small team
• Liberal use of “aaS” services

Enterprise Developer
• Mix of licensed software and open source
• Formalized software development process
• Incumbent programming languages
• Code for a living
• Legal department
• Formalized security & compliance
• “Legacy” applications
• Restricted creative control
• Higher risk aversion
• Larger development team
• Deliberate use of “aaS” services
Enterprise Apps Come From APIs

How do you package valuable internal data & services for internal, partner, and external dev. community app creation?
[Diagram: an API sits between Legacy Data and Cross-platform apps]
Enterprises Have Unique Requirements
for Mobile Enablement
Trying to get a mobile project going at your Enterprise?
Does this look familiar?
• Disparate middleware and database
technologies
• Disparate identity management silos
• Disparate programming languages
• Current architecture optimized for web
browsers
• Vertical integration prohibits cloud
outsourcing
• Inconsistent security model across domains
• PII/PCI compliance requirements?

On top of this you want:
• BYOD – Any device
• Native application features & feel
• Low development & maintenance costs
• Fast time to market
• Robust security for Enterprise data
Mobile Enablement is Expensive
• Our mobile reality is fragmented – iPhone, Android,
Windows, Blackberry
• Multiple versions of everything
• Competing programming languages
• Competing devices and ecosystems

• How can Enterprises reduce cost drivers?
Two Ways:
• A standards-based way to …
• write portable mobile apps
• make data available to those apps
So… where are most Enterprises today in this journey?
Traditional 3-Tier Architecture

[Diagram: Browser -> Load Balancer -> Web servers (Presentation Tier) -> Load Balancer -> App servers (Logic (application) Tier) -> Load Balancer -> Database Master with Database slaves 1..N (Persistence Tier)]

3-Tier Shared Nothing Architecture
• Most common architecture, widely deployed
• Gold standard, developed as a result of the web revolution
• Problem: Designed primarily for HTML web browsers, not mobile apps

Image borrowed from Software Engineering for Software as a Service; Coursera course by Armando Fox, Dave Patterson
What’s Happening – Two Approaches Emerging
• Build it: Hang APIs for mobile off my ESB
• Outsource it: Buy a cloud service & outsource app creation (Back-end as a Service)
Existing Approaches - Challenges

ESB Approach - Challenges
• Lack of Perimeter Security
• Trust mediation, especially for legacy systems
• Scalability
• Resource protection
• High costs of success*

Outsourced Approach - Challenges
• Loss of Control
• Vendor / SDK Lock-in
• Data Portability
• Development Costs
• Secure cloud brokering
• Requires new business relationships
Is there another way?

Wait a Minute….
Mobile apps thin the server business logic
Processing is pushed to the client
Client / Server? Crap… We’re back to Client / Server
Almost…

2-Tier, App-Optimized Architecture

[Diagram: HTML5 & Native Apps -> Load Balancer -> APIs (Data Services and Delivery Layer) -> Load Balancer -> Database Master with Database slaves 1..N (Persistence Tier)]

2-Tier Data Services (API) Architecture
• Emerging standard for app enablement
• Pushes view/presentation to client side
• Enterprise Data is made available through a data service layer
“New” 3-Tier Architecture

[Diagram: HTML5 & Native Apps -> Load Balancer -> API Governance, Management and Security (Delivery & Governance Tier) -> Load Balancer -> APIs (Data Service Layer) -> Load Balancer -> Database Master with Database slaves 1..N (Persistence Tier)]

3-Tier API-optimized architecture
• Emerging standard for app enablement
• Pushes view/presentation to client side
• Delivery tier focuses on integration, mediation, and security instead
Proxy Design Pattern
When
• Architectural best practice for API or web services communication
• Product agnostic
• Relies on indirection to solve security, performance and management problems
• Ideal for application to application traffic

[Diagram: Client --HTTP/JSON--> Governance Gateway (Gateway Layer) --HTTP--> API (JSON/XML/*L)]

"All problems in computer science can be solved by another level of indirection." – David Wheeler
"...except for the problem of too many layers of indirection." – Kevlin Henney
New Developer AuthN Requirements

API & Mobile Authentication Mechanisms (Consumer & BYOD)
Authenticating Credential -> Secret
• API Key -> API Key
• API Key -> Shared Secret
• OAuth Consumer Key -> OAuth Consumer Secret
• Username -> Password
• Username -> One-time Password

Enterprise Authentication Mechanisms (Existing Enterprise IDM systems)
Authenticating Credential -> Secret
• Username -> Password
• Certificate -> Private Key
• Kerberos Ticket -> Password
• SAML Assertion -> Password or Private Key
• Username -> One-time Password

[Diagram: the two tables side by side with a “?” between them, labelled “Consumer & BYOD” on the left and “Existing Enterprise IDM systems” on the right]

Enterprises can’t afford another identity silo
“New” 3-Tier Architecture

[Diagram: HTML5 & Native Apps -> Load Balancer -> API Governance, Management and Security (Delivery & Governance Tier) -> Load Balancer -> APIs (Data Service Layer) -> Load Balancer -> Database Master with Database slaves 1..N (Persistence Tier), annotated per tier as follows]

HTML5 & Native Apps
• Low development costs – HTML5/JavaScript programming
• Rich UI with access to native device features
• Stateless synchronous API calls
• Full-duplex communications (Websockets)
• Step-up authentication, including OAuth and Enterprise login support
• Transport level security

Delivery & Governance Tier (API Governance, Management and Security)
• Massive scalability for millions of devices
• Hardware or software
• Enforces OAuth/API key authentication
• Supports synchronous API calls and Websockets
• SSL/TLS Acceleration
• PII/PCI data protection on inbound/outbound data
• Perimeter security, threat defense
• Enterprise IDM support, LDAP/AD
• Dynamic API key security for HTML5
• JSONP and CORS support

Data Service Layer (APIs)
• APIs serve application data, and responses
• Can be in legacy formats – XML, SOAP, binary, text
• Any protocol, HTTP/SOAP, JMS, FTP, Raw TCP

Persistence Tier
• Enterprise persistency tier – RDBMS or NoSQL
• Generally interfaces with application server
• Can serve data directly through the service gateway
Build it now or it will come… (1 of 2)
[Image: Yammer Architecture]

Build it now or it will come… (2 of 2)
[Image: LiveOps Architecture]
Why HTML5 Is Great for Apps
HTML5 is Advanced
• Proven web technologies with advanced features
• Intel takes HTML5 further with new APIs and Parallel JavaScript*

HTML5 is Open
• Built on open web technologies and W3C standards
• More than two million HTML5 developers worldwide
• Intel advances HTML5 via open source projects and the W3C

HTML5 is Everywhere
• More than one billion mobile devices with HTML5 browsers in 2013
• 40% app developers use HTML5 today, another 40% plan to in the future

Create Apps Faster, Better and at Lower Cost
Cross-origin Resource Sharing (CORS)

[Diagram: a page on Domain A calls API A1 on Domain A and API B on Domain B; the call to Domain B needs CORS support]

• CORS – Standards based, W3C protocol, meant to replace JSONP
• Client is allowed to share resources from one page to another in the same domain.
• But a page is restricted from accessing resources from other domains.
• Meant to protect the client; Server can allow origins
Client: (XmlHttpRequest2 or XDomainRequest)
Server: Access-Control-Allow-Origin: <domains>
Use the CORS protocol to control client access across servers in multiple domains
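Added example (not code from the talk or from Intel) of the gateway-side "Server can allow origins" step: an exact-match origin allowlist for the API on Domain A that answers both simple requests and preflights, refuses to echo unknown origins, and cannot be configured with a wildcard plus credentials. The origin names are constructed for the example.

```python
"""Gateway-side CORS allowlist (constructed example, not the talk's code)."""
from urllib.parse import urlsplit

# Constructed sample: the API is served from Domain A; only the HTML5 app
# hosted on Domain B (default port or 8443) may call it cross-origin.
ALLOWED_ORIGINS = ["https://app.domain-b.example",
                   "https://app.domain-b.example:8443"]


def normalize_origin(origin: str) -> str:
    """Canonicalise a serialized origin (scheme://host[:port]); raise ValueError otherwise.

    Paths, query strings, userinfo, the literal 'null' origin and '*' are all
    rejected here, so none of them can ever equal an allowlist entry.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    if (not parts.hostname or parts.path or parts.query or parts.fragment
            or parts.username is not None):
        raise ValueError("not a bare origin")
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port  # raises ValueError on a malformed port
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


class CorsPolicy:
    """Decides which Access-Control-* headers, if any, a response may carry."""

    def __init__(self, allowed_origins, allow_credentials=False,
                 allowed_methods=("GET", "POST"),
                 allowed_headers=("Content-Type", "Authorization"), max_age=600):
        # normalize_origin() refuses "*", so a wildcard can never be combined
        # with allow_credentials=True (browsers reject that pairing anyway).
        self.allowed = {normalize_origin(o) for o in allowed_origins}
        self.allow_credentials = allow_credentials
        self.allowed_methods = {m.upper() for m in allowed_methods}
        self.allowed_headers = {h.lower() for h in allowed_headers}
        self.max_age = max_age

    def origin_allowed(self, origin: str) -> bool:
        """Exact match after canonicalisation; no substring or prefix matching."""
        try:
            return normalize_origin(origin) in self.allowed
        except ValueError:
            return False

    def cors_headers(self, method: str, headers: dict) -> dict:
        """Return the CORS response headers for one request.

        `headers` maps request header names (canonical spelling) to values.
        An empty dict means "add nothing": without Access-Control-Allow-Origin
        the browser blocks the cross-origin page from reading the response.
        """
        origin = headers.get("Origin")
        if origin is None:
            return {}  # same-origin or non-browser client: CORS does not apply
        if not self.origin_allowed(origin):
            return {}  # never echo an unknown Origin back
        out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if self.allow_credentials:
            out["Access-Control-Allow-Credentials"] = "true"
        requested = headers.get("Access-Control-Request-Method")
        if method.upper() == "OPTIONS" and requested is not None:
            # Preflight: the browser asks permission before a non-simple request.
            if requested.upper() not in self.allowed_methods:
                return {}
            wanted = [h.strip().lower()
                      for h in headers.get("Access-Control-Request-Headers", "").split(",")
                      if h.strip()]
            if any(h not in self.allowed_headers for h in wanted):
                return {}
            out["Access-Control-Allow-Methods"] = ", ".join(sorted(self.allowed_methods))
            out["Access-Control-Allow-Headers"] = ", ".join(sorted(self.allowed_headers))
            out["Access-Control-Max-Age"] = str(self.max_age)
        return out


# Credentialed calls from the Domain B app are allowed; everything else gets no CORS headers.
POLICY = CorsPolicy(ALLOWED_ORIGINS, allow_credentials=True)
```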
HTML5 Websocket

Websockets
• Full duplex communication with a persistent socket connection
• Replaces HTTP half-duplex communication
• Dramatically reduces overhead compared to polling (as much as 2K per HTTP response)

• Sounds good, but what about tradeoffs?
  • Lack of header information changes the security model – message level security no longer possible
  • More emphasis on SSL/TLS acceleration and enforcement
  • Requires authentication during “connection upgrade”
    • Can be done against Enterprise identity management systems
  • Drives increased need for perimeter defense, content scanning
  • Establishes requirements on load balancers for stickiness
HTML5 API Key Security

HTML5 Application Deployment Model
[Diagram: HTTP Request from the client to the Server, which returns the HTML5/JavaScript application]

API Key Security Concern
• HTML5 apps are pushed to the client, including all API keys
• API Keys for cross-platform requests will be distributed to all clients
• Clients can view source to obtain API keys
• Solution #1: Obfuscate API key – may work for low value APIs
• Solution #2: Replace API key with function call to API layer for step-up authentication
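Added example (not the talk's code) that ties Solution #2 to the WebSocket "authentication during connection upgrade" point above: the API layer issues a short-lived, origin-bound token after step-up authentication, so no static API key ships in the HTML5 bundle, and the gateway checks that token together with the Origin header while deciding the upgrade. The secret, the origin, the "bearer, <token>" subprotocol convention and the X-Authenticated-User header are assumptions for the example; the enterprise IDM lookup is assumed to have already succeeded.

```python
"""Step-up token issued by the API layer, checked at the WebSocket upgrade (constructed example)."""
import base64
import hashlib
import hmac

# Constructed for this example: the signing key exists only on the gateway
# (it never ships inside the HTML5 bundle), and only this origin may open sockets.
GATEWAY_SECRET = b"example-gateway-signing-key-rotate-me"
ALLOWED_ORIGINS = {"https://app.example"}
TOKEN_TTL = 900  # seconds; deliberately short-lived
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # handshake constant from RFC 6455


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, origin: str, now: float) -> str:
    """Mint a short-lived token bound to one user and one page origin.

    The gateway calls this after step-up authentication against the enterprise
    IDM has succeeded (that lookup is assumed to have happened already). The
    HTML5 app fetches the token at run time instead of embedding a static key.
    """
    payload = f"{user}|{origin}|{int(now) + TOKEN_TTL}".encode()
    sig = hmac.new(GATEWAY_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, origin: str, now: float):
    """Return the user name if the token is valid for this origin now, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
        expected = hmac.new(GATEWAY_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        user, bound_origin, exp = payload.decode().split("|")
        expires = int(exp)
    except (ValueError, UnicodeDecodeError):
        return None
    if bound_origin != origin or expires <= now:
        return None
    return user


def authorize_upgrade(headers: dict, now: float):
    """Decide an HTTP -> WebSocket upgrade at the gateway.

    `headers` holds the request headers keyed by canonical name. Browsers
    cannot attach custom headers to a WebSocket handshake, so the token rides
    in Sec-WebSocket-Protocol as "bearer, <token>" (a convention assumed here).
    Returns (HTTP status, response headers).
    """
    if headers.get("Upgrade", "").lower() != "websocket":
        return 400, {}
    if headers.get("Sec-WebSocket-Version") != "13":
        return 426, {"Sec-WebSocket-Version": "13"}
    origin = headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return 403, {}  # sockets get no CORS: the Origin check is the cross-site guard
    protos = [p.strip() for p in headers.get("Sec-WebSocket-Protocol", "").split(",")]
    if len(protos) != 2 or protos[0] != "bearer":
        return 401, {}
    user = verify_token(protos[1], origin, now)
    if user is None:
        return 401, {}  # expired, forged, or bound to another origin
    key = headers.get("Sec-WebSocket-Key", "")
    accept = base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": accept,
        "Sec-WebSocket-Protocol": "bearer",
        "X-Authenticated-User": user,  # hypothetical header handed to the back-end API
    }
```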
Use Case: Conference Room Finder

Demo: Conference Room Finder
[Diagram: a Siloed Corp App and Legacy Heat Sensor Data feed a Mashup API; BYOD Demands Architecture]

Enterprise Conference Room Application

More Related Content

Viewers also liked

Plan de Negocios de un campo deportivo
Plan de Negocios de un campo deportivoPlan de Negocios de un campo deportivo
Plan de Negocios de un campo deportivoJorge Aparicio
 
Bunaken Island | Nov-15 | Various new and renewable energies, (Kebijakan dan ...
Bunaken Island | Nov-15 | Various new and renewable energies, (Kebijakan dan ...Bunaken Island | Nov-15 | Various new and renewable energies, (Kebijakan dan ...
Bunaken Island | Nov-15 | Various new and renewable energies, (Kebijakan dan ...Smart Villages
 
3 Tier Architecture
3 Tier Architecture3 Tier Architecture
3 Tier Architectureguestd0cc01
 
Arquitectura 3 Capas
Arquitectura 3 CapasArquitectura 3 Capas
Arquitectura 3 CapasFani Calle
 
Architectures n-tiers
Architectures n-tiersArchitectures n-tiers
Architectures n-tiersHeithem Abbes
 
Open Data. (Re)Définir les services publics digitaux
Open Data. (Re)Définir les services publics digitauxOpen Data. (Re)Définir les services publics digitaux
Open Data. (Re)Définir les services publics digitauxAgence du Numérique (AdN)
 
Figaronron - Chimay 2007 (Partie 02)
Figaronron - Chimay 2007 (Partie 02)Figaronron - Chimay 2007 (Partie 02)
Figaronron - Chimay 2007 (Partie 02)Figaronron Figaronron
 

Viewers also liked (9)

Plan de Negocios de un campo deportivo
Plan de Negocios de un campo deportivoPlan de Negocios de un campo deportivo
Plan de Negocios de un campo deportivo
 
Hojas de calculo libres y comerciales y basadas en la web.
Hojas de calculo libres y comerciales y basadas en la web.Hojas de calculo libres y comerciales y basadas en la web.
Hojas de calculo libres y comerciales y basadas en la web.
 
Bunaken Island | Nov-15 | Various new and renewable energies, (Kebijakan dan ...
Bunaken Island | Nov-15 | Various new and renewable energies, (Kebijakan dan ...Bunaken Island | Nov-15 | Various new and renewable energies, (Kebijakan dan ...
Bunaken Island | Nov-15 | Various new and renewable energies, (Kebijakan dan ...
 
BDD-Driven Microservices
BDD-Driven MicroservicesBDD-Driven Microservices
BDD-Driven Microservices
 
3 Tier Architecture
3 Tier Architecture3 Tier Architecture
3 Tier Architecture
 
Arquitectura 3 Capas
Arquitectura 3 CapasArquitectura 3 Capas
Arquitectura 3 Capas
 
Architectures n-tiers
Architectures n-tiersArchitectures n-tiers
Architectures n-tiers
 
Open Data. (Re)Définir les services publics digitaux
Open Data. (Re)Définir les services publics digitauxOpen Data. (Re)Définir les services publics digitaux
Open Data. (Re)Définir les services publics digitaux
 
Figaronron - Chimay 2007 (Partie 02)
Figaronron - Chimay 2007 (Partie 02)Figaronron - Chimay 2007 (Partie 02)
Figaronron - Chimay 2007 (Partie 02)
 

More from C4Media

Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoC4Media
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileC4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsC4Media
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 

More from C4Media (20)

Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live Video
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy Mobile
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java Applications
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No Keeper
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like Owners
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate Guide
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CD
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine Learning
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at Speed
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep Systems
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.js
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly Compiler
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix Scale
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's Edge
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home Everywhere
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing For
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data Engineering
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
 

Recently uploaded

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

The Magic Behind Enterprise Apps: How to Expose Reliable, Scalable and Secure Enterprise APIs?

  • 1. The Magic Behind Enterprise Apps: How to expose Reliable, Scalable and Secure Enterprise APIs. Blake Dournaee Senior Product Manager Intel Data Center Software Division Intel Confidential — Do Not Forward
  • 2. Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations /reliability-security-enterprise-api InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month
  • 3. Presented at QCon San Francisco www.qconsf.com Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide
  • 4. Warning: This talk is not “sexy” ….but it may make your life easier 2
  • 5. Coding at home versus coding at work Enterprise Developer Independent Developer • • • • • • • • • • • Open source & low cost tooling Organic software development process Coolest programming language Code for fun and or profit No legal department Minimum security & compliance No “legacy” applications Complete creative control Lower or zero risk adversity Sole developer or small team Liberal use of “aaS” services • • • • • • • • • • • Mix of licensed software and open source Formalized software development process Incumbent programming languages Code for a living Legal department Formalized security & compliance “Legacy” applications Restricted creative control Higher risk adversity Larger development team Deliberate use of “aaS” services 3
  • 6. Enterprise Apps Come From APIs
    How do you package valuable internal data & services for internal, partner, and external developer-community app creation?
    [Diagram: cross-platform apps and legacy data joined through an API]
  • 7. Enterprises Have Unique Requirements for Mobile Enablement
    Trying to get a mobile project going at your Enterprise? Does this look familiar?
    • Disparate middleware and database technologies
    • Disparate identity management silos
    • Disparate programming languages
    • Current architecture optimized for web browsers
    • Vertical integration prohibits cloud outsourcing
    • Inconsistent security model across domains
    • PII/PCI compliance requirements?
    On top of this you want:
    • BYOD – any device
    • Native application features & feel
    • Low development & maintenance costs
    • Fast time to market
    • Robust security for Enterprise data
  • 8. Mobile Enablement is Expensive
    • Our mobile reality is fragmented – iPhone, Android, Windows, Blackberry
    • Multiple versions of everything
    • Competing programming languages
    • Competing devices and ecosystems
    • How can Enterprises reduce cost drivers? Two ways: a standards-based way to …
      • write portable mobile apps
      • make data available to those apps
    So… where are most Enterprises today in this journey?
  • 9. Traditional 3-Tier Architecture
    [Diagram: Browser -> Load Balancer -> Web servers (Presentation Tier) -> Load Balancer -> App servers (Logic/Application Tier) -> Load Balancer -> Database master, Database slave 1 … slave N (Persistence Tier)]
    3-Tier Shared Nothing Architecture
    • Most common architecture, widely deployed
    • Gold standard, developed as a result of the web revolution
    • Problem: Designed primarily for HTML web browsers, not mobile apps
    Image borrowed from Software Engineering for Software as a Service; Coursera course by Armando Fox, Dave Patterson
  • 10. What’s Happening – Two Approaches Emerging
    • Build it: Hang APIs for mobile off my ESB
    • Outsource it: Buy a cloud service & outsource app creation (Back-end as a Service)
  • 11. Existing Approaches - Challenges
    ESB Approach - Challenges
    • Lack of perimeter security
    • Trust mediation, especially for legacy systems
    • Scalability
    • Resource protection
    • High costs of success*
    Outsourced Approach - Challenges
    • Loss of control
    • Vendor / SDK lock-in
    • Data portability
    • Development costs
    • Secure cloud brokering
    • Requires new business relationships
    Is there another way?
  • 12. Wait a Minute….
    • Mobile apps thin the server business logic
    • Processing is pushed to the client
    • Client / Server? Crap… We’re back to Client / Server
    • Almost…
  • 13. 2-Tier, App-Optimized Architecture
    [Diagram: HTML5 & Native Apps -> Load Balancer -> APIs (Data Services and Delivery Layer) -> Load Balancer -> Database master, Database slave 1 … slave N (Persistence Tier)]
    2-Tier Data Services (API) Architecture
    • Emerging standard for app enablement
    • Pushes view/presentation to the client side
    • Enterprise data is made available through a data service layer
  • 14. “New” 3-Tier Architecture
    [Diagram: HTML5 & Native Apps -> Load Balancer -> API Governance, Management and Security (Delivery & Governance Tier) -> Load Balancer -> APIs (Data Service Layer) -> Load Balancer -> Database master, Database slave 1 … slave N (Persistence Tier)]
    3-Tier API-optimized architecture
    • Emerging standard for app enablement
    • Pushes view/presentation to the client side
    • Delivery tier focuses on integration, mediation, and security instead
  • 15. Proxy Design Pattern
    When:
    • Architectural best practice for API or web services communication
    • Product agnostic
    • Relies on indirection to solve security, performance and management problems
    • Ideal for application-to-application traffic
    [Diagram: Client -(HTTP, JSON)-> Gateway (Governance Layer) -(HTTP, JSON/XML/*L)-> API]
    “All problems in computer science can be solved by another level of indirection” – David Wheeler
    “...except for the problem of too many layers of indirection.” – Kevlin Henney
  • 16. New Developer AuthN Requirements
    API & Mobile Authentication Mechanisms (Consumer & BYOD) – Authenticating Credential / Secret:
    • API Key / API Key
    • API Key / Shared Secret
    • OAuth Consumer Key / OAuth Consumer Secret
    • Username / Password
    • Username / One-time Password
    Enterprise Authentication Mechanisms (Existing Enterprise IDM systems) – Authenticating Credential / Secret:
    • Username / Password
    • Certificate / Private Key
    • Kerberos Ticket / Password
    • SAML Assertion / Password or Private Key
    • Username / One-time Password
    The open question (?) is how to map the first set onto the second: Enterprises can’t afford another identity silo
  • 17. “New” 3-Tier Architecture
    [Diagram: HTML5 & Native Apps -> Load Balancer -> API Governance, Management and Security (Delivery & Governance Tier) -> Load Balancer -> APIs (Data Service Layer) -> Load Balancer -> Database master, Database slave 1 … slave N (Persistence Tier)]
    HTML5 & Native Apps:
    • Low development costs
    • HTML5/JavaScript programming
    • Rich UI with access to native device features
    • Stateless synchronous API calls
    • Full-duplex communications (Websockets)
    • Step-up authentication, including OAuth and Enterprise login support
    • Transport level security
    Delivery & Governance Tier (API Governance, Management and Security):
    • Massive scalability for millions of devices
    • Hardware or software
    • Enforces OAuth/API key authentication
    • Supports synchronous API calls and Websockets
    • SSL/TLS acceleration
    • PII/PCI data protection on inbound/outbound data
    • Perimeter security, threat defense
    • Enterprise IDM support, LDAP/AD
    • Dynamic API key security for HTML5
    • JSONP and CORS support
    Data Service Layer (APIs):
    • APIs serve application data and responses
    • Can be in legacy formats – XML, SOAP, binary, text
    • Any protocol: HTTP/SOAP, JMS, FTP, raw TCP
    Persistence Tier:
    • Enterprise persistence tier – RDBMS or NoSQL
    • Generally interfaces with the application server
    • Can serve data directly through the service gateway
  • 18. Build it now or it will come… (1 of 2): Yammer Architecture
  • 19. Build it now or it will come… (2 of 2): LiveOps Architecture
  • 20. Why HTML5 Is Great for Apps
    HTML5 is Advanced
    • Proven web technologies with advanced features
    • Intel takes HTML5 further with new APIs and Parallel JavaScript*
    HTML5 is Open
    • Built on open web technologies and W3C standards
    • More than two million HTML5 developers worldwide
    • Intel advances HTML5 via open source projects and the W3C
    HTML5 is Everywhere
    • More than one billion mobile devices with HTML5 browsers in 2013
    • 40% of app developers use HTML5 today, another 40% plan to in the future
    Create Apps Faster, Better and at Lower Cost
  • 21. Cross-origin Resource Sharing (CORS)
    [Diagram: a client on Domain A calling API A1 on Domain A and API B on Domain B; the call to Domain B needs CORS support]
    • CORS – Standards based, W3C protocol, meant to replace JSONP
    • The browser’s same-origin policy lets a page read resources served from its own domain, but blocks it from reading resources served by other domains
    • Meant to protect the client; the server can allow specific origins
    • Client: XMLHttpRequest Level 2 (or XDomainRequest on older Internet Explorer)
    • Server: Access-Control-Allow-Origin: <domains>
    Use the CORS protocol to control client access across servers in multiple domains
  • 22. HTML5 Websocket
    Websockets
    • Full-duplex communication over a persistent socket connection
    • Replaces HTTP’s half-duplex request/response exchange
    • Dramatically reduces overhead compared to polling (as much as 2K of headers per HTTP response)
    • Sounds good, but what about the tradeoffs?
    • After the upgrade, frames carry no HTTP headers, which changes the security model: per-request, header-based authentication and policy are no longer available
    • More emphasis on SSL/TLS acceleration and enforcement
    • Requires authentication during the “connection upgrade”
    • Can be done against Enterprise identity management systems
    • Drives increased need for perimeter defense and content scanning
    • Establishes requirements on load balancers for stickiness
  • 23. HTML5 API Key Security
    HTML5 Application Deployment Model: [Diagram: the server pushes the HTML5/JavaScript app to the client over HTTP, and the API key travels with it]
    API Key Security Concern
    • HTML5 apps are pushed to the client, including all API keys
    • API keys for cross-platform requests will be distributed to all clients
    • Clients can view source to obtain API keys
    • Solution #1: Obfuscate the API key – may work for low-value APIs, but obfuscation only raises the effort; the key is still recoverable from the shipped code
    • Solution #2: Replace the API key with a function call to the API layer for step-up authentication
  • 24. Use Case: Conference Room Finder
  • 25. Demo: Conference Room Finder
    [Diagram: siloed corporate app and legacy heat sensor data combined in a mashup API, driven by BYOD demands]