Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1cM9vrh.
Blake Dournaee covers the often forgotten back-end architecture for mobile apps which should expose cross-platform APIs to mitigate some of the effects of mobile O/S fragmentation. Filmed at qconsf.com.
Blake Dournaee is currently the Sr. Product Manager responsible for Intel Expressway line of API Gateway and Data Protection software products. Blake was a specialist in applied cryptography applications at RSA Security and a frequent speaker at API & PCI-DSS conferences throughout the US and Europe.
The Magic Behind Enterprise Apps: How to Expose Reliable, Scalable and Secure Enterprise APIs?
1. The Magic Behind Enterprise Apps: How to Expose Reliable, Scalable and Secure Enterprise APIs.
Blake Dournaee
Senior Product Manager
Intel Data Center Software Division
Intel Confidential — Do Not Forward
2. Watch the video with slide synchronization on InfoQ.com: http://www.infoq.com/presentations/reliability-security-enterprise-api
3. Presented at QCon San Francisco (www.qconsf.com)
5. Coding at home versus coding at work
Independent Developer
• Open source & low cost tooling
• Organic software development process
• Coolest programming language
• Code for fun and/or profit
• No legal department
• Minimum security & compliance
• No “legacy” applications
• Complete creative control
• Lower or zero risk aversion
• Sole developer or small team
• Liberal use of “aaS” services
Enterprise Developer
• Mix of licensed software and open source
• Formalized software development process
• Incumbent programming languages
• Code for a living
• Legal department
• Formalized security & compliance
• “Legacy” applications
• Restricted creative control
• Higher risk aversion
• Larger development team
• Deliberate use of “aaS” services
6. Enterprise Apps Come From APIs
How do you package valuable internal data & services for internal, partner, and external dev. community app creation?
[Diagram: an API layer sitting between legacy data and cross-platform apps]
7. Enterprises Have Unique Requirements for Mobile Enablement
Trying to get a mobile project going at your Enterprise? Does this look familiar?
• Disparate middleware and database technologies
• Disparate identity management silos
• Disparate programming languages
• Current architecture optimized for web browsers
• Vertical integration prohibits cloud outsourcing
• Inconsistent security model across domains
• PII/PCI compliance requirements?
On top of this you want:
• BYOD – Any device
• Native application features & feel
• Low development & maintenance costs
• Fast time to market
• Robust security for Enterprise data
8. Mobile Enablement is Expensive
• Our mobile reality is fragmented – iPhone, Android, Windows, Blackberry
• Multiple versions of everything
• Competing programming languages
• Competing devices and ecosystems
• How can Enterprises reduce cost drivers?
Two Ways:
• A standards-based way to …
  • write portable mobile apps
  • make data available to those apps
So… where are most Enterprises today in this journey?
9. Traditional 3-Tier Architecture
[Diagram: Presentation Tier (Browser → Load Balancer → Web servers), Logic (application) Tier (Load Balancer → App servers), Persistence Tier (Load Balancer → Database master and slaves 1..N)]
3-Tier Shared Nothing Architecture
• Most common architecture, widely deployed
• Gold standard, developed as a result of the web revolution
• Problem: Designed primarily for HTML web browsers, not mobile apps
Image borrowed from Software Engineering for Software as a Service; Coursera course by Armando Fox, Dave Patterson
10. What’s Happening – Two Approaches Emerging
• Build it: hang APIs for mobile off my ESB
• Outsource it: buy a cloud service & outsource app creation (Back-end as a Service)
11. Existing Approaches - Challenges
ESB Approach - Challenges
• Lack of Perimeter Security
• Trust mediation, especially for legacy systems
• Scalability
• Resource protection
• High costs of success*
Outsourced Approach - Challenges
• Loss of Control
• Vendor / SDK Lock-in
• Data Portability
• Development Costs
• Secure cloud brokering
• Requires new business relationships
Is there another way?
12. Wait a Minute….
Mobile apps thin the server business logic
Processing is pushed to the client
Client / Server? Crap… We’re back to Client / Server
Almost…
13. 2-Tier, App-Optimized Architecture
[Diagram: HTML5 & Native Apps → Load Balancer → APIs (Data Services and Delivery Layer) → Load Balancer → Database master and slaves 1..N (Persistence Tier)]
2-Tier Data Services (API) Architecture
• Emerging standard for app enablement
• Pushes view/presentation to client side
• Enterprise Data is made available through a data service layer
14. “New” 3-Tier Architecture
[Diagram: HTML5 & Native Apps → Load Balancer → API Governance, Management and Security (Delivery & Governance Tier) → Load Balancer → APIs (Data Service Layer) → Load Balancer → Database master and slaves 1..N (Persistence Tier)]
3-Tier API-optimized architecture
• Emerging standard for app enablement
• Pushes view/presentation to client side
• Delivery tier focuses on integration, mediation, and security instead
15. Proxy Design Pattern
When
• Architectural best practice for API or web services communication
• Product agnostic
• Relies on indirection to solve security, performance and management problems
• Ideal for application to application traffic
[Diagram: Client sends HTTP/JSON to the Governance Gateway Layer, which forwards HTTP carrying JSON/XML/*L to the API]
“All problems in computer science can be solved by another level of indirection.” – David Wheeler
“...except for the problem of too many layers of indirection.” – Kevlin Henney
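The indirection the proxy pattern buys is easiest to see in code. The following is an added example written for this page, not code from the talk or from any Intel product: a gateway function that maps a client's public request onto an internal service, forwards only an allowlist of headers, and refuses anything outside its route table, so the client never learns backend hosts, paths or server software. Every host, path, header name and address in it is constructed for the example.

```javascript
// Hypothetical route table: public prefix -> internal service. Only these are reachable.
const ROUTES = [
  { publicPrefix: '/api/v1/orders',  backend: 'http://orders.internal:8080',  methods: ['GET', 'POST'] },
  { publicPrefix: '/api/v1/catalog', backend: 'http://catalog.internal:8080', methods: ['GET'] },
];

// Request headers the gateway forwards to a backend. Everything else (cookies for
// other apps, hop-by-hop headers, client-supplied X-Forwarded-*) is dropped.
const FORWARD_REQUEST_HEADERS = new Set(['content-type', 'accept', 'authorization']);
// Response headers the gateway strips so backend identity does not leak to clients.
const STRIP_RESPONSE_HEADERS = new Set(['server', 'x-powered-by', 'x-internal-trace']);

// Maps an inbound client request { method, path, headers } to the backend request
// the gateway will make, or returns { error: status } so the client learns nothing
// about what sits behind the gateway. clientIp/requestId would come from the
// connection and a generator in a real gateway; constructed defaults here.
function mediateRequest(req, routes = ROUTES, clientIp = '203.0.113.7', requestId = 'req-constructed-1') {
  const pathOnly = req.path.split('?')[0];
  // Reject traversal-looking paths before route matching rather than after.
  if (pathOnly.includes('..') || pathOnly.includes('//')) return { error: 400 };
  const route = routes.find(r => pathOnly === r.publicPrefix || pathOnly.startsWith(r.publicPrefix + '/'));
  if (!route) return { error: 404 };
  if (!route.methods.includes(req.method)) return { error: 405 };

  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lower = name.toLowerCase();
    if (FORWARD_REQUEST_HEADERS.has(lower)) headers[lower] = value;
  }
  // The gateway, not the client, asserts the forwarded-for address and correlation id.
  headers['x-forwarded-for'] = clientIp;
  headers['x-request-id'] = requestId;
  return { method: req.method, url: route.backend + req.path, headers };
}

// Filters a backend response { status, headers, body } before it leaves the gateway.
function mediateResponse(backendResp) {
  const headers = {};
  for (const [name, value] of Object.entries(backendResp.headers || {})) {
    const lower = name.toLowerCase();
    if (!STRIP_RESPONSE_HEADERS.has(lower)) headers[lower] = value;
  }
  return { status: backendResp.status, headers, body: backendResp.body };
}
```

The route table is the whole point: an endpoint that is not listed is unreachable from outside regardless of what the backend exposes, and header filtering in both directions is what lets the gateway, rather than each backend, own perimeter security.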
16. New Developer AuthN Requirements
API & Mobile Authentication Mechanisms (Consumer & BYOD)
Authenticating credential / Secret
• API Key / API Key
• API Key / Shared Secret
• OAuth Consumer Key / OAuth Consumer Secret
• Username / Password
• Username / One-time Password
Enterprise Authentication Mechanisms (Existing Enterprise IDM systems)
Authenticating credential / Secret
• Username / Password
• Certificate / Private Key
• Kerberos Ticket / Password
• SAML Assertion / Password or Private Key
• Username / One-time Password
? How do the two sets map onto each other? Enterprises can’t afford another identity silo
17. “New” 3-Tier Architecture
[Diagram: HTML5 & Native Apps → Load Balancer → API Governance, Management and Security (Delivery & Governance Tier) → Load Balancer → APIs (Data Service Layer) → Load Balancer → Database master and slaves 1..N (Persistence Tier)]
HTML5 & Native Apps
• Low development costs
• HTML5/JavaScript programming
• Rich UI with access to native device features
• Stateless synchronous API calls
• Full-duplex communications (Websockets)
• Step-up authentication, including OAuth and Enterprise login support
• Transport level security
Delivery & Governance Tier (API Governance, Management and Security)
• Massive scalability for millions of devices
• Hardware or software
• Enforces OAuth/API key authentication
• Supports synchronous API calls and Websockets
• SSL/TLS Acceleration
• PII/PCI data protection on inbound/outbound data
• Perimeter security, threat defense
• Enterprise IDM support, LDAP/AD
• Dynamic API key security for HTML5
• JSONP and CORS support
Data Service Layer (APIs)
• APIs serve application data and responses
• Can be in legacy formats – XML, SOAP, binary, text
• Any protocol, HTTP/SOAP, JMS, FTP, Raw TCP
Persistence Tier
• Enterprise persistency tier – RDBMS or NoSQL
• Generally interfaces with application server
• Can serve data directly through the service gateway
18. Build it now or it will come… (1 of 2)
[Diagram: Yammer Architecture]
19. Build it now or it will come… (2 of 2)
[Diagram: LiveOps Architecture]
20. Why HTML5 Is Great for Apps
HTML5 is Advanced
• Proven web technologies with advanced features
• Intel takes HTML5 further with new APIs and Parallel JavaScript*
HTML5 is Open
• Built on open web technologies and W3C standards
• More than two million HTML5 developers worldwide
• Intel advances HTML5 via open source projects and the W3C
HTML5 is Everywhere
• More than one billion mobile devices with HTML5 browsers in 2013
• 40% of app developers use HTML5 today, another 40% plan to in the future
Create Apps Faster, Better and at Lower Cost
21. Cross-origin Resource Sharing (CORS)
[Diagram: an app served from Domain A calling API A1 on Domain A and API B on Domain B; the call to Domain B needs CORS support]
• CORS – Standards based, W3C protocol, meant to replace JSONP
• A page is allowed to share resources with other pages in the same domain.
• A page is restricted from accessing resources from other domains.
• Meant to protect the client; the server can allow origins
Client: (XmlHttpRequest2 or XDomainRequest)
Server: Access-Control-Allow-Origin: <domains>
Use the CORS protocol to control client access across servers in multiple domains
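What “the server can allow origins” looks like at the gateway, as an added example written for this page (not code from the talk or from any Intel product): an explicit allowlist of app origins compared exactly, a preflight answered only for those origins, and the weak alternative of reflecting whatever Origin arrives shown alongside for contrast. The origins and requests are constructed.

```javascript
// Hypothetical allowlist of the origins that host the HTML5 app
// (scheme + host + port, compared exactly, never by substring).
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://m.example.com']);

// What NOT to do: reflecting the request's Origin unconditionally (or using "*")
// lets any site the user visits make cross-origin reads against the API.
function reflectAnyOrigin(headers) {
  return { 'Access-Control-Allow-Origin': headers['origin'], 'Access-Control-Allow-Credentials': 'true' };
}

// Decides the CORS response headers for one request.
// `headers`: request headers with lower-cased names.
// Returns { preflightStatus, headers }: preflightStatus is the status to answer an
// OPTIONS preflight with (204 allowed, 403 refused) and null for ordinary requests.
function corsHeaders(method, headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  const out = {};
  // No Origin header: same-origin page or a non-browser caller; nothing to add.
  if (!origin) return { preflightStatus: null, headers: out };

  const isPreflight = method === 'OPTIONS' && Boolean(headers['access-control-request-method']);
  if (!allowed.has(origin)) {
    // Unknown origin: emit no CORS headers at all; the browser then blocks the read.
    return { preflightStatus: isPreflight ? 403 : null, headers: out };
  }

  out['Access-Control-Allow-Origin'] = origin;
  // The response differs per origin, so shared caches must key on Origin.
  out['Vary'] = 'Origin';
  out['Access-Control-Allow-Credentials'] = 'true';
  if (isPreflight) {
    out['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    // Fixed list of permitted request headers, not echoed back from the request.
    out['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    out['Access-Control-Max-Age'] = '600';
    return { preflightStatus: 204, headers: out };
  }
  return { preflightStatus: null, headers: out };
}
```

Note that a disallowed origin gets no CORS headers rather than an error body: the browser enforces the block, and the response reveals nothing about which origins would have been accepted.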
22. HTML5 Websocket
Websockets
• Full duplex communication with a persistent socket connection
• Replaces HTTP half-duplex communication
• Dramatically reduces overhead compared to polling (as much as 2K per HTTP response)
• Sounds good, but what about tradeoffs?
  • Lack of header information changes the security model – message level security no longer possible
  • More emphasis on SSL/TLS acceleration and enforcement
  • Requires authentication during “connection upgrade”
  • Can be done against Enterprise identity management systems
  • Drives increased need for perimeter defense, content scanning
  • Establishes requirements on load balancers for stickiness
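Authentication “during connection upgrade” means the handshake is the last moment at which HTTP headers exist, so the gateway has to decide there. The following is an added example for this page, not code from the talk or from any Intel product: a check run on the upgrade request that confirms it really is a WebSocket upgrade, that the page Origin is one of ours, and that the caller holds a live session issued by the enterprise login flow, returning the HTTP status to send instead of 101 when any of that fails. The session store, allowed origin and handshake headers are constructed.

```javascript
// Hypothetical session store filled by the enterprise login flow (for instance
// after an LDAP/AD check): session id -> { user, expiresAt (ms since epoch) }.
const SESSIONS = new Map([
  ['sid-alice-1', { user: 'alice', expiresAt: 2000000000000 }],
  ['sid-stale',   { user: 'bob',   expiresAt: 1000000000000 }],
]);
// Origins whose pages may open sockets here. WebSockets are not covered by CORS,
// so this Origin check is the only browser-side origin control the gateway gets.
const ALLOWED_WS_ORIGINS = new Set(['https://app.example.com']);

// Pulls the session id out of the handshake. The browser WebSocket API cannot set
// an Authorization header, so browser apps send a cookie; native apps may send
// a Bearer token instead. Both are checked against the same store.
function sessionIdFrom(headers) {
  const bearer = /^Bearer\s+(\S+)$/.exec(headers['authorization'] || '');
  if (bearer) return bearer[1];
  const cookie = /(?:^|;\s*)sid=([^;]+)/.exec(headers['cookie'] || '');
  return cookie ? cookie[1] : null;
}

// `headers`: upgrade request headers with lower-cased names.
// Returns { accept: true, user } or { accept: false, status, reason }.
function authorizeUpgrade(headers, now = Date.now(), sessions = SESSIONS) {
  // 1. Must be a genuine WebSocket upgrade, not an ordinary request on the path.
  if ((headers['upgrade'] || '').toLowerCase() !== 'websocket' ||
      !/\bupgrade\b/i.test(headers['connection'] || '') ||
      !headers['sec-websocket-key']) {
    return { accept: false, status: 400, reason: 'not a websocket upgrade' };
  }
  // 2. Browsers always send Origin on a WebSocket handshake; refuse unknown pages.
  if (!ALLOWED_WS_ORIGINS.has(headers['origin'])) {
    return { accept: false, status: 403, reason: 'origin not allowed' };
  }
  // 3. A live session must be presented now; nothing can be checked later.
  const session = sessions.get(sessionIdFrom(headers));
  if (!session || session.expiresAt <= now) {
    return { accept: false, status: 401, reason: 'missing or expired session' };
  }
  return { accept: true, user: session.user };
}
```

Once the upgrade is accepted, the user identity established here is all the gateway has for the lifetime of the socket, which is why the slide also calls for sticky load balancing: the node that authorized the connection is the one that knows who is on it.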
23. HTML5 API Key Security
HTML5 Application Deployment Model
[Diagram: the server delivers the HTML5/JavaScript application to the client in the HTTP response]
API Key Security Concern
• HTML5 apps are pushed to the client, including all API keys
• API Keys for cross-platform requests will be distributed to all clients
• Clients can view source to obtain API keys
• Solution #1: Obfuscate API key – may work for low value APIs
• Solution #2: Replace API key with function call to API layer for step-up authentication