7. Internet of Things
• Cloud / SaaS & Social
• Mobile Ubiquity
• Embedded, Wearable
• Smart Meters
• Industry Automation
• Home Automation
• Retail & Consumer Automation
11. Consequence
Traditional firewall and enterprise domain-based security cannot deal with Cloud, Mobile & IoT – Users, Applications or Devices.
FIREWALL → IDENTITY IS THE NEW PERIMETER
17. Password anti-pattern – Drawbacks
• 3rd party client stores user passwords
• Teaches users to be indiscriminate with passwords
• No multi-factor or federated authentication
• No granularity
• No differentiation
• No revocation
19. OAuth 2.0 Protocol Framework – Characteristics
• Secure API authorization
  – simple & standard, secure-enough (Bearer)
  – for desktop, mobile, web, IoT
• Delegated access
  – mitigates the password anti-pattern
• Issue tokens for granular access
  – without divulging your credentials
20. Intermezzo: Covert Redirect
Assume the following:
Open Redirect somewhere in RP website
+
RP website uses federated SSO for user login
+
SSO Token callback from IDP to website is configurable
=> Covert Redirect
Lesson: don’t forward messages that were meant for you to anyone else…
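The two checks that break the chain above, as an added example that is not part of the slide deck: on the IdP side, the callback (redirect_uri) must match a pre-registered value exactly rather than by host, and on the RP side, any "next"-style redirect parameter must be restricted to local paths so the site has no open redirect to chain. The client id `rp-web`, the registered callback URI and the crafted request below are constructed sample data, and the host-only check is shown only to contrast it with the exact-match check.

```python
"""Redirect validation for the Covert Redirect scenario (added example, standard library only)."""
from urllib.parse import urlparse

# Constructed sample data: the callback URIs a hypothetical client "rp-web"
# registered with the identity provider.
REGISTERED_REDIRECT_URIS = {
    "rp-web": {"https://rp.example.com/oauth/callback"},
}


def weak_redirect_uri_check(client_id, requested_uri):
    """The permissive IdP-side check that enables covert redirect: only the host must match,
    so any path on the RP, including an open-redirect endpoint, is accepted as callback."""
    requested_host = urlparse(requested_uri).netloc
    return any(urlparse(r).netloc == requested_host
               for r in REGISTERED_REDIRECT_URIS.get(client_id, ()))


def strict_redirect_uri_check(client_id, requested_uri):
    """The fix: exact string match (scheme, host, port, path, query) against the registered set."""
    return requested_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def is_safe_local_redirect(target):
    """RP-side guard for a post-login 'next' parameter: only absolute paths on this site are
    allowed, so the endpoint cannot be turned into an open redirect to a third party."""
    if not isinstance(target, str) or not target:
        return False
    # Backslashes and control characters are treated as separators by some browsers.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        return False  # absolute URL (https://..., javascript:, //host) would leave the site
    return target.startswith("/") and not target.startswith("//")


if __name__ == "__main__":
    crafted = "https://rp.example.com/redirect?next=https://attacker.example/"
    print("host-only check accepts crafted callback:", weak_redirect_uri_check("rp-web", crafted))
    print("exact-match check accepts crafted callback:", strict_redirect_uri_check("rp-web", crafted))
    print("local redirect to /account allowed:", is_safe_local_redirect("/account"))
```

The exact-match rule is the one the IdP can enforce on its own; the local-redirect rule removes the open redirect the whole scenario depends on, which is the slide's lesson applied to the RP.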
26. API Access – Methods
Client → Token → SOAP/REST API
• HTTP – basic/digest…
• SOAP – WS-Security/WS-Trust
• REST – ?
• Token-based
  – Obtain
  – Use
  – Validate
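The token-based method of slide 26 (obtain, use, validate) together with the OAuth 2.0 characteristics of slide 19 (granular scopes, revocation, no credentials exposed to the API), as an added example that is not code from the deck. It assumes an opaque bearer token issued by the authorization server and looked up by the resource server; the in-memory store, the one-hour lifetime and the subject and scope names are constructed for the example.

```python
"""Token-based API access: obtain, use, validate (added example, standard library only)."""
import hashlib
import secrets
import time

# Constructed in-memory store standing in for the authorization server's token database.
# Only a hash of each token is kept, so a copied database does not yield usable tokens.
TOKENS = {}  # sha256(token) -> {"sub", "scope", "exp", "revoked"}
TOKEN_TTL_SECONDS = 3600  # constructed lifetime for the example


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(subject, scopes, now=None):
    """Obtain: mint an opaque bearer token bound to a user and a granular scope set.
    The client never learns the user's password; it only ever holds this token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    TOKENS[_digest(token)] = {
        "sub": subject,
        "scope": frozenset(scopes),
        "exp": now + TOKEN_TTL_SECONDS,
        "revoked": False,
    }
    return token


def revoke_token(token):
    """Revocation: invalidate one token without touching any password or other tokens."""
    entry = TOKENS.get(_digest(token))
    if entry is not None:
        entry["revoked"] = True


def bearer_from_headers(headers):
    """Use: the client sends the token as 'Authorization: Bearer <token>' (RFC 6750).
    Returns the token string, or None if the header is missing or uses another scheme."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        return None
    return credential.strip()


def validate_token(token, required_scope, now=None):
    """Validate: the resource server checks existence, revocation, expiry and scope.
    Returns the subject on success, or None; the caller answers 401/403 on None."""
    now = time.time() if now is None else now
    if not token:
        return None
    entry = TOKENS.get(_digest(token))
    if entry is None or entry["revoked"] or now >= entry["exp"]:
        return None
    if required_scope not in entry["scope"]:
        return None  # token is valid but not granted this scope
    return entry["sub"]


if __name__ == "__main__":
    t = issue_token("alice", ["read:profile"])
    request_headers = {"Authorization": "Bearer " + t}
    print("read:profile ->", validate_token(bearer_from_headers(request_headers), "read:profile"))
    print("write:profile ->", validate_token(bearer_from_headers(request_headers), "write:profile"))
    revoke_token(t)
    print("after revocation ->", validate_token(t, "read:profile"))
```

Each of the three drawbacks the password anti-pattern slide names is answered by one function here: scope gives granularity, per-token records give differentiation between clients, and `revoke_token` gives revocation; the password itself never reaches the client or the API.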
27. SAML and OpenID Connect
SAML:
• Separate protocols for SSO and API security
• Heavyweight – in payload and processing
• Complex – develop and manage
• Manual trust bootstrapping and certificate management
OpenID Connect:
• SSO and API security in one
• Lightweight – mobile
• Simple – developer friendly
• Auto client registration and key management
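What "SSO and API security in one" means on the relying-party side is that the same OAuth 2.0 response that carries the API access token also carries a signed ID token, and the RP establishes the login by validating that token's signature and claims. The validator below is an added example, not the deck's or any library's code; it assumes an HS256 client secret obtained at registration (real providers usually sign with RS256 and publish keys at a JWKS endpoint, which is the "key management" point on the slide), and the issuer, client id, secret and claims are constructed.

```python
"""OpenID Connect ID token validation as an RP performs it (added example, standard library only)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for what the RP obtained at client registration.
CLIENT_SECRET = b"constructed-client-secret"
EXPECTED_ISSUER = "https://idp.example.com"
CLIENT_ID = "rp-web"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, key=CLIENT_SECRET, alg="HS256"):
    """Mint an HMAC-SHA256 signed JWT. Stands in for the IdP so the validator runs offline;
    the 'alg' parameter only changes the header, so the validator's pinning can be exercised."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token, expected_nonce, now=None, key=CLIENT_SECRET):
    """Return the claims if signature, issuer, audience, expiry and nonce all check out, else None.
    The algorithm is pinned and the signature is verified before any claim is trusted."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # rejects alg=none and algorithm-confusion attempts
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None  # malformed token, bad base64 or bad JSON
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != EXPECTED_ISSUER:
        return None
    aud = claims.get("aud")  # 'aud' may be a string or a list of client ids
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None
    if claims.get("nonce") != expected_nonce:
        return None  # nonce binds the token to the login request that started this session
    return claims


if __name__ == "__main__":
    sample = {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": CLIENT_ID,
              "exp": int(time.time()) + 300, "iat": int(time.time()), "nonce": "n1"}
    print("valid token ->", validate_id_token(make_id_token(sample), "n1"))
    print("wrong nonce ->", validate_id_token(make_id_token(sample), "n2"))
```

The order matters: a token whose signature fails is discarded before its issuer, audience or subject are read, and the nonce check ties the SSO response to the browser session that initiated it, which is the same "don't accept messages meant for someone else" principle as the covert redirect lesson.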
Editor's Notes
Deprecated way of dealing with API access: hand out your password to a client or third-party service.
Bad: stores password, indiscriminate, no multi-factor, no granularity, no differentiation, no revocation.
Need something better.
Enter OAuth 2.0: a protocol for secure API authorization.
Simple standard or framework, based on REST and JSON, meant for the mobile web world.
Delegated authorization: tokens are issued, obtained and used to mitigate the password anti-pattern.
Granular, revocable access to specified parties, without exposing your credentials.
How would you secure web APIs:
SOAP: WS-Security
REST: nothing there yet until recently. Only passwords.
What we need is a token-based method to access APIs: will explain in the next slide.