In an API Economy, everyone and everything has an API. That means 26 billion APIs by the year 2015. What is your organization doing to prepare for this fundamental shift in IT infrastructure? In this webinar, KuppingerCole's Distinguished Analyst Craig Burton and Layer 7 Technologies CTO Scott Morrison explain the API Economy and the role of Identity for your organization.
2. Identity in an API Economy
The API Economy and SAML
• Introduction to the API Economy Ecosystem
• The Cambrian Explosion of Everything
• An API for Everyone and Everything
• Admin-based mapping is broken
• E2S (Entity to Service) automation—beyond SAML
• Summary
3. Identity in an API Economy
The API Economy
• The Five KuppingerCole API tenets
1. Everything and everyone will be API-enabled
2. The API Ecosystem is core to any cloud strategy
3. Baking core competency in an API-set is an economic imperative
4. Enterprise inside-out
5. Enterprise outside-in
4. The API Ecosystem
Understanding the API Ecosystem
• The API Ecosystem is divided into two types of API design
– The API Provider—the enterprise inside-out
– The API Consumer—the enterprise outside-in
5. The API Ecosystem
Understanding the API Ecosystem
• The API Provider—the enterprise inside-out
– API types
• Open APIs—published APIs for public consumption
• Dark APIs—unpublished APIs for closed consumption
• The API Consumer—the enterprise outside-in
– API types
• Open APIs—published APIs for public consumption
• Dark APIs—unpublished APIs for closed consumption
• Internal APIs—legacy applications with traditional information and resources
7. The API Ecosystem
Understanding the API Economy—Twitter unpacked
• 13 billion API calls a day
• 54 million+ calls an hour
• 900,000+ calls per minute
• 15,000+ calls per second
Twitter traffic drove 2012 Olympic Coverage—All API-driven
10. The API Ecosystem
API Growth Rate
• Open APIs
– We just hit the 7,000 API mark
– 8,000 by year end
– 16,000 by 2015
• Dark APIs
– Dark APIs grow at roughly 5x (+/-) the Open API growth rate
– 80,000 by 2015
11. The Cambrian Explosion of Everything
Growth In the Cambrian Era—unprecedented growth of life
12. The Cambrian Explosion of Everything
Apple’s numbers
• 400 million iOS devices
• 700,000 apps
• Average person uses 100+ apps per device
• 84 million iPads
• 68% market share in 2012
• 17 million iPads sold in April-June 2012
• More iPads than any PC vendor’s entire product line
• 94% of Fortune 500 are investing in or deploying iPads at work
13. The Cambrian Explosion of Everything
Cisco’s predictions and KC API tenet #1
• 2.8x devices per person on the planet by 2015
• 19.6b devices
• 7 billion people
• Tenet #1: Everyone and Everything is API-enabled
– 26.6 billion APIs
14. Broken Model
The Admin-based mapping model Is broken
• The identity model for ALL current SAML-based systems does not scale
• Identity model is Admin-based
• All entities are mapped to services by people (Admins)
• The Math
– Mapping 26.6 billion entities to just one service
– 640,000 admins 24 hours a day for 5 years
– Apple numbers 100+/10 apps per device
• Broken
15. Federation is evolving
Approach                                              IdPs  SPs  Type of IdP
1:1 – e.g. with a specific supplier                   1     1    Owned by federation partner
1:n – e.g. authN to many cloud services               1     n    Owned by company
n:1 – e.g. a service for many suppliers or            n     1    Owned by many federation partners
      cloud service customers
n:1 – e.g. supporting different logins                n     1    Owned by whomever – Facebook, enterprise, government (eID),…
n:n – reality, if you look at the big picture         n     n    Look at all the federations of your company and you have a mix
18. E2S Automation
e2s (Entity to Service) Automation—Beyond Admin-based SAML
• Scalable SAML will require automation
• Automation is enabled via APIs
• The future of e2s identity mapping must be API-based to meet today’s demand
– 400 million+ iOS devices
– 26.6 billion APIs
– These numbers are conservative
19. E2S Automation
e2s (Entity to Service) Automation—Beyond Admin-based SAML
• OpenID Connect is SAML’s API future
– Tractability unknown
– No vendor is using it for automation yet
– No vendor is doing e2s automation yet
• SCIM (System for Cross-domain Identity Management) is a potential e2s automation protocol
• Note: Salesforce Identity gives both of these standards a boost of reality.
20. Identity in the API Economy
Summary
• SAML will not support all use cases (but some)
• Other standards are not as mature
• That means:
– Don’t rely on an approach that is focused on traditional approaches
– Understand these approaches as a subset of the big picture
– Design your architecture for that big picture
– Start with the subset you need
– Look for technology which is built for (or whose suppliers are devoted to) the big picture
21. Identity, Access and Privacy Using SecureSpan
Simple, Scalable Solutions for OAuth, OpenID Connect, and SCIM
K. Scott Morrison
CTO
Oct 2012
22. The Old Enterprise
Formal and structured security & connectivity
• VPNs & proprietary protocols for thick clients
• HTTP(S) for browsers
• SOAP+WS-* for B2B
[Diagram] Enterprise network with line-of-business servers behind a firewall; road warriors connect over VPN, browser clients over SSL, formal trading partners over WS-Security.
23. The New Hybrid Enterprise
Highly agile security & connectivity: REST, OAuth, OpenID Connect, SCIM
[Diagram] Enterprise network with line-of-business servers and internal directories behind a firewall; client directories, mobile devices, clouds and informal, API-driven integrations connect from outside.
Recall: Change drivers are Social, Mobile & Cloud (from: CB)
24. The Hybrid Enterprise Is Made Possible By APIs
[Diagram] An API is a RESTful service: an API server consumed by a mobile app, a web client and a web app.
25. A Fundamental Shift is Occurring
[Diagram] The Old Enterprise → The New Hybrid Enterprise
This is the secret to achieving scale and agile federation
26. The Problem:
How do we bridge the gap between the need and a concrete implementation?
Issues
• Agility
• Scalability
• Distribution
27. First Consider The Foundation Technologies
OAuth: to get access to an API.
OpenID Connect: to share information about users.
SCIM: APIs for Identity Provisioning and Management Across Domains.
Now prioritize these considering maturity and available infrastructure
29. How to Make OAuth Easy
• Simple, drop-in virtual or hardware gateway
• Acts as both Authorization Server (AS) and Resource Server (RS)
• Advanced security on all APIs
• Threat detection, audit, QoS mgmt, etc
[Diagram] Mobile devices, clouds, webapps and informal, API-driven integrations reach a SecureSpan Gateway acting as AS at the firewall; inside the enterprise network a SecureSpan Gateway protects the RS (the protected resource) and the directory.
All Authorization Grants
➠ Authorization code
➠ Implicit
➠ Resource owner password credentials
➠ Client credentials
33. How to Make OAuth Web Scale
[Diagram] Internet clients → Firewall 1 → DMZ: SecureSpan Gateway cluster as AS → Firewall 2 → Secure zone: SecureSpan Gateway cluster protecting the RS, SecureSpan Gateway as Secure Token Store, directory, protected resource.
34. How to Make OAuth Scale – Architecture
[Diagram] Resource provider, split across Internet / DMZ / Internal (secure) network:
• API Proxy (DMZ): accessed when the client requests resources. Checks: who is asking, which API, what scope, is the token valid, etc…
• Authorization Server (DMZ): accessed when the client requests user authorization and tokens. Prove who you are, authorize entitlement, etc…
• Token Server with Token Store (internal): create, check, expire, revoke, etc…
• Also shown: Resource Server, OVP, client store, IDMS (accessible through an LDAP query)
Legend: endpoints accessible through an API; endpoints accessible through the OAuth protocol API
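The split of duties on this slide (a Token Server that creates, checks, expires and revokes tokens; an API Proxy that asks who is calling, which API, with what scope, and whether the token is still valid) can be shown in a few dozen lines. The following is an added example, not code from Layer 7's SecureSpan or from the deck; the class names, the sample routes and the scope names are assumptions made for the illustration.

```python
# Added example (not code from the Layer 7 / KuppingerCole deck): an in-memory
# OAuth 2.0 token store with the Token Server duties named on the slide
# (create, check, expire, revoke) and an API proxy that performs the checks
# named for it (who is asking, which API, what scope, is the token valid).
# Class names, routes and scope names are assumptions made for the example.
import secrets
import time


class TokenStore:
    """Token Server + Token Store: bearer tokens keyed by their opaque value."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can control time
        self._tokens = {}

    def create(self, client_id, scopes, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        self._tokens[token] = {
            "client_id": client_id,
            "scopes": frozenset(scopes),
            "expires_at": self._clock() + ttl_seconds,
            "revoked": False,
        }
        return token

    def check(self, token):
        """Return the token record if it is known, unexpired and unrevoked, else None."""
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"] or rec["expires_at"] <= self._clock():
            return None
        return rec

    def revoke(self, token):
        rec = self._tokens.get(token)
        if rec is not None:
            rec["revoked"] = True

    def expire(self):
        """Purge tokens whose lifetime has passed; returns how many were removed."""
        now = self._clock()
        dead = [t for t, r in self._tokens.items() if r["expires_at"] <= now]
        for t in dead:
            del self._tokens[t]
        return len(dead)


class ApiProxy:
    """DMZ-side proxy: decides whether a request may be forwarded to the resource server."""

    def __init__(self, token_store, api_scopes):
        self._store = token_store
        self._api_scopes = api_scopes   # {(method, path): required_scope}

    def authorize(self, method, path, headers):
        """Return (HTTP status, reason). 200 means the request may be forwarded."""
        auth = headers.get("Authorization", "")
        scheme, _, token = auth.partition(" ")
        if scheme != "Bearer" or not token:
            return 401, "missing bearer token"
        rec = self._store.check(token)                  # is the token valid? who is asking?
        if rec is None:
            return 401, "invalid, expired or revoked token"
        required = self._api_scopes.get((method, path))  # which API?
        if required is None:
            return 404, "unknown API"
        if required not in rec["scopes"]:                # what scope?
            return 403, f"scope {required!r} required"
        return 200, f"forward for client {rec['client_id']}"


if __name__ == "__main__":
    store = TokenStore()
    proxy = ApiProxy(store, {("GET", "/orders"): "orders:read",
                             ("POST", "/orders"): "orders:write"})
    tok = store.create("mobile-app", ["orders:read"], ttl_seconds=60)
    print(proxy.authorize("GET", "/orders", {"Authorization": "Bearer " + tok}))
    print(proxy.authorize("POST", "/orders", {"Authorization": "Bearer " + tok}))
    store.revoke(tok)
    print(proxy.authorize("GET", "/orders", {"Authorization": "Bearer " + tok}))
```

The proxy checks the token before it looks the route up, so an unauthenticated caller learns nothing about which APIs exist; the store and the proxy share only the opaque token, which is what lets the two sit in different network zones as the slide draws them.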
35. Priority #2: Introduce OpenID Connect
[Diagram] Resource provider, split across Internet / DMZ / Internal (secure) network:
Core
• CheckID: provide IDtoken; validate and return claims
• UserInfo: provide access token; get attributes (eg: family_name, picture, gender, birthdate, etc)
Optional
• SessionMgmt: 1. Refresh endpoint 2. End session endpoint
• DynamicReg
• Discovery
Also shown: Resource Server, OVP, client store, token store, IDMS (accessible through an LDAP query)
Legend: endpoints accessible through an API; endpoints accessible to outside clients
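The CheckID step on this slide (issue an ID token, validate it, return its claims) and the UserInfo step (hand back attributes such as family_name and picture) are shown below in an added example; it is not code from the deck or from any vendor. It signs with HS256 using the client secret as the key, which OpenID Connect Core permits for ID tokens, so that the whole exchange runs with the standard library; a relying party talking to a public provider would more commonly verify an RS256 signature against the provider's published keys. The issuer, client id, nonce and claim values are constructed sample data.

```python
# Added example, not code from the deck: minting and validating an OpenID
# Connect ID token with HS256 (client secret as key). Issuer, client id,
# nonce and claim values are constructed sample data.
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, client_secret: str) -> str:
    """Provider side (the CheckID role on the slide): produce a compact JWS."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class IdTokenError(ValueError):
    pass


def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """Relying-party side: verify the signature first, then iss / aud / exp / nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:
        raise IdTokenError("malformed token")
    if header.get("alg") != "HS256":        # pin the algorithm; never trust the token's choice
        raise IdTokenError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IdTokenError("signature check failed")
    claims = json.loads(_b64url_decode(p))   # only trusted once the signature holds
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise IdTokenError("token expired")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims


def check_id_token(*args, **kwargs):
    """Convenience wrapper: (claims, None) on success, (None, reason) on failure."""
    try:
        return validate_id_token(*args, **kwargs), None
    except IdTokenError as err:
        return None, str(err)


def userinfo_claims(claims, wanted=("sub", "family_name", "picture", "gender", "birthdate")):
    """The attributes the UserInfo step on the slide would hand to the application."""
    return {k: claims[k] for k in wanted if k in claims}


if __name__ == "__main__":
    secret = "constructed-client-secret"
    claims = {"iss": "https://op.example", "sub": "24400320", "aud": "client-123",
              "exp": int(time.time()) + 300, "iat": int(time.time()),
              "nonce": "n-0S6_WzA2Mj", "family_name": "Jensen"}
    tok = sign_id_token(claims, secret)
    print(check_id_token(tok, secret, "https://op.example", "client-123", "n-0S6_WzA2Mj"))
    print(check_id_token(tok, "wrong-secret", "https://op.example", "client-123", "n-0S6_WzA2Mj"))
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is pinned rather than taken from the header, and the nonce ties the token to the login request that asked for it.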
36. Priority #3: Introduce SCIM
“…make it fast, cheap, and easy to move users in to, out of, and around the cloud.” http://www.simplecloud.info/
[Diagram] SCIM = RESTful API for user/group CRUD + user/group schema
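What "RESTful API for user/group CRUD" plus "user/group schema" looks like in practice is shown below as an added example; it is not code from the deck or from any SCIM implementation. It keeps users in memory and maps the SCIM HTTP verbs onto create, read, replace, delete and a filtered list. The schema URNs and the error body shape follow SCIM 2.0 (RFC 7643 and RFC 7644), which post-dates the 2012 talk; the ScimUserStore and handle names and the sample users are constructed for the example.

```python
# Added example, not code from the deck: an in-memory SCIM-style user store
# with the CRUD operations the slide lists. Schema URNs follow SCIM 2.0
# (RFC 7643/7644); class and function names and sample data are constructed.
import copy
import re
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
_EQ_FILTER = re.compile(r'^\s*(\w+)\s+eq\s+"([^"]*)"\s*$', re.IGNORECASE)


def _now():
    return datetime.now(timezone.utc).isoformat()


class ScimError(Exception):
    """Carries the HTTP status and a SCIM error body."""
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status
        self.body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUserStore:
    def __init__(self):
        self._users = {}

    def _validate(self, resource):
        if USER_SCHEMA not in resource.get("schemas", []):
            raise ScimError(400, f"schemas must include {USER_SCHEMA}")
        if not resource.get("userName"):
            raise ScimError(400, "userName is required")

    def _by_username(self, user_name):   # userName is unique, case-insensitive
        return next((u for u in self._users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def create(self, resource):          # POST /Users -> 201
        self._validate(resource)
        if self._by_username(resource["userName"]) is not None:
            raise ScimError(409, "userName already in use")
        user = copy.deepcopy(resource)
        user["id"] = str(uuid.uuid4())   # id and meta are server-assigned
        user["meta"] = {"resourceType": "User", "created": _now()}
        self._users[user["id"]] = user
        return copy.deepcopy(user)

    def get(self, user_id):              # GET /Users/{id}
        if user_id not in self._users:
            raise ScimError(404, f"User {user_id} not found")
        return copy.deepcopy(self._users[user_id])

    def replace(self, user_id, resource):   # PUT /Users/{id}
        self._validate(resource)
        current = self.get(user_id)
        other = self._by_username(resource["userName"])
        if other is not None and other["id"] != user_id:
            raise ScimError(409, "userName already in use")
        user = copy.deepcopy(resource)
        user["id"] = user_id             # a client cannot rewrite id or meta
        user["meta"] = dict(current["meta"], lastModified=_now())
        self._users[user_id] = user
        return copy.deepcopy(user)

    def delete(self, user_id):           # DELETE /Users/{id} -> 204
        self.get(user_id)
        del self._users[user_id]

    def list(self, filter_expr=None):    # GET /Users?filter=userName eq "bjensen"
        users = list(self._users.values())
        if filter_expr:
            m = _EQ_FILTER.match(filter_expr)
            if not m:
                raise ScimError(400, 'only attr eq "value" filters are supported here')
            attr, value = m.group(1), m.group(2)
            users = [u for u in users if str(u.get(attr, "")).lower() == value.lower()]
        return {"schemas": [LIST_SCHEMA], "totalResults": len(users),
                "Resources": copy.deepcopy(users)}


def handle(store, method, path, body=None, filter_expr=None):
    """Map SCIM HTTP calls onto the store; returns (status, response body)."""
    try:
        if path == "/Users":
            if method == "POST":
                return 201, store.create(body or {})
            if method == "GET":
                return 200, store.list(filter_expr)
        elif path.startswith("/Users/"):
            user_id = path[len("/Users/"):]
            if method == "GET":
                return 200, store.get(user_id)
            if method == "PUT":
                return 200, store.replace(user_id, body or {})
            if method == "DELETE":
                store.delete(user_id)
                return 204, None
        raise ScimError(404, f"no handler for {method} {path}")
    except ScimError as err:
        return err.status, err.body
```

The server-side ownership of id and meta, the uniqueness check on userName, and the typed error body are what make the same provisioning client work against many providers, which is the point of standardising user CRUD rather than leaving each cloud service to invent its own.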
37. Summary
Implement OAuth now!
- Don’t roll your own
- Plan for failure
- Plan for scale
Plan for OpenID Connect
- Understand what you need to share
- Look to integration with existing identity providers
Plan for SCIM
- Came about because of obvious need
- Maturing very fast
38. For further information:
K. Scott Morrison
Chief Technology Officer
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377
smorrison@layer7tech.com
http://www.layer7tech.com
Oct 2012