This presentation explains the various security scenarios for your mobile and Web applications and APIs. It goes into the specifics of OAuth, SAML, SSO, authentication/authorization, policy, protection and a host of related issues that will help you understand how to keep your data secure.
Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
Unified Security
Mobile, Web and APIs
The Security Landscape
• Authentication, Authorization, SSO
• Licensing
• Quota Management
• Protection
• Role of Policy
Authentication/Authorization/SSO
• Confusing array of standards:
– OAuth
– SAML
– OpenID
– SCIM
• A variety of app types:
– Desktop
– Mobile
– Web
• Enterprise SSO and its set of legacy systems
Use Cases
• Enterprise support for public credentials:
– Tiered service
• Providing APIs for Web applications
• Enabling new API-based digital channels using OAuth, perhaps in conjunction with:
– SAML
– OpenID
• Extending/modernizing Enterprise SSO via:
– OpenID Connect
– SAML
Combining SAML and OAuth
1. The app tries to get an OAuth token
2. The OAuth authorization server redirects the user with a SAML Authentication Request
3. The identity provider logs the user in, creates the SAML assertion and redirects back
4. The authorization server verifies the SAML assertion and issues the OAuth token
5. The app makes the call to the API
6. The gateway validates the OAuth token and performs fine-grained authorization
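The six steps above, as an added example that is not part of the slides or of SOA Software's product: a stand-alone simulation in which HTTP redirects are replaced by direct function calls, the SAML assertion is a signed JSON object rather than SAML XML, and a shared HMAC key stands in for the identity provider's XML-Signature key. The key, the authorization server's entity ID, the route-to-scope table and the user names are constructed assumptions. Step 4 is where the security of the combination lives, so the authorization server checks signature, audience, validity window and replay before it issues a token.

```python
# Added example (not from the slides): simulation of the SAML + OAuth flow.
# Assumptions: HMAC stands in for XML-Signature, JSON stands in for SAML XML,
# and the redirects become direct calls.
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_SIGNING_KEY = b"constructed-idp-signing-key"        # hypothetical shared key
AS_ENTITY_ID = "https://as.example.com/oauth/token"     # hypothetical AS audience
TOKEN_LIFETIME = 3600

_issued_tokens = {}        # authorization server's token store: token -> info
_seen_assertion_ids = set()  # replay cache used in step 4


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


# Steps 2-3: the identity provider authenticates the user and signs an assertion.
def idp_issue_assertion(user, audience, now=None, lifetime=300):
    now = int(time.time()) if now is None else now
    body = {
        "id": "_" + secrets.token_hex(8),
        "subject": user,
        "audience": audience,
        "issued": now,
        "not_on_or_after": now + lifetime,
    }
    sig = hmac.new(IDP_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


# Step 4: the authorization server verifies the assertion and issues an OAuth token.
def as_exchange_assertion(assertion, scopes, now=None):
    now = int(time.time()) if now is None else now
    body = assertion["body"]
    expected = hmac.new(IDP_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise PermissionError("assertion signature invalid")
    if body["audience"] != AS_ENTITY_ID:
        raise PermissionError("assertion not addressed to this authorization server")
    if now >= body["not_on_or_after"]:
        raise PermissionError("assertion expired")
    if body["id"] in _seen_assertion_ids:
        raise PermissionError("assertion replayed")
    _seen_assertion_ids.add(body["id"])
    token = base64.urlsafe_b64encode(secrets.token_bytes(24)).decode().rstrip("=")
    _issued_tokens[token] = {"sub": body["subject"], "scopes": frozenset(scopes),
                             "exp": now + TOKEN_LIFETIME}
    return token


# Step 6: the gateway validates the bearer token and applies fine-grained authorization.
ROUTE_SCOPES = {("GET", "/accounts"): "accounts:read", ("POST", "/accounts"): "accounts:write"}


def gateway_authorize(token, method, path, now=None):
    now = int(time.time()) if now is None else now
    info = _issued_tokens.get(token)
    if info is None or now >= info["exp"]:
        return 401, "invalid_token"
    needed = ROUTE_SCOPES.get((method, path))
    if needed is None:
        return 404, "unknown_route"
    if needed not in info["scopes"]:
        return 403, "insufficient_scope"
    return 200, info["sub"]


def run_flow(user="alice", scopes=("accounts:read",)):
    """Steps 1-6 end to end: gateway decisions for a read call and a write call."""
    assertion = idp_issue_assertion(user, AS_ENTITY_ID)      # steps 1-3
    token = as_exchange_assertion(assertion, scopes)          # step 4
    return (gateway_authorize(token, "GET", "/accounts"),     # steps 5-6, in scope
            gateway_authorize(token, "POST", "/accounts"))    # steps 5-6, scope missing


if __name__ == "__main__":
    print(run_flow())
```

The replay cache and the audience check are the two controls most often left out when a SAML assertion is accepted as a grant: without them a captured assertion can be exchanged twice, or an assertion minted for some other service provider can be presented to the authorization server.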
Licensing
• You may want to enable a business model based on different:
– Operations or resources
– Levels of service
• The licenses control:
– OAuth authorization scopes
– Document visibility
– Quota policies
Licensing - Flow
1. Validate the OAuth token
2. Authorize the API call
3. Determine the license
4. The license provides the QoS policies
Quota Management
• You probably want different licenses with different levels of service
• The levels of service are:
– Throughput
– Bandwidth consumed over time
– Concurrency
– Availability
• When quotas are exceeded, apps can either be cut off or events can be generated. Events can be used for overage billing
Protection
• Denial of Service
• Injection Attacks
• XSS
• Viruses
The Role of Policy
Lower cost and risk:
• Separate functional and non-functional
• Decouple changing standards from your implementation
• Provide multiple options depending on the channel
• Mediate
The Role of Policy
• An API exposed externally has a security policy of:
– OAuth with SAML2
• Internally, the security policy is:
– WSS/SAML
• The system uses these declarative policies to automatically convert the inbound OAuth token into the WSS/SAML token required by downstream services
SOA Software’s API Platform
API Platform
• Analytics: measure the impact of your programs
• Developer Engagement: build your developer and partner ecosystem
• Gateway Services: secure and protect your systems
• Service Integration: simplify and speed up development
• Lifecycle Management: build the right services & APIs the right way
In the Cloud or On-Premise
Thanks…
Alistair Farquharson, CTO, SOA Software
www.soa.com
@afarqu
@SOASoftwareInc