White Paper: Security and Agility in the API Economy

Optimizing and securing your APIs with ViewDS Identity Solutions and Layer 7

e [email protected] | w www.viewds.com

Security and Agility in the API Economy

The ‘API Economy’ is more than the latest buzz-phrase. It is the foundation of a new way for businesses to acquire customers and generate revenue, with lower acquisition and transaction costs than have ever been possible before. The API Economy drives how modern web applications are designed, and how Internet commerce will work for the foreseeable future.

The technology behind the API Economy is simple but powerful. Businesses make data and services available over the Internet through application programming interfaces (APIs) built on standard web technologies. Customers and partners call those APIs from their own applications and services, with or without charge, depending on the needs of the business. Because it leverages Metcalfe’s Law (the same network effect that drives the growth of social media sites like Facebook), the API Economy has the potential to be a major source of profit growth for business. For example, in 2012 Salesforce generated more than half of its $2.2 billion revenue through its API rather than its web user interface.

Web APIs – The Foundation of the API Economy

A web API is simply a programming interface exposed over the Internet, usually in the REST (REpresentational State Transfer) style, on top of the same HTTP technology that browsers and web sites use. Client programs submit well-defined requests to the interface and receive well-defined data back as the result. The request and response can be anything: a request for a price, the location of an office, or a summary analysis of data that has already been collected.

Web APIs are everywhere, and their number is growing at an impressive rate. There are currently almost 10,000 publicly usable APIs registered at programmableweb (http://www.programmableweb.com), a popular public web API registry. This is only the tip of the iceberg, because programmableweb lists only public web APIs, not private ones.

The number of APIs available is impressive, and the number of transactions made through them is staggering. Google processes around 5 billion transactions per day through its web APIs, Twitter nearly 13 billion per day, and Amazon is closing in on a trillion per day. At these volumes you simply cannot leave the management and security of your APIs as an afterthought.

The Advantages of Web APIs

Why is the notion of web APIs so appealing? Mainly because architecting applications as a set of consumable web APIs promotes agility: developers can compose complex systems from already built services in a simple and well-defined way. It also gives organizations a new way to provide value to customers and partners. Even if a company does not drive revenue directly through its APIs, the closer collaboration with customers and partners can generate substantial value through increased sales and customer satisfaction.

Exposing data and services over the Internet also carries enormous security risk, and raises the question: who is accessing your data? Are they accessing it legitimately, or are they somehow cheating the system and getting it for free? Are attackers taking advantage of publicly available interfaces to gain access to data and systems that you need to keep secure? Maintaining security by controlling access to your public APIs is the price of admission to the API Economy.


Architecting for Agility and Security

It is difficult to know the best way to structure and control access to your API, and it is almost certain that you will go through several iterations before you discover what is best for you and your customers. If you want to remain secure and agile as your understanding of the requirements changes, your application design should incorporate three architectural concepts:

1. Separate the API structure from the underlying service.
2. Separate API security from the underlying service.
3. Manage security with policy, not code.

Separating functional concerns in this way creates a system that is agile and adapts to changes in requirements. You can accomplish this with little or no change to your underlying service code by using Layer 7’s SOA Gateway to manage your APIs, and ViewDS’s Access Sentinel to provide security services.

Managing and Optimizing Your APIs with Layer 7 SOA Gateway

Layer 7’s API Proxy is a virtual API gateway that gives API publishers a simple tool for securing, orchestrating and optimizing APIs and enforcing SLAs.

The API Proxy can:

§ Protect APIs against attack and misuse.
§ Define and enforce API rate limits and SLA metrics.
§ Translate between JSON and XML.
§ Track and report on API usage and performance.
§ Mediate between API versions.
§ Cache identity calls or messages, for improved performance.
§ Integrate with existing corporate security resources like LDAP, AD and SSO.

Securing your APIs with ViewDS Access Sentinel

Access Sentinel is an XACML-based authorization server that stores, manages and evaluates access control policy on behalf of your applications, such as Layer 7’s API Proxy.

ViewDS’s Access Sentinel is an XACML 3.0-compliant authorization server that:

§ Provides applications with externalized, policy-based access control, which allows security to be controlled by policy rather than hard coded within an application.
§ Allows policies to be managed easily, and the management of policies to be delegated to different user groups with different responsibilities.
§ Supports role-based access control (RBAC) and attribute-based access control (ABAC) models using:
  § attributes about the user and the device they are using
  § attributes about the resource or service they are interacting with
  § attributes about the action they are performing
  § attributes from the environment, such as the time of day and location.


Figure 1. API management and security architecture

Layer 7’s API Proxy sits between your customers’ and partners’ applications and your API service. It receives each service request (1) and applies translation policy to it. As each API request comes in, the API Proxy interprets the incoming parameters (2) to determine what kind of request it is, then passes this information to Access Sentinel (3), which evaluates the applicable authorization policy and returns a decision (4). Access Sentinel decides; the API Proxy enforces. If the request is permitted (5), the API Proxy translates the request and passes it to the back-end service for processing (6 and 7), and the service’s result is returned to the client (8). If the policy denies the request, the API Proxy returns an error to the client application and the back-end service is never called.

Agility and Security – You Can Have it All with ViewDS and Layer 7

When your API requirements change, for instance to accommodate a new mobile application, you can create additional API versions without changing your back-end service software, simply by changing the API policy rules in the Layer 7 API Proxy.

Or, if your authorization requirements change, such as offering certain APIs for free and others only to paying customers, you can simply change the authorization policy in Access Sentinel to look up the customer’s account status, again without changing your back-end service code. Your API and security systems can evolve independently of your back-end service, providing agility while maintaining security.
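The exchange in Figure 1 and the account-status rule just described, as an added example that is not part of this white paper and not Access Sentinel’s or Layer 7’s code or API: a small Python policy enforcement point (the API Proxy’s role) that maps one HTTP call onto the four XACML attribute categories, and a toy in-process policy decision point (Access Sentinel’s role) that enriches the request with the customer’s account status and matches it against attribute-based rules. The request and response dictionaries are shaped after the XACML 3.0 JSON profile, but every attribute identifier, path, account and rule is constructed for illustration, and the account directory stands in for whatever lookup a real deployment would use.

```python
"""Added example of the Figure 1 PEP/PDP exchange with ABAC rules.
Constructed for illustration; not Access Sentinel's or Layer 7's code.
Attribute identifiers, paths, accounts and rules are all made up."""
import copy
import fnmatch

# Constructed account directory: the customer account lookup the text
# describes. It is consulted by the PDP, not by the back-end service.
ACCOUNTS = {
    "acme-mobile": {"status": "paid"},
    "hobby-app": {"status": "free"},
    "old-partner": {"status": "suspended"},
}


def build_request(client_id, method, path, device, hour_utc):
    """PEP side (API Proxy): one incoming HTTP call becomes a request with
    the four XACML categories. hour_utc would normally come from the clock;
    it is a parameter so the example stays deterministic."""
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": "subject:client-id", "Value": client_id},
            {"AttributeId": "subject:device-type", "Value": device},
        ]},
        "Action": {"Attribute": [
            {"AttributeId": "action:http-method", "Value": method}]},
        "Resource": {"Attribute": [
            {"AttributeId": "resource:path", "Value": path}]},
        "Environment": {"Attribute": [
            {"AttributeId": "environment:hour-utc", "Value": hour_utc}]},
    }}


def _attr(req, category, attr_id):
    """First value of attr_id in the given category, or None if absent."""
    for a in req["Request"][category]["Attribute"]:
        if a["AttributeId"] == attr_id:
            return a["Value"]
    return None


def _status(r):
    return _attr(r, "AccessSubject", "subject:account-status")


def _path(r):
    return _attr(r, "Resource", "resource:path")


def _method(r):
    return _attr(r, "Action", "action:http-method")


# PDP policy: ordered (target predicate, effect) pairs, first match wins.
# Changing who may call what means editing this table, not the service.
POLICY = [
    # Suspended accounts are refused whatever they ask for.
    (lambda r: _status(r) == "suspended", "Deny"),
    # Free and paid accounts may read the public catalogue.
    (lambda r: _status(r) in ("free", "paid") and _method(r) == "GET"
               and fnmatch.fnmatch(_path(r), "/v1/catalog/*"), "Permit"),
    # Only paying customers get the analytics APIs.
    (lambda r: _status(r) == "paid"
               and fnmatch.fnmatch(_path(r), "/v1/analytics/*"), "Permit"),
    # Device + environment attributes: no mobile ordering outside 08-18 UTC.
    (lambda r: _path(r) == "/v1/orders" and _method(r) == "POST"
               and _attr(r, "AccessSubject", "subject:device-type") == "mobile"
               and not 8 <= _attr(r, "Environment", "environment:hour-utc") < 18,
     "Deny"),
    # Paying customers may place orders.
    (lambda r: _status(r) == "paid" and _path(r) == "/v1/orders"
               and _method(r) == "POST", "Permit"),
]


def evaluate(req):
    """PDP side (Access Sentinel's role): look up the account status for the
    calling client and add it as a subject attribute, then match the rules.
    A request that no rule targets is NotApplicable, never an implicit Permit."""
    req = copy.deepcopy(req)
    client_id = _attr(req, "AccessSubject", "subject:client-id")
    status = ACCOUNTS.get(client_id, {}).get("status", "unknown")
    req["Request"]["AccessSubject"]["Attribute"].append(
        {"AttributeId": "subject:account-status", "Value": status})
    for target, effect in POLICY:
        if target(req):
            return {"Response": [{"Decision": effect}]}
    return {"Response": [{"Decision": "NotApplicable"}]}


def proxy_handle(client_id, method, path, device, hour_utc):
    """PEP enforcement, steps 2-5 and 8 of Figure 1. Only an explicit Permit
    reaches the back end; Deny, NotApplicable (or an Indeterminate from a
    real PDP) all become a 403 to the client, so a policy gap fails closed."""
    resp = evaluate(build_request(client_id, method, path, device, hour_utc))
    decision = resp["Response"][0]["Decision"]
    if decision == "Permit":
        return 200, "forwarded to back-end service"
    return 403, "denied by policy (%s)" % decision
```

Calling `proxy_handle("hobby-app", "GET", "/v1/analytics/summary", "desktop", 10)` yields a 403 even though no rule mentions the free tier and analytics together: the decision is NotApplicable and the proxy treats anything other than Permit as a refusal. Moving a customer from free to paid, or adding a time-of-day restriction, is a change to `ACCOUNTS` or `POLICY`; `build_request` and the back-end service stay untouched, which is the separation the three architectural concepts ask for.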


By combining ViewDS’ Access Sentinel and Layer 7’s API Proxy, you can reduce the time it takes to make your APIs available, improve their security, and make it easier to create new versions of your APIs without breaking your customers’ applications. You can also experiment with new API structures and authorization policies without rewriting your core services.

Learn More About ViewDS Access Sentinel and Layer 7 API Proxy

For more information about how to design agility and security into your API project and help ensure your success in the API Economy, contact ViewDS Identity Solutions at www.viewds.com, or Layer 7 Technologies at www.layer7.com today.

About Layer 7 Technologies

Layer 7 is a leading provider of security and management products for API-driven integrations, spanning the extended hybrid enterprise.

Layer 7 products simplify:

§ The management of open APIs for developer communities.
§ Partner and cross-divisional integration via SOA.
§ Cloud connectivity.
§ Enterprise mobile enablement for BYOD (bring-your-own-device) initiatives.

Layer 7 has experienced double-digit growth in each of the past five years. In 2011, Deloitte named Layer 7 the 71st fastest growing technology company in North America. Layer 7’s products have received numerous industry recognitions; in 2011, Layer 7 was the only vendor in its category to be named both a Forrester Wave Leader and a Gartner Magic Quadrant Leader.

In June 2013, Layer 7 Technologies was acquired by CA Technologies, and since then Layer 7’s products have complemented CA Technologies solutions such as SiteMinder and LISA.

About Us

ViewDS provides identity management infrastructure for large enterprises and government agencies world-wide, and is a recognized leader in directory and authorization technology. ViewDS products are fast, scalable, and designed for ease of use.

ViewDS’ Directory Server is a highly scalable X.500/LDAP/XML server that provides secure, fast identity search and retrieval for air traffic control, defense and telecommunications organizations all over the world.

ViewDS’ Access Sentinel is an XACML 3.0-compliant authorization server that provides flexible, secure authorization services for applications. It externalizes authorization policy for your application and supports role-based access control (RBAC) and attribute-based access control (ABAC) models.