© 2016 ForgeRock. All rights reserved.
Best Practices for API Security
Ludovic Poitou, Product Management Director
API Security?
Example (architecture diagram; labels only): ForgeRock Identity Gateway, APIs, ForgeRock Access Management, Throttling, Authorization
API Key
• Use OAuth2 Tokens
• Issued & managed centrally
• Standards based
• Access tokens are short-lived and revocable
• Scopes for finer permissions
Protecting against Disclosure
• Secure End to End
  • Between Client and Gateway
  • Between Gateway and API
• TLS
• Certificate based Authentication
Protect Against Misuse and DoS
• Throttle the incoming traffic
  • Overall
  • Per API
  • Per Client
• Also a monetization strategy!
https://www.flickr.com/photos/telstar/
Policy Decision and Enforcement Point
• Centralized policy management
• Introspect Token
• Call ForgeRock Access Management PDP
• Border enforcement
• Specific rules and conditions
• Not Found vs Forbidden
https://www.flickr.com/photos/yannickgar/
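The border enforcement the last three slides describe (introspect the OAuth2 token, throttle per client, check scopes, and answer Not Found rather than Forbidden where a route must not be disclosed), as an added Python example that is not from the deck or from the ForgeRock products; the routes, scopes, tokens and introspection responses are constructed.

```python
# Constructed RFC 7662 introspection responses (hypothetical values), standing
# in for what the gateway gets back from the authorization server.
INTROSPECTION = {
    "tok-mobile": {"active": True, "client_id": "mobile-app",
                   "scope": "orders:read", "exp": 2_000_000_000},
    "tok-partner": {"active": True, "client_id": "partner-svc",
                    "scope": "orders:read orders:write", "exp": 2_000_000_000},
    "tok-revoked": {"active": False},
}
# Hypothetical route policy: (required scope, hidden). A hidden route answers
# 404 instead of 403, so callers lacking the scope cannot confirm it exists.
POLICY = {
    ("GET", "/orders"): ("orders:read", False),
    ("POST", "/orders"): ("orders:write", False),
    ("GET", "/admin/reports"): ("admin:reports", True),
}

def introspect(token):
    """Stand-in for the introspection call; unknown tokens are inactive."""
    return INTROSPECTION.get(token, {"active": False})

class PerClientThrottle:
    """Fixed-window request limiter keyed by the token's client_id."""
    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.counters = {}  # client_id -> (window_start, count)
    def allow(self, client_id, now):
        start, count = self.counters.get(client_id, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # window expired, start a new one
        if count >= self.limit:
            return False
        self.counters[client_id] = (start, count + 1)
        return True

def enforce(method, path, token, throttle, now):
    """Decide a request at the border; returns the HTTP status to answer with."""
    rule = POLICY.get((method, path))
    if rule is None:
        return 404  # no such route
    info = introspect(token)
    if not info.get("active") or info.get("exp", 0) <= now:
        return 401  # missing, revoked or expired token
    if not throttle.allow(info["client_id"], now):
        return 429  # per-client rate limit exceeded
    required, hidden = rule
    if required not in info.get("scope", "").split():
        return 404 if hidden else 403
    return 200
```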
Monitoring and Auditing
• Monitoring
  • Status
  • Throughput and Response Times statistics
• Auditing
  • Logs
  • Reporting
  • Billing
Summary
ForgeRock Identity Platform: Identity Gateway (architecture diagram; labels only)
• Gateway features: Throttling, Message Transformation, Monitoring, Session Management, Token Exchange, SSO, Scripting, Relying Party, Authentication, Authorization, Federation (SAML / OIDC), Password Capture & Replay, Audit
• Access Layer: HTTP / HTTPS; OAuth2.0 | OpenID Connect | SAMLv2
• Protected Resources: Web Applications, APIs
• Services Layer: Identity Providers, Data Stores
• External Layer: Databases, Directories, Files
Best Practices for API Security
Ludovic Poitou – Product Management [email protected]
@ludomp