• Home

  • Software

  • NYC Identity Summit Tech Day: Best Practices for API Security
13
© 2016 ForgeRock. All rights reserved. Best Practices for API Security Ludovic Poitou, Product Management Director

NYC Identity Summit Tech Day: Best Practices for API Security

Embed Size (px)

Citation preview

Page 1: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

Best Practices for API Security

Ludovic Poitou, Product Management Director

Page 2: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

API Security

?

Page 3: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

API Security

Page 4: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

Example:

ForgeRockIdentity Gateway

APIs

ForgeRockAccess Management

Throttling

Authorization

Page 5: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

API Key• Use OAuth2 Tokens• Issued & managed centrally• Standard based• Access tokens are short-lived

and revocable• Scopes for finer permissions

Page 6: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

Protecting against Disclosure• Secure End to End

• Between Client and Gateway• Between Gateway and API

• TLS• Certificate based

Authentication

Page 7: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

Protect Against Misuse and DOS• Throttle the incoming traffic

• Overall• Per API• Per Client

• Also a monetization strategy!

https://www.flickr.com/photos/telstar/

Page 8: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

Policy Decision and Enforcement Point

• Centralized policy management

• Introspect Token• Call ForgeRock Access

Management PDP• Border enforcement

• Specific rules and conditions• Not Found vs Forbidden

https://www.flickr.com/photos/yannickgar/

Page 9: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

Monitoring and Auditing• Monitoring

• Status• Throughput and Response

Times statistics• Auditing

• Logs• Reporting• Billing

Page 10: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

Summary

Page 11: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

Throttling

Message Transformation Monitoring

Session Management Token Exchange

SSO

Scripting

Relying Party Authentication Authorization Federation (SAML /

OIDC)

Password Capture & Replay

Protected Resources

Identity Providers Data Stores

Web Applications

APIs

Services Layer

Access Layer HTTP / HTTPS OAuth2.0 | OpenID Connect | SAMLv2

External LayerDatabases

Directories

Files

Audit

ForgeRock Identity Platform: Identity Gateway

Page 12: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved. 12

Page 13: NYC Identity Summit Tech Day: Best Practices for API Security

© 2016 ForgeRock. All rights reserved.

Best Practices for API Security

Ludovic Poitou – Product Management [email protected]

@ludomp

mailto:[email protected]

Federated Identity API User Guide

Federated Identity API User Guide

Documents
Identity in an API Economy KuppingerCole Webinar Sponsored by Layer 7

Identity in an API Economy KuppingerCole Webinar Sponsored by Layer 7

Documents
API-Craft NYC - Overview of the Twitter APIs with demos

API-Craft NYC - Overview of the Twitter APIs with demos

Technology
Cisco Identity Services Engine API Reference Guide, Release 2Contents iv Cisco Identity Services Engine API Reference Guide, Release 2.x ActiveList API Output Schema 2-5 Invoking the

Cisco Identity Services Engine API Reference Guide, Release 2Contents iv Cisco Identity Services Engine API Reference Guide, Release 2.x ActiveList API Output Schema 2-5 Invoking the

Documents
OpenID Connect & OAuth 2.0 Server for the Enterprise · API access management identity provision identity ... Modern token based security for web, ... User authentication

OpenID Connect & OAuth 2.0 Server for the Enterprise · API access management identity provision identity ... Modern token based security for web, ... User authentication

Documents
Identity Management Trends Best Practices NYC

Identity Management Trends Best Practices NYC

Documents
NYC Identity Summit Business Day: Identity is the Center of Everything (Mike Ellis Intro)

NYC Identity Summit Business Day: Identity is the Center of Everything (Mike Ellis Intro)

Software
SoundCloud API Learnings @ Startup Weekend NYC 2011

SoundCloud API Learnings @ Startup Weekend NYC 2011

Technology
CLOUD NATIVE CONNECTED CARS. · Web Gateway User Mgmt Identity Store Weather Office News Main Core BMW Online Vehicle API Gen 5 In-Vehicle API Web REST API Clients Gateways Frontends

CLOUD NATIVE CONNECTED CARS. · Web Gateway User Mgmt Identity Store Weather Office News Main Core BMW Online Vehicle API Gen 5 In-Vehicle API Web REST API Clients Gateways Frontends

Documents
A Common API & UI for Building Next Generation Identity Services

A Common API & UI for Building Next Generation Identity Services

Technology
Privileged Identity PowerShell API GUide · 2019-10-08 · Asuccessfulloginprovidesthecallinguseranauthenticationtoken.Thistokenispassedtoallsubsequentcallsas AuthenticationToken

Privileged Identity PowerShell API GUide · 2019-10-08 · Asuccessfulloginprovidesthecallinguseranauthenticationtoken.Thistokenispassedtoallsubsequentcallsas AuthenticationToken

Documents
The API Economy: API Provider Perspective / European Identity Summit 2012

The API Economy: API Provider Perspective / European Identity Summit 2012

Technology
KONSTANTIN HYPPÖNEN Open Mobile Identity - UEFepublications.uef.fi/pub/urn_isbn_978-951-27-0112-4/urn_isbn_978... · KONSTANTIN HYPPÖNEN Open Mobile Identity ... API application

KONSTANTIN HYPPÖNEN Open Mobile Identity - UEFepublications.uef.fi/pub/urn_isbn_978-951-27-0112-4/urn_isbn_978... · KONSTANTIN HYPPÖNEN Open Mobile Identity ... API application

Documents
Cisco Identity Services Engine API Reference Guide ... · Cisco Identity Services Engine API Reference Guide, Release 1.0.4 OL-25996-01 1 Introduction to the Cisco ISE REST APIs The

Cisco Identity Services Engine API Reference Guide ... · Cisco Identity Services Engine API Reference Guide, Release 1.0.4 OL-25996-01 1 Introduction to the Cisco ISE REST APIs The

Documents
Raw API Documentation API Documentation.pdf · Digital Identity ApS, Bakkedraget 1, 8362 Hørning 3 / 58 4.11.2 Response ..... 38

Raw API Documentation API Documentation.pdf · Digital Identity ApS, Bakkedraget 1, 8362 Hørning 3 / 58 4.11.2 Response ..... 38

Documents
The “I” in API is for Identity (Nordic APIS April 2014)

The “I” in API is for Identity (Nordic APIS April 2014)

Software
Mobile and API identity – The New Challenges

Mobile and API identity – The New Challenges

Documents
ingFederate Server 9.1 - docs.pingidentity.com · identity security, API security, and social identity integration. Browser-based SSO extends employee, customer and partner identities

ingFederate Server 9.1 - docs.pingidentity.com · identity security, API security, and social identity integration. Browser-based SSO extends employee, customer and partner identities

Documents
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYC

Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYC

Technology
NYC Identity Summit Tech Day: Authorization for the Modern World

NYC Identity Summit Tech Day: Authorization for the Modern World

Software
Financial-grade API (FAPI) and CIBA · 2019-09-19 · OAuth 2.0 API authorization OpenID Connect (OIDC) verifiable user identity Financial-grade API (FAPI) higher security The Financial-grade

Financial-grade API (FAPI) and CIBA · 2019-09-19 · OAuth 2.0 API authorization OpenID Connect (OIDC) verifiable user identity Financial-grade API (FAPI) higher security The Financial-grade

Documents
Cisco Identity Services Engine API Reference Guide, …...Contents v Cisco Identity Services Engine API Reference Guide, Release 1.2 OL-26134-01 AcctStatus API Call Data 3-13 CHAPTER

Cisco Identity Services Engine API Reference Guide, …...Contents v Cisco Identity Services Engine API Reference Guide, Release 1.2 OL-26134-01 AcctStatus API Call Data 3-13 CHAPTER

Documents
Cisco Identity Services Engine API Reference Guide, Release 1 · United States and certain other countries. ... Guest REST API 6-1 An API for Guest User Resources 6-1 Sponsor Authentication

Cisco Identity Services Engine API Reference Guide, Release 1 · United States and certain other countries. ... Guest REST API 6-1 An API for Guest User Resources 6-1 Sponsor Authentication

Documents
NYC Identity Summit Business Day: Continuous Security

NYC Identity Summit Business Day: Continuous Security

Software
WSO2 - Identity Server & API Manager - TeamOpenBravo - IF4050

WSO2 - Identity Server & API Manager - TeamOpenBravo - IF4050

Software
Using API calls for Session Management - Cisco · 2-3 Cisco Identity Services Engine API Reference Guide, Release 1.2 OL-26134-01 Chapter 2 Using API Calls for Session Management

Using API calls for Session Management - Cisco · 2-3 Cisco Identity Services Engine API Reference Guide, Release 1.2 OL-26134-01 Chapter 2 Using API Calls for Session Management

Documents
WSO2Con USA 2017: Rise to the Challenge with WSO2 Identity Server and WSO2 API Manager

WSO2Con USA 2017: Rise to the Challenge with WSO2 Identity Server and WSO2 API Manager

Technology
Using API calls for Session Management - Cisco · 2-6 Cisco Identity Services Engine API Reference Guide, Release 1.2 OL-26134-01 Chapter 2 Using API Calls for Session Management

Using API calls for Session Management - Cisco · 2-6 Cisco Identity Services Engine API Reference Guide, Release 1.2 OL-26134-01 Chapter 2 Using API Calls for Session Management

Documents
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy

NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy

Software
Ping + Mulesoft...Ping Identity integrates with the MuleSoft Anypoint Platform to protect against unique API vulnerabilities by giving organizations: • Complete visibility into API

Ping + Mulesoft...Ping Identity integrates with the MuleSoft Anypoint Platform to protect against unique API vulnerabilities by giving organizations: • Complete visibility into API

Documents