22
Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494 Best Prac*ces in Deploying API Gateways API World 2017 Greg DiFruscio Director of Support [email protected]

Best Practices in Deploying API Gateways

Embed Size (px)

Citation preview

Page 1: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

BestPrac*cesinDeployingAPIGatewaysAPIWorld2017

GregDiFruscioDirectorofSupport

[email protected]

Page 2: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

Why they are an essential component of a secure, robust and scalable API infrastructure.

Best practices and common deployment scenarios of API Gateways.

Page 3: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

TYPESofAPIGATEWAYS

Page 4: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

#1 APIGatewayBasics

Deployedsimilartoareverseproxy(protocolbreak)ThegatewayrepresentstheendpointAPIandappearstotheconsumerasifitistheapplica*onorserviceitselfCanbelocatedon-premiseorincloudMovethesecurity,iden*ty,andmanagementprocessingouttotheAPIGateway*er–lettheAPIsfocusonthebusinessrequirementWhileAPIGatewaysexposetheAPIs,notallAPIGatewaystrulysecuretheAPIs

Page 5: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

IAM(Iden*tyandAccessManagement)designedforIden*tyandAccessControlandcentralizingIAMagentsIAMGatewayproductssupportlimitedAPItypes(i.e.REST)Limitedsupportfornetworkprotocols(i.e.RESTAPIsoverHTTP)VeryliUleornoabilitytoprovideinforma*onassuranceoftheAPIdataTypicallybuiltoninsecureplaVorms–soWwareonlyorunhardenedvirtualappliance

#2 APIIAMGateways

Page 6: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

Moreversa*lethanIAMGatewayswithbroadersupportforAPItypesandnetworkprotocols

EvolvedfromESBintegra*onplaVormswhereintegra*onandpayloadconversionarecorefunc*ons

Usuallydevelopercentric

OWenprovidedeveloperportalsforAPIconsumers,selfdocumen*ngAPIs

TypicallybuiltonopenplaVormsdesignedforflexibility

Inherentlysuscep*bletoaUackandcompromise

#3 APIManagementGateways

Page 7: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

Securityfirstfocus–productformfactorsandfeaturesetsProductshardenedagainstcyberaUack–closedsystems

IncludeAPIIden*tyfeaturesfromIAMspace

IncludeAPIGovernancefeaturesfromAPIManagementspace

IncludeAPISecurityfromCybersecurityspace

SupportforwidearrayofAPItypesandnetworkprotocols

Focusoncontentlayersecurity(e.g.schemavalida*on,encryp*on,dsig)inaddi*ontoTLS

Bi-direc*onalscanningtopreventthreatsaswellasdataleakage

#4 APISecurityGateways

Page 8: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

WhichtypeofAPIGatewayisrightforyou?IsHTTP/Sonlyprotocolsufficient?

AreRESTAPIservicestheonlytypeyouwillneedtosupport?AreyouconcernedaboutmalwareandotherAPIexploitsembeddedwithinthepayloads?

Doyouneedtosupportlegacyapplica*onsandservices?

Areyouconcernedwithdataleakageandsensi*veinforma*onloss?

Page 9: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

DEPLOYINGAPIGATEWAYS

Page 10: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

On-Premiseorcloud?

Hardware,virtual,soWware,AMI,other?

#1 Loca*onandFormFactor

Wherearetheservices?

Wherearetheclients?

Wherearetheuseriden*tyrepositories?

Page 11: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

APItypes(e.g.REST,SOAP,XML,WebPortals,etc.)Networkprotocols(HTTP/S,SFTP,JMS,SMTP,AMQP1.0,mixing)

Iden*ty,accesscontrol,andSSOrequirements(Iden*tyRepositories)

APIsecurityrequirements(TLS,Schemavalida*on,AVscanning,parametervalida*on,methodvalida*on,etc.)

APIintegra*on/media*onrequirements(JSONto/fromXML,etc.)

Loggingrequirements

CustomErrorhandling

#2 UseCaseDiscussion

Page 12: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

SimpleisbeUer(pointandclick,nocodingnecessary)Erroronthesideofsecurity

Startbasicandaddprocessinglayers

Reusingpolicyobjects

Policynamingconven*ons

Propaga*onofpoliciesacrossenvironments

Automa*onviaAPIs

#4 PolicyConfigura*onandManagement

Page 13: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

AskyourvendorforasecurityreviewofyourpoliciesCheckforsensi*veinforma*oninlogs

CheckforweakciphersandTLS/SSLprotocols

Posi*veandnega*vetes*ng

Reviewerrorsgeneratedongatewayanderrorsreturnedfromapplica*ons

Doitbeforemovingintoproduc*on

SchedulethemoWen

#4 SecurityReview

Page 14: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

BESTPRACTICESINAPISECURITY

Page 15: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

SecureOS–theinfrastructureisatarget

Securepolicy/configura*onstorage

Protectyourprivatekeys

#1 ProductSecurity

Page 16: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

#2 APISecurityPolicy

Page 17: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

Aimforagentlessapproach

Protectiden*tyrepositories

UseSSOandFedera*on

#3 APIIden*tyMul*-Contextauthen*ca*onandauthoriza*on

Reducedependenciesonvendorspecificimplementa*ons

Page 18: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

Rewri*ngURLs–obfuscateyourpathMappingpayloadformats–forintegra*onaswellassecurity

MappinguseraUributeinforma*onretrievedfromiden*tycall

QueryingLDAP,Databases,APIs(t-junc*onprocessing)

Networkprotocolmedia*on(e.g.HTTPSto/fromAc*veMQ)

#4 APIIntegra*on

Page 19: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

IntegratewithcentralSIEM/loggingsystem(e.g.Splunk,ELK,Graylog,etc.)

Buildreal*meDashboardsfromgatewaylogs

Leveragebigdataanaly*csforalerts,trends,reports

#3 APIMonitoring

Page 20: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

ChoosetherighttypeofAPIGatewayforyourcurrentandfutureneeds

DecidewheretheAPIGateway(s)willliveandwhatformfactorsarecorrectforyourenvironment

Spendthe*meupfronttoarchitectthesolu*onandbuildthepoliciesinaccordancetoyourplan

YourAPIsandyourAPIinfrastructurearetargets–APISecuritymeanssecurityfeaturesaswellassecurearchitecture

Conclusions

Page 21: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

ForumOS™.FIPS140-2LevelIIpurpose-builtchassis.NIAPNDPPCerPfied.PatentedcryptographicacceleraPon

FullyencapsulatedvirtualizedrendiPonofHardwaresysteminadeployableAmazonAMI

Windows,Linux,orSolarisdeployableinanycompuPngecosystem(single-packageinstallwithnodependencies)

FORMFACTORS

APISecurityGateway

FullyencapsulatedvirtualizedrendiPonofHardwaresysteminadeployableOVAVMWareimage

Hardware

Virtual

Cloud

SoWware

Page 22: Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

Tolearnmorevisitusath[p://info.forumsys.com/api_world


Policy APIs: Getting Started GuideThis API endpoint allows you to configure multiple objects (Segments, Gateways, Security Policies etc.) using a single API call. A very high-level

Policy APIs: Getting Started GuideThis API endpoint allows you to configure multiple objects (Segments, Gateways, Security Policies etc.) using a single API call. A very high-level

Documents
New Aethra MCUs and Gateways The new Aethra MCUs and Gateways

New Aethra MCUs and Gateways The new Aethra MCUs and Gateways

Documents
GraphQL as an alternative approach to REST - CodeMonsters ... · API Gateway (API routing, security, policies) (-)Existing Gateways have rich support for REST, not yet GraphQL - but

GraphQL as an alternative approach to REST - CodeMonsters ... · API Gateway (API routing, security, policies) (-)Existing Gateways have rich support for REST, not yet GraphQL - but

Documents
Deploying Applications with the WebLogic Deployment API · 2020. 3. 18. · Oracle® Fusion Middleware Deploying Applications with the WebLogic Deployment API 14c (14.1.1.0.0) F18332-01

Deploying Applications with the WebLogic Deployment API · 2020. 3. 18. · Oracle® Fusion Middleware Deploying Applications with the WebLogic Deployment API 14c (14.1.1.0.0) F18332-01

Documents
DEVELOPER SURVIVAL GUIDE - express-serverless.io · deploying API proxies. Express Serverless Platform, like Apigee, allows you to build and deploy API gateways on their internal

DEVELOPER SURVIVAL GUIDE - express-serverless.io · deploying API proxies. Express Serverless Platform, like Apigee, allows you to build and deploy API gateways on their internal

Documents
API Guide Release 5 - Oracle · 2016-12-12 · • FACE REST API—API for communication and control of ISR components. For information on deploying and configuring FACE, see the

API Guide Release 5 - Oracle · 2016-12-12 · • FACE REST API—API for communication and control of ISR components. For information on deploying and configuring FACE, see the

Documents
Microservices & API Gateways

Microservices & API Gateways

Technology
Gateways - cofc.edu

Gateways - cofc.edu

Documents
solution guiDe Deploying ArubA Wireless Controllers With ... · soluTion guide deploying aruba Wireless ConTrollers WiTh miCrosofT lynC sdn api 5 Microsoft had released sDn Api 1.2

solution guiDe Deploying ArubA Wireless Controllers With ... · soluTion guide deploying aruba Wireless ConTrollers WiTh miCrosofT lynC sdn api 5 Microsoft had released sDn Api 1.2

Documents
BENEFITS - content.scytale.io · Security products such as network/application firewalls and API gateways, and authentication protocols such as Kerberos and oAuth, are not addressing

BENEFITS - content.scytale.io · Security products such as network/application firewalls and API gateways, and authentication protocols such as Kerberos and oAuth, are not addressing

Documents
API GATEWAY MANAGER · 2019-11-23 · APIIDA API Gateway Manager instantly creates an overview of the current status of managed CA API Gateways and services. The health metric is

API GATEWAY MANAGER · 2019-11-23 · APIIDA API Gateway Manager instantly creates an overview of the current status of managed CA API Gateways and services. The health metric is

Documents
Deploying Multiple Interconnected Gateways in Heterogeneous

Deploying Multiple Interconnected Gateways in Heterogeneous

Documents
OPEN White Paper v.3 © 2018 OPEN Platform, Inc. All rights ... · OPEN seeks to provide with its platform and API primarily deals with payment gateways. The OPEN API will leverage

OPEN White Paper v.3 © 2018 OPEN Platform, Inc. All rights ... · OPEN seeks to provide with its platform and API primarily deals with payment gateways. The OPEN API will leverage

Documents
CLOUD NATIVE CONNECTED CARS. · Web Gateway User Mgmt Identity Store Weather Office News Main Core BMW Online Vehicle API Gen 5 In-Vehicle API Web REST API Clients Gateways Frontends

CLOUD NATIVE CONNECTED CARS. · Web Gateway User Mgmt Identity Store Weather Office News Main Core BMW Online Vehicle API Gen 5 In-Vehicle API Web REST API Clients Gateways Frontends

Documents
Optimising clients with API gateways

Optimising clients with API gateways

Documents
GATEways 2013

GATEways 2013

Documents
API Management in 2026 - Oracle · Evolution of API Management through generations A walkthrough the evolution of API management. From the first generation API-like gateways to today’s

API Management in 2026 - Oracle · Evolution of API Management through generations A walkthrough the evolution of API management. From the first generation API-like gateways to today’s

Documents
Payment Gateways

Payment Gateways

Economy & Finance
API Gateways An overview · GraphQL is a good fit for “living” in the API Gateway §To integrate GraphQLinto an existing infrastructure, you either need to build it directly into

API Gateways An overview · GraphQL is a good fit for “living” in the API Gateway §To integrate GraphQLinto an existing infrastructure, you either need to build it directly into

Documents
Community Gateways

Community Gateways

Documents
Chapter 1 - Deploying a Spigot Server - Packt 1 - Deploying a Spigot Server Chapter 2 - Learning the Bukkit API Chapter 3 - Creating Your First Bukkit Plugin Chapter 4 - Testing on

Chapter 1 - Deploying a Spigot Server - Packt 1 - Deploying a Spigot Server Chapter 2 - Learning the Bukkit API Chapter 3 - Creating Your First Bukkit Plugin Chapter 4 - Testing on

Documents
Payment gateways(PG) and SMS gateways(SG) WELCOME · vitthal_dixit@yahoo.com 1 . Agenda Need for payment gateways. Architecture of payment gateways. Working of payment gateways.

Payment gateways(PG) and SMS gateways(SG) WELCOME · [email protected] 1 . Agenda Need for payment gateways. Architecture of payment gateways. Working of payment gateways.

Documents
Payment gateways(PG) and SMS gateways(SG) WELCOME filevitthal_dixit@yahoo.com 1 . Agenda Need for payment gateways. Architecture of payment gateways. Working of payment gateways. Benefits

Payment gateways(PG) and SMS gateways(SG) WELCOME [email protected] 1 . Agenda Need for payment gateways. Architecture of payment gateways. Working of payment gateways. Benefits

Documents
Instructions for Using New API - dinstar.com Gateways HTTP API_2.pdf · Support obtaining of basic port information 1.4 Before You Start 1) The API is based on HTTP and JSON.

Instructions for Using New API - dinstar.com Gateways HTTP API_2.pdf · Support obtaining of basic port information 1.4 Before You Start 1) The API is based on HTTP and JSON.

Documents
FINE-GRAINED AUTHORIZATION FOR THE API-ENABLED … · API Gateways are often used to protect web portals exposing different types of web services. The Axiomatics Policy Server then

FINE-GRAINED AUTHORIZATION FOR THE API-ENABLED … · API Gateways are often used to protect web portals exposing different types of web services. The Axiomatics Policy Server then

Documents
Barriers & Gateways

Barriers & Gateways

Documents
Certification - Service_API...A Certified Service API Specialist has demonstrated proficiency with the design, management, evolution and versioning of service . APIs, API gateways

Certification - Service_API...A Certified Service API Specialist has demonstrated proficiency with the design, management, evolution and versioning of service . APIs, API gateways

Documents
Building Scalable API Gateways for Microservices

Building Scalable API Gateways for Microservices

Software
Deploying ArubA Wireless Controllers With MiCrosoft lynC sDn Api

Deploying ArubA Wireless Controllers With MiCrosoft lynC sDn Api

Documents
Open-Source ools T and Frameworks - link.springer.com978-1-4842-4303-9/1.pdf · API gateways to manage, authenticate, and scale the API integration layer. The ESB framework can handle

Open-Source ools T and Frameworks - link.springer.com978-1-4842-4303-9/1.pdf · API gateways to manage, authenticate, and scale the API integration layer. The ESB framework can handle

Documents