CA API Gateway: Web API and Application Security
Ben Urbanski, Advisor, API Management Presales, CA Technologies
Session D03X41E (DEVOPS)
5 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Terms of this Presentation: For Informational Purposes Only
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
This session explores common web service, web API and web application security considerations and how you can use CA API Management solutions to address them.
Speaker: Ben Urbanski, Advisor, API Management Presales, CA Technologies
Ben Urbanski has almost 10 years of experience with API gateways, beginning at IBM in 2007, continuing at Layer 7 in 2011, and to this day at CA Technologies. During that time, he has been a presales engineer, a senior director of presales engineering, and now an advisor on CA's API Management Presales Center of Excellence team. He has helped many customers understand how they can simplify and accelerate the creation, security, integration and management of their web services, web APIs, web applications and mobile applications using API gateways, API portals and related products. Earlier in his career, he spent time as a software engineer at several companies, so he is well grounded in software development practices and how they relate to API management.
Agenda
1. SECURING THE NEW PERIMETER
2. CA API MANAGEMENT SUITE AND COMMON USE CASES
3. DEMONSTRATION
4. SECURITY PROCESS
5. SECURITY CONSIDERATIONS AND FEATURES
6. WHERE TO START?
The Digital Enterprise and Application Economy
(diagram: Developer Community, Cloud Services, Partners/Divisions, Mobile Apps, IoT / Big Data, Social Registration)
APIs are the New Perimeter
CA quickly and easily creates, secures and manages APIs
CA API Management
(architecture diagram) Design time: CA API Developer Portal, used by app developers; CA Live API Creator, used by API publishers. Runtime: CA (Mobile) API Gateway with ESM, fronting applications; CA Mobile App Services with MSSO SDKs and MAS SDKs.
CA API Management Use Cases and Deployment
(deployment diagram) Use cases: Security Gateway, API Management, Mobile Enablement, Identity Brokering, Internal Security, Integration (ESB, no ESB or microservices), Traffic Management (SLA), API Creation. DMZ: Gateways (optionally with MAG & MAS) serving partner app developers (design time) and applications using MSSO SDKs and MAS SDKs (runtime). Trusted zone: Gateways, Portal (design time for internal API and app developers), CA Live API Creator or application servers, API Academy.
Security Begins with Risk Analysis
Risk Assessment: What is your risk?
Risk Management: What will you do about it?
What is your risk?
(diagram) Risk is determined by your Assets, the Threats to them, and their Vulnerabilities.
What will you do about it?
– Avoidance
– Reduction
– Sharing
– Retention
Security Gateway / Internal Security
– Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special-purpose appliance
– Leading edge support for industry and vendor security standards and solutions
– Service Virtualization
– Identification (with Federation & Brokering), Authentication, Authorization & Auditing
– Confidentiality, Integrity, Logging, Non-repudiation, Data Classification and Compliance, Threat Protection
Security Gateway / Internal Security (additional detail)
Common Criteria for Enterprise Service Management (Access Control and Policy Management), STIG, and FIPS 140-2 compliant, hardened, tuned and special-purpose appliance
– Common Criteria (CC) is the most relevant security certification for solutions in our space; CA is the only gateway vendor with a recent certification to more relevant profiles
– FIPS 140-2 Level 1 crypto processing in all form factors by default. CA offers an optional hardware acceleration card for crypto processing that includes an on-board HSM in its hardware appliance form factor for FIPS 140-2 Level 3.
– CA's emphasis on performance allows our customers to take advantage of our many security capabilities without significant negative impact on performance and scalability.
Security Gateway / Internal Security (additional detail)
Leading edge support for industry and vendor security standards and solutions
– The industry and vendors are frequently creating and evolving security standards and solutions. These can be difficult to understand, implement and maintain. CA wraps its expert knowledge of both in automatic and/or simple-to-configure policy language that keeps pace with changes.
– CA is often used to negotiate differences in security standards and solutions between consumers and providers of services. For example, consumers might want to send their credentials using WS-Security UsernameTokens, and providers might expect credentials via SAML tokens. With CA in between, neither consumers nor providers need to change. Instead, CA can accept WS-Security UsernameTokens (and many others) from the consumer, perform authentication and authorization (and more), and include a SAML assertion in the request forwarded to the provider.
Service Virtualization
– An ESB concept, but with security implications. By using CA to virtualize your services (including their identity, protocol and interface), you effectively hide implementation details from attackers.
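The brokering flow described above (UsernameToken in, SAML assertion out, password never reaching the provider), as an added example written for this page; it is not CA product code or policy language. The identity store, the gateway issuer name `gateway.example`, the ACME warehouse request and the `required_group` check are all constructed for the example, and only the PasswordText form of the token is handled.

```python
"""Added example (not CA product code): broker a WS-Security UsernameToken
into a SAML 2.0 assertion, the way a gateway sitting between a consumer and a
provider does. Names, the identity store and the request are constructed."""
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

# Constructed identity store: username -> (sha256 of password, groups).
# A real gateway would consult LDAP, a database or an external IdP here.
USERS = {"alice": (hashlib.sha256(b"s3cret").hexdigest(), {"warehouse-readers"})}
ISSUER = "gateway.example"  # hypothetical gateway identity


class AuthFailure(Exception):
    """Raised when the consumer's credentials are missing, wrong or unauthorized."""


def broker_username_token_to_saml(envelope: str, required_group: str) -> str:
    """Authenticate the wsse:UsernameToken, authorize by group, then replace the
    token with a saml:Assertion so the provider never sees the password."""
    root = ET.fromstring(envelope)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    token = security.find(f"{{{WSSE}}}UsernameToken") if security is not None else None
    if token is None:
        raise AuthFailure("no UsernameToken in Security header")
    user = token.findtext(f"{{{WSSE}}}Username") or ""
    password = token.findtext(f"{{{WSSE}}}Password") or ""  # PasswordText only (assumption)
    record = USERS.get(user)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if record is None or not hmac.compare_digest(record[0], digest):
        raise AuthFailure("authentication failed")
    if required_group not in record[1]:
        raise AuthFailure("not authorized for this service")

    security.remove(token)  # the consumer's credential stops at the gateway
    assertion = ET.SubElement(security, f"{{{SAML}}}Assertion", {
        "Version": "2.0",
        "ID": "_" + uuid.uuid4().hex,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = ISSUER
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user
    # A production gateway would also sign the assertion (XML Signature) so the
    # provider can trust it; that step is omitted from this example.
    return ET.tostring(root, encoding="unicode")


def broker_outcome(envelope: str, required_group: str = "warehouse-readers") -> str:
    """Return the forwarded envelope, or a 'FAULT: ...' string on rejection."""
    try:
        return broker_username_token_to_saml(envelope, required_group)
    except AuthFailure as exc:
        return f"FAULT: {exc}"


# Constructed consumer request carrying a UsernameToken.
CONSUMER_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password>s3cret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getStock xmlns="urn:acme:warehouse"><sku>AB12</sku></getStock></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(broker_outcome(CONSUMER_REQUEST))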
Security Gateway / Internal Security (additional detail)
Identification, Authentication & Authorization
– Many out-of-the-box methods of identification, authentication and authorization based on industry standards and vendor proprietary mechanisms
– The ability to support identity federation based on different standards, and identity brokering between standards and vendor proprietary mechanisms
– Some (but not all) supported standards include SSL with mutual authentication, FTP credentials, HTTP Basic, HTTP Digest, HTTP cookies, NTLM, Kerberos, SAML, WS-SecureConversation, WS-Security, OAuth, OpenID Connect, XACML, LDAP, WS-Trust, WS-Federation and X.509 certificates
– Some (but not all) supported vendor proprietary mechanisms include Mobile SSO, CA Single Sign-On, Tivoli Access Manager, Oracle Access Manager and Sun Java System Access Manager
– CA can easily and conditionally use one or more of the above methods in a single policy (including JDBC and other protocols for custom identity provider implementations)
– CA provides an out-of-the-box and configurable WS-Trust based STS service
– CA can be an enterprise PEP, PDP, PIP and PRP for XACML
– CA can be a SAML identity provider
– CA can be an OAuth authorization server and an OpenID Connect server
Security Gateway / Internal Security (additional detail)
Confidentiality
– Easy to configure and accelerated secure transport (SSL/TLS) for point-to-point encryption and confidentiality (both in front of and behind our gateway, with and without client authentication)
– Easy to configure and accelerated end-to-end confidentiality with message- or element-level encryption and decryption based on industry standards (e.g. XML Encryption, WS-Security and JWE)
Integrity
– Easy to configure and accelerated end-to-end integrity with message- or element-level digital signature and verification based on industry standards (e.g. XML Signature and WS-Security)
– HMAC signature support for emerging non-XML standards like REST and OAuth
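The last bullet names HMAC signatures for REST traffic. The following added example, written for this page and not taken from CA's products, shows what a gateway verifies for such a request: the client signs a canonical string (method, path, timestamp, body digest) with a shared secret, and the gateway rejects stale timestamps and compares the signature in constant time. The canonical form, the secret and the sample request are assumptions.

```python
"""Added example (not CA product code): HMAC-SHA256 request signing and
verification for a REST call. The canonical form and the sample request are
constructed for this example."""
import hashlib
import hmac


def canonical_request(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, time and a body digest into one string so that
    changing any one of them invalidates the signature."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Client side: hex HMAC-SHA256 over the canonical request."""
    return hmac.new(secret, canonical_request(method, path, timestamp, body),
                    hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes,
                   signature: str, now: int, max_skew: int = 300) -> bool:
    """Gateway side: refuse timestamps outside the skew window (limits replay),
    then compare the recomputed MAC in constant time."""
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(secret, method, path, timestamp, body)
    return hmac.compare_digest(expected, signature)


# Constructed shared secret and request.
CLIENT_SECRET = b"constructed-shared-secret"
REQ = dict(method="POST", path="/warehouse/orders", timestamp=1700000000,
           body=b'{"sku":"AB12","qty":2}')


def demo() -> dict:
    """Sign once, then verify a genuine, a tampered and a stale presentation."""
    sig = sign_request(CLIENT_SECRET, **REQ)
    return {
        "genuine": verify_request(CLIENT_SECRET, signature=sig, now=1700000010, **REQ),
        "tampered_body": verify_request(CLIENT_SECRET, REQ["method"], REQ["path"],
                                        REQ["timestamp"], b'{"sku":"AB12","qty":200}',
                                        sig, 1700000010),
        "stale": verify_request(CLIENT_SECRET, signature=sig, now=1700001000, **REQ),
    }


if __name__ == "__main__":
    print(demo())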
Security Gateway / Internal Security (additional detail)
Auditing & Logging
– Automatic and configurable auditing and logging of events by category and priority level, both on and off gateways
– Gateway Audit Event viewer that can see all audit events across a cluster of multiple gateways, with or without full request and response message recording
– Auditing and logging are very configurable and can be managed globally across a cluster and/or conditionally in policy
– Audit and log events can be sent remotely via syslog and/or any other outbound protocol supported by CA
Non-repudiation
– CA supports non-repudiation through a combination of auditing, logging and digital signatures
Security Gateway / Internal Security (additional detail)
Data Classification and Compliance
– Automatic XML well-formedness validation
– XML schema validation, Schematron, and JSON schema validation
– Many additional out-of-the-box assertions for classifying, validating, masking and filtering message content at runtime
Threat Protection
– Automatic threat protection for TCP/IP-based attacks, coercive parsing and XML bombs, external entity attacks, schema poisoning, WSDL scanning and XML routing detours
– Configurable threat protection for single- and multi-message denial of service attacks
– Injection attack protection (both SQL and code)
– Rate limiting and SLA enforcement with high performance and accuracy across a cluster of multiple gateways
– True replay attack protection across a cluster of multiple gateways
– Virus scanning via the ICAP protocol, with specific support for Symantec, McAfee and Sophos
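Two of the protections listed above, as an added example written for this page rather than CA's implementation: the well-formedness and coercive-parsing checks (reject any DOCTYPE or entity declaration before a tree is built, and cap message size, which covers the XML bomb and external entity cases) and replay detection keyed on client and nonce within a time window. The size limit, window length and sample messages are constructed; in a gateway cluster the replay table would live in shared storage, which is assumed rather than shown.

```python
"""Added example (not CA product code): gateway-style XML threat checks and
replay protection. Limits, names and sample messages are constructed."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

MAX_MESSAGE_BYTES = 64 * 1024  # constructed limit for this example


class ThreatDetected(Exception):
    """Raised when a message trips one of the protections below."""


def parse_xml_safely(raw: bytes) -> ET.Element:
    """Reject oversize documents, any DOCTYPE (coercive parsing, XML bomb) and
    any entity declaration (external entity attacks), then build the tree."""
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ThreatDetected(f"DOCTYPE '{name}' not allowed")

    def reject_entity(*_):
        raise ThreatDetected("entity declaration not allowed")

    if len(raw) > MAX_MESSAGE_BYTES:
        raise ThreatDetected("message exceeds size limit")
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    try:
        parser.Parse(raw, True)  # well-formedness pass; the hooks above fire on DTD content
    except expat.ExpatError as exc:
        raise ThreatDetected(f"not well-formed: {exc}") from exc
    return ET.fromstring(raw)  # no DTD survived the pass above, so this is safe


def classify_xml(raw: bytes) -> str:
    """'ok:<root tag>' when accepted, otherwise 'blocked:<reason>'."""
    try:
        return "ok:" + parse_xml_safely(raw).tag
    except ThreatDetected as exc:
        return "blocked:" + str(exc)


class ReplayGuard:
    """Remember (client, nonce) pairs for a window; a second use is a replay.
    The message timestamp must also fall inside the window."""

    def __init__(self, window_seconds: int = 300):
        self.window = window_seconds
        self.seen = {}  # (client, nonce) -> first-seen time

    def accept(self, client: str, nonce: str, msg_time: float, now: float) -> bool:
        if abs(now - msg_time) > self.window:
            return False  # stale or future-dated message
        for key in [k for k, t in self.seen.items() if now - t > self.window]:
            del self.seen[key]  # evict entries older than the window
        key = (client, nonce)
        if key in self.seen:
            return False
        self.seen[key] = now
        return True


if __name__ == "__main__":
    print(classify_xml(b"<order><id>1</id></order>"))
    print(classify_xml(b'<!DOCTYPE lolz [<!ENTITY lol "lol">]><lolz>&lol;</lolz>'))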
CA Mobile API Gateway
– Apple Push Notification
– Android Push Notification
– Mobile SSO (API and SDK): multi-user support, social login, one-time password, dynamic app config & credential provisioning, geo-location support, cross-device SSO (QRC, BLE, NFC)
– Enterprise Browser
– Samsung KNOX for APIs
(diagram: API Portal, API Servers, IdM, MAG)
OWASP Top 10 [1] Protection as Web App Proxy
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
[1] https://www.owasp.org/index.php/Top_10_2013-Top_10
Where do I start?
– Reduce attack surface (expose only what's needed; require all traffic to go through the gateway)
– Use a secure transport (i.e. SSL/TLS)
– Control access (e.g. mutual auth SSL, HTTP Basic Auth, OAuth, MSSO, API key?, etc.)
– Enforce a strict interface (i.e. validate protocol, resource, method, parameters, schema)
– Validate (and optionally encode) input (and optionally output) parameter values
– Rate limit (so as not to exceed capacity, anywhere)
– Monitor (log and audit)
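The checklist above, carried through as one policy function in an added example written for this page (not CA policy language or product code): require the secure transport, identify the caller by API key, expose only an allow-listed set of method and resource pairs, reject unknown parameters and validate the values of known ones, rate limit per client, and record an audit line for every decision. The routes, the API key table, the sample requests and the limit of five requests per minute are constructed for the example.

```python
"""Added example (not CA product code): a minimal gateway policy implementing
the 'Where do I start?' checklist. Routes, keys, limits and requests are constructed."""
import re
from collections import defaultdict, deque

# Strict interface: only these (method, resource) pairs exist, with exactly these parameters.
SKU = re.compile(r"^[A-Z0-9]{4,12}$")
ROUTES = {
    ("GET", "/warehouse/items"): {"sku": SKU},
    ("POST", "/warehouse/orders"): {"sku": SKU, "qty": re.compile(r"^[1-9][0-9]{0,2}$")},
}
API_KEYS = {"key-alice-123": "alice"}  # constructed; mutual TLS or OAuth would fit here too


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit: int = 5, window: int = 60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class Gateway:
    def __init__(self):
        self.limiter = RateLimiter()
        self.audit = []  # in-memory stand-in for syslog or an audit store

    def enforce(self, req: dict, now: float) -> tuple:
        """Apply the checks in order and audit the outcome; returns (status, reason)."""
        status, reason = self._decide(req, now)
        self.audit.append(f"{now} {req.get('method')} {req.get('path')} -> {status} {reason}")
        return status, reason

    def _decide(self, req: dict, now: float) -> tuple:
        if not req.get("tls"):
            return 403, "secure transport required"
        client = API_KEYS.get(req.get("headers", {}).get("X-API-Key"))
        if client is None:
            return 401, "unknown or missing API key"
        rule = ROUTES.get((req.get("method"), req.get("path")))
        if rule is None:
            return 404, "resource or method not exposed"
        params = req.get("params", {})
        unexpected = set(params) - set(rule)
        if unexpected:
            return 400, f"unexpected parameter(s): {sorted(unexpected)}"
        for name, pattern in rule.items():
            value = params.get(name)
            if value is None or not pattern.fullmatch(value):
                return 400, f"invalid or missing parameter: {name}"
        if not self.limiter.allow(client, now):
            return 429, "rate limit exceeded"
        return 200, f"allowed for {client}"


def run_samples() -> dict:
    """Run constructed requests through the policy and collect the status codes."""
    gw = Gateway()
    ok = dict(tls=True, method="GET", path="/warehouse/items",
              headers={"X-API-Key": "key-alice-123"}, params={"sku": "AB12"})
    results = {
        "plain_http": gw.enforce({**ok, "tls": False}, 0)[0],
        "no_key": gw.enforce({**ok, "headers": {}}, 0)[0],
        "unknown_route": gw.enforce({**ok, "method": "DELETE"}, 0)[0],
        "extra_param": gw.enforce({**ok, "params": {"sku": "AB12", "debug": "1"}}, 0)[0],
        "injection_like": gw.enforce({**ok, "params": {"sku": "AB12' OR 1=1--"}}, 0)[0],
        "good": gw.enforce(ok, 0)[0],
    }
    # Five more good requests inside the window: the sixth allowed call is throttled.
    codes = [gw.enforce(ok, 1)[0] for _ in range(5)]
    results["throttled"] = codes[-1]
    results["audit_lines"] = len(gw.audit)
    return results


if __name__ == "__main__":
    print(run_samples())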
Demo
– CA (Mobile) API Gateway (for runtime policy enforcement)
– Policy Manager (for policy authoring and administration)
– CA API Developer Portal (for discovering, exploring, registering to access and monitoring utilization of APIs)
– ACME Warehouse Service
Must See Demos (CA API Management, Theater 3)
– Optimize with API Insights & Monitoring
– Orchestrate and Secure APIs & Microservices
– Launch Faster with API Management in the Cloud
– Deliver Continuously with API Testing
Recommended Sessions
SESSION #   TITLE                                                                        DATE/TIME
DO3T82S     Building the Digital Platform - with secure APIs                             11/16/2016 at 1:00 pm
DO3X18S     Securing your API Portfolio with API Management                              11/16/2016 at 2:00 pm
DO3T02S     Case Study: How Adobe Secures, Manages and Deploys Enterprise Mobile Apps    11/17/2016 at 1:45 pm
Questions?
Thank you.
Stay connected at communities.ca.com
DevOps – API Management and Application Development
For more information on DevOps – API Management and Application Development, please visit: http://cainc.to/DL8ozQ