Managing API Security Liam Lynch Chief Security Strategist, eBay Founder and Identity Strategist, CSA Feb 23, 2011

Managing API Security in SaaS and Cloud


DESCRIPTION

Opening SaaS applications and cloud services to outside developers is becoming critical for cloud-enterprise integrations, information sharing across affiliate Web sites, and mobile / tablet access to data. Controlling how APIs get securely exposed to different consumers requires a simple, scalable way to manage API security, address versioning and meter consumption without burdening either application developers or application consumers. Join eBay's Chief Security Strategist Liam Lynch and Layer 7's CTO Scott Morrison for this presentation.


Page 1: Managing API Security in SaaS and Cloud

Managing API Security

Liam Lynch

Chief Security Strategist, eBay

Founder and Identity Strategist, CSA

Feb 23, 2011

Page 2

Web services security

Large-scale public services need scale but also granular security

Service fabrics such as REST are valuable for agile development

Many consumers of services can't use SOAP or other forms of XML request/response

Whatever the protocol, there needs to be protection and dynamic service delivery

Page 3

Service protection

Early on, protection for services was SSL and access tokens

The typical use case was 3rd-party iframe invocation in client browsers

REST was a step up in protection, but the typical use case was still dangerous

Full SOAP/XML-based services using standards (XML encryption and SAML) are better but elude the typical use case

Until…

Page 4

Service abstraction

Service abstraction allows for denial-of-service protection

Abstraction allows older services to be upgraded without rewriting code

Abstraction allows for integrated service delivery

Abstraction allows for upgrading security and service standards

Abstraction allows for increased security by coordinating with…

Page 5

Service orchestration

Orchestration provides a capability to bring in service delivery components just in time

Security-level orchestration leverages abstraction to enable evaluation at run time

The typical use case could be easily enabled by SAML browser tokens and orchestration of identity provider assertions

Policies for access can be orchestrated from a variety of sources depending on client access and other factors such as service authorization
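The slides above describe the abstraction layer's role in words. The following Python sketch, added here as an example and not code from the presentation, eBay or Layer 7, shows what run-time policy evaluation in such a layer looks like: a request is authenticated with an HMAC access token, throttled per consumer by a token bucket (the denial-of-service protection of slide 4), and only then checked against the scope the route requires (the service-authorization input of slide 5). The consumers, secrets, routes and scopes are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data (not from the presentation): the shared secret and
# granted scopes for each registered API consumer. A real gateway would pull
# these from the identity provider or developer portal at run time.
CONSUMERS = {
    "partner-a": {"secret": b"partner-a-secret", "scopes": {"catalog:read"}},
    "partner-b": {"secret": b"partner-b-secret", "scopes": {"catalog:read", "orders:write"}},
}

# Service authorization: the scope each exposed route requires (hypothetical routes).
ROUTE_SCOPES = {
    ("GET", "/v1/catalog"): "catalog:read",
    ("POST", "/v1/orders"): "orders:write",
}


def sign(consumer_id, timestamp, method, path):
    """HMAC-SHA256 access token binding consumer, time, method and path."""
    msg = f"{consumer_id}\n{timestamp}\n{method}\n{path}".encode()
    return hmac.new(CONSUMERS[consumer_id]["secret"], msg, hashlib.sha256).hexdigest()


class TokenBucket:
    """Per-consumer throttle: refills `rate` tokens per second up to `capacity`."""

    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Evaluates authentication, throttling and authorization in front of the backend."""

    def __init__(self, rate=5.0, burst=5.0, max_skew=300):
        self.rate, self.burst, self.max_skew = rate, burst, max_skew
        self.buckets = {}  # consumer_id -> TokenBucket

    def evaluate(self, req, now):
        """Return (status, reason); 200 means the request may be forwarded."""
        consumer = CONSUMERS.get(req["consumer_id"])
        if consumer is None:
            return 401, "unknown consumer"
        if abs(now - req["timestamp"]) > self.max_skew:
            return 401, "stale timestamp"  # bounds replay of a captured token
        expected = sign(req["consumer_id"], req["timestamp"], req["method"], req["path"])
        if not hmac.compare_digest(expected, req["signature"]):
            return 401, "bad signature"
        # Throttle before authorization so a flood of forbidden calls still
        # burns the caller's quota and never reaches the backend.
        bucket = self.buckets.setdefault(req["consumer_id"], TokenBucket(self.rate, self.burst, now))
        if not bucket.allow(now):
            return 429, "rate limit exceeded"
        required = ROUTE_SCOPES.get((req["method"], req["path"]))
        if required is None:
            return 404, "unknown route"
        if required not in consumer["scopes"]:
            return 403, f"scope {required} not granted"
        return 200, "forwarded to backend"


def make_request(consumer_id, method, path, timestamp, signature=None):
    """Build a signed request dict; the signature override lets a caller forge one."""
    sig = signature if signature is not None else sign(consumer_id, timestamp, method, path)
    return {"consumer_id": consumer_id, "timestamp": timestamp, "method": method,
            "path": path, "signature": sig}


if __name__ == "__main__":
    gw = Gateway(rate=1.0, burst=2.0)
    for _ in range(3):  # third call within the same second is throttled
        print(gw.evaluate(make_request("partner-a", "GET", "/v1/catalog", 1000), 1000.0))
```

Throttling sits between authentication and authorization so that a burst of forbidden calls from a registered consumer exhausts that consumer's quota rather than the backend; unauthenticated floods would additionally need a per-source limit, which this sketch omits. The timestamp bound limits replay of a captured token to the skew window but does not prevent it inside that window; a nonce cache would.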

Page 6

Summary

Service protection has a history of proprietary and troublesome interoperability issues

Service abstraction enables better service security by introducing a standards-based layer in front of service platforms

Service orchestration enables better security by leveraging service abstraction and injecting standards-based security and policy evaluation

Page 7

Managing API Security

Common Patterns and Case Studies

K. Scott Morrison

CTO and Chief Architect, Layer 7

Feb 23, 2011

Page 8

LargeCorporation.com Has A Problem…

[Diagram: The API runs on Internal Hosts in the Internal Data Center behind Firewall-2; a DMZ and Firewall-1 separate it from The Internet and a Partner.]

How can LargeCorp securely publish and manage their new API?

Page 9

Cloud-based Security & Management Is Too Remote

[Diagram: same topology, with a Cloud Security Offering placed out on the Internet side of Firewall-1; the stretch between it and The API in the Internal Data Center is labelled "The last 1000 miles…", and Hackers sit in that gap.]

Page 10

Layer 7: The Enterprise Solution For Service Protection

[Diagram: The API in the Internal Data Center, protection placed in the DMZ between the Operator and the Partner; caption: Keep Security and Mgmt. Close to the API]

Military-grade security for REST and SOAP APIs/Services

Complete visibility into use patterns

Integration into existing infrastructure: Identity & Access Mgmt, Portals, Operations, billing, etc.

Page 11

Case Study: Publishing Web-based APIs

Problem: A leading European car portal wanted to securely expose auto and ecommerce information to third-party developers

Solution: Layer 7 authorizes/authenticates third-party developers attaching to ecommerce APIs directly or via a Web portal; throttles backend traffic to maintain Quality of Service targets

Results: increased revenue by monetizing their APIs; increased traffic, exposure and brand through third-party Web sites, applications and services based on automobile-focused Web service APIs

Page 12

But Now LargeCorporation.com Has A New Problem…

[Diagram: Internal Hosts in the Internal Data Center behind Firewall-2, the DMZ and Firewall-1; Lots of APIs on the inside facing Lots of Developers on the outside.]

How can LargeCorp scale API management?

Page 13

The Enterprise Solution For Service Abstraction

[Diagram: Internal Hosts in the Internal Data Center and Lots of Developers outside the DMZ, with a Provider View on one side and a Developer View on the other; caption: Management of APIs the way applications are managed]

Full policy life-cycle management

Policy versioning, roll-back, audit

Policy migration (dev-test-prod)

Clear separation of duties

Role-based Access Control (RBAC)

APIs for integration with existing infrastructure and tools
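As an added illustration of the policy life-cycle controls listed above (example code, not Layer 7's product), the Python class below keeps every published policy version, promotes a version through hypothetical dev, test and prod stages in order, rolls back a stage to its previously active version without deleting history, writes an audit record for each action, and enforces separation of duties through RBAC: only holders of the approver role promote, and the author of a version can never be the approver who promotes it. Roles, user names and policy bodies are constructed sample data.

```python
STAGES = ("dev", "test", "prod")


class PolicyStore:
    """Versioned API policies with audit trail, staged promotion and roll-back."""

    def __init__(self, roles):
        self.roles = roles                      # user -> set of role names (constructed)
        self.versions = []                      # every version ever published; never deleted
        self.history = {s: [] for s in STAGES}  # versions that have been active in each stage
        self.audit = []                         # (user, action, version, stage) records

    def _require(self, user, role):
        """RBAC check: raise unless the user holds the role."""
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks role {role}")

    def active(self, stage):
        """Version currently enforced in a stage, or None."""
        return self.history[stage][-1] if self.history[stage] else None

    def publish(self, user, body):
        """Authors create a new version, which becomes active in dev only."""
        self._require(user, "policy-author")
        version = len(self.versions) + 1
        self.versions.append({"version": version, "body": body, "author": user})
        self.history["dev"].append(version)
        self.audit.append((user, "publish", version, "dev"))
        return version

    def promote(self, user, version, stage):
        """Approvers move a version one stage forward, and never their own work."""
        self._require(user, "policy-approver")
        entry = self.versions[version - 1]
        if entry["author"] == user:
            raise PermissionError("separation of duties: author cannot approve own policy")
        if stage == "dev":
            raise ValueError("versions are published into dev, not promoted")
        previous = STAGES[STAGES.index(stage) - 1]
        if self.active(previous) != version:
            raise ValueError(f"version {version} is not active in {previous}")
        self.history[stage].append(version)
        self.audit.append((user, "promote", version, stage))

    def rollback(self, user, stage):
        """Re-activate the previously active version of a stage; the retired
        version stays in self.versions and the audit trail records the change."""
        self._require(user, "policy-approver")
        if len(self.history[stage]) < 2:
            raise ValueError(f"nothing to roll back in {stage}")
        retired = self.history[stage].pop()
        self.audit.append((user, "rollback", retired, stage))
        return self.active(stage)


if __name__ == "__main__":
    store = PolicyStore({"alice": {"policy-author"}, "bob": {"policy-approver"}})
    v = store.publish("alice", "allow partner-a GET /v1/catalog, 5 rps")
    store.promote("bob", v, "test")
    store.promote("bob", v, "prod")
    print(store.active("prod"), store.audit)
```

The two checks that matter are in `promote`: the role check keeps authors from promoting at all, and the author comparison keeps a user who holds both roles from approving their own change. Roll-back never deletes a version, so the audit trail can always answer which policy was enforced in prod at a given time.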

Page 14

Case Study: Publishing Information Service APIs

Problem: A leading global publisher needed to allow customers and partners to use Google Apps to access multiple, existing information services

Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration

“Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close.”

SOA Architect, World's leading publisher of science and health information

Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering
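Converting REST queries into SOAP requests, as in the case study above, is where an abstraction layer can introduce an injection flaw of its own: if query parameters are spliced into the envelope as strings, a caller can close one element and open another. The added Python example below (not the vendor's or the customer's code; the service namespace and the Search operation are hypothetical) shows the unsafe translation next to one that validates the parameters and builds the envelope with ElementTree, which escapes text nodes, together with a constructed hostile query that plants its own limit element in the unsafe version.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example:catalog"  # hypothetical namespace of the backend SOAP service
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("svc", SERVICE_NS)


def rest_to_soap_unsafe(query_string):
    """String-templated translation: untrusted values land inside the markup."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<svc:Search xmlns:svc="{SERVICE_NS}">'
        f'<svc:term>{params.get("q", "")}</svc:term>'
        f'<svc:limit>{params.get("limit", "10")}</svc:limit>'
        '</svc:Search></soap:Body></soap:Envelope>'
    )


def rest_to_soap(query_string, max_limit=100):
    """Validate the REST parameters, then build the envelope with an XML API
    that escapes text nodes, so a value can never become markup."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    term = params.get("q", "")
    if len(term) > 200:
        raise ValueError("search term too long")
    limit = int(params.get("limit", "10"))  # non-numeric limit raises ValueError
    if not 1 <= limit <= max_limit:
        raise ValueError("limit out of range")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SERVICE_NS}}}Search")
    ET.SubElement(op, f"{{{SERVICE_NS}}}term").text = term
    ET.SubElement(op, f"{{{SERVICE_NS}}}limit").text = str(limit)
    return ET.tostring(env, encoding="unicode")


def limits_in(envelope):
    """Parse an envelope we generated and list every svc:limit value it carries."""
    root = ET.fromstring(envelope)
    return [e.text for e in root.iter(f"{{{SERVICE_NS}}}limit")]


def term_in(envelope):
    """Text of the first svc:term element in an envelope we generated."""
    root = ET.fromstring(envelope)
    return root.find(f".//{{{SERVICE_NS}}}term").text


# Constructed hostile input: the search term closes the term element and
# injects a limit element of its own, defeating the gateway's QoS cap.
INJECTED_QUERY = urlencode({
    "q": "x</svc:term><svc:limit>100000</svc:limit><svc:term>",
    "limit": "5",
})

if __name__ == "__main__":
    print(limits_in(rest_to_soap_unsafe(INJECTED_QUERY)))  # two limit elements
    print(limits_in(rest_to_soap(INJECTED_QUERY)))         # exactly one
    print(term_in(rest_to_soap(INJECTED_QUERY)))           # markup kept as literal text
```

Compare `limits_in(rest_to_soap_unsafe(INJECTED_QUERY))` with `limits_in(rest_to_soap(INJECTED_QUERY))`: the first envelope carries two limit elements, the second exactly one, and the injected markup survives only as literal text in the search term. Whether a backend honours the first or the last limit it sees depends on its parser, which is exactly why the gateway must not let the question arise.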

Page 15

Finally, How Will LargeCorporation.com Automate?

[Diagram: Virtualization Infrastructure in the Internal Data Center behind the DMZ, facing High Usage Volumes.]

How can LargeCorp react to rapid changes in scale?

Page 16

The Enterprise Solution For Service Orchestration

[Diagram: a Virtualization Farm and its Virtualization API in the Internal Data Center, alongside Switches, Load Balancers, etc and an Audit DB, behind the DMZ and facing High Usage Volumes; caption: Secure and automated co-ordination of all infrastructure to maintain SLAs]

Orchestration using GUI tools

Fully integrated into security context

Parallelized access

Connectors to HTTP, TCP, SSH, FTP, JMS, SNMP, SMTP, MQSeries, etc.

Page 17

Case Study: IaaS & PaaS API Security

Problem: A leading cloud IaaS and PaaS provider needed to allow customers to self-provision and self-manage private cloud resources without compromising the cloud provider's virtualized infrastructure

Solution: Layer 7 provides integration with and API management for this provider's management and billing systems, EMC storage, and VMware vCloud Director; provides security / threat protection, and ensures SLA / QoS levels are met

Results: with Layer 7 in place, the provider's customers can create and manage their own private cloud as if it were a true extension of their enterprise

Page 18

For further information:

K. Scott Morrison
Chief Technology Officer & Chief Architect

Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377

smorrison@layer7tech.com

http://www.layer7tech.com

February 23, 2011