CA World '16
Securing Your API Portfolio With API Management
Jeffrey Nibler - Vice President, API Management Division - Acclaim Consulting
DO3X18S
DEVOPS
2 ©2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
Terms of this Presentation: For Informational Purposes Only
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
This presentation by Acclaim Consulting covers all aspects of securing APIs and how an APIM solution offers the best flexibility and chance to meet all possible security use cases. The discussion will cover the differences between an APIM solution and typical WAM solutions, special security considerations around mobile security (including device registration with two-factor authentication) and Single-Page Web Application security, along with an overview of OpenID Connect, OAuth2, WS-Security and JWTs. Lastly, a brief case study will be presented on how Verizon and Duke Energy leverage the security features of CA API Management to protect their businesses.
Jeffrey Nibler
Acclaim Consulting, VP, API Management
Agenda
1 The Importance of Flexibility
2 APIM vs WAM
3 Securing APIs for Mobile, IoT, and SPA
4 JWT
5 OpenID Connect vs OAuth
6 JOSE – "WS-Security" for REST APIs
7 Real-World API Security Use-Cases
The Importance of Flexibility
Should API Publishers Dictate API Security?
Yes, but…
Rules are written to be broken, by:
§ Customers
§ Systems (3rd party applications)
§ Internal departments
§ Clients
§ Timelines
The Importance of Flexibility
Should API Publishers Dictate API Security?
You need a centralized system to handle API security for all APIs that is flexible and easy to implement and change.
You need something that masks the authentication mechanisms of your back-end from your front-end.
You want to remove security logic from your APIs.
This is where an API Gateway comes in.
[Diagram: User Agent – Gateway – Internal Network; labels "Simple/Light: JWT/OAuth" and "More complex"]
APIM vs WAM
Why do I need APIM if I have WAM?
§ WAM
– Designed for Web Access Management
§ APIM
– Designed specifically for API Management and API Security
APIM vs WAM
Why Do I Need APIM if I Have WAM? Overlap
§ Identity and Authentication
– User, Group
§ Access Management
– Resource-Based
– Cookies/Sessions
§ SSO/Federation
– SAML, OAuth, Kerberos
APIM vs WAM
Why Do I Need APIM if I Have WAM? Some Common Differentiators
§ Identity and Authentication
– APIMs can leverage Enterprise Active Directories or internal Identity Providers
§ Access Management
– Better support for non-cookie-based identification schemes
– Access control by application instead of user
– APIM provides fine-grain access control for SOAP and RESTful services
– API Plans – Rate limiting, quotas, commoditizing
§ Message Payload Security
– Remove sensitive elements from message responses based on user/role/app
– Threat detection
§ Mobile & IoT Use Cases
– Mobile Device Registration – Programmatic certification/CSR management
– Mobile SDK
[Diagram: Mobile App, Gateway, WAM, Directory]
WAM: System of Record. APIM: Point of Enforcement.
JWT
JSON Web Token – Pronounced "JOT"
What Are They?
§ Compact, URL-safe mechanism for representing claims transferred between two parties
– Can contain pre-defined reserved and public claims, as well as private claims
§ JSON-formatted, standardized tokens
– Smaller and easier to implement than SAML/XML/SOAP
– Easy for mobile applications to work with
§ Safe – Can't be modified by the client app without breaking the signature
– Uses JWS or JWE to sign or encrypt, symmetric or asymmetric
§ Self-contained – contents are readable
– Ideal for microservices
– High performing – No additional DB or API calls to validate or fetch data
§ Small, and very API-friendly
– Ideal for enabling state in cross-application scenarios
OpenID Connect vs OAuth
What's the Difference?
OAuth
§ Delegated Authorization Protocol
§ For use in a three- or four-party model:
– User
– Website/Application (user agent)
– Authorization Server
– Protected Resource (most often in the same domain as the authorization server)
§ NOT about Authentication
OpenID Connect
§ Interoperable Authentication Protocol
§ Allows client application developers to outsource identity management to third parties (such as Facebook or Google)
§ Used to authenticate and assert the identity of a user
§ OpenID Connect Token is human-readable (JWT) and all required claims are included within, saving additional calls to DBs or APIs to retrieve this data
§ Token can be restricted to an audience
§ Stateless
OpenID Connect vs OAuth
When/Where Do I Use Them?
OAuth
§ When you want to allow a third-party application to view your Facebook friends
§ When you want to allow a third-party website to make Twitter posts on your behalf
§ If you are the Resource Provider and you want to allow your users to delegate access to their information to third-party applications and user-agents
OpenID Connect
§ When you want to authenticate a user
– Via your own IDP
– Via a third-party IDP
§ When you want a readable (if not encrypted), application-agnostic, JSON-formatted authentication token that can easily be passed back and forth in API calls
§ When you do not want to pass login credentials with each API call
OpenID Connect vs OAuth
Why Shouldn't I Use OAuth for Authentication?
§ OAuth tokens are generally long-lived
§ OAuth tokens contain no readable information, claims, or expiry – not even a User ID
§ When OAuth is used for authentication, client applications have implicit trust that the holder of the Access Token is the resource owner (the user), when a malicious site could hold the token
– Once an Access Token is obtained, a malicious user or site could use the token to impersonate the user on any website that uses OAuth Access Tokens as proof of authentication (using the client flow).
§ Facebook and Google have implemented some proprietary work-arounds for some of these issues, but OpenID Connect is a secure standard
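The following Python is an added worked example (not part of the original deck, and not CA or Acclaim code) serving both the JWT slide and this one. It builds a minimal HS256 JWS mint/verify pair with the expiry and audience checks the JWT and OpenID Connect slides rely on, then plays out the token-substitution problem described above: a relying party that treats any valid OAuth access token as a login, beside one that requires an OpenID Connect ID token addressed to its own client_id and login nonce. The authorization server, the shared key, the client IDs ("rogue-app", "bank-site"), the user name and the timestamps are all constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by issuer and relying parties (HS256, symmetric). A real
# deployment would use an asymmetric JWS key (RS256/ES256) so relying parties cannot mint tokens.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Produce header.payload.signature, signed with HMAC-SHA256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(token: str, audience: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return the claims only if signature, expiry and audience all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")     # any edit to header or payload lands here
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")  # token was minted for a different client
    return claims


class AuthorizationServer:
    """Constructed stand-in for an OAuth2 / OpenID Connect provider (not a real product)."""

    def __init__(self):
        self._access_tokens = {}   # opaque access token -> (subject, client it was issued to)

    def authorize(self, subject: str, client_id: str, nonce: str, now: float):
        access_token = secrets.token_urlsafe(16)            # opaque: no claims, no expiry inside
        self._access_tokens[access_token] = (subject, client_id)
        id_token = mint_jwt({"iss": "https://idp.example", "sub": subject, "aud": client_id,
                             "nonce": nonce, "iat": now, "exp": now + 300})
        return access_token, id_token

    def userinfo(self, access_token: str) -> dict:
        subject, _issued_to = self._access_tokens[access_token]
        return {"sub": subject}


def login_with_access_token(idp: AuthorizationServer, access_token: str) -> str:
    """INSECURE pattern from the slide: whoever holds a valid access token 'is' the user."""
    return idp.userinfo(access_token)["sub"]


def login_with_id_token(id_token: str, my_client_id: str, expected_nonce: str, now: float) -> str:
    """OpenID Connect: the ID token must be signed, unexpired and addressed to *this* client."""
    claims = verify_jwt(id_token, audience=my_client_id, now=now)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")   # ties the token to this client's own login attempt
    return claims["sub"]


def token_substitution_demo():
    """Alice signs in to a rogue app; the rogue app replays her tokens at a second site."""
    now = 1_700_000_000
    idp = AuthorizationServer()
    access_token, id_token = idp.authorize("alice", client_id="rogue-app", nonce="rogue-nonce", now=now)
    impersonated_as = login_with_access_token(idp, access_token)    # bank-site accepts: "alice"
    try:
        login_with_id_token(id_token, "bank-site", expected_nonce="bank-nonce", now=now)
        rejected = False
    except ValueError:
        rejected = True                                             # aud is rogue-app, not bank-site
    return impersonated_as, rejected
```

Two design points carry the slide's argument: the access token is opaque and bound to nothing the relying party can check, so `login_with_access_token` cannot tell a replay from a genuine login; the ID token's `aud` and `nonce` are verified under the issuer's signature, so the same replay fails at `verify_jwt` before any identity is trusted.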
JOSE: "WS-Security" for REST APIs
A Framework Intended to Provide a Method to Securely Transfer Claims Between Parties
§ WS-Security is part of the SOAP specification that describes structures for cryptographic keys, and defines cryptographic algorithms to be used for message signing and message encryption
§ JOSE provides the same, but in JSON format, making it ideal for REST services
The Power of Two-Way SSL
Hang Up!
§ Hackers try to penetrate systems through discovery
– What APIs do you have?
– What is their endpoint?
– What data elements do they contain?
– Do they require authentication?
– Are they vulnerable to injection, overflow, etc.?
§ If a hacker doesn't have a valid client certificate, they are stopped at the connection level, before having the ability to attack
Two-Way SSL for Mobile Applications
CA Mobile API Gateway
§ Web browsers and mobile devices are not well-suited for Two-Way SSL due to the manual processes involved in key pair management, CSR generation, certificate signing, establishing trust between two parties, and managing certificate expiry
§ CA Mobile API Gateway solves this
– Programmatically sign and establish trust for client certs
[Diagram: Mobile API Gateway]
Two-Way SSL for Mobile Applications
CA Mobile API Gateway with 2-Factor Authentication
[Sequence diagram; participants: Mobile Device, Mobile API Gateway (GW), Enterprise Directory, CRM]
1. Mobile Device → GW: User ID & PW authentication API call
2. GW → Enterprise Directory: Validate with LDAP
3. GW → Mobile Device: Return success, Auth Token & masked user phone numbers
4. GW → CRM: Obtain user phone numbers
5. Mobile Device → GW: Submit request for registration code, with masked phone number & Auth Token
6. GW maps masked phone to actual phone, submits to CRM
7. CRM generates registration code and sends SMS to user
8. Mobile Device generates RSA 2048 key pair, using User's ID + Device ID as CN, then CSR; Base-64 encodes CSR; submits API call to GW with Auth Token and Registration Code
9. GW validates Reg Code with CRM & on success, signs the CSR with its key pair, and adds the key pair to the GW's trust store
10. GW returns signed CSR, Base64 encoded, to Mobile Device, which stores it
11. All subsequent calls to APIs made over mSSL
12. GW validates cert and allows access to protected APIs
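The registration sequence above, worked through as an added Python example; this is not CA's Mobile API Gateway code, which the deck does not show. It assumes the `cryptography` package is installed; the LDAP, CRM lookup and SMS legs are simulated in memory, the gateway's own CA key pair stands in for its trust store, and every identity ("alice", "device-001", the CA name) is constructed. It covers the device key pair and CSR with CN = user ID + device ID, Base64 transport of CSR and certificate, the one-time registration code as the second factor, CSR signing by the gateway, and the device's check that what came back was signed by the gateway.

```python
import base64
import datetime
import hmac
import secrets

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

CA_NAME = "Demo Mobile API Gateway CA"   # constructed; assumes the GW owns an issuing key pair


def _utcnow():
    return datetime.datetime.now(datetime.timezone.utc)


def make_gateway_ca():
    """Gateway key pair plus self-signed CA certificate: what the GW trust store anchors on."""
    key = rsa.generate_private_key(65537, 2048, default_backend())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, CA_NAME)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_utcnow()).not_valid_after(_utcnow() + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256(), default_backend()))
    return key, cert


class RegistrationCodes:
    """Second factor (steps 6-7, simulated): one-time codes bound to a user, short-lived."""

    def __init__(self):
        self._pending = {}   # user_id -> (code, expiry)

    def issue(self, user_id, now):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = (code, now + datetime.timedelta(minutes=5))
        return code          # in the real flow this leaves by SMS, never in the API response

    def redeem(self, user_id, presented, now):
        entry = self._pending.pop(user_id, None)   # pop: one attempt and one use per code
        if entry is None or now > entry[1]:
            return False
        return hmac.compare_digest(entry[0], presented)


def device_generate_csr(user_id, device_id):
    """Step 8, device side: RSA-2048 key pair, CSR with CN = user ID + device ID, Base64 for transport."""
    key = rsa.generate_private_key(65537, 2048, default_backend())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"{user_id}+{device_id}")])
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
    csr = builder.sign(key, hashes.SHA256(), default_backend())
    return key, base64.b64encode(csr.public_bytes(serialization.Encoding.PEM)).decode()


def gateway_register(csr_b64, user_id, device_id, code, codes, ca_key, ca_cert, now):
    """Step 9, gateway side: check the code, then sign the CSR only for the authenticated identity."""
    if not codes.redeem(user_id, code, now):
        raise PermissionError("registration code invalid, expired or already used")
    csr = x509.load_pem_x509_csr(base64.b64decode(csr_b64), default_backend())
    if not csr.is_signature_valid:
        raise ValueError("CSR proof-of-possession failed")
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn != f"{user_id}+{device_id}":         # user_id comes from the Auth Token, not the CSR
        raise ValueError("CSR subject does not match the authenticated user and device")
    cert = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256(), default_backend()))
    return base64.b64encode(cert.public_bytes(serialization.Encoding.PEM)).decode()


def device_store_cert(cert_b64, ca_cert):
    """Step 10, device side: decode the certificate and confirm the gateway CA really signed it."""
    cert = x509.load_pem_x509_certificate(base64.b64decode(cert_b64), default_backend())
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    return cert


def run_registration_flow():
    ca_key, ca_cert = make_gateway_ca()
    codes = RegistrationCodes()
    now = _utcnow()
    code = codes.issue("alice", now)
    _dev_key, csr_b64 = device_generate_csr("alice", "device-001")
    cert_b64 = gateway_register(csr_b64, "alice", "device-001", code, codes, ca_key, ca_cert, now)
    cert = device_store_cert(cert_b64, ca_cert)
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    replay_rejected = not codes.redeem("alice", code, now)    # the same code cannot be used twice
    code2 = codes.issue("alice", now)                         # fresh code, but a CSR naming another user
    _k, bob_csr = device_generate_csr("bob", "device-002")
    try:
        gateway_register(bob_csr, "alice", "device-002", code2, codes, ca_key, ca_cert, now)
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    return cn, replay_rejected, mismatch_rejected
```

The checks worth copying are the ones the diagram leaves implicit: the registration code is single-use and compared in constant time, and the gateway derives the expected CN from the authenticated session rather than trusting whatever the device wrote into its CSR, so a client cannot enrol a certificate under someone else's user ID. Steps 11-12 are then ordinary TLS configuration on the gateway listener (in Python's standard library, `verify_mode = ssl.CERT_REQUIRED` with `load_verify_locations` pointing at the gateway CA), which is the "stopped at the connection level" behaviour from the Two-Way SSL slide.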
API Security Best-Practices Cheat-Sheet
Best-Practices in General
• Use TLS for everything
• If unable to leverage transport-layer encryption:
  • Message signing if message contents are "public" (JWS)
  • Message encryption if message contents are "private" (JWE)
• Authorization delegation: OAuth2
• Persistence across APIs: OpenID Connect/JWT
• Authentication (AuthN): API-based; OpenID Connect; existing Enterprise Directory through the Gateway
• Access Control (AuthZ): Leverage the existing Enterprise WAM system through the GW, or use the GW alone
• Continuous Authentication: Patterns – IP change, geolocation, multiple connections, different applications
• Threat Prevention: Throttling/Rate Limiting
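As an added example (not from the deck or from CA), two of the cheat-sheet rows in working Python: a per-application token-bucket throttle for the Threat Prevention row, and a session monitor that flags the Continuous Authentication patterns listed above (IP change, geolocation change, multiple connections, a different application presenting the same session). Limits, session IDs, application IDs and the traffic sample are constructed; the IPs come from documentation address ranges.

```python
from collections import deque


class TokenBucket:
    """Throttling per application: `capacity` requests of burst, refilled at `rate` per second."""

    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SessionMonitor:
    """Continuous authentication: compare each call against the session's baseline context."""

    def __init__(self, window=60.0, max_sources=2):
        self.window, self.max_sources = window, max_sources
        self._sessions = {}

    def observe(self, session_id, app_id, ip, country, now):
        flags = []
        s = self._sessions.get(session_id)
        if s is None:   # first sight of the session: record its baseline
            self._sessions[session_id] = {"app": app_id, "ip": ip, "country": country,
                                          "sources": deque([(now, ip)])}
            return flags
        if ip != s["ip"]:
            flags.append("ip-change")
        if country != s["country"]:
            flags.append("geo-change")
        if app_id != s["app"]:
            flags.append("app-change")
        s["sources"].append((now, ip))
        while now - s["sources"][0][0] > self.window:   # forget sightings outside the window
            s["sources"].popleft()
        if len({src for _, src in s["sources"]}) > self.max_sources:
            flags.append("multiple-connections")
        s.update(app=app_id, ip=ip, country=country)
        return flags


class Gateway:
    """Order of enforcement: throttle first (cheap), then risk-score the surviving calls."""

    def __init__(self, burst=5, per_second=1.0):
        self._buckets, self._limits = {}, (burst, per_second)
        self._monitor = SessionMonitor()

    def handle(self, now, session_id, app_id, ip, country):
        bucket = self._buckets.setdefault(app_id, TokenBucket(*self._limits))
        if not bucket.allow(now):
            return {"session": session_id, "status": "throttled", "flags": []}
        flags = self._monitor.observe(session_id, app_id, ip, country, now)
        status = "step-up-auth" if flags else "ok"   # re-authenticate rather than silently deny
        return {"session": session_id, "status": status, "flags": flags}


# Constructed traffic sample: (time, session, application, source IP, country).
SAMPLE_TRAFFIC = [
    (0.0, "s1", "mobile-app", "203.0.113.10", "US"),
    (1.0, "s1", "mobile-app", "203.0.113.10", "US"),
    (2.0, "s1", "mobile-app", "198.51.100.7", "DE"),   # same session, new IP and country
    (2.5, "s1", "web-spa", "198.51.100.7", "DE"),      # same session presented by another app
    (3.0, "s1", "web-spa", "192.0.2.5", "DE"),         # third source inside the window
] + [(10.0, "s2", "batch-app", "203.0.113.99", "US")] * 8   # burst of 8 from one app at once


def run_sample(traffic=SAMPLE_TRAFFIC):
    gw = Gateway()
    return [gw.handle(*event) for event in traffic]
```

With the constructed sample, session s1 is asked to step up on its third, fourth and fifth calls (IP and country change, then a different application, then a third connection source), while the burst from batch-app gets five calls through and three throttled.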
API Security Best-Practices Cheat-Sheet
Best-Practices by Use-Case
Mobile & IoT Apps
– Mutual SSL
– Two-factor Auth + OpenID Connect
Single Page Apps
– OpenID Connect with API-based login exposed by the gateway, leveraging an IDP
– All API calls from the SPA route through the API Gateway
B2B: Mutual SSL
– Better than just an API key or shared secret – an API key must be sent with each request and can be easily stolen
Duke Energy is the largest electric power holding company in the United States, supplying and delivering energy to approximately 7.3 million U.S. customers.
CHALLENGE
§ Field workers must log in to three separate systems while in the field to view work orders
§ Third-party field workers may not access VPN, so a costly, manual paper work-order process is utilized
§ New mobile application will result in the external exposure of APIs, which must be highly secured
SOLUTION
§ API Gateway, Mobile API Gateway, Developer Portal
§ Mobile Device Registration
§ Utilized API GW to provide SSO to non-linked multiple back-end systems via token
RESULTS
ACCELERATED IT: • API GW solution allowed mobile application to be quickly put into use in the field
TRANSFORMED IT: • Eliminated help desk, manual paper work-order process, and multiple sign-ons. Enabled internal AND external field workers to use electronic work orders
SECURED IT: • Secured services with Mutual SSL. • Utilized tokens with Kerberos tickets for SSO to Maximo and ArcGIS
Verizon Telematics is a leading telematics provider providing services to the Hum by Verizon product, NetworkFleet, Mercedes Benz Mbrace, VW Car-Net, and Nissan Connected Car.
CHALLENGE
§ Large, rapidly expanding/evolving API portfolio with a mix of SOAP and RESTful services
§ Many security components embedded in the business logic of the services or within the mobile applications
SOLUTION
§ API Gateway, Mobile API Gateway, Developer Portal
§ Mobile Device Registration with Two-Factor Authentication and Mutual SSL
§ Method-Level Access Control for SOAP services
RESULTS
ACCELERATED IT: • Two-phase roll-out allowed multiple clients to adopt new security within their ideal project timeline
TRANSFORMED IT: • Provided a single point of entry into all business services while leveraging existing enterprise Access Management and Authorization systems.
SECURED IT: • All APIs have tracked sessions, threat detection, Mutual SSL, and fine-grain access control
Questions?
Stay connected at communities.ca.com
Thank you.
DevOps – API Management and Application Development
For more information on DevOps – API Management and Application Development, please visit: http://cainc.to/DL8ozQ