Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to API Management for Secure Mobile and Cloud Use
Similar to API Management for Secure Mobile and Cloud Use (20)
More from OracleIDM
More from OracleIDM (20)
Recently uploaded
Recently uploaded (20)
API Management for Secure Mobile and Cloud Use
- 1. 1 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
- 2. API Management: Enable Your Infrastructure for Secure Mobile and Cloud Use Sid Mishra Sr. Principal Product Manager
- 3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 3 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
- 4. Program Agenda API Security and Management Challenges Access Control for SOA & Cloud Services 4 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
- 5. Market Trend: New Challenges of a Modern Enterprise Rebirth and Proliferation of APIs has introduced a new dimension. Publishing Internet APIs reliably is more important than ever. Socializing and monetizing internal information Mobile, Social and Cloud Access 5 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
- 6. API Security Challenges Security Inside-Out Control & Assurance Cloud Security Secure the Enterprise from external threats at the perimeter. Perimeter Security Broad & Deep integration Application Security Protect from internal threats, reduce security burden on applications. Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Security for hybrid infrastructure on-premise as well as in the Cloud. Consistency & Manageability Provide end-point security in heterogeneous environments. Middleware Security 6 Flexibility & Agility
- 7. Oracle Web Services and API Security First Line Of Defense OWSM Agent Shared Services Layer HTTP, SOAP, REST, XML, JMS HTTP, SOAP, REST, XML, JMS OES PDP OWSM Agent WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos Sign & Encrypt OAG Extranet Counter External Threat 7 End Point Security Copyright © 2012, Oracle and/or its affiliates. All rights reserved. DMZ OWSM Agent Service Bus WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos Sign & Encrypt Intranet Counter Internal Threats * - Planned Capabilities
- 8. Externalized Access Control Corporate DMZ OES PDP Corporate Network Oracle Access Manager OAM Agent Directory Services OES PDP Mobile and Social Oracle Adaptive Access Manager OES PDP Oracle API Gateway Web Services Manager Service Bus HTTP/REST/SOAP/OAuth Clients 8 Copyright © 2012, Oracle and/or its affiliates. All rights reserved. SOAP/REST and Legacy Web Services
- 9. Identity Context Service Enterprise / Work Social / Life Mobile / Presence Web Tier Smartphone WEB SSO Application Tablet Identity Federation Portal Laptop 1. Collect Claims Device Tier Application Tier Risk / Adaptive Authentication SOA Service Tier Web Services EJBs Databases Directories Server Context 9 Service Bus 2. Publish, Propagate & Evaluate claims across Oracle Fusion Middleware stack Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
- 10. Oracle API Gateway What’s New OAUTH 2.0 Client & Server 11gR2 Certification 10 Improved REST support with native JSON Simplified Administration & Unified Admin Console Copyright © 2012, Oracle and/or its affiliates. All rights reserved. API Key Management Parameterized Policies Oracle Business Transaction Monitor Oracle Mobile & Social Access Management
- 11. REST API Reference Architecture 1 API Portal 3 Repository Protocols HTTP, SOAP, REST, XML JMS FTP 4 Service Bus Developers REST API Clients JWT OAM, SM Basic Auth, X.509 11 External developer portal, sits on top of API repository & API gateway - provides: •Self service registration, onboarding •“API marketplace” •API documentation, forums, blogs, support •API Key delivery •API testing tools •Visualization of runtime usage metrics / monitoring •Billing Security WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos Sign & Encrypt 2 API Gateway Repository API Gateway API Portal 1 2 Exposes API’s to the external world, provides: •API Key generation/validation •Access enforcement •OAUTH Server •Rate Limiting / Client Throttling •Response caching •API virtualization in the DMZ •Security token & protocol mediation •Firewalling, method/parameter whitelisting •API aggregation & mash-up •API usage measurement & reporting Copyright © 2012, Oracle and/or its affiliates. All rights reserved. SOAP/REST and Legacy Web Services 3 Provides: • API catalog • API dependency analysis • API lifecycle management 4 Service Bus Directly accessed by internal clients, provides: • Routing, mediation, versioning - abstracts backend services from internal clients • Heavy duty payload transformations • Protocol translation for legacy apps
- 12. To Summarize: The enterprise web consists of APIs - driven by cloud and mobility The security problems remain the same • It’s still about DMZ Security, Access Control, Insider Threat • Names have changed Service Protection has a history of proprietary challenges • Service abstraction and a standards based layer enables better security. Entitlements based access control helps you respond to changes much quicker. When you build APIs • Build secure and managed APIs 12 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
- 13. Join the Oracle IDM Community Twitter twitter.com/OracleIDM Facebook facebook.com/OracleIDM Blog blogs.oracle.com/OracleIDM oracle.com/identity 13 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
- 14. Questions? 14 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
- 15. Don’t Miss These IDM Sessions GM Thursday, 09/26 2:00PM Marriot Marquis – Golden Gate C3 Developing Secure Mobile Applications Mark Wilcox, Oracle Thursday, 09/26, 3:30PM Zero Capital Investment by leveraging Identity Management as a Service Mike Neuenschwander, Oracle Wednesday 09/25, 11:45AM Moscone West, Room 2018 CON8823 Wednesday 09/25, 5:00PM Moscone West, Room 2018 CON8836 Thursday 09/26, 11:00AM Moscone West, Room 2018 CON 4342 Thursday 09/26, 12:30PM Moscone West, Room 2018 CON8902 CON8826 15 Roger Wigenstam, Oracle Leverage Authorization to Monetize Content and Media Subscriptions Access Management for the Internet of Things Leveraging the Cloud to simplify your Identity Management implementation Identity Services in the New GM IT CON8837 Moscone West, Room 2018 Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Kanishk Mahajan, Oracle Guru Shashikumar, Oracle
- 16. Oracle Fusion Middleware Business Innovation Platform for the Enterprise and Cloud Complete and Integrated Web Social Mobile Best-in-class User Engagement Business Process Management Open standards Content Management Service Integration Business Intelligence Data Integration Identity Management Development Tools 16 Cloud Application Foundation Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Enterprise Management On-premise and Cloud Foundation for Oracle Fusion Applications and Oracle Cloud
- 17. 17 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
- 18. 18 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Editor's Notes
- So far we have discussed the authentication and device registration related aspects of our Oracle Mobile Access Management solution. Organizations build Mobile Applications to enable anywhere, anytime access for business transactions and information stored in databases, content management systems, and even mainframes somewhere in the corporate network. This information and the types of transactions that users should be able to perform from mobile devices have often only up to this point been available to internal users and applications through client devices issued by the organization – as such these systems often have little, if any, security and compliance controls built in and instead relied on an implied level of trust. Now that we need to expose the corpoate systems to devices running outside the corporate network, used by internal and external users, from unknown locations, and over potentially unsecure networks it is critical we do so in a secure way and ensure that we can control what kind of business transactions can be performed and what information leaves our corporate network under what circumstances.Mobile applications typically access corporate information through lightweight REST based API’s as the devices lack support for the more full fledged application, web services, and SOA based infrastructures based on SOAP, JMS, MQ, or even FTP based technologies that existing corporate systems often are be based on.Oracle’s complete Access Management solution has been designed to help address all these challenges. With the Oracle Enterprise Gateway we can take existing internal systems and corporate data built on the technologies we discussed and expose these as fully secure REST based API’s (using JSON based payloads) without the need for any coding (by virtualizing the existing backend SOAP, JMS etc services as REST API’s). We can transform not only the transportation protocols used but also the security tokens required for authentication, identity propagation, and user claims (attribute assertions). For example : in our REST API’s we only want to accept JWT tokens issued by Oracle’s Mobile Access Management solution but once authenticated we can convert these to SAML, Kerberos, or other tokens that are required by the backend systems. With OEG we get a large number of additional capabilities for our REST API’s – we can monitor and audit all the API access, business transactions, and the data requested. We ensure that the requests from mobile clients (or business partners, cloud applications etc) are properly formed, are free from any malicious content and threats such as SQL injection attacks, denial of service attacks (even based on message payload content), viruses, and a large number of other xml, crypto, and other types of attacks. We can also define throttling policies to ensure that certain types of clients – perhaps based on their subscription (gold, silver, bronze) – can only perform a given number of transactions per day (or other time interval), charge per usage, and ensure that a rogue client doesn’t overload the system with a large number of requests. Perhaps most importantly we have integrated the gateway with all our other Access Management technologies – Oracle’s Mobile & Social solution for authentication,and validation of user tokens , fraud detection, and Identity Context propagation, Oracle Entitlements Server for authorization and audit of REST API access and selective data redaction of the response payload, Oracle STS for centralized security token management, and also our LDAP directories for user lookup and enrichment of the message payload (adding additional user information from LDAP to the payload).NOTE to the presenter, some FAQ’s :- Is Oracle Access Manager, Entitlements Server, Mobile/Social, STS, Directory required or does OEG work with 3rd party IDM infrastructure?Oracle’s Mobile Access Management solution is pre-integrated and tested to provide a complete, end to end, highly performant and scalable solution for all your Mobile needs. None of the various components are necessarily required but are engineered to work together out of the box. OEG also provides heterogeneous support and integrations with a large number of 3rd party systems such as Siteminder, various LDAP servers, SOA and web services infrastructures etc. but none of these other technologies provide an end to end solution for all your needs. - Is OEG required to use Oracle’s Mobile / Social Access solution? Oracle’s Mobile Access Management solution is pre-integrated and tested to provide a complete, end to end, highly performant and scalable solution for all your Mobile needs. None of the various components are necessarily required but are engineered to work together out of the box. There are other gateway vendors but none of them provide the complete set of OOTB integrations with Oracle’s Access Management solutions, and when they do provide integrations these are often not as good as what we offer and cannot show support for the same set of usecases. As an example there are 3rd party gateway vendors that offer integrations with Oracle Entitlements Server but this is based on network / XACML based requests as opposed to OEG / OES where we embed the OES PDP (Policy Decision Point – the authorization engine) in the gateway itself for superfast (microsecond) response times. No other gateway vendors provide an OOTB integration with Oracle Mobile / Social, and even integrations with something like Oracle Access Manager may require a fair amount of custom work.What is the difference between OEG and Vordel’s product?Both products offer the same set of capabilities. OEG releases are generally in sync with Vordel’s but undergo rebranding and additional testing before made available. Certain roadmap items are planned to be Oracle only IP. Do we offer a hardware based appliance / form factor of OEG?OEG is tested and certified on the same set of hardware as Exalogic, and we can offer low cost hardware (4170M3) if of interest. Hardware appliances were fairly popular even two-three years ago but these days most major organizations have a virtualization strategy (you can’t virtualize an applicance). OEG and virtualization technologies can run and take advantage of the latest advances in processor technologies whereas appliances such as Datapower are based on proprietary custom ASIC chips only produced in low volumes and cannot keep up. Appliances also come with some other limitations :- Cannot be deployed in the cloud whereas OEG can be deployed– for example in Amazon EC2 - when you buy an appliance (such as IBM Datapower) it has a 3-5 year expiry date on it, and you are then forced to buy a new appliance at the same price. - Do you really want to buy and deploy expensive appliances for your dev/test/qa environments?What virtualization technologies does OEG work with?OEG works with Oracle VM, Virtual Box, VMWare (standard corporate disclaimer), EC2, and othersDoesn’t my IPS (intrusion prevention system) provide sufficent support for denial of service attacks and threats?OEG provides protection by inspecting individual elements of the message packets and request/response payload wheras an IPS generally doesn’t have any understanding of the message formats and content other than looking for certain types of general signatures (assuming it even has access to the payload) or help protect against DDOS attacks etc. OEG for example can help protect against content retrieval attacks where it monitors typical access (perhaps someone normally looks at 10 documents per day of a given type) but suddenly we see 100’s or even 1000’s of documents being requested.
- With Fusion Middleware, you can extend and maximize your existing technology investment with the same technologies used in Fusion Applications, including embedded analytics and social collaboration, and mobile and cloud computing. Oracle’s complete SOA platform lets your IT organization rapidly design, assemble, deploy, and manage adaptable business applications and—with Oracle’s business process management tools—even bring the task of modeling business processes directly to the business analysts. Oracle Business Intelligence foundation brings together all your enterprise data sources in a single, easy-to-use solution, delivering consistent insights whether it’s through ad hoc queries and analysis, interactive dashboards, scorecards, OLAP, or reporting. And, your existing enterprise applications can leverage the rich social networking capabilities and content sharing that users have come to expect in consumer software. Oracle Fusion Middleware is based on 100 percent open standards, so you aren’t locked into one deployment model when your business requirements change.