Opening SaaS applications and cloud services to outside developers is becoming critical for cloud-enterprise integration, information sharing across affiliate Web sites, and enabling mobile/tablet access to data. Controlling how APIs are securely exposed to different consumers requires a simple, scalable way to manage API security, address versioning, and meter consumption without burdening either application developers or application consumers.
Join eBay's Chief Security Strategist Liam Lynch and Layer 7's CTO Scott Morrison for this informative presentation.
Manage API Security with Common Patterns and Case Studies
1. Managing API Security
Liam Lynch
Chief Security Strategist, eBay
Founder and Identity Strategist, CSA
Feb 23, 2011
2. Web services security
Large-scale public services need scale but also granular security
Service fabrics such as REST are valuable for agile development
Many consumers of services can't use SOAP or other forms of XML request/response
Whatever the protocol, there needs to be protection and dynamic service delivery
3. Service protection
Early on, protection for services was SSL and access tokens
Typical use case was 3rd-party iframe invocation in client browsers
REST was a step up in protection, but the typical use case was still dangerous
Full SOAP/XML-based services using standards (XML Encryption and SAML) are better but elude the typical use case
Until…
4. Service abstraction
Service abstraction allows for denial-of-service protection
Abstraction allows older services to be upgraded without rewriting code
Abstraction allows for integrated service delivery
Abstraction allows for upgrading security and service standards
Abstraction allows for increased security by coordinating with…
5. Service orchestration
Orchestration provides a capability to bring in service delivery components just in time
Security-level orchestration leverages abstraction to enable evaluation at run time
The typical use case could be easily enabled by SAML browser tokens and orchestration of identity provider assertions
Policies for access can be orchestrated from a variety of sources depending on client access and other factors such as service authorization
6. Summary
Service protection has a history of proprietary and troublesome interoperability issues
Service abstraction enables better service security by introducing a standards-based layer in front of service platforms
Service orchestration enables better security by leveraging service abstraction and injecting standards-based security and policy evaluation
7. Managing API Security
Common Patterns and Case Studies
K. Scott Morrison
CTO and Chief Architect, Layer 7
Feb 23, 2011
8. LargeCorporation.com Has A Problem…
[Diagram: Internet → Firewall-1 → DMZ → Firewall-2 → Internal Data Center (Internal Hosts); The API; Partner]
How can LargeCorp securely publish and manage their new API?
9. Cloud-based Security & Management Is Too Remote
[Diagram: Hackers / Internet → Cloud Security Offering → Firewall-1 → DMZ → Firewall-2 → Internal Data Center (Internal Hosts); The API sits inside]
The last 1000 miles…
10. Layer 7: The Enterprise Solution For Service Protection
Keep security and API management close to the API
[Diagram: Operator → DMZ → Internal Data Center; Partner; The API]
Military-grade security for REST and SOAP APIs/services
Complete visibility into use patterns
Integration into existing infrastructure: Identity & Access Mgmt, portals, operations, billing, etc.
11. Case Study: Publishing Web-based APIs
Problem: A leading European car portal wanted to securely expose auto and ecommerce information to third-party developers
Solution: Layer 7 authorizes/authenticates third-party developers attaching to ecommerce APIs directly or via a Web portal; throttles backend traffic to maintain Quality of Service targets
Results: increased revenue by monetizing their APIs; increased traffic, exposure and brand through third-party Web sites, applications and services based on automobile-focused Web service APIs
12. But Now LargeCorporation.com Has A New Problem…
[Diagram: Lots of Developers → Firewall-1 → DMZ → Firewall-2 → Internal Data Center (Internal Hosts); Lots of APIs]
How can LargeCorp scale API management?
13. The Enterprise Solution For Service Abstraction
Management of APIs the way applications are managed
[Diagram: Lots of Developers, Developer View → DMZ; Provider View → Internal Data Center (Internal Hosts)]
Full policy life-cycle management
Policy versioning, roll-back, audit
Policy migration (dev-test-prod)
Clear separation of duties
Role-based Access Control (RBAC)
APIs for integration with existing infrastructure and tools
14. Case Study: Publishing Information Service APIs
Problem: A leading global publisher needed to allow customers and partners to use Google Apps to access multiple existing information services
Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration
"Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close."
SOA Architect, world's leading publisher of science and health information
Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering
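The authorize-then-throttle pattern that both case studies above rely on (slide 11: authenticate third-party developers and throttle backend traffic to hold QoS targets; slide 14: authorize users and apply rate limiting), shown as an added example that is not part of the presentation and not Layer 7's product code. It is a minimal abstraction layer in Python: the gateway keeps only SHA-256 digests of developer keys, maps each exposed route to the scope it requires, throttles each developer with a token bucket so the backend sees a bounded request rate, and writes one audit record per decision. The developer keys, routes, scopes and rates are constructed for the example; the `now` parameter is a hypothetical hook so the throttle can be exercised deterministically instead of against the wall clock.

```python
import hashlib
import time
from dataclasses import dataclass


def key_digest(api_key: str) -> str:
    """The gateway stores and looks up digests, never raw developer keys."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed developer registry (example values, not from any real deployment).
DEVELOPERS = {
    key_digest("dev-key-alpha-0001"): {"name": "alpha", "scopes": {"catalog:read"}, "rate_per_sec": 5},
    key_digest("dev-key-beta-0002"): {"name": "beta", "scopes": {"catalog:read", "orders:write"}, "rate_per_sec": 2},
}

# Routes the abstraction layer exposes, each mapped to the scope it requires.
ROUTES = {
    ("GET", "/catalog"): "catalog:read",
    ("POST", "/orders"): "orders:write",
}


@dataclass
class TokenBucket:
    """Per-developer throttle: at most `capacity` requests in a burst,
    refilled at `refill_per_sec`, so the backend sees a bounded rate."""
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    """Authenticate -> authorize scope -> throttle -> forward, auditing each step."""

    def __init__(self, developers, routes):
        self.developers = developers
        self.routes = routes
        self.buckets = {}   # developer name -> TokenBucket
        self.audit = []     # one record per decision, allowed or denied

    def handle(self, method, path, api_key, now=None):
        """Returns (HTTP status, message); 200 means the call would be forwarded."""
        now = time.monotonic() if now is None else now
        # Lookup is on the digest, so the registry never needs the raw key.
        profile = self.developers.get(key_digest(api_key or ""))
        if profile is None:
            return self._record(401, "unknown API key", method, path, "-")
        who = profile["name"]
        required = self.routes.get((method, path))
        if required is None:
            return self._record(404, "no such API route", method, path, who)
        if required not in profile["scopes"]:
            return self._record(403, f"scope {required} not granted", method, path, who)
        bucket = self.buckets.get(who)
        if bucket is None:
            rate = float(profile["rate_per_sec"])
            bucket = self.buckets[who] = TokenBucket(rate, rate, rate, now)
        if not bucket.allow(now):
            return self._record(429, "rate limit exceeded", method, path, who)
        return self._record(200, "forwarded to backend", method, path, who)

    def _record(self, status, message, method, path, who):
        self.audit.append({"status": status, "who": who, "method": method,
                           "path": path, "reason": message})
        return status, message


def run_demo():
    """Walks through the decisions the gateway makes; returns (statuses, audit log)."""
    gw = Gateway(DEVELOPERS, ROUTES)
    statuses = [
        gw.handle("GET", "/catalog", "dev-key-alpha-0001", now=0.0)[0],    # 200: key and scope ok
        gw.handle("GET", "/catalog", "not-a-real-key", now=0.0)[0],        # 401: unknown key
        gw.handle("POST", "/orders", "dev-key-alpha-0001", now=0.0)[0],    # 403: scope not granted
        gw.handle("DELETE", "/catalog", "dev-key-beta-0002", now=0.0)[0],  # 404: route not exposed
        gw.handle("POST", "/orders", "dev-key-beta-0002", now=0.0)[0],     # 200: burst token 1 of 2
        gw.handle("POST", "/orders", "dev-key-beta-0002", now=0.0)[0],     # 200: burst token 2 of 2
        gw.handle("POST", "/orders", "dev-key-beta-0002", now=0.0)[0],     # 429: bucket empty
        gw.handle("POST", "/orders", "dev-key-beta-0002", now=1.0)[0],     # 200: refilled after 1s
    ]
    return statuses, gw.audit


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

The order of checks matters: an unknown key is rejected before any bucket is consulted, so unauthenticated traffic cannot exhaust a legitimate developer's quota, and the throttle is keyed by developer rather than by route so one noisy consumer cannot starve the backend across several APIs. In a real deployment the registry and buckets would live in shared storage so every gateway instance enforces the same limits.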
15. Finally, How Will LargeCorporation.com Automate?
[Diagram: Virtualization Infrastructure; High Usage Volumes → DMZ → Internal Data Center]
How can LargeCorp react to rapid changes in scale?
16. The Enterprise Solution For Service Orchestration
Secure and automated co-ordination of all infrastructure to maintain SLAs
[Diagram: Virtualization Farm, Virtualization API, Switches, Load Balancers, etc., Audit DB; High Usage Volumes → DMZ → Internal Data Center]
Orchestration using GUI tools
Fully integrated into security context
Parallelized access
Connectors to HTTP, TCP, SSH, FTP, JMS, SNMP, SMTP, MQSeries, etc.
17. Case Study: IaaS & PaaS API Security
Problem: A leading cloud IaaS and PaaS provider needed to allow customers to self-provision and self-manage private cloud resources without compromising the cloud provider's virtualized infrastructure
Solution: Layer 7 provides integration with and API management for this provider's management and billing systems, EMC storage, and VMware vCloud Director; provides security/threat protection, and ensures SLA/QoS levels are met
Results: with Layer 7 in place, the provider's customers can create and manage their own private cloud as if it were a true extension of their enterprise
18. For further information:
K. Scott Morrison
Chief Technology Officer & Chief Architect
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377
smorrison@layer7tech.com
http://www.layer7tech.com
February 23, 2011