A successful API strategy requires a strong partnership between the business, IT, and security functions. Security is increasingly viewed as a business enabler rather than a hindrance, with CISOs and CSOs playing a critical role in implementing “guardrails” for safe, secure and compliant API services and security architectures free of unnecessary complexity.
Ultimately, a secure API platform lets developers and DevOps focus on innovation, improving the mobile user experience and deploying apps in the cloud with appropriate security controls built in. In this webcast, Apigee’s Subra Kumaraswamy and Saba Software CSO Randy Barr will explore how CISOs and CSOs partner with IT and business leaders for a safe and secure journey to cloud, SaaS, and mobile services.
Join to learn about:
- The role of the security officer in helping IT and business meet objectives
- How smart and secure API guardrails remove friction in consuming APIs while protecting sensitive data exposed via APIs
- Best practices that work for an API-centric enterprise
Download podcast: http://bit.ly/1B6h3TR
14. The changing landscape
[Diagram: APIs at the center, surrounded by back-end systems, mobile security, social and SaaS, and endpoint security]
• Contextual & behavioral security
• Encrypt everything
• Identity-as-a-Service
• SaaS security/identity plugin
• Fraud detection
• APT security analytics
Digital security is shifting from defense to analytics (predictive) & prevention
20. Enabling DevOps
• End-to-end security managed through configuration and global policies
• Data-centric controls such as encryption, tokenization, and key management
• Leverage APIs for security automation activities including patching, user and access management, logging, and auditing
• Security verification through tool automation, aligned with the SDLC: Dev -> Stage -> Prod
21. Role of digital security: enabling cloud
[Diagram labels: Compliance, Trust, Architecture, Identity and Access, Availability, Incident Response, Data Protection, Governance]
22. Enabling cloud
• Governance of Data and Identity
• Security Architecture standard
• Technology Services & Tools to Support:
– Data Protection – Encryption/Hashing/Anonymization
– Access management – Privileged and End Users
– Threat monitoring and protection
– Compliance (PCI, HIPAA) management
– Availability Management – DDoS mitigation, Multi-region operation
– Operational Hygiene – Patching, Logging, etc.
• Establish Incident Response with the service provider
23. Data center security audit/assessments
• Most cloud providers leverage this as their security story
• This only covers the data center's policies, employees, and standards:
– CCTV
– 24x7x365 security personnel
– Entry and exits of the facility
• What about:
– When a server needs to be changed, it is not covered
– When a new employee at the cloud provider starts, it is not covered
– Security policies and standards that apply to the cloud vendor
– Monitoring of the environment
– Business Continuity / Disaster Recovery
– Incident Management
– Vulnerability and Penetration Testing
– Etc.
25. Enabling mobile
• Leveraging solutions to perform automated scans
• There are vendors that provide both automated and hands-on reviews of mobile apps
• Performed once a new version is uploaded to the store
• Should perform:
– Run-time scanning (dynamic and app logic analysis)
– Network scanning
– Server-side scanning
• Mobile security training
• Rogue app monitoring
26. So how does API-first architecture manifest itself?
27. API-first architecture
[Diagram: social apps, web apps, mobile apps (all apps) and analytics reach the API tier (orchestration, persistence, security) over the Internet; behind the API tier sit app servers, an ESB and backend services. Callouts: “API services for mobile and cloud apps”; “Consistent security across channels”. Actors shown: Developers; IT security architect.]
29. Information security must be able to meet governance requirements and manage compliance when handling PCI DSS or HIPAA use cases
30. Top technology considerations and takeaways
• Focus on data-centric controls such as masking, encryption and hashing to protect data at rest.
• Work closely with DevOps teams to “bake in” security controls into the orchestration layer and cloud hosting systems.
• Leverage APIs to build consistent, secure and scalable mobile solutions.
• Automate security monitoring and management using APIs.
[Footer strip: Developer, User, API, App, API Team, Backend]
31. Security as an Enabler: Summary
• Security is a competitive differentiator
– IT security must remove barriers to enable business and developers/DevOps
• DevOps (need for speed, flexibility) and InfoSec (need for consistent protection) go hand-in-hand
• API-first architecture provides consistent security enforcement for mobile and cloud use cases
35. Choices
• What drives adoption of cloud solutions within a company
• Selecting IT solutions is as easy as reading the numbers off your credit card
• Small implementations can lead to adoption by other users
• Ability for mobility is key to further adoption of the solution
• Growth leads to managing the solution
• Security is then brought in
36. SECURITY TRANSPARENCY
• Reliance on Data Center Audits
• Privacy
• White papers with no details
• Reluctant to share details, citing protecting their existing customers
• Customer audits
• Cloud Controls Matrix
• Consensus Assessments Initiative Questionnaire
• Independent 3rd-party report of Saba’s policies, standards and processes
• SOC II Type II report
• DR Executive Summary
• Policies & Standards table of contents
• Independent 3rd-party penetration test
• Network and Application Vulnerability executive report within 48 hours of request
Complete customer visibility
37. Enabling DevOps to securely expose back-end services with the necessary authentication, authorization, message security, and auditing
38. Security considerations
• Authentication of apps, APIs and users: LDAP, Active Directory, SAML, OAuth, two-way TLS
• User and role management
• Protect sensitive data stored and processed in the cloud and on mobile devices
• Threat management (DoS, spikes, injection attacks)
• Logging and auditing
Presenter: Tim
- Introduce myself; have Subra introduce himself (names & titles only here)
- Thank you for joining us today…
- We do want your questions, which we will take at the end
Creative Commons Attribution-Share Alike 3.0 United States License
Presenter: Tim
Numerous videos about APIs on our YouTube channel
Presenter: Tim
Numerous presentations about APIs available on SlideShare
Presenter: Tim
- Subra – ‘Tell our audience’ something about your background / experience, and your role here at Apigee
- Tim to follow with the same (i.e., something about my background / experience, and my role here at Apigee)
Presenter: Tim
Community Health was breached and 4.5 million patient records were stolen by Chinese cyberspies; Heartbleed was used
http://www.thefutureorganization.com/five-trends-shaping-future-work/
And perhaps the most significant change that we’re all dealing with is that the work itself and the skills required every day keep changing; in fact, 47% of today’s jobs won’t even exist in 20 years, and new jobs, requiring new skills, will emerge.
And all these challenges and changes have to be addressed over and above the day-to-day work of attracting, developing and retaining talent.
Based on a recent research report from Deloitte University, learning and talent professionals are dealing with a myriad of challenges including leadership development, employee engagement, diversity and inclusion, collaboration, compliance, and certification.
But one of the biggest challenges organizations face today is “overwhelmed” employees. Employees are faced with information overload, too many tools, and too many choices. This is negatively impacting their productivity and effectiveness.
Presenter: Tim
‘That said, let’s jump into API architecture considerations’
Main Points:
The path to securing the Digital World is along the Mobile Value Chain.
Script:
Let’s start with the architecture. A typical API-centric architecture comprises two tiers:
The API infrastructure service, or “service exposure,” tier: composed of API service providers (internal backend services and external partner services); services that securely transform existing backend capabilities into APIs; and new data services that power apps (mobile, social, web, and partner) and are aided by self-service API and management portals.
The API developer service, or “API consumption,” tier: includes services that enable developers to build and deploy apps in a secure way; engage with a developer community; and help manage application life cycles via self-service API and developer portals.
Why is this view important? One of the key tenets that enable “defense in depth” security practices within an enterprise is “separation of concerns.” This design principle makes it easier to design security into the architecture and facilitates strong security management, such as “separation of duties” between the service providers (the IT architect, IT security, and business) and service consumers (developers and end users).
The key benefit of following a separation of concerns principle is that developers can continue to innovate and iterate with an app-centric security model, while IT security architects and operations teams can safely expose the APIs without compromising on the enterprise security standards (authentication, authorization, message security, threat mitigation, logging, and auditing).
And this problem doesn’t only exist in the talent management arena. We are faced with the paradox of choice in all areas of our lives. On the one hand, we love having choices; on the other hand, information overload is truly overwhelming and frustrating.
This is hardly a new dilemma. In the area of consumer products, vendors have largely solved this problem by applying machine learning and intelligent recommendation technologies. For example, Netflix gets better at recommending movies to you every time you select one. Amazon does the same thing with books and technology. The Google self-driving car is actually a better driver than a human, because it processes more data faster. [optional proof point: as of April 2014, Google self-driving cars had driven over 700k miles without an accident.]
What does it mean for Talent Management?
75% of organizations are using at least one cloud service
70% of CISOs are concerned about cloud and mobile security
Let’s talk about the major technology drivers
Presenter: Tim
- ‘Now let’s begin our discussion of how to actually achieve those API security goals’
- ‘Subra, let’s start with explaining our two-sided approach involving consumption and exposure’
My goal is to define a hierarchy of features that provides both convenient “roll-ups” that can be used by Sales (for example) and also a level of detail that allows for things like bug classification, etc.
Presenter: Subra
Be sure to also cover:
The API tier allows decoupling of security models and creates loose coupling between the applications consuming the API and the backend services.
The consumption tier demands support for agile security functions for app developers as well as flexible security mechanisms for the various API consumer types. For example, your mobile app accessing your employee data will have different security requirements from an app developed by a third-party developer and distributed via the Android marketplace or the Apple App Store.
The exposure tier, on the other hand, focuses on consistently enforcing security irrespective of which apps are connecting to the backend.
The exposure tier needs to be concerned with fine-grained authorization of the apps to the individual API functions.
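The exposure-tier policy chain these notes describe (authentication, per-app authorization to individual API functions, spike arrest, input validation and audit logging, the items on the “Security considerations” slide, applied the same way whichever app calls), as an added Python example that is not from the webcast or from Apigee’s product; the app registry, scopes, limits and backend are constructed stand-ins.

```python
import hmac
import re
from collections import deque

# Constructed registry of API consumers: the exposure tier, not each app, holds
# the credentials and the set of API functions (scopes) each app may call.
APP_REGISTRY = {
    "app-mobile-hr": {"key": "key-mobile-123", "scopes": {"employees:read"}},
    "app-partner-x": {"key": "key-partner-456", "scopes": {"catalog:read"}},
}
# Scope required for each exposed API function (fine-grained authorization).
FUNCTION_SCOPES = {"get_employee": "employees:read", "list_catalog": "catalog:read"}
SPIKE_LIMIT = 5            # requests per app per window (spike arrest)
SPIKE_WINDOW_SEC = 1.0
ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # allowlist for identifier arguments

class ApiTier:
    """Exposure tier: the same policy chain runs for every app before any backend call."""

    def __init__(self, backend, clock):
        self.backend = backend      # callable(func, arg), reachable only through this tier
        self.clock = clock          # injectable time source, e.g. time.monotonic
        self.windows = {}           # app_id -> deque of recent request timestamps
        self.audit = []             # audit trail: one entry per request, allowed or denied

    def _decide(self, app_id, func, outcome, status, body=None):
        self.audit.append({"app": app_id, "func": func, "outcome": outcome})
        return {"status": status, "body": body}

    def call(self, app_id, api_key, func, arg):
        app = APP_REGISTRY.get(app_id)
        # 1. Authentication: unknown apps rejected, key compared in constant time.
        if app is None or not hmac.compare_digest(app["key"].encode(), api_key.encode()):
            return self._decide(app_id, func, "deny:auth", 401)
        # 2. Authorization: the app must hold the scope bound to this API function.
        required = FUNCTION_SCOPES.get(func)
        if required is None or required not in app["scopes"]:
            return self._decide(app_id, func, "deny:scope", 403)
        # 3. Spike arrest: sliding window per app, counted before validation so floods
        #    of malformed requests still consume the app's quota.
        now = self.clock()
        window = self.windows.setdefault(app_id, deque())
        while window and now - window[0] > SPIKE_WINDOW_SEC:
            window.popleft()
        if len(window) >= SPIKE_LIMIT:
            return self._decide(app_id, func, "deny:spike", 429)
        window.append(now)
        # 4. Input validation: allowlist the argument before it reaches the backend.
        if not ID_PATTERN.match(arg):
            return self._decide(app_id, func, "deny:input", 400)
        # 5. Only now is the backend called; apps never reach it directly.
        return self._decide(app_id, func, "allow", 200, self.backend(func, arg))

def fake_backend(func, arg):
    """Constructed stand-in for a backend service sitting behind the API tier."""
    return f"{func}({arg})"
```

Because the checks live in the tier rather than in each app, a new consumer (a partner app, a second mobile client) gets the same enforcement by registration alone, and the audit list is the single place to watch for denials.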
Northbound / Southbound
APIs are not SOA
E: So that’s why we talk about API-first
D: Is this a new term?
E: The idea is that you use your API tier to deliver the same services to all related apps
Presenter: Tim
- “Architect” on this slide
Presenter: Tim
- Security “administrator” this slide