Managing API Security
Liam Lynch
Chief Security Strategist, eBay
Founder and Identity Strategist, CSA

Feb 23, 2011
Web services security
• Large-scale public services need scale, but also granular security
• Service fabrics such as REST are valuable for agile development
• Many consumers of services can't use SOAP or other forms of XML request/response
• Whatever the protocol, there needs to be protection and dynamic service delivery
Service protection
• Early on, protection for services was SSL and access tokens
• The typical use case was 3rd-party iframe invocation in client browsers
• REST was a step up in protection, but the typical use case was still dangerous
• Full SOAP/XML-based services using standards (XML Encryption and SAML) are better but elude the typical use case
• Until…
Service abstraction
• Service abstraction allows for denial-of-service protection
• Abstraction allows older services to be upgraded without rewriting code
• Abstraction allows for integrated service delivery
• Abstraction allows for upgrading security and service standards
• Abstraction allows for increased security by coordinating with…
Service orchestration
• Orchestration provides a capability to bring in service delivery components just in time
• Security-level orchestration leverages abstraction to enable policy evaluation at run time
• The typical use case could be easily enabled by SAML browser tokens and orchestration of identity provider assertions
• Policies for access can be orchestrated from a variety of sources depending on client access and other factors such as service authorization
Summary
• Service protection has a history of proprietary and troublesome interoperability issues
• Service abstraction enables better service security by introducing a standards-based layer in front of service platforms
• Service orchestration enables better security by leveraging service abstraction and injecting standards-based security and policy evaluation
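As an added example (not code from either deck, nor from eBay or Layer 7), the Python sketch below shows the abstraction-plus-orchestration idea from the slides above: a policy layer in front of a legacy backend that authenticates the caller, throttles per client before any backend work is done, evaluates authorization at run time from client attributes plus service-side policy, routes to a backend adapter, and records every decision for visibility. The API keys, tiers, policies and backends are constructed sample data; a production gateway would source them from an identity provider (e.g. SAML assertions) and a policy store.

```python
"""Minimal policy-enforcing API gateway: an abstraction layer in front of
backend services that evaluates access policy at run time.
Added example; not code from the slide deck, eBay or Layer 7."""
import time

# Constructed sample data (hypothetical): opaque API keys -> client attributes.
CLIENTS = {
    "key-partner-1": {"client_id": "partner1", "tier": "partner", "expires": 2_000_000_000},
    "key-public-9": {"client_id": "anon9", "tier": "public", "expires": 2_000_000_000},
    "key-expired-4": {"client_id": "old4", "tier": "partner", "expires": 1_000_000_000},
}
# Service-side authorization policy: service -> action -> tiers allowed.
SERVICE_POLICY = {
    "catalog": {"read": {"public", "partner"}, "write": {"partner"}},
    "orders": {"read": {"partner"}, "write": {"partner"}},
}
# Per-tier throttle: (burst capacity, refill tokens per second).
RATE_LIMITS = {"public": (5, 1.0), "partner": (50, 10.0)}


class TokenBucket:
    """Per-client token bucket; refuses requests once the burst is spent."""

    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def legacy_catalog_backend(action, item):
    # Stand-in for an older service the gateway fronts without rewriting it.
    return {"service": "catalog", "action": action, "item": item, "status": "ok"}


def legacy_orders_backend(action, item):
    return {"service": "orders", "action": action, "item": item, "status": "ok"}


BACKENDS = {"catalog": legacy_catalog_backend, "orders": legacy_orders_backend}


class Gateway:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.buckets = {}   # client_id -> TokenBucket
        self.audit = []     # every decision, allow or deny, for use-pattern visibility

    def _decide(self, status, detail, body=None):
        self.audit.append({"status": status, "detail": detail})
        return {"status": status, "detail": detail, "body": body}

    def handle(self, api_key, service, action, item):
        now = self.clock()
        # 1. Authentication: map the presented credential to a client identity.
        client = CLIENTS.get(api_key)
        if client is None or client["expires"] <= now:
            return self._decide(401, "invalid or expired credential")
        # 2. Throttle before any backend work: DoS protection at the abstraction layer.
        bucket = self.buckets.get(client["client_id"])
        if bucket is None:
            burst, rate = RATE_LIMITS[client["tier"]]
            bucket = self.buckets[client["client_id"]] = TokenBucket(burst, rate, now)
        if not bucket.allow(now):
            return self._decide(429, "rate limit exceeded")
        # 3. Authorization evaluated at run time from client tier + service policy.
        allowed = SERVICE_POLICY.get(service, {}).get(action, set())
        if client["tier"] not in allowed:
            return self._decide(403, f"{client['tier']} may not {action} {service}")
        # 4. Route to the backend adapter only after every check has passed.
        return self._decide(200, "ok", BACKENDS[service](action, item))


def demo():
    """Drive the gateway with a fake clock so the throttle behaviour is deterministic."""
    t = [1_500_000_000.0]
    gw = Gateway(clock=lambda: t[0])
    r = {}
    r["ok_read"] = gw.handle("key-partner-1", "catalog", "read", "sku-1")["status"]
    r["expired"] = gw.handle("key-expired-4", "catalog", "read", "sku-1")["status"]
    # Denied by policy, but the throttle already spent one of the public burst of 5.
    r["forbidden"] = gw.handle("key-public-9", "orders", "read", "o-1")["status"]
    r["burst"] = [gw.handle("key-public-9", "catalog", "read", "sku-2")["status"] for _ in range(6)]
    t[0] += 1.0  # one second later one token has refilled for the public tier
    r["refilled"] = gw.handle("key-public-9", "catalog", "read", "sku-2")["status"]
    r["audit_entries"] = len(gw.audit)
    return r


if __name__ == "__main__":
    print(demo())
```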
Managing API Security
Common Patterns and Case Studies

K. Scott Morrison
CTO and Chief Architect, Layer 7

Feb 23, 2011
LargeCorporation.com Has A Problem…
[Diagram: a Partner on the Internet reaches The API through Firewall-1, the DMZ and Firewall-2 to Internal Hosts in the Internal Data Center.]
How can LargeCorp securely publish and manage their new API?
Cloud-based Security & Management Is Too Remote
[Diagram: a Cloud Security Offering sits on the Internet, outside Firewall-1, the DMZ and Firewall-2 that front The API on Internal Hosts in the Internal Data Center; Hackers sit on the same side as the cloud offering. Caption: "The last 1000 miles…"]
Layer 7: The Enterprise Solution For Service Protection
Keep Security and Mgmt. Close to the API
[Diagram: a Partner on the Internet reaches The API through a gateway in the DMZ in front of the Internal Data Center; an Operator manages the gateway.]
• Military-grade security for REST and SOAP APIs/Services
• Complete visibility into use patterns
• Integration into existing infrastructure: Identity & Access Mgmt, Portals, Operations, billing, etc
Case Study: Publishing Web-based APIs
• Problem: A leading European car portal wanted to securely expose auto and ecommerce information to third-party developers
• Solution: Layer 7 authorizes/authenticates third-party developers attaching to ecommerce APIs directly or via a Web portal; throttles backend traffic to maintain Quality of Service targets
• Results: increased revenue by monetizing their APIs; increased traffic, exposure and brand through third-party Web sites, applications and services based on automobile-focused Web service APIs
But Now LargeCorporation.com Has A New Problem…
[Diagram: Lots of Developers on the Internet reach Lots of APIs through Firewall-1, the DMZ and Firewall-2 to Internal Hosts in the Internal Data Center.]
How can LargeCorp scale API management?
The Enterprise Solution For Service Abstraction
Management of APIs the way applications are managed
[Diagram: Lots of Developers (Developer View) reach Internal Hosts in the Internal Data Center through a gateway in the DMZ; the gateway is administered from a Provider View.]
• Full policy life-cycle management
• Policy versioning, roll-back, audit
• Policy migration (dev-test-prod)
• Clear separation of duties
• Role-based Access Control (RBAC)
• APIs for integration with existing infrastructure and tools
Case Study: Publishing Information Service APIs
• Problem: A leading global publisher needed to allow customers and partners to use Google Apps to access multiple, existing information services
• Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration

"Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close."
SOA Architect, World's leading publisher of science and health information

• Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering
Finally, How Will LargeCorporation.com Automate?
[Diagram: High Usage Volumes arrive from the Internet through the DMZ at Virtualization Infrastructure in the Internal Data Center.]
How can LargeCorp react to rapid changes in scale?
The Enterprise Solution For Service Orchestration
Secure and automated co-ordination of all infrastructure to maintain SLAs
[Diagram: High Usage Volumes reach a gateway in the DMZ, which drives a Virtualization API in front of a Virtualization Farm, Switches, Load Balancers, etc, and writes to an Audit DB in the Internal Data Center.]
• Orchestration using GUI tools
• Fully integrated into security context
• Parallelized access
• Connectors to HTTP, TCP, SSH, FTP, JMS, SNMP, SMTP, MQSeries, etc
Case Study: IaaS & PaaS API Security
• Problem: A leading cloud IaaS and PaaS provider needed to allow customers to self-provision and self-manage private cloud resources without compromising the cloud provider's virtualized infrastructure
• Solution: Layer 7 provides integration with and API management for this provider's management and billing systems, EMC storage, and VMware vCloud Director; provides security/threat protection, and ensures SLA/QoS levels are met
• Results: with Layer 7 in place, the provider's customers can create and manage their own private cloud as if it were a true extension of their enterprise
For further information:

K. Scott Morrison
Chief Technology Officer & Chief Architect
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377

smorrison@layer7tech.com
http://www.layer7tech.com

February 23, 2011

Managing API Security in SaaS and Cloud

  • 1. Managing API Security
    Liam Lynch, Chief Security Strategist, eBay; Founder and Identity Strategist, CSA
    Feb 23, 2011
  • 2. Web services security
    - Large scale public services need scale but also granular security as well
    - Service fabrics such as REST are valuable for agile development
    - Many consumers of services can't use SOAP or other forms of XML request/response
    - Whatever the protocol, there needs to be protection and dynamic service delivery
  • 3. Service protection
    - Early on, protection for services was SSL and access tokens
    - The typical use case was 3rd party iframe invocation in client browsers
    - REST was a step up in protection, but the typical use case was still dangerous
    - Full SOAP/XML based services using standards (XML encryption and SAML) are better but elude the typical use case
    - Until…
  • 4. Service abstraction
    - Service abstraction allows for denial of service protection
    - Abstraction allows older services to be upgraded without rewriting code
    - Abstraction allows for integrated service delivery
    - Abstraction allows for upgrading security and service standards
    - Abstraction allows for increased security by coordinating with…
  • 5. Service orchestration
    - Orchestration provides a capability to bring in service delivery components just in time
    - Security level orchestration leverages abstraction to enable evaluation at run time
    - The typical use case could be easily enabled by SAML browser tokens and orchestration of identity provider assertions
    - Policies for access can be orchestrated from a variety of sources depending on client access and other factors such as service authorization
  • 6. Summary
    - Service protection has a history of proprietary and troublesome interoperability issues
    - Service abstraction enables better service security by introducing a standards based layer in front of service platforms
    - Service orchestration enables better security by leveraging service abstraction and injecting standards based security and policy evaluation
  • 7. Managing API Security: Common Patterns and Case Studies
    K. Scott Morrison, CTO and Chief Architect, Layer 7
    Feb 23, 2011
  • 8. LargeCorporation.com Has A Problem…
    [Diagram: The API, Internal Hosts, Firewall-1, Firewall-2, Internal Data Center, DMZ, Partner, Internet]
    How can LargeCorp securely publish and manage their new API?
  • 9. Cloud-based Security & Management Is Too Remote
    [Diagram: The API, Internal Hosts, Firewall-1, Firewall-2, Internal Data Center, DMZ, Cloud Security Offering, "The last 1000 miles…", Hackers]
  • 10. Layer 7: The Enterprise Solution For Service Protection
    [Diagram: Keep Security and Mgmt. Close to the API; The API, Operator, Internal Data Center, Partner, DMZ]
    - Military-grade security for REST and SOAP APIs/Services
    - Complete visibility into use patterns
    - Integration into existing infrastructure
    - Identity & Access Mgmt, Portals, Operations, billing, etc.
  • 11. Case Study: Publishing Web-based APIs
    - Problem: A leading European car portal wanted to securely expose auto and ecommerce information to third party developers
    - Solution: Layer 7 authorizes/authenticates third party developers attaching to ecommerce APIs directly or via a Web portal; throttles backend traffic to maintain Quality of Service targets
    - Results: increased revenue by monetizing their APIs; increased traffic, exposure and brand through third-party Web sites, applications and services based on automobile-focused Web service APIs
  • 12. But Now LargeCorporation.com Has A New Problem…
    [Diagram: Internal Hosts, Firewall-1, Firewall-2, Lots of APIs, Lots of Developers, Internal Data Center, DMZ]
    How can LargeCorp scale API management?
  • 13. The Enterprise Solution For Service Abstraction
    [Diagram: Management of APIs the way applications are managed; Internal Hosts, Lots of Developers, Provider View, Developer View, Internal Data Center, DMZ]
    - Full policy life-cycle management
    - Policy versioning, roll-back, audit
    - Policy migration (dev-test-prod)
    - Clear separation of duties
    - Role-based Access Control (RBAC)
    - APIs for integration with existing infrastructure and tools
  • 14. Case Study: Publishing Information Service APIs
    - Problem: A leading global publisher needed to allow customers and partners to use Google Apps to access multiple, existing information services
    - Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration
    - "Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close." SOA Architect, World's leading publisher of science and health information
    - Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering
  • 15. Finally, How Will LargeCorporation.com Automate?
    [Diagram: Virtualization Infrastructure, High Usage Volumes, Internal Data Center, DMZ]
    How can LargeCorp react to rapid changes in scale?
  • 16. The Enterprise Solution For Service Orchestration
    [Diagram: Secure and automated co-ordination of all infrastructure to maintain SLAs; Virtualization Farm, Virtualization API, Switches, Load Balancers, etc., Audit DB, High Usage Volumes, Internal Data Center, DMZ]
    - Orchestration using GUI tools
    - Fully integrated into security context
    - Parallelized access
    - Connectors to HTTP, TCP, SSH, FTP, JMS, SNMP, SMTP, MQSeries, etc.
  • 17. Case Study: IaaS & PaaS API Security
    - Problem: A leading cloud IaaS and PaaS provider needed to allow customers to self-provision and self-manage private cloud resources without compromising the cloud provider's virtualized infrastructure
    - Solution: Layer 7 provides integration with and API management for this provider's management and billing systems, EMC storage, and VMware vCloud Director; provides security/threat protection, and ensures SLA/QoS levels are met
    - Results: with Layer 7 in place, the provider's customers can create and manage their own private cloud as if it were a true extension of their enterprise
  • 18. For further information:
    K. Scott Morrison, Chief Technology Officer & Chief Architect, Layer 7 Technologies
    1100 Melville St, Suite 405, Vancouver, B.C. V6E 4A6 Canada
    (800) 681-9377, smorrison@layer7tech.com, http://www.layer7tech.com
    February 23, 2011
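The pattern that slides 4, 5, 11 and 14 describe, a standards-based layer placed in front of the service platforms that authenticates the caller, evaluates access policy at request time and throttles backend traffic, can be seen in miniature in the Python below. This is an added illustration written for this page, not code from either presenter or from Layer 7; the bearer-token store, the RBAC policy table, the two backend functions and the token-bucket parameters are all constructed for the example, and a real gateway would validate signed assertions (SAML or similar) rather than look up opaque strings.

```python
"""Toy API gateway: an abstraction layer in front of backend services that
authenticates the caller, evaluates access policy at request time and
throttles each client.  Constructed for illustration; not a vendor product."""
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed credential store: opaque bearer token -> (client id, role).
# A production gateway would instead validate a signed assertion (SAML/JWT).
TOKENS: Dict[str, Tuple[str, str]] = {
    "tok-partner-1": ("partner-1", "partner"),
    "tok-dev-42": ("dev-42", "developer"),
}

# Constructed RBAC policy: role -> set of (method, API path) it may call.
POLICY: Dict[str, set] = {
    "partner": {("GET", "/inventory"), ("POST", "/orders")},
    "developer": {("GET", "/inventory")},
}


class TokenBucket:
    """Per-client throttle: refills `rate` tokens/second, holds at most `capacity`."""

    def __init__(self, rate: float, capacity: float, now: float) -> None:
        self.rate, self.capacity = rate, capacity
        self.tokens, self.updated = capacity, now

    def allow(self, now: float) -> bool:
        # Refill for the elapsed time, then spend one token if one is available.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    """Abstraction layer: callers see only the gateway; backends see only vetted traffic."""

    def __init__(self, backends: Dict[str, Callable[[dict], dict]],
                 rate: float = 1.0, burst: float = 5.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.backends = backends
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets: Dict[str, TokenBucket] = {}
        # Audit trail of every decision: (client, method, path, status).
        self.audit: List[Tuple[Optional[str], str, str, int]] = []

    def _deny(self, status: int, reason: str, client: Optional[str],
              method: str, path: str) -> dict:
        self.audit.append((client, method, path, status))
        return {"status": status, "body": {"error": reason}}

    def handle(self, method: str, path: str, headers: Dict[str, str],
               body: Optional[dict] = None, now: Optional[float] = None) -> dict:
        now = self.clock() if now is None else now
        # 1. Authenticate: map the bearer token to a client identity.
        auth = headers.get("Authorization", "")
        ident = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if ident is None:
            return self._deny(401, "missing or invalid token", None, method, path)
        client, role = ident
        # 2. Authorize: evaluate the policy at run time, on every request.
        if (method, path) not in POLICY.get(role, set()):
            return self._deny(403, f"role {role} may not {method} {path}", client, method, path)
        # 3. Throttle per client so one caller cannot exhaust backend capacity.
        if client not in self.buckets:
            self.buckets[client] = TokenBucket(self.rate, self.burst, now)
        if not self.buckets[client].allow(now):
            return self._deny(429, "rate limit exceeded", client, method, path)
        # 4. Forward to the abstracted backend; callers never address it directly.
        backend = self.backends.get(path)
        if backend is None:
            return self._deny(404, "no backend for path", client, method, path)
        result = backend({"method": method, "client": client, "body": body or {}})
        self.audit.append((client, method, path, 200))
        return {"status": 200, "body": result}


def build_demo_gateway() -> Gateway:
    """Constructed backends standing in for the services behind the gateway."""
    backends = {
        "/inventory": lambda req: {"items": ["A1", "B2"], "for": req["client"]},
        "/orders": lambda req: {"order_id": 1001, "sku": req["body"].get("sku")},
    }
    return Gateway(backends, rate=1.0, burst=5.0)


if __name__ == "__main__":
    gw = build_demo_gateway()
    hdr = {"Authorization": "Bearer tok-partner-1"}
    for _ in range(6):
        print(gw.handle("GET", "/inventory", hdr, now=0.0)["status"])
```

Because authentication, authorization and throttling all happen in the gateway, a backend can be swapped or upgraded behind the same path without touching policy, and a burst from one client is absorbed by that client's bucket rather than by the shared service, which is the denial-of-service protection slide 4 attributes to abstraction.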