SlideShare a Scribd company logo

Kondo-ing API Authorization

Download as PPTX, PDF
Nordic APIs, profile picture
Nordic APIs

The document discusses the challenges and complexities of API authorization, emphasizing the need for a 'tidying layer' to simplify management and enhance security. It highlights various data obstacles, the importance of fine-grained access control, and the implications of consumer data regulations. The proposal advocates for decoupling authorization from individual API implementations to better streamline security processes and protect user data.

Technology
Related topics:
API Authorization Nordic APIs
1 of 20
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Kondo-ing API Authorization Remy Lyle OCT 2019 1 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.
HI! I’M REMY Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.2 • Global Tech Enablement Team @ Ping Identity • Denver, CO, USA • Convinced that APIs are the next frontier for identity and security • Marie Kondo is a personal hero
MARIE KONDO  Tidying Expert, Bestselling Author, Netflix Hit Show Star  NYTimes Best Selling Book, The Life Changing Magic of Tidying Up  “Does it spark joy?” Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.3
BUT… FOR API AUTHORIZATIONS? 4 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved. https://www.wsj.com/articles/kondo-ing-a- guru-of-organizing-becomes-a-verb- 11547745648
ANATOMY OF AN API Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.5 JSON GET /getData
ANATOMY OF AN API Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.6 JSON GET /getData Scopes Identity Attributes Privacy Preferences User Consents Data Regulations Zero Trust
AND HOW MANY DO YOU HAVE? Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.7 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.7
FOUR DATA OBSTACLES Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.8 1. Data is detailed and complex. 2. It’s everywhere and accessed many ways. 3. Multiple stakeholders, moving targets and ever-changing landscape of data security policies and regulation 4. Data transactions are subjected to different layers of authorization decisions
THIS IS A REAL PROBLEM  OWASP Top API Security Top 10 Risk Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.9 https://www.owasp.org/index.php/OWASP_API_Security_Project
WITH REAL-LIFE CONSEQUENCES  In 2018, a research fellow with Mozilla Foundation scraped nearly 208 million transactions on peer-to-peer payment app Venmo revealing purchase profiles of its users  In June 2019, another 7 million transactions were scraped using the company’s developer API over six months Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.10 Sources: https://www.darkreading.com/application-security/apis-get-their-own-top-10-security-list/d/d-id/1335786 https://22-8miles.com/public-by-default/ https://www.wired.com/story/i-scraped-millions-of-venmo-payments-your-data-is-at-risk/
WHO IS RESPONSIBLE? Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.11 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.11 DEVELOPERS? CLIENTS? X X
ENTER IN … A TIDYING LAYER Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.12 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.12
WHAT IF TIDYING WAS APPLIED Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.13 Scopes Identity Attr Privacy Preferences User Consents Data Regulations Zero Trust Business Defined Policies DEVELOPERS CLIENTS
WHAT IF YOU COULD PULL FROM ANY SOURCE Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved. 14 Scopes Identity Attr Privacy Preferences User Consents Data Regulations Zero Trust DBs Directory Other APIs Any state Any attribute Any authz data source
WHAT IF THE ARCHITECTS COULD WRITE THE POLICIES Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.15 Business-Derived Policies
WHAT IF ACCESS CONTROLS WERE APPLIED Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.16 Allow? Block? Filter? Obfuscate? CLIENTS FirstName LastName AccountNumber Balance FirstName LastName AccountNumber Balance OR …
DECOUPLING AUTHZ FROM IMPLEMENTATION Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.17 API Layer that enforces fine grained access control
DECOUPLING AUTHZ FROM IMPLEMENTATION Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.18 Marie Kondo API Layer Driver/Obstacle Benefits (How it Helps) 1. Fine-grained authorization policy engine Diff layers of authz decisions Remove developers from managing authz at the individual API level, and remove clients from filtering data themselves at the individual API level Reduce top API security risk Centralize authorization decisions, regardless of authorization data sources, and re- use authorization policies across multiple APIs Privacy Preferences & Consents Policies can enable delegated consent to data access & preference lookups and enforce data access decision based on customers’ wishes. Consumer Data Regulations Policies can enforce compliance with new and changing consumer data protection legislation; sometimes requiring consents. Zero Trust Set up micro-segments of data, even down to the data attribute, to enable least privilege access for sensitive data. Securing APIs Check and enforce policies and customer consents for data being accessed by a third party through a customer data API. Data is detailed Enables granular, attribute-by-attribute access control capabilities 2. GUI Trust Framework Data is everywhere Real-time connections to policy attributes anywhere (e.g. risk scores) [All Drivers] Need for ABAC & dynamic authorization Policies Many stakeholders Externalizes authorization to users for collaborative policy design Reconciling reqs Lifts burden on developers, no need to reconcile or write code
Does your API authorization model spark joy? 19 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.
PINGIDENTITY.COM 20 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.

More Related Content

PPTX
Mining API Traffic Metadata
Nordic APIs
 
PPTX
Next Generation API Management & Microservices Service Mesh
Nordic APIs
 
PPTX
Test and Protect Your API
SmartBear
 
PDF
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 
PDF
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays
 
PDF
apidays LIVE Paris - Driving innovation through External APIs without putting...
apidays
 
PPTX
Managing Sensitive Information in an API and Microservices World
Apigee | Google Cloud
 
PPTX
Adapt or Die Sydney - API Security
Apigee | Google Cloud
 
Mining API Traffic Metadata
Nordic APIs
 
Next Generation API Management & Microservices Service Mesh
Nordic APIs
 
Test and Protect Your API
SmartBear
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays
 
apidays LIVE Paris - Driving innovation through External APIs without putting...
apidays
 
Managing Sensitive Information in an API and Microservices World
Apigee | Google Cloud
 
Adapt or Die Sydney - API Security
Apigee | Google Cloud
 

What's hot (20)

PDF
[WSO2 Integration Summit London 2019] Identity and Access Management in an AP...
WSO2
 
PPTX
Bigger, Better Business With OAuth
Apigee | Google Cloud
 
PPTX
APIs for... Your Mom
Carlo Longino
 
PPTX
London Adapt or Die: Securing your APIs the Right Way!
Apigee | Google Cloud
 
PPTX
API Management Workshop (at Startupbootcamp Berlin)
3scale
 
PDF
Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...
Apigee | Google Cloud
 
PPTX
Managing Sensitive Information in an API and Microservices World
Apigee | Google Cloud
 
PDF
Open API and API Management - Introduction and Comparison of Products: TIBCO ...
Kai Wähner
 
PDF
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays
 
PDF
apidays LIVE Paris - Drawing the right lines: DDD, APIs and Microservices by ...
apidays
 
PDF
apidays LIVE Jakarta - E5 ways to make your integration more resilient by Je...
apidays
 
PDF
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
PDF
apidays LIVE Australia 2021 - Leveraging Async APIs to deliver Cross Domain A...
apidays
 
PDF
apidays LIVE New York 2021 - API design is where culture and tech meet each o...
apidays
 
PDF
Hacker vs AI
Nordic APIs
 
PDF
apidays LIVE London 2021 - Confessions of a Product Geek by Rosemary Missier,...
apidays
 
PDF
Api architectures for the modern enterprise
CA API Management
 
PDF
apidays LIVE Hong Kong - The Business of APIs by Jed Ng
apidays
 
PPTX
Apigee Edge Product Demo
Apigee | Google Cloud
 
PDF
apidays LIVE Paris - The State of SaaS Integration by Gertjan De Wilde
apidays
 
[WSO2 Integration Summit London 2019] Identity and Access Management in an AP...
WSO2
 
Bigger, Better Business With OAuth
Apigee | Google Cloud
 
APIs for... Your Mom
Carlo Longino
 
London Adapt or Die: Securing your APIs the Right Way!
Apigee | Google Cloud
 
API Management Workshop (at Startupbootcamp Berlin)
3scale
 
Apigee and Accenture Webcast - Accenture Technology Vision 2013 - An API Cent...
Apigee | Google Cloud
 
Managing Sensitive Information in an API and Microservices World
Apigee | Google Cloud
 
Open API and API Management - Introduction and Comparison of Products: TIBCO ...
Kai Wähner
 
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays
 
apidays LIVE Paris - Drawing the right lines: DDD, APIs and Microservices by ...
apidays
 
apidays LIVE Jakarta - E5 ways to make your integration more resilient by Je...
apidays
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
apidays
 
apidays LIVE Australia 2021 - Leveraging Async APIs to deliver Cross Domain A...
apidays
 
apidays LIVE New York 2021 - API design is where culture and tech meet each o...
apidays
 
Hacker vs AI
Nordic APIs
 
apidays LIVE London 2021 - Confessions of a Product Geek by Rosemary Missier,...
apidays
 
Api architectures for the modern enterprise
CA API Management
 
apidays LIVE Hong Kong - The Business of APIs by Jed Ng
apidays
 
Apigee Edge Product Demo
Apigee | Google Cloud
 
apidays LIVE Paris - The State of SaaS Integration by Gertjan De Wilde
apidays
 
Ad

Similar to Kondo-ing API Authorization (20)

PDF
CIS14: Best Practices You Must Apply to Secure Your APIs
CloudIDSummit
 
PDF
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
apidays
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
PDF
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
WSO2
 
PDF
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...
apidays
 
PDF
API Security Best Practices and Guidelines
WSO2
 
PDF
Akamai_ API Security Best Practices - Real-world attacks and breaches
Security Bootcamp
 
PDF
Takeaways from API Security Breaches Webinar
CA API Management
 
PDF
OWASP API Security Top 10 Examples
42Crunch
 
PDF
apidays New York 2023 - A decade of API breaches, courtesy of application fla...
apidays
 
PDF
5 step plan to securing your APIs
💻 Javier Garza
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
PDF
Api security-present
Security Bootcamp
 
PPTX
BDSE03-1121-API-PresentationTemplate.pptx
SudhanshuKachhotia
 
PDF
API Vulnerabilties and What to Do About Them
Eoin Woods
 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
PDF
2022 apidays LIVE Helsinki & North_Future proofing API Security
apidays
 
PDF
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
apidays
 
PDF
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
PDF
Guidelines to protect your APIs from threats
Isabelle Mauny
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CloudIDSummit
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
apidays
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
WSO2
 
APIsecure 2023 - Understanding and Identifying Threats Against APIs, Shannon ...
apidays
 
API Security Best Practices and Guidelines
WSO2
 
Akamai_ API Security Best Practices - Real-world attacks and breaches
Security Bootcamp
 
Takeaways from API Security Breaches Webinar
CA API Management
 
OWASP API Security Top 10 Examples
42Crunch
 
apidays New York 2023 - A decade of API breaches, courtesy of application fla...
apidays
 
5 step plan to securing your APIs
💻 Javier Garza
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
Api security-present
Security Bootcamp
 
BDSE03-1121-API-PresentationTemplate.pptx
SudhanshuKachhotia
 
API Vulnerabilties and What to Do About Them
Eoin Woods
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
2022 apidays LIVE Helsinki & North_Future proofing API Security
apidays
 
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
apidays
 
APISecurity_OWASP_MitigationGuide
Isabelle Mauny
 
Guidelines to protect your APIs from threats
Isabelle Mauny
 
Ad

More from Nordic APIs (20)

PPTX
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
PPTX
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
PDF
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
PPTX
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
PPTX
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
PDF
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
PPTX
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
PPTX
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
PPTX
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
PPTX
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
PPTX
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
PPTX
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
PPTX
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
PPTX
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
PPTX
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
PPTX
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
PPTX
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
PPTX
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
PDF
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
PPTX
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 

Recently uploaded (20)

PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Teaching material agriculture food technology
LiaRayya
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
KodekX | Application Modernization Development
KodekX
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Encapsulation theory and applications.pdf
gurumoop
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Cloud computing and distributed systems.
kkkkkhan
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 

Kondo-ing API Authorization

  • 1. Kondo-ing API Authorization Remy Lyle OCT 2019 1 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.
  • 2. HI! I’M REMY Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.2 • Global Tech Enablement Team @ Ping Identity • Denver, CO, USA • Convinced that APIs are the next frontier for identity and security • Marie Kondo is a personal hero
  • 3. MARIE KONDO  Tidying Expert, Bestselling Author, Netflix Hit Show Star  NYTimes Best Selling Book, The Life Changing Magic of Tidying Up  “Does it spark joy?” Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.3
  • 4. BUT… FOR API AUTHORIZATIONS? 4 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved. https://www.wsj.com/articles/kondo-ing-a- guru-of-organizing-becomes-a-verb- 11547745648
  • 5. ANATOMY OF AN API Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.5 JSON GET /getData
  • 6. ANATOMY OF AN API Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.6 JSON GET /getData Scopes Identity Attributes Privacy Preferences User Consents Data Regulations Zero Trust
  • 7. AND HOW MANY DO YOU HAVE? Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.7 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.7
  • 8. FOUR DATA OBSTACLES Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.8 1. Data is detailed and complex. 2. It’s everywhere and accessed many ways. 3. Multiple stakeholders, moving targets and ever-changing landscape of data security policies and regulation 4. Data transactions are subjected to different layers of authorization decisions
  • 9. THIS IS A REAL PROBLEM  OWASP Top API Security Top 10 Risk Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.9 https://www.owasp.org/index.php/OWASP_API_Security_Project
  • 10. WITH REAL-LIFE CONSEQUENCES  In 2018, a research fellow with Mozilla Foundation scraped nearly 208 million transactions on peer-to-peer payment app Venmo revealing purchase profiles of its users  In June 2019, another 7 million transactions were scraped using the company’s developer API over six months Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.10 Sources: https://www.darkreading.com/application-security/apis-get-their-own-top-10-security-list/d/d-id/1335786 https://22-8miles.com/public-by-default/ https://www.wired.com/story/i-scraped-millions-of-venmo-payments-your-data-is-at-risk/
  • 11. WHO IS RESPONSIBLE? Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.11 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.11 DEVELOPERS? CLIENTS? X X
  • 12. ENTER IN … A TIDYING LAYER Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.12 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.12
  • 13. WHAT IF TIDYING WAS APPLIED Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.13 Scopes Identity Attr Privacy Preferences User Consents Data Regulations Zero Trust Business Defined Policies DEVELOPERS CLIENTS
  • 14. WHAT IF YOU COULD PULL FROM ANY SOURCE Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved. 14 Scopes Identity Attr Privacy Preferences User Consents Data Regulations Zero Trust DBs Directory Other APIs Any state Any attribute Any authz data source
  • 15. WHAT IF THE ARCHITECTS COULD WRITE THE POLICIES Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.15 Business-Derived Policies
  • 16. WHAT IF ACCESS CONTROLS WERE APPLIED Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.16 Allow? Block? Filter? Obfuscate? CLIENTS FirstName LastName AccountNumber Balance FirstName LastName AccountNumber Balance OR …
  • 17. DECOUPLING AUTHZ FROM IMPLEMENTATION Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.17 API Layer that enforces fine grained access control
  • 18. DECOUPLING AUTHZ FROM IMPLEMENTATION Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.18 Marie Kondo API Layer Driver/Obstacle Benefits (How it Helps) 1. Fine-grained authorization policy engine Diff layers of authz decisions Remove developers from managing authz at the individual API level, and remove clients from filtering data themselves at the individual API level Reduce top API security risk Centralize authorization decisions, regardless of authorization data sources, and re- use authorization policies across multiple APIs Privacy Preferences & Consents Policies can enable delegated consent to data access & preference lookups and enforce data access decision based on customers’ wishes. Consumer Data Regulations Policies can enforce compliance with new and changing consumer data protection legislation; sometimes requiring consents. Zero Trust Set up micro-segments of data, even down to the data attribute, to enable least privilege access for sensitive data. Securing APIs Check and enforce policies and customer consents for data being accessed by a third party through a customer data API. Data is detailed Enables granular, attribute-by-attribute access control capabilities 2. GUI Trust Framework Data is everywhere Real-time connections to policy attributes anywhere (e.g. risk scores) [All Drivers] Need for ABAC & dynamic authorization Policies Many stakeholders Externalizes authorization to users for collaborative policy design Reconciling reqs Lifts burden on developers, no need to reconcile or write code
  • 19. Does your API authorization model spark joy? 19 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.
  • 20. PINGIDENTITY.COM 20 Confidential | Do not distribute — Copyright ©2019 Ping Identity Corporation. All rights reserved.