APIConnect Security Best Practice
2 likes1,086 views
The document outlines security best practices for IBM API Connect and DataPower Gateway, emphasizing the importance of configurable security measures, monitoring, and traffic management. It details functionalities such as API discovery, usage analytics, and OAuth support for compliance with regulations like PSD2 and Open Banking. Additionally, it highlights the need for robust access control, load management, and dynamic security policies to protect APIs against various cyber threats.
APIConnect Security Best Practice
- 1. SECURITY BEST PRACTICE APICONNECT & GATEWAY @SHIUFUNPOON
- 2. TRADEMARK ACKNOWLEDGEMENTS • IBM, IBM API Connect, IBM DataPower Gateway are trademarks of International Business Machines Corporation, registered in many jurisdictions • Other company, product and service names may be trademarks, registered marks or service marks of their respective owners. A current list of IBM trademarks is available on the web at "Copyright and trademark information" ibm.com/legal/copytrade.html
- 3. SECURITY • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
- 4. SECURITY – THIS IS ALWAYS A BALANCING ACT • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
- 5. API SECURITY API Gateway: • Decoupling/routing • Traffic management • Security • Translation Developer portal: • API discovery • Self subscription/administration • Account usage analytics • Monetization • Security API Manager: • Plan/product design • Policy administration • API plan usage analytics • API Governance • Security https://www.ibm.com/docs/en/api-connect/2018.x?topic=installing- maintaining-your-api-connect-cloud
- 7. APIC UNDER THE HOOK • Internal services communicating vs mTLS • Quorum, with 3 being the magic number • APIc is the match maker, it introduces each subsystem to each others • APIM, Portal, Analytics, Gateway • How does APIM <-> Portal • How does APIM <-> Analytics • How does APIM <-> Gateway • How does Portal <-> Analytics • How does Gateway <-> Analytics • Configurable, extensible
- 10. Ç√
- 11. API MANAGER • API are published • Publish in openapi v2 format • apim vs consumer • WebGUI/toolkits/portal/BYO • RateLimit Drinking Our Own Champagne Get an access_token access_token must contain the right scope Permission is checked Is token valid Token contains necessary scope ? Does User has the proper permission ?
- 12. HARDENED PORTAL SECURITY Supports OpenID Connect for accelerated developer on-boarding and social login Enable PSD2/ Open Banking compliance to programmatically onboard consumers using REST Management APIs and OpenID Connect Enhanced spam protection against spam bots with CAPTCHA and honeypot Detect and prevent malicious attacks with perimeter and DNS check Detect and prevent flood attacks
- 14. APIMANAGER WITH GATEWAY • Gateway must be 24 * 7 (without API manager) • API gateway introduce a gateway director manager • Using clustering technology to track configuration from APIM • Heartbeat from APIm to make sure Gateway will have the latest information • 911 protocol to handle catastrophic failure • Provides the status of how where the configuration with regard to the update from the APIm • Gateway director allows auto scaling of the additional gateway • Configuration/Key Materials • State of the processing
- 15. • Istio Integration for improved performance & security by passing API header and tokens into Istio • Open API V3 support to meet security industry standards (i.e. PSD2) & improve reuse • OpenBanking & PSD2 Compliant including flexible JWT and OAuth features • 5X Improved Performance with cloud-native API-centric Gateway Service • Fast Time to Value through Out of the Box policies for API Gateway Service • Enterprise Specific Security Support through OAuth flow customization • Expanded Security with OIDC, CAPTCHA, Perimeter, DNS check on Portal, etc. Performant and Secure
- 16. SECURE & MANAGE GRAPHQL ENDPOINTS Next-Gen evolution of Gateway technology beyond Web services and REST with GraphQL support Secure and Manage APIs with GraphQL backends, efficiently managing compute intensive services Threat Protection against cyberattacks using advance query complexity analysis to prevent API- based attacks Rate Limit GraphQL queries with consumer plans based on number of API calls & backend compute time https://www.ibm.com/blogs/research/2019/02/graphql-api-management/ https://developer.github.com/v4/guides/resource-limitations/
- 17. 1. Access Control • Who can access the data and what data • APIc • Client credential (application) • User credential (who) 2. Load Control • How much effort for the server to fulfill the request • Complexity • Type (object type) • Resolve GraphQL Endpoints security breakdown
- 18. Up to 5X+ increased performance with natively built API Gateway using purpose-built technology for native OpenAPI/Swagger REST and SOAP APIs Multi-cloud scalability and extensibility to help meet SLAs and improve client user experience Optimized drag & drop built-in policies for security, traffic control and mediation including flexible OAuth, enhanced JSON & XML threat protection Secure to the core with self-contained signed & encrypted image to minimize risk, plus proven security policies to quickly protect APIs Before: DP Multi protocol Gateway Service API call Backend New: Native API Gateway Service API call Backend CLOUD-NATIVE API GATEWAY SERVICE IN DATAPOWER API GW service
- 19. POLICIES FOR ENFORCEMENT ON API GATEWAY SERVICE Gateway Script and XSLT policy support provides flexible message mediation & dynamic security enforcement Dynamic Routing support through Conditional Policy Enforce strong security through Parse, JSON and XML Schema Validation policy OpenID Connect support to enable banks to meet PSD2 / Open Banking regulations OAuth Token revocation to enable self-service token management Foundational Security Mediation Invoke API Key Map Activity Log JWT Validate JSON-XML Rate Limit JWT Generate Gateway Script Throw OAuth Policy XSLT Set Variable Parse (Threat Detection) Conditional Validate User Security OpenID Connect Built-in policies
- 20. Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs MEETING SECURITY NEEDS THROUGH NEW FLEXIBLE OAUTH PROVIDER
- 21. FEATURE LIST OF OAUTH IN APIC V5, V2018+V5GW, V2018+APIGW Features V4 V5 v2018 +V5 CompatGW v2018 + APIGW Basic OAuth Support ✅ ✅ ✅ ✅ Distinct Client ids and Secrets ⤫ ✅ ✅ ✅ Separate API ⤫ ✅ ✅ ✅ Access Control ⤫ ⤫ ✅ ✅ Seamless packaging within product ✅ ⤫ ✅ ✅ Tight coupling with Provider ⤫ ⤫ ✅* ✅ Metadata,Token introspection, Revocation/Token Management,Advanced scope handling ⤫ ✅ ✅ ✅ Customize OAuth Assembly ⤫ ⤫ ⤫ ✅ Dynamic configuration updates ⤫ ⤫ ** ⤫ ** ✅ Context variable driven ⤫ ⤫ ⤫ ✅ Independent Resource Owner Security ⤫ ⤫ ⤫ ✅ Out of the box OIDC support ⤫ ⤫ *** ⤫ *** ✅ Out of the box JWT Authorization Grant ⤫ ⤫ ** ⤫ ** ✅ * Tight coupling is only at the APIManager API level, not in the backendV5 Gateway ** Can be done with gateway extension *** Supported by a set of rule in the assembly
- 22. Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs MEETING SECURITY NEEDS THROUGH NEW FLEXIBLE OAUTH PROVIDER
- 23. Out of the box JWT Grant Type Support
- 24. Out of the box OIDC Support
- 25. CUSTOMIZABLE EASE OF USE • Crypto material on per OAuth native provider (vs gateway level) • End user credential gathering (context variable) * • Consent handling • Global Policy (and thus inject context variable for processing) * • Token handling (allow listing vs stateless) • Flexibility • ….
- 26. WHAT SHOULD I DO • Monitoring IBM PSIRT for IBM APIC, IBM DataPower • https://www.ibm.com/security/secure-engineering/process.html • Timely upgrade/migration to a new version of firmware • Balance your security needs vs platform offered (hardware vs ova vs docker vs ..) • How about cloud ? ICP ? • APIC Connect White Paper: https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN& ( • Security vs ease of use vs compatibility • Performance/usage spike • HA (rule of 3) • Stateless (especially across Availability Zone)
- 27. GATEWAY SPECIFIC • Is WebGUI needed for production • Automate deployment (which APIc solves) • Monitoring gateway (DataPower Operations Dashboard) • Backup administrator • ACL • mTLS with your backend services • Message validation • Payload redact • SLM • AllowList vs BlockList
- 28. FROM YOU, OUR AUDIENCES • Your feedbacks ? • What would you like to see ? • What can you share with each others on your experience ? Good or Bad