Confronting API Security in the Brave New Open Banking Era
Download as PPTX, PDF9 likes2,058 views
The document discusses the challenges of API security in the context of the evolving open banking landscape and digital transformation in banking. It highlights significant security concerns like authentication, authorization, and threat protection, emphasizing the importance of managing risks while enabling developer access. Key strategies for securing APIs, including OAuth implementation, message security, and content filtering, are also outlined.
Confronting API Security in the Brave New Open Banking Era
- 1. © 2015 Akana. All Rights Reserved. Confronting API Security in the Brave New Open Banking Era Sachin Agarwal
- 2. © 2015 Akana. All Rights Reserved. Digital Disruption in Banking Mobile Cloud Customer Centric Block Chain Payments FinTech
- 3. © 2015 Akana. All Rights Reserved. However Risks Exists
- 4. © 2015 Akana. All Rights Reserved.
- 5. © 2015 Akana. All Rights Reserved. How do banks Open up to the Digital Economy While managing Risk?
- 6. © 2015 Akana. All Rights Reserved. EVOLUTION OF DIGITAL CHANNELS
- 7. © 2015 Akana. All Rights Reserved. Client-Server/ Web Applications • No Programmatic Access • Security through network isolation • Limited Users Access locations and variability of operations were limited
- 8. © 2015 Akana. All Rights Reserved. Web Services The enterprise opened slightly with Web Services/SOAP • SSL/TLS, Certificate based, PKI, WS-Trust • Some B2B and Partners applications • Complex, but quite secure and flexible
- 9. © 2015 Akana. All Rights Reserved. And then came APIs Disrupting how and where information is accessed • Mobile and Social Apps don’t’ understand PKI, WS-Security, etc. • Focus on human readability, developer adoption
- 10. © 2015 Akana. All Rights Reserved. Realizing End-to-End Security Managing the User Experience Securing the App - PII, PHI Enabling Easy Developer Access Securing the Channel Securing the Backend
- 11. © 2015 Akana. All Rights Reserved. Understanding the Security Landscape • Protocol specific threats • Key Management • OAuth • Monitoring • Licensing • Security Token Mediation API Specific Security Single Sign On MDM ATP, Firewall, VPN etc.
- 12. © 2015 Akana. All Rights Reserved. Major API Security Concerns
- 13. © 2015 Akana. All Rights Reserved. API Consumer Security?
- 14. © 2015 Akana. All Rights Reserved. Securing APIs 1 Authentication & Authorization 2 App Key Validation/ Licensing 3 Message Security 4 Threat Protection 5 Content Filtering 6 Rate Limiting Developers
- 15. © 2015 Akana. All Rights Reserved. Authentication/Authorization/SSO Control and restrict access to your APIs Make it easy yet secure
- 16. © 2015 Akana. All Rights Reserved. Understanding OAuth OAuth lets a person delegate constrained access from one app to another User Resource Owner Client App Resource Server
- 17. © 2015 Akana. All Rights Reserved. OAuth Flow
- 18. © 2015 Akana. All Rights Reserved. OAuth – You need • OAuth Clients • Provisioning • Approval Flow • OAuth Server • Identity Integration • Token Validation • Token Issue/refresh • Token Mediation (SAML, LDAP etc) • QoS, Monitoring • Policy Management • API Proxying • Reporting • Analytics OAuth is hard and complicated
- 19. © 2015 Akana. All Rights Reserved. Licensing Package your APIs in different ways Use API keys to restrict what the App can access The licenses control: – OAuth Authorization Scopes – Document visibility – Quota policies
- 20. © 2015 Akana. All Rights Reserved. Message and Parameter Security HTTP Parameter • http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey • Protect API Keys with HMAC – Hash-based Message Authentication Code Message Security • Implement HTTPS • For XML payloads encrypt specific parts of the message
- 21. © 2015 Akana. All Rights Reserved. Threat Protection • Denial of Service • Injection Attacks – Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks • Cross Site Scripting • Network address and range blacklists/whitelists • HTTP Parameter Stuffing
- 22. © 2015 Akana. All Rights Reserved. Content Filtering • Provide a content firewall, protecting against malicious content • Validate message content including message headers, form and query parameters, XML and JSON data structures. • Policies for XML and JSON DoS • Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
- 23. © 2015 Akana. All Rights Reserved. Quota Management/Rate Limiting Restrict the number of calls an App can make Apply controls based on context, affinity, segmentation etc.
- 24. © 2015 Akana. All Rights Reserved. Relevance to PCI Compliance • APIs are now part of e-commerce • Card payments pass through API • The infrastructure underlying the API?
- 25. © 2015 Akana. All Rights Reserved. Akana API Gateway Gateway Security Authentication Protection IAM Integration Encryption Mediation Quality of Service Paging/Caching Orchestration Scripting
- 26. © 2015 Akana. All Rights Reserved. The Akana Digital Business Platform
- 27. © 2015 Akana. All Rights Reserved. API Resources and API University • Resource Center – http://resource.akana.com/ • Follow us on: www.facebook.com/soasoftware www.linkedin.com/company/14301 @akanainc