Managing API Security in SaaS and Cloud
0 likes605 views
The document discusses the importance of managing API security through service abstraction and orchestration to enhance protection and interoperability. It highlights case studies showcasing the implementation of secure APIs while allowing for scalability and integration into existing infrastructures. Key solutions include military-grade security for APIs, identity and access management, and the ability to automate management through virtualization, addressing the challenges faced by organizations in managing their APIs.
Managing API Security in SaaS and Cloud
- 1. Managing API Security Liam Lynch a y c Chief Security Strategist, eBay Founder and Identity Strategist, CSA Feb 23, 2011
- 2. Web services security y Large scale public services need scale but also granular security as well Service fabrics such as Rest are valuable for agile development Many consumer's of services can’t use SOAP or other forms of XML request response Whatever the protocol there needs to be protection and dynamic service delivery
- 3. Service protection Early on protection for service was SSL and access tokens Typical use case was 3rd party iframe invocation in client browsers REST was a step up in protection but the typical use case was still dangerous Full SOAP/XML based services using standards (XML encryption and SAML) are better but elude the typical use case Until…
- 4. Service abstraction Service abstraction allows for denial of service protection Abstraction allows older services to be upgraded without rewriting code Abstraction allows for integrated service delivery Abstraction allows for upgrading security and service standards Abstraction allows for increased security by coordinating with… with
- 5. Service orchestration Orchestration provides a capability to bring in service delivery components just in time Security level orchestration leverages abstraction to enable evaluation at run time The typical use case could be easily enabled by SAML browser tokens and orchestration of identity provider assertions Policies for access can be orchestrated from a variety of sources ddepending on client access and other f t di li t d th factors such h as service authorization
- 6. Summary y Service protection has a history of proprietary and troublesome interoperability issues Service abstraction enables better service security by introducing a standards based layer in front of service platforms Service orchestration enables better security by leveraging service abstraction and injecting standards based security and policy evaluation
- 7. Managing API Security Common Patterns and Case Studies K. Scott Morrison CTO and Chief Architect, Layer 7 , y Feb 23, 2011
- 8. LargeCorporation.com Has A Problem… g p The API Internal Firewall-2 Hosts Firewall-1 The Internal Internet Data Center Partner DMZ How can LargeCorp Securely publish and manage their new API?
- 9. Cloud-based Security & Management Is Too Remote y g The API Internal Firewall-2 Hosts Firewall-1 Cloud Security Offering Internal The last 1000 miles… Data Center DMZ Hackers H k
- 10. Layer 7: The Enterprise Solution For Service Protection y p Keep Security and The API Mgmt. Close to the API Operator Internal Data Center Partner DMZ Military-grade security for REST and SOAP APIs/Services Complete visibility into use patterns y Integration into existing infrastructure Identity & Access Mgmt, Portals, Operations, billings, etc
- 11. Case Study: Publishing Web-based APIs y g Problem: A leading European car portal wanted to securely expose auto and ecommerce information to third party developers S l ti L Solution: Layer 7 authorizes/authenticates thi d party d th i / th ti t third t developers attaching t l tt hi to ecommerce APIs directly or via a Web portal; throttles backend traffic to maintain Quality of Service targets Results: increased revenue by monetizing their APIs; increased traffic, exposure and brand through third-party Web sites, applications and services based on automobile- focused Web service APIs
- 12. But Now LargeCorporation.com Has A New Problem… g p Internal Firewall-2 Hosts Firewall-1 Lots of APIs Lots of Developers Internal Data Center DMZ How can L H LargeCorp scale API C l management?
- 13. The Enterprise Solution For Service Abstraction p Management of APIs Internal the way applications Hosts are managed Lots of Provider Developers View Internal Data Center Developer DMZ View Vi Full policy life-cycle management Policy versioning, roll-back, audit Policy migration (dev-test-prod) Clear separation of duties Cl ti f d ti Role-based Access Control (RBAC) APIs for integration with existing infrastructure and tools
- 14. Case Study: Publishing Information Service APIs y g Problem: A leading global publisher needed to allow customers and partners to use Google Apps to access multiple, existing information services Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration “ Layer 7 offered us the closest fit to our business requirements in a single “ product. No other vendor was even d t N th d close. SOA Architect, World’s leading publisher of science and health information Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from ; p q their platform of choice, simplifying and speeding information gathering
- 15. Finally, How Will LargeCorporation.com Automate? y g p Virtualization Infrastructure High Usage Internal Volumes Data Center DMZ How can LargeCorp react to rapid changes in scale?
- 16. The Enterprise Solution For Service Orchestration p Virtualization Secure and automated Farm co-ordination of all infrastructure to maintain Virtualization SLAs API Switches, Load Balancers, etc High Audit DB Usage Internal Volumes Data Center DMZ Orchestration using GUI tools Fully integrated into security context Parallelized access Connectors to HTTP, TCP, SSH, FTP, JMS, SNMP, SMTP, MQSeries, etc
- 17. Case Study: IaaS & PaaS API Security y y Problem: A leading cloud Iaas and PaaS provider needed to allow customers to self- provision and self-manage private cloud resources without compromising the cloud p provider’s virtualized infrastructure Solution: Layer 7 provides integration with and API management for this provider’s management and billing systems, EMC storage, and VMware vCloud Director; provides security/ threat protection, and ensures SLA/ QoS levels are met Results: with Layer 7 in place, the provider’s customers can create and manage their own private cloud as if it were a true extension of their enterprise
- 18. For further information: K. Scott Morrison Chief Technology Officer & Chief Architect Layer 7 Technologies 1100 Melville St, Suite 405 Vancouver, B.C. V6E 4A6 Canada (800) 681-9377 smorrison@layer7tech.com smorrison@layer7tech com http://www.layer7tech.com February 23, 2011