SlideShare a Scribd company logo

NYC Identity Summit Tech Day: Best Practices for API Security

Download as PPTX, PDF
ForgeRock, profile picture
ForgeRock

The document discusses best practices for API security, including using OAuth2 tokens that are issued and managed centrally, protecting communications with TLS, throttling incoming traffic to APIs, enforcing centralized policies at an enforcement point, and monitoring and auditing APIs. It provides ForgeRock Identity Gateway as an example of a solution that implements these practices.

Software
Related topics:
Identity and Access ManagementDigital Identity InsightsIdentity Management
1 of 13
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
© 2016 ForgeRock. All rights reserved. Best Practices for API Security Ludovic Poitou, Product Management Director
© 2016 ForgeRock. All rights reserved. API Security ?
© 2016 ForgeRock. All rights reserved. API Security
© 2016 ForgeRock. All rights reserved. Example: ForgeRock Identity Gateway APIs ForgeRock Access Management Throttling Authorization
© 2016 ForgeRock. All rights reserved. API Key • Use OAuth2 Tokens • Issued & managed centrally • Standard based • Access tokens are short-lived and revocable • Scopes for finer permissions
© 2016 ForgeRock. All rights reserved. Protecting against Disclosure • Secure End to End • Between Client and Gateway • Between Gateway and API • TLS • Certificate based Authentication
© 2016 ForgeRock. All rights reserved. Protect Against Misuse and DOS • Throttle the incoming traffic • Overall • Per API • Per Client • Also a monetization strategy! https://www.flickr.com/photos/telstar/
© 2016 ForgeRock. All rights reserved. Policy Decision and Enforcement Point • Centralized policy management • Introspect Token • Call ForgeRock Access Management PDP • Border enforcement • Specific rules and conditions • Not Found vs Forbidden https://www.flickr.com/photos/yannickgar/
© 2016 ForgeRock. All rights reserved. Monitoring and Auditing • Monitoring • Status • Throughput and Response Times statistics • Auditing • Logs • Reporting • Billing
© 2016 ForgeRock. All rights reserved. Summary
© 2016 ForgeRock. All rights reserved. Throttling Message Transformation Monitoring Session Management Token Exchange SSO Scripting Relying Party Authentication Authorization Federation (SAML / OIDC) Password Capture & Replay Protected Resources Identity Providers Data Stores Web Applications APIs Services Layer Access Layer HTTP / HTTPS OAuth2.0 | OpenID Connect | SAMLv2 External Layer Databases Directories Files Audit ForgeRock Identity Platform: Identity Gateway
© 2016 ForgeRock. All rights reserved. 12
© 2016 ForgeRock. All rights reserved. Best Practices for API Security Ludovic Poitou – Product Management Director Ludovic.Poitou@ForgeRock.com @ludomp

More Related Content

PPTX
NYC Identity Summit Business Day: Continuous Security
ForgeRock
 
PPTX
NYC Identity Summit Business Day: Identity is the Center of Everything (Mike ...
ForgeRock
 
PDF
NYC Identity Summit Tech Day: Authorization for the Modern World
ForgeRock
 
PPTX
NYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
ForgeRock
 
PPTX
ForgeRock Gartner 2016 Security & Risk Management Summit
ForgeRock
 
PDF
Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge
ForgeRock
 
PDF
ForgeRock Platform Release - Summer 2016
ForgeRock
 
PDF
Beyond username and password it's continuous authorization webinar
ForgeRock
 
NYC Identity Summit Business Day: Continuous Security
ForgeRock
 
NYC Identity Summit Business Day: Identity is the Center of Everything (Mike ...
ForgeRock
 
NYC Identity Summit Tech Day: Authorization for the Modern World
ForgeRock
 
NYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
ForgeRock
 
ForgeRock Gartner 2016 Security & Risk Management Summit
ForgeRock
 
Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge
ForgeRock
 
ForgeRock Platform Release - Summer 2016
ForgeRock
 
Beyond username and password it's continuous authorization webinar
ForgeRock
 

What's hot (20)

PDF
The Future of Digital Identity in the Age of the Internet of Things
ForgeRock
 
PPTX
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
ForgeRock
 
PDF
The Future is Now: The ForgeRock Identity Platform, Early 2017 Release
ForgeRock
 
PDF
Sydney Identity Summit: Addressing the New Threat Landscape with Continuous S...
ForgeRock
 
PPTX
A Backstage Tour of Identity - Paris Identity Summit 2016
ForgeRock
 
PPTX
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
ForgeRock
 
PDF
The Future is Now: What’s New in ForgeRock Identity Gateway
ForgeRock
 
PPTX
Sydney Identity Summit: The Future's So Bright, I Gotta Wear Shades
ForgeRock
 
PDF
Sydney Identity Summit: Doing Authorisation, Consent and Delegation Right wit...
ForgeRock
 
PDF
Security & Identity for the Internet of Things Webinar
ForgeRock
 
PDF
Identity Relationship Management - The Right Approach for a Complex Digital W...
ForgeRock
 
PPT
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
ForgeRock
 
PPTX
Backstage Tour of Identity - London Identity Summit
ForgeRock
 
PPTX
Identity Objects in Mirror Are Closer Than They Appear - Identity Live 2017 -...
ForgeRock
 
PPTX
Build a Trust Platform to Enable a Frictionless Customer Experience
ForgeRock
 
PDF
Sydney Identity Unconference Introduction and Highlights
ForgeRock
 
PDF
No IoT Without Identity
ForgeRock
 
PDF
IoT Wonderland: Understanding the Magic of OAuth2 Device Registration Flow
ForgeRock
 
PDF
The Future is Now: What’s New in ForgeRock Access Management
ForgeRock
 
PPTX
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
ForgeRock
 
The Future of Digital Identity in the Age of the Internet of Things
ForgeRock
 
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
ForgeRock
 
The Future is Now: The ForgeRock Identity Platform, Early 2017 Release
ForgeRock
 
Sydney Identity Summit: Addressing the New Threat Landscape with Continuous S...
ForgeRock
 
A Backstage Tour of Identity - Paris Identity Summit 2016
ForgeRock
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
ForgeRock
 
The Future is Now: What’s New in ForgeRock Identity Gateway
ForgeRock
 
Sydney Identity Summit: The Future's So Bright, I Gotta Wear Shades
ForgeRock
 
Sydney Identity Summit: Doing Authorisation, Consent and Delegation Right wit...
ForgeRock
 
Security & Identity for the Internet of Things Webinar
ForgeRock
 
Identity Relationship Management - The Right Approach for a Complex Digital W...
ForgeRock
 
Canberra Executive Breakfast - A Citizen-Centric Approach to Identity
ForgeRock
 
Backstage Tour of Identity - London Identity Summit
ForgeRock
 
Identity Objects in Mirror Are Closer Than They Appear - Identity Live 2017 -...
ForgeRock
 
Build a Trust Platform to Enable a Frictionless Customer Experience
ForgeRock
 
Sydney Identity Unconference Introduction and Highlights
ForgeRock
 
No IoT Without Identity
ForgeRock
 
IoT Wonderland: Understanding the Magic of OAuth2 Device Registration Flow
ForgeRock
 
The Future is Now: What’s New in ForgeRock Access Management
ForgeRock
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
ForgeRock
 
Ad

Viewers also liked (14)

PDF
Uniformes empresariales, BIGBANG México
BIGBANG
 
PDF
Uniformes para empresas df
BIGBANG
 
PDF
13 the ciolos reform
Tomas Garcia Azcarate
 
PPT
Módulo iv slideshare
gifran
 
PDF
9789243503325 spa
Cesar Nuñez
 
PDF
Mexicanidad
BIGBANG
 
PPT
бизнес драйв
RPritula
 
PDF
Carta docente
LendPerugia
 
PPTX
Camdenton School USA
Silvana Carnicero
 
PDF
UDES MAESTRÍA MAPA CONCEPTUAL
Luis Fernando Peña Jimenez
 
PPTX
Periprosthetic fractures
University Hospital Hradec Králové, Czech Republic
 
PPTX
High flexion TKR overview
Hiren Divecha
 
PPSX
MGUH Joint Replacement Class
schwartz2138
 
PPTX
Automobile chassis and body
Ràhúl Pâtêl
 
Uniformes empresariales, BIGBANG México
BIGBANG
 
Uniformes para empresas df
BIGBANG
 
13 the ciolos reform
Tomas Garcia Azcarate
 
Módulo iv slideshare
gifran
 
9789243503325 spa
Cesar Nuñez
 
Mexicanidad
BIGBANG
 
бизнес драйв
RPritula
 
Carta docente
LendPerugia
 
Camdenton School USA
Silvana Carnicero
 
UDES MAESTRÍA MAPA CONCEPTUAL
Luis Fernando Peña Jimenez
 
Periprosthetic fractures
University Hospital Hradec Králové, Czech Republic
 
High flexion TKR overview
Hiren Divecha
 
MGUH Joint Replacement Class
schwartz2138
 
Automobile chassis and body
Ràhúl Pâtêl
 
Ad

Similar to NYC Identity Summit Tech Day: Best Practices for API Security (20)

PPTX
APIs: The New Security Layer
Apigee | Google Cloud
 
PPTX
Adapt or Die Sydney - API Security
Apigee | Google Cloud
 
PDF
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
apidays
 
PPTX
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
PPTX
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
PPTX
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays
 
PPTX
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays
 
PDF
API Security Best Practices & Guidelines
Prabath Siriwardena
 
PDF
Designing Secure APIs
Steven Chen
 
PPTX
London Adapt or Die: Securing your APIs the Right Way!
Apigee | Google Cloud
 
PDF
API Security Best Practices and Guidelines
WSO2
 
PPTX
Deep-Dive: API Security in the Digital Age
Apigee | Google Cloud
 
PDF
Enhancing your Security APIs
Apigee | Google Cloud
 
PDF
Secure your app against DDOS, API Abuse, Hijacking, and Fraud
Tu Pham
 
PDF
What is API Security and How Does It Keep Apps Safe_.pdf
CyberPro Magazine
 
PDF
5 step plan to securing your APIs
💻 Javier Garza
 
PDF
API Security Best Practices & Guidelines
Prabath Siriwardena
 
PDF
42crunch-API-security-workshop
42Crunch
 
PDF
Virtual Meetup - API Security Best Practices
Jimmy Attia
 
PDF
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
apidays
 
APIs: The New Security Layer
Apigee | Google Cloud
 
Adapt or Die Sydney - API Security
Apigee | Google Cloud
 
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
apidays
 
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays
 
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays
 
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Designing Secure APIs
Steven Chen
 
London Adapt or Die: Securing your APIs the Right Way!
Apigee | Google Cloud
 
API Security Best Practices and Guidelines
WSO2
 
Deep-Dive: API Security in the Digital Age
Apigee | Google Cloud
 
Enhancing your Security APIs
Apigee | Google Cloud
 
Secure your app against DDOS, API Abuse, Hijacking, and Fraud
Tu Pham
 
What is API Security and How Does It Keep Apps Safe_.pdf
CyberPro Magazine
 
5 step plan to securing your APIs
💻 Javier Garza
 
API Security Best Practices & Guidelines
Prabath Siriwardena
 
42crunch-API-security-workshop
42Crunch
 
Virtual Meetup - API Security Best Practices
Jimmy Attia
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
apidays
 

More from ForgeRock (20)

PDF
Digital Identities in the Internet of Things - Securely Manage Devices at Scale
ForgeRock
 
PPTX
Get the Exact Identity Solution You Need - In the Cloud - AWS and Beyond
ForgeRock
 
PDF
Identity Live Sydney: Identity Management - A Strategic Opportunity
ForgeRock
 
PDF
Identity Live Singapore: Transform Your Cybersecurity Capability
ForgeRock
 
PDF
Identity Live Singapore 2018 Keynote Presentation
ForgeRock
 
PDF
Identity Live Sydney 2018 Keynote Presentation
ForgeRock
 
PDF
Identity Live Singapore: Just Ask 'Em
ForgeRock
 
PDF
Identity Live Singapore: Building Trust & Privacy in a Connected Society
ForgeRock
 
PDF
Identity Live Sydney: Intelligent Authentication
ForgeRock
 
PDF
Identity Live Sydney: Building Trust and Privacy in a Connected Society
ForgeRock
 
PDF
Get the Exact Identity Solution you Need in the Cloud - Deep Dive
ForgeRock
 
PPTX
Get the Exact Identity Solution You Need - In the Cloud - Overview
ForgeRock
 
PDF
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock
 
PDF
Opening Keynote (Identity Live Berlin 2018)
ForgeRock
 
PDF
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...
ForgeRock
 
PDF
BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)
ForgeRock
 
PDF
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...
ForgeRock
 
PDF
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...
ForgeRock
 
PDF
Shift from GDPR readiness to sustained compliance to improve your business an...
ForgeRock
 
PDF
Intelligent Authentication (Identity Live Berlin 2018)
ForgeRock
 
Digital Identities in the Internet of Things - Securely Manage Devices at Scale
ForgeRock
 
Get the Exact Identity Solution You Need - In the Cloud - AWS and Beyond
ForgeRock
 
Identity Live Sydney: Identity Management - A Strategic Opportunity
ForgeRock
 
Identity Live Singapore: Transform Your Cybersecurity Capability
ForgeRock
 
Identity Live Singapore 2018 Keynote Presentation
ForgeRock
 
Identity Live Sydney 2018 Keynote Presentation
ForgeRock
 
Identity Live Singapore: Just Ask 'Em
ForgeRock
 
Identity Live Singapore: Building Trust & Privacy in a Connected Society
ForgeRock
 
Identity Live Sydney: Intelligent Authentication
ForgeRock
 
Identity Live Sydney: Building Trust and Privacy in a Connected Society
ForgeRock
 
Get the Exact Identity Solution you Need in the Cloud - Deep Dive
ForgeRock
 
Get the Exact Identity Solution You Need - In the Cloud - Overview
ForgeRock
 
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock
 
Opening Keynote (Identity Live Berlin 2018)
ForgeRock
 
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...
ForgeRock
 
BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)
ForgeRock
 
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...
ForgeRock
 
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...
ForgeRock
 
Shift from GDPR readiness to sustained compliance to improve your business an...
ForgeRock
 
Intelligent Authentication (Identity Live Berlin 2018)
ForgeRock
 

Recently uploaded (20)

PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
System and Network Administration Chapter 2
jaramharo
 
AI in Product Development-omnex systems
omnex systems
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
System and Network Administraation Chapter 3
jaramharo
 

NYC Identity Summit Tech Day: Best Practices for API Security

  • 1. © 2016 ForgeRock. All rights reserved. Best Practices for API Security Ludovic Poitou, Product Management Director
  • 2. © 2016 ForgeRock. All rights reserved. API Security ?
  • 3. © 2016 ForgeRock. All rights reserved. API Security
  • 4. © 2016 ForgeRock. All rights reserved. Example: ForgeRock Identity Gateway APIs ForgeRock Access Management Throttling Authorization
  • 5. © 2016 ForgeRock. All rights reserved. API Key • Use OAuth2 Tokens • Issued & managed centrally • Standard based • Access tokens are short-lived and revocable • Scopes for finer permissions
  • 6. © 2016 ForgeRock. All rights reserved. Protecting against Disclosure • Secure End to End • Between Client and Gateway • Between Gateway and API • TLS • Certificate based Authentication
  • 7. © 2016 ForgeRock. All rights reserved. Protect Against Misuse and DOS • Throttle the incoming traffic • Overall • Per API • Per Client • Also a monetization strategy! https://www.flickr.com/photos/telstar/
  • 8. © 2016 ForgeRock. All rights reserved. Policy Decision and Enforcement Point • Centralized policy management • Introspect Token • Call ForgeRock Access Management PDP • Border enforcement • Specific rules and conditions • Not Found vs Forbidden https://www.flickr.com/photos/yannickgar/
  • 9. © 2016 ForgeRock. All rights reserved. Monitoring and Auditing • Monitoring • Status • Throughput and Response Times statistics • Auditing • Logs • Reporting • Billing
  • 10. © 2016 ForgeRock. All rights reserved. Summary
  • 11. © 2016 ForgeRock. All rights reserved. Throttling Message Transformation Monitoring Session Management Token Exchange SSO Scripting Relying Party Authentication Authorization Federation (SAML / OIDC) Password Capture & Replay Protected Resources Identity Providers Data Stores Web Applications APIs Services Layer Access Layer HTTP / HTTPS OAuth2.0 | OpenID Connect | SAMLv2 External Layer Databases Directories Files Audit ForgeRock Identity Platform: Identity Gateway
  • 12. © 2016 ForgeRock. All rights reserved. 12
  • 13. © 2016 ForgeRock. All rights reserved. Best Practices for API Security Ludovic Poitou – Product Management Director Ludovic.Poitou@ForgeRock.com @ludomp