Securing your API Portfolio with API Management

World®
’16
Securing Your API Portfolio With
API Management
Jeffrey Nibler - Vice President, API Management Division - Acclaim Consulting
DO3X18S
DEVOPS

2 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of
warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation

Abstract
This presentation by Acclaim Consulting covers all aspects of securing APIs and
how an APIM solution offers the best flexibility and chance to meet all possible
security use cases. The discussion will cover the differences between an APIM
solution and typical WAM solutions, special security considerations around mobile
security (including device registration with two-factor authentication) and Single-
Page Web Application security, along with an overview of OpenID Connect,
OAuth2, WS-Security and JWTs. Lastly, a brief case study will be presented on how
Verizon and Duke Energy leverage the security features of CA API Management to
protect their businesses.
Jeffrey Nibler
Acclaim Consulting
VP, API Management

Agenda
THE IMPORTANCE OF FLEXIBILITY
APIM VS WAM
SECURING APIS FOR MOBILE, IOT, AND SPA
JWT
OPENID CONNECT VS OAUTH
JOSE – “WS-SECURITY” FOR REST APIS
1
2
3
4
5
6
REAL-WORLD API SECURITY USE-CASES7

The Importance of Flexibility
Yes, but……..
Should API Publishers Dictate API Security?

Yes, but……..

Yes, but……..
Rules are written to be broken, by:
§ Customers
§ Systems (3rd party applications)
§ Internal departments
§ Clients
§ Timelines

You need a centralized system to handle API security for all APIs,
that is flexible and easy to implement & change.
You need something to mask the authentication mechanisms of
your back-end, to your front-end
You want to remove security logic from your APIs
This is where an API Gateway comes in
Simple/Light: JWT/Oauth
More complex
Gateway
Internal
Network
User
Agent

APIM vs WAM
Why do I need APIM if I have WAM?
§ WAM
– Designed for WEB Access Management
§ APIM
– Designed specifically for API Management and API Security
APIM WAM

APIM vs WAM
Why Do I Need APIM if I Have WAM?
OVERLAP
§ Identity and Authentication
– User, Group
§ Access Management
– Resource-Based
– Cookies/Sessions
§ SSO/Federation
– SAML, OAUTH, Kerberos

APIM vs WAM
Why Do I Need APIM if I Have WAM?
SOME COMMON DIFFERENTIATORS
§ Identity and Authentication
– APIM’s can leverage Enterprise Active Directories or internal Identity Providers
§ Access Management
– Better support for non-cookie based identification schemes
– Access control by application instead of User
– APIM provides fine-grain access control for SOAP and RESTful services
– API Plans – Rate limiting, quotas, commoditizing
§ Message Payload Security
– Remove sensitive elements from message responses based on user/role/app
– Threat detection
§ Mobile & IoT Use Cases
– Mobile Device Registration – Programmatic certification/CSR management
– Mobile SDK
Gateway
WAM
Mobile App
Directory
WAM: System of Record
APIM: Point of Enforcement

JWT
JSON Web Token – Pronounced “JOT”
What Are they?
§ Compact, URL-safe mechanism for representing claims
transferred between two parties
– Can contain pre-defined reserved and public claims, as well as private claims
§ JSON-formatted, standardized tokens
– Smaller and easier to implement than SAML/XML/SOAP
– Easy for mobile applications to work with
§ Safe – Can’t be modified by client app
– Uses JWS or JWE to sign or encrypt, symmetric or asymmetric
§ Self-contained - contents are readable
– Ideal for microservices
– High performing – No additional DB or API calls to validate or fetch data
§ Small, and very API-friendly – Ideal for enabling state in cross-
application scenarios

OpenID Connect Vs OAUTH
What’s the Difference?
OAUTH
§ Delegated Authorization Protocol
§ For use in a three or four party model:
– User
– Website/Application (user agent)
– Authorization Server
– Protected Resource (most often in same domain
as the authorization server)
§ NOT about Authentication
OPENID CONNECT
§ Interoperable Authentication Protocol
§ Allows client application developers to outsource
identity management to third parties (such as Facebook
or Google)
§ Used to Authenticate and assert identity of a user
§ OpenID Connect Token is human-readable (JWT) and all
required claims are included within, saving additional
calls to DBs or APIs to retrieve this data
§ Token can be restricted to an audience
§ Stateless

When/Where Do I Use them?
OAUTH
§ When you want to allow a third party
application to view your Facebook Friends
§ When you want to allow a third party
website to make twitter posts on your
behalf
§ If you are the Resource Provider and you
want to allow your users to delegate
access to their information to third party
applications and user-agents
OPENID CONNECT
§ When you want to authenticate a user
– Via your own IDP
– Via third party IDP
§ When you want a readable (if not encrypted),
application-agnostic, JSON formatted
authentication token that can easily be passed
back and forth in API calls
§ When you do not want to pass login credentials
with each API call

Why Shouldn’t I Use OAUTH for Authentication?
§ OAUTH tokens are generally long-lived
§ OAUTH tokens contain no readable information, claims, or
expiry – not even a User ID
§ When OAUTH is used for Authentication, client applications
have implicit trust that the holder of the Access Token is the
resource owner (the user), when a malicious site could hold
the token
– Once an Access Token is obtained, a malicious user or site could use the
token to impersonate the user on any website that uses OAUTH Access
Tokens as proof of authentication (using the client-flow).
§ Facebook and Google have implemented some proprietary
work-arounds for some of these issues but OpenID Connect
is a secure standard

JOSE: “WS-Security” for REST APIs
A Framework Intended to Provide a Method to Securely Transfer Claims Between Parties
§ WS-Security is part of the SOAP specification
that describes structures for cryptographic
keys, and defines cryptographic algorithms
to be used for message signing and message
encryption
§ JOSE provides the same, but in JSON format
making it ideal for REST services

The Power of Two-Way SSL
Hang Up!
§ Hackers try to penetrate systems through discovery
– What APIs do you have?
– What is their endpoint?
– What data elements do they contain?
– Do they require authentication?
– Are they vulnerable to injection, overflow, etc?
§ If a hacker doesn’t have a valid client-certificate, they
are stopped at the connection level, before having
the ability to attack

Two-Way SSL for Mobile Applications
CA Mobile API Gateway
§ Web browsers and mobile devices are not well-suited
for Two-Way SSL due to the manual processes
involved in keypair management, CSR generation,
certificate signing, establishing trust between two
parties, and managing certificate expiry
§ CA Mobile API Gateway solves this
– Programmatically sign and establish trust for client certs
Mobile API Gateway
MOBILE
API
GATEWAY

Two-Way SSL for Mobile Applications
CA Mobile API Gateway with 2-Factor Authentication
Mobile API GatewayMobile Device Enterprise Directory
User ID & PW
Authentication API Call
Validate with LDAP
Return Success Auth Token & Masked
User Phone Numbers
CRM
Obtain User Phone Numbers
Submit Request for Registration Code, with Masked
Phone Number & Auth Token
GW Maps Masked Phone to Actual Phone, Submits
to CRM
CRM Generates
Registration Code and
sends SMS to user
Mobile Device Generates RSA 2048 Key Pair, using
User’s ID + Device ID as CN, then CSR, Base-64
encoding CSR, submit API call to GW with Auth
Token and Registration Code
GW Validates Reg Code with CRM & on Success,
Signs the CSR With it’s Key Pair, and Adds the Key
Pair to the GW’s Trust Store
GW Returns Signed CSR, Base64 Encoded to Mobile
Device Which Stores it
All Subsequent Calls to APIs made over mSSL
GW Validates Cert and
Allows Access To
Protected APIs

API Security Best-Practices Cheat-Sheet
Best-Practices in General
• Use TLS for Everything
• If Unable to Leverage Transport Layer Encryption
• Message Signing if Message Contents are “public” (JWS)
• Message Encryption if Message Contents are “private” (JWE)
• Authorization Delegation
• OAUTH2
• Persistence across APIs
• OpenID Connect / JWT
• Authentication (AuthN)
• API-Based
• OpenID Connect
• Existing Enterprise Directory through the Gateway
• Access Control (AuthZ)
• Leverage existing Enterprise WAM system through the GW, or use the GW
alone
• Continuous Authentication
• Patterns – IP change, geolocation, multiple connections, different
applications
• Threat Prevention
• Throttling/Rate Limiting

API Security Best-Practices Cheat-Sheet
Best-Practices by Use-Case
Mobile & IoT Apps
Mutual SSL
Two-factor Auth + OpenID Connect
Single Page Apps
OpenID Connect with API-Based login
exposed by the gateway, leveraging an
IDP
All API calls from SPA route through
API Gateway
B2B: Mutual SSL
Better than just an API key or shared
secret - API key must be sent with each
request and can be easily stolen

Duke Energy is the largest electric power holding company
in the United States, supplying and delivering energy to
approximately 7.3 million U.S. customers
ACCELERATED IT:
• API GW solution allowed mobile application
to be quickly put into use in the field
TRANSFORMED IT:
• Eliminated help desk, manual paper work-order
process, and multiple sign-ons. Enabled internal AND
external field workers to use electronic work orders
SECURED IT:
• Secured services with Mutual SSL.
• Utilized tokens with Kerberos tickets for SSO to Maximo
and ArcGIS
§ API Gateway, Mobile
API Gateway,
Developer Portal
§ Mobile Device
Registration
§ Utilized API GW to
provide SSO to non-
linked multiple back-
end systems via token
§ Field workers must login to
three separate systems
while in the field to view
work orders
§ Third-party field workers
may not access VPN so a
costly, manual paper work-
order process is utilized
§ New mobile application will
result in the external
exposure of APIs which must
be highly secured
CHALLENGE SOLUTION RESULTS

Verizon Telematics is a leading telematics provider providing
services to the Hum by Verizon product, Network Fleet,
Mercedes Benz Mbrace, VW Car-Net, and Nissan Connected
Car
ACCELERATED IT:
• Two-phase roll-out allowed multiple clients
to adopt new security within their ideal
project timeline
TRANSFORMED IT:
• Provided a single point of entry into all business
services while leveraging existing enterprise Access
Management and Authorization systems.
SECURED IT:
• All APIs have tracked sessions, threat detection,
Mutual SSL, and fine-grain access control
§ API Gateway, Mobile
API Gateway,
Developer Portal
§ Mobile Device
Registration with Two-
Factor Authentication
and Mutual SSL
§ Method-Level Access
Control for SOAP
services
§ Large rapidly
expanding/evolving
API Portfolio with a
mix of SOAP and
RESTful services
§ Many security
components
embedded in the
business logic of the
services or within the
mobile applications
CHALLENGE SOLUTION RESULTS

Questions?

Stay connected at communities.ca.com
Thank you.

@CAWORLD #CAWORLD © 2016 CA. All RIGHTS RESERVED.26 @CAWORLD #CAWORLD
DevOps – API Management and
Application Development
For more information on DevOps – API Management and
Application Development, please visit: http://cainc.to/DL8ozQ

Securing your API Portfolio with API Management

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a Securing your API Portfolio with API Management

Semelhante a Securing your API Portfolio with API Management (20)

Mais de CA Technologies

Mais de CA Technologies (20)

Último

Último (20)

Securing your API Portfolio with API Management