NYC Identity Summit Tech Day: Best Practices for API Security
1. © 2016 ForgeRock. All rights reserved.
Best Practices for API Security
Ludovic Poitou, Product Management Director
4.
Example (architecture diagram): ForgeRock Identity Gateway in front of the APIs, with ForgeRock Access Management; diagram labels: Throttling, Authorization.
5.
API Key
• Use OAuth2 Tokens
• Issued & managed centrally
• Standards-based
• Access tokens are short-lived and revocable
• Scopes for finer permissions
6.
Protecting against Disclosure
• Secure End to End
  • Between Client and Gateway
  • Between Gateway and API
• TLS
• Certificate-based Authentication
7.
Protect Against Misuse and DoS
• Throttle the incoming traffic
  • Overall
  • Per API
  • Per Client
• Also a monetization strategy!
https://www.flickr.com/photos/telstar/
8.
Policy Decision and Enforcement Point
• Centralized policy management
• Introspect Token
• Call ForgeRock Access Management PDP
• Border enforcement
• Specific rules and conditions
• Not Found vs Forbidden
https://www.flickr.com/photos/yannickgar/
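One way a gateway could combine the three checks the deck calls for on slides 5, 7 and 8 (OAuth2 token introspection instead of API keys, per-client throttling, and a policy decision that answers Not Found rather than Forbidden for resources whose existence should stay hidden), as an added Python example that is not ForgeRock's or the presenter's code. The introspection responses and the policy table are constructed sample data; a real gateway would obtain the same fields by calling the authorization server's RFC 7662 introspection endpoint over TLS.

```python
"""Gateway-side request check: introspect OAuth2 token, throttle per client, enforce scope policy."""
import time
from collections import defaultdict, deque

# Constructed sample: what an RFC 7662 introspection endpoint would return for each token.
# In a real gateway this is an HTTPS call to the authorization server; here it is a lookup.
INTROSPECTION = {
    "tok-reader": {"active": True, "client_id": "mobile-app", "scope": "orders:read"},
    "tok-admin": {"active": True, "client_id": "ops-tool", "scope": "orders:read orders:write"},
    "tok-revoked": {"active": False},
}

# Constructed policy: required scope per (method, path prefix) and whether a denied
# caller should get 404 (hide the resource's existence) instead of 403.
POLICY = {
    ("GET", "/orders"): {"scope": "orders:read", "hide": False},
    ("DELETE", "/orders"): {"scope": "orders:write", "hide": True},
}


class ClientThrottle:
    """Sliding-window limit: at most `limit` requests per `window` seconds per client_id."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client_id -> timestamps of recent requests

    def allow(self, client_id, now):
        q = self.hits[client_id]
        while q and now - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def enforce(token, method, path, throttle, now=None):
    """Return the HTTP status the gateway answers with before forwarding to the API."""
    now = time.monotonic() if now is None else now
    info = INTROSPECTION.get(token, {"active": False})
    if not info.get("active"):
        return 401  # unknown, expired or revoked token: never reaches the API
    if not throttle.allow(info["client_id"], now):
        return 429  # per-client throttle tripped
    rule = next((r for (m, p), r in POLICY.items() if m == method and path.startswith(p)), None)
    if rule is None:
        return 404  # no such route published through the gateway
    if rule["scope"] not in info.get("scope", "").split():
        return 404 if rule["hide"] else 403  # the "Not Found vs Forbidden" decision
    return 200  # all checks passed: forward to the protected API
```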
9.
Monitoring and Auditing
• Monitoring
  • Status
  • Throughput and Response Times statistics
• Auditing
  • Logs
  • Reporting
  • Billing
11.
ForgeRock Identity Platform: Identity Gateway (architecture diagram). Layers shown: External Layer; Access Layer (HTTP / HTTPS; OAuth2.0 | OpenID Connect | SAMLv2); Services Layer. Gateway capabilities shown: Throttling, Message Transformation, Monitoring, Session Management, Token Exchange, SSO, Scripting, Relying Party, Authentication, Authorization, Federation (SAML / OIDC), Password Capture & Replay, Audit. Protected Resources, Identity Providers and Data Stores shown: Web Applications, APIs, Databases, Directories, Files.
13.
Best Practices for API Security
Ludovic Poitou – Product Management Director
Ludovic.Poitou@ForgeRock.com
@ludomp