Standard Based API Security, Access Control and AI Based Attack - API Days Paris 2018
2. PING IDENTITY WORKSHOP
API Days 2018, Paris, Dec. 11-12
2 Copyright ©2018 Ping Identity Corporation. All rights reserved.
Philippe DUBUC
Principal Regional Solution Architect
4. [Diagram: Users, Hackers and bots → API Security → APIs]
AGENDA
1. Set the context
2. API Security based on standards
o Authentication
o Authorization
o Best Practices
o Watch new standards
3. API Attacks Detection
o How can AI and ML help detect attacks?
5. [Diagram: Users, Hackers and bots → API Security → APIs]
WHO ARE THE STAKEHOLDERS?
1. API developers
2. DevOps Team
3. IT Architects
4. Security Professionals
o Implement tools
o Monitor security
6. 60% OF COMPANIES AGREE THAT API INTEGRATION IS CRITICAL TO THEIR BUSINESS STRATEGY
8. DIGITAL TRANSFORMATION DRIVING EXPLOSION IN API AND CREATING ** NEW ** VULNERABILITIES
“724,000 taxpayers victims of the latest data breach … with automated, brute force probe using IRS's public API ...”
– Forbes
“... individuals obtained access to high-profile Instagram users'... by exploiting a bug in an Instagram API”
– Instagram statement
10. SO HOW DO WE PROTECT THE CONSUMERS/EMPLOYEES DATA?
11. STANDARDS CAN MULTIPLY THE IMPACT OF APIS
o More extensible
o More interoperable
o More secure
OAuth 2.0 for API security
OIDC for scoped identity and access
12. STANDARDS BASED APPROACH NEEDED TO SECURE APIS
[Diagram: layered stack of TLS, OAuth 2, OpenID Connect, Authentication Authority, Access Authority and Intelligent API security]
13. VERY HIGH-LEVEL VIEW OF OAUTH2
[Diagram: Client App (OAuth2 Client), Authorisation Server backed by a User Local Directory, and Your APIs (Resource Server)]
1. Request Token
2. Authenticate
3. Get Token
4. Use Token
5. Validate / Introspect Token
14. ADDING ACCESS SECURITY TO API
[Diagram: Client App (OAuth2 Client), Authorisation Server backed by a User Local Directory, and an Access Security component in front of Your APIs (Resource Server)]
1. Request Token
2. Authenticate
o Contextual
o Adaptive
o Policy Based
3. Get Token
4. Use Token
5. Validate token
o Authorization Policies
6. Forward Request
o Forward Identity
7. Optional: Validate Token
15. WHAT WE DO AT PING IDENTITY
[Diagram: same flow as slide 14 (steps 1 to 7), with the Authentication Authority and Authorization Authority roles labelled]
16. AUTHENTICATION AUTHORITY
Authenticate users and provide Single Sign-On across all your apps
Single Sign-On and Identity Federation
• SAML, OAuth, OpenID Connect, more
• Last-Mile / First Mile Integration
Authentication Policy
• Adaptive authentication policies
• Step-Up MFA & 3rd Party Integration
• Source identities attributes from any data store
User Self-Service
• Registration, profile mgmt, and password reset
• Social login and account linking
[Diagram: Users on premises, mobile and SaaS applications authenticate through the Authentication Authority (authentication policies, step-up MFA with SMS OTP, authentication data sources) and receive SSO]
17. ACCESS SECURITY AUTHORITY
Ensure the right people have access to the right resources
• Secure access at the app, API, and page/URL level
• Protect resources on-prem and in the cloud
• Enforce policies via proxy and/or agent models
• Replace or coexist with legacy WAM
• Single logout and session control
• Adaptive access policies based on user, device, resource, context and more
• Centrally manage policies across hybrid IT
• Continuous authentication
• Deploy on-prem or in your cloud
• Automated deployment & auto-scaling in AWS
[Diagram: Users reach legacy/on-prem apps and APIs and cloud-based apps and APIs through the Access Security Authority (proxy and agents, grant/deny access), which relies on the Authentication Authority, centralized access policies and continuous authentication; auto-deploys and auto-scales in AWS]
18. ACCESS SECURITY
PSD2 Demo
Protecting Open Banking API
Payment scenario
20. USE CASE: PAYMENT TRANSACTION
[Diagram: steps 1 to 8 between the customer's Browser, the Merchant, the Bank's Open APIs behind Access Security (Open Banking Authority), and the Auth. Authority with its Customer Directory, which performs MFA and issues OAuth Tokens]
21. THE KEY REQUIRED (& FUTURE) STANDARDS
23. OAUTH2.0
MINIMUM MANDATORY!
IETF RFC 6749 – 6750
– OAuth2.0 Specs
– Authorization Framework
– RFC 8252: OAuth 2.0 for Native Apps
IETF RFC 7636
– Proof Key for Code Exchange by OAuth Public Clients
– PKCE, pronounced "pixy"
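PKCE (RFC 7636) worked through as an added example, not code from the slides or from Ping Identity: the client derives the S256 code challenge, and a stand-in authorisation server refuses to exchange the authorization code unless the matching verifier is presented. The `AuthorizationServer` class and its method names are assumptions made for illustration.

```python
# Added example: PKCE (RFC 7636) code_challenge / code_verifier handling.
# AuthorizationServer is a hypothetical stand-in, not a real product API.
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy random verifier (32 bytes -> 43 characters)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical minimal authorisation server: remembers the challenge sent
    with the authorization request and checks the verifier at the token endpoint,
    so an intercepted authorization code alone cannot be redeemed."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id:
            return None
        if not secrets.compare_digest(entry[1], make_code_challenge(code_verifier)):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def pkce_round_trip() -> bool:
    """Full flow: the client keeps the verifier secret and sends only the challenge."""
    server, verifier = AuthorizationServer(), make_code_verifier()
    code = server.authorize("ac_client", make_code_challenge(verifier))
    return server.token("ac_client", code, verifier) is not None
```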
24. OAUTH2.0
To monitor: implementation status
OAuth 2.0 Token Binding
– Token Binding: Cookie, Access Tokens, Authorization Codes, Refresh Tokens, JWT Authorization Grants, and JWT Client Authentication
– Token Binding (TB) protocol is IETF RFC (Oct. 2018): RFC 8471/2/3
26. WHAT IF THE TOKEN IS STOLEN?
27. WHAT’S WRONG WITH OAUTH2 ACCESS TOKEN?
Bearer Token
{
"sub":"jsmith@anycompany.org",
"uid":"jsmith@anycompany.org",
"active":true,
"iddwJson":"n/a",
"token_type":"Bearer",
"exp":1544224231,
"client_id":"ac_client",
"email":"jsmith@anycompany.org",
"username":"jsmith@anycompany.org"
}
1. Tokens can be revoked
o As specified in the specs
2. New Token Binding specs
3. But… what if the token or credentials are stolen?
28. ATTACK DETECTION
Stolen OAuth 2.0 Access Token Demo
(slides 28, 30, 32 and 34 build up the following steps one at a time)
1. Get a token
2. Use token as the legitimate user
3. Use token as the attacker
4. Use token as the attacker; AI/ML is computing the behavior
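The token validation of slide 14 (step 5) and the stolen-token demo above, as an added example that is not Ping Identity's code: the access-security layer checks the introspection response (field names taken from slide 27) and a deliberately simple per-token context baseline, standing in for the AI/ML behaviour engine, flags the same valid bearer token arriving from a second client context. The introspection results and API log are constructed sample data.

```python
# Added example (not Ping Identity's code): bearer-token validation plus the
# stolen-token pattern of the demo. A per-token context baseline stands in for AI/ML.
from collections import defaultdict

# Constructed introspection results (RFC 7662 shape, field names as on slide 27).
INTROSPECTION = {
    "tok_A": {"sub": "jsmith@anycompany.org", "active": True, "token_type": "Bearer",
              "exp": 1544224231, "client_id": "ac_client"},
    "tok_B": {"active": False},  # revoked token
}
# Constructed API log for demo steps 2 and 3: the legitimate user, then the same
# bearer token presented from another host and client.
API_LOG = [
    {"token": "tok_A", "src_ip": "10.0.0.5",    "ua": "Mozilla/5.0", "path": "/account"},
    {"token": "tok_A", "src_ip": "10.0.0.5",    "ua": "Mozilla/5.0", "path": "/order"},
    {"token": "tok_A", "src_ip": "203.0.113.7", "ua": "curl/7.61.0", "path": "/account"},
    {"token": "tok_B", "src_ip": "10.0.0.9",    "ua": "Mozilla/5.0", "path": "/query"},
]

def validate_introspection(resp: dict, now: int, expected_client: str = "ac_client") -> bool:
    """Step 5: accept only an active, unexpired bearer token issued to the expected client."""
    if not resp.get("active") or str(resp.get("token_type", "")).lower() != "bearer":
        return False
    if now >= int(resp.get("exp", 0)):
        return False
    return resp.get("client_id") == expected_client

class TokenUsageMonitor:
    """Step 5.1 (Attack?): a valid token arriving from a (source IP, user agent)
    context it has never been seen with is the replay introspection cannot catch."""
    def __init__(self):
        self._contexts = defaultdict(set)

    def observe(self, token: str, src_ip: str, user_agent: str):
        seen, ctx = self._contexts[token], (src_ip, user_agent)
        changed = bool(seen) and ctx not in seen
        seen.add(ctx)
        return "token_context_change" if changed else None

def enforce(log: list, introspection: dict, now: int) -> list:
    """One decision per request: 'allow', or 'deny:<reason>'."""
    monitor, decisions = TokenUsageMonitor(), []
    for req in log:
        resp = introspection.get(req["token"], {"active": False})
        if not validate_introspection(resp, now):
            decisions.append("deny:invalid_token")
            continue
        alert = monitor.observe(req["token"], req["src_ip"], req["ua"])
        decisions.append(f"deny:{alert}" if alert else "allow")
    return decisions
```

A production engine would weight many more features than IP and user agent and would typically step up authentication rather than deny outright; the point is that introspection alone passes the attacker's request at step 3.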
36. PING IDENTITY INTELLIGENT PLATFORM
[Diagram: the slide 14 flow with an Attack Detection component added at step 5; Authentication Authority and Authorization Authority roles labelled]
1. Request Token
2. Authenticate
o Contextual
o Adaptive
o Policy Based
3. Get Token
4. Use Token
5. Validate token
5.1. Attack?
5.2. Authorization Policies & Forward Identity
6. Forward Request
7. Optional: Validate Token
37. PING IDENTITY INTELLIGENT PLATFORM
[Diagram: same flow as slide 36, with the product names PingFederate®, PingAccess® and PingIntelligence for APIs placed on the components]
38. ADDRESSING API SECURITY GAP
Security Beyond Access Control
Security Beyond WAF
Extending Foundational API security to protect against cyberattacks on APIs
Security needs beyond existing security:
• Login/Identity attacks detection
• API-specific DoS/DDoS attacks protection
• Detecting Cyberattacks on data, apps, systems
Need full API activity reporting at scale
API SECURITY TODAY
• Access Control and WAF: Tokens, Authentication/Authorization, Attack Signatures
• Rate Limiting: Client throttling, quotas
• Network Privacy: SSL/TLS
THE MISSING PIECES
• Data, Application, System Attacks: APTs, Data Exfiltration, Deletion, etc.
• API DoS/DDoS Targeted Attacks
• Compromised API Services Access
• Login/OAuth/Authentication Attacks: Credential Stuffing, Fuzzing, Stolen Cookies and Tokens
39. DO YOU HAVE VISIBILITY INTO API TRAFFIC?
Do you know Who’s/What’s connected to your APIs at all times?
API activity needs tracking & reporting
• APIs accessed by Who / What / When
• Command/method activity on each API
• Timeline
• Anomalous Behavior
Dumping logs for tracking does not work
– BIG DATA PROBLEM –
[Diagram: APIs /login, /query, /update, /account, /order; WHAT IS HAPPENING WITH YOUR APIS?]
40. INTRODUCING PINGINTELLIGENCE FOR APIS
AI/ML Solution for Deep API Visibility and Attack Protection
[Diagram: Users, Hackers and bots → PingIntelligence for APIs → APIs]
AI-powered Cyber Security
• API auto-discovery identifies all active APIs
• API activity audit trails for deep insight – compliance and forensic reports
• Identifies cyberattacks on APIs and data/systems
• API deception instantly detects hacking
• Automatically blocks API threats
41. PINGINTELLIGENCE FOR APIS
Blocks Cyber Attacks and Provides Deep Insight into API Usage
API Cybersecurity with artificial intelligence
• Self-learned security – no policies or rules to write
• Deep traffic inspection
• On premise, hybrid and public clouds
Operational Simplicity
• Elastic scaling with Smart Clusters
• Self-learning / auto-configuration principles
• For REST and WebSocket APIs
[Diagram: API Behavioral Cyber Security (API Security Enforcer and Artificial Intelligence Engine) in front of the APIs; on premise or cloud deployment]
42. DEPLOYMENT OPTIONS
• Inline: with API Gateways or App Servers
• Sideband: with API Gateways or PingAccess
• Out-of-Band: with Span/Mirror Port
[Diagram: for each option, API traffic from Users and Devices flows through an API Gateway and/or PingAccess® to the APIs, with the API Security Enforcer and the API Behavioral Security Engine placed inline, alongside the gateway, or on a mirrored copy of the traffic]
43. AUTOMATED ATTACK DETECTION AND BLOCKING
Protecting APIs with Artificial Intelligence and Real-Time Engines
[Diagram: API traffic from Users and Devices passes through API Security Enforcers, which capture meta-data for the Artificial Intelligence Engine/Cluster (Smart Cluster) and terminate access on its verdict]
Continuous Protection
• Automated threat detection & blocking
• AI-powered API cyberattacks detection
• Login services breaches, stolen cookies or tokens
• Data theft, deletion, poisoning, system takeover, API memory attacks, API code injection, etc.
• Cookie or WebSocket session management attacks
• API-specific layer 7 DDoS attacks – multiple types
• Protects against new and changing attacks; not reliant on specific patterns
• Automated attack blocking across DCs and Clouds
44. PINGINTELLIGENCE API DECEPTION
Tracks Hacking Behavior
1. Decoy APIs attract probing hackers
2. Source identified instantly
3. Blocks access to production APIs
[Diagram: Users and Devices reach the production APIs and a Decoy API through PingIntelligence for APIs; example paths /finance, /query/date, /account, /query/name; Instant Hacking Detection]
45. TRAFFIC VISIBILITY AND ATTACK REPORTING
API Security Dashboard
• Automatically discovers active APIs
• Deep API traffic visibility – just about everything on API traffic
• Reports for attack forensics, compliance, DevOps
• Complements API Gateway analytics
• Dashboard and JSON reports
• APIs to integrate with 3rd party systems
[Diagram: API Auto-Discovery and Deep API Activity Visibility; JSON Attack Forensics & Compliance Reports]
46. API SECURITY DASHBOARD – DIVING INTO ONE API
47. API DECEPTION
Real Time Detection: Hacker probing APIs
48. API DECEPTION (continued)
49. API SECURITY IS NOT A ONE-TIME PROJECT
* Source: Gartner