In this presentation, Mike Amundsen, Francois Lascelles and Devon Winkworth of Layer 7 Technologies provide information on:
The latest trends in the API economy and best practices and tips for securely exposing enterprise APIs
Key issues around API Management, including access control, data security/privacy, developer management and API performance management
Melbourne API Management Seminar
1. API Management Breakfast Seminar
Francois Lascelles, Chief Architect
Devon Winkworth, Solutions Architect, APAC
Mike Amundsen, Principal API Architect
2. Agenda
API Management
Overview and Trends
Reaching out to Developers – B2D
Publishing and Consuming APIs
Engaging & Supporting Developers and Reporting the Results
Break
OAuth – the next step in Access Control
Solving Mobile Challenges
Customers Success Stories
Summary and Wrap up
3. Challenges for the Modern Enterprise
X-Departments / X-Agency Connectivity:
- Real-time Supply Chain
- X-agency information sharing
- Media Syndication
- Trading Platforms
Build a Developer Channel with Open APIs:
- Publish Public APIs Reliably
- Build Developer Ecosystems
- Monetize Internal Information
- Socialize Applications
Cloud Access & Integration:
- SaaS Access
- IaaS Integration & Governance
- Hybrid Private / Public API
- Burst to the Cloud
Connect Enterprise to Mobile Apps:
- Login / Password
- BYOD Employee Enablement
- Field Enablement
- Developer Communities
- Smart Grid
4. Why APIs? The Rebirth of Applications
Enterprise API
Customers & Partners
8. API Management Scope
[Diagram: the Developer uses the Developer Portal to reach the API; the App reaches the API through the API Gateway]
API Management Infrastructure covers:
- API Lifecycle
- Discovery, documentation
- Developer onboarding
- Performance, scaling
- Integration
- Access control
- SLA enforcement
- Threat protection
- Analytics
- Monetization
9. Agenda
10. Attending to the Hockey Sticks
More Devices
More Apps
More APIs
11. API Developers
Developers are your target audience
They need great tools to use your API
They know what works
And they tell others about it
13. They need great tools to use your API
Docs
Getting started
Sandbox
Registration
Samples
14. Developers know what works…
30 min to a quick win or else
“It was easy for me to get started with this API.”
Make them look good to peers and superiors
“Hey, I know just the API we can use to solve this problem.”
Make it easy for them to use/promote your API
“Company X has a great API, you should try it.”
Make it hard for them to mis-use/break your API
“This API is very intuitive.”
15. …And they tell others about it.
Conferences
100+ developers, designers, project leaders
Code-a-thons
100- developers, API publishers, API hosts
Meetups
Local developers, designers, leadership
- User Groups (~50)
- Pub Nights (~25)
Online
Wide range of highly targeted communities
- Forums
- Chat rooms
- Social media
16. Reaching out means…
Know your target audience
Give them the tools they need…
To do their jobs well…
So they will spread the good word.
17. Agenda
18. Example: Australia Sports API
Sample API: Professional sports information aggregation
- Teams
- News
- Results
19. Layer 7 Gateway
Ensure Privacy & Security Compliance:
- Authentication
- Authorization & Data Leak Prevention
- Attack Prevention
- Browser Exploit Blocking
- Security Control
Optimize API Traffic:
- Rate Limiting
- API Key Management
- Traffic Control
- Transformations: SOAP / REST, XML / JSON
20. Demo: Exposing an API with the Layer 7 Gateway
[Diagram: REST Client -> Gateway -> API endpoint; the Policy Manager configures the Gateway]
21. Layer 7 Gateway Capabilities
Access Control
• Authentication: for different IAM, SAML, OAuth
• Authorization including OAuth, XACML
• Token translation / SAML STS
• Horizon call back into enterprise
• Identity federation across service zones
Security
• API threat protection
• XML / JSON schema validation
• Data filtering, redaction
• Data privacy: message- and field-level encryption
• Data integrity: digital signatures, hashing, validation
Metering/SLA
• Throttling, rate limiting, x-cluster message counter
• Prioritization, traffic shaping and QoS
• Content caching to reduce latency overhead
• Monitoring, reporting on API usage
• Activity reporting to IT management systems
Abstraction/Mediation
• Format conversion: SOAP/REST/JSON/XML
• Protocol mediation: HTTP(S), messaging, file-based, SSH
• Dynamic content- and context-based routing
• Composite services: in-line callouts, message enrichment
• Workflow: fan-in, fan-out, looping, synch/asynch
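A constructed illustration of three of the gateway policies listed above: API key to application lookup, per-application rate limiting, and JSON schema validation behind a payload size cap. This is added example code, not Layer 7 Gateway code; the app registry, the limits and the schema are made up for the demo.

```python
import json
import time
from collections import deque

# Constructed toy of three gateway policies: API key -> app lookup, per-app sliding-window
# rate limiting and JSON schema validation. Illustration only, not Layer 7 Gateway code.
APPS = {"key-bronze-001": {"app": "scores-widget", "limit_per_min": 3}}  # constructed
TEAM_QUERY_SCHEMA = {"team": str, "season": int}  # required field -> expected type


class Gateway:
    def __init__(self, now=time.time):
        self.now = now      # injectable clock so the window can be tested deterministically
        self.windows = {}   # app -> deque of request timestamps within the last 60 s

    def rate_limited(self, app, limit):
        q = self.windows.setdefault(app, deque())
        t = self.now()
        while q and q[0] <= t - 60:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return True
        q.append(t)
        return False

    @staticmethod
    def validate(body, schema, max_bytes=4096):
        # Size cap before parsing blunts oversized-payload DoS; then enforce field types.
        if len(body) > max_bytes:
            return "payload too large"
        try:
            doc = json.loads(body)
        except ValueError:
            return "malformed JSON"
        if not isinstance(doc, dict) or set(doc) != set(schema):
            return "unexpected fields"
        for key, typ in schema.items():
            if type(doc[key]) is not typ:   # `is`, so a bool does not pass as int
                return f"bad type for {key}"
        return None   # valid

    def handle(self, api_key, body):
        # Returns (status, detail). The key only identifies the app; it is not user auth.
        app = APPS.get(api_key)
        if app is None:
            return 401, "unknown API key"
        if self.rate_limited(app["app"], app["limit_per_min"]):
            return 429, "rate limit exceeded"
        err = self.validate(body, TEAM_QUERY_SCHEMA)
        if err:
            return 400, err
        return 200, "forwarded to backend"
```

Rejected requests still consume a slot in the window, so a client that keeps sending malformed bodies is throttled like any other.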
22. Layer 7 Gateway Form Factors
Hardware Appliance:
- Rack mountable 1-U device
- Common Criteria EAL 4+ certification, FIPS 140-2 level 3
- Optional hardware accelerator modules for XML, crypto
VMware Virtual Appliance:
- Packaged virtual image of hardware appliance
- "VMware-ready" certified
- Open Virtualization Format (OVF)
Software:
- Software installation for Linux or Solaris based systems
AWS Virtual Appliance:
- Instantiate from your AMI catalog
- Integrate with EC2, RDS, Auto Scale, ELB
23. Agenda
24. Layer 7 API Portal Objectives
Drive Developer Adoption:
- Developer Enrollment
- API Docs
- Forums
- API Explorer
- Onboarding
Provide Insight for all Stakeholders:
- Analytics
- Rankings
- Quotas
- Task Tracking
- Reporting
25. Demo: API Portal
Developer portal
- Discover an API
- Try the API
- Register as a developer
- Register an application
- Get an API key
- Metrics
- Community
Demo
26. Layer 7 API Portal Capabilities
Developer Management
• Self-service registration and colleague enrollment
• Plans are provided to help you stratify developers into tiers
• Account managers assigned to help manage specific, high-value partners
• Manage the generation of API keys/OAuth secrets for each developer application
Developer Support
• Discussion Forums, integrated messaging, FAQs, Announcements to foster community among developers
• API Documentation, sample code/applications
• API Explorer to allow you to submit queries and see API responses interactively
• Reports that measure API usage, application usage and API latency
Content Management
• Out-of-the-box templates for API documents, landing pages, etc.
• Content can be versioned and rolled back
• Personalized default dashboard for all developer and publisher users
• Look and feel easily changed (e.g. logos, fonts, colors, etc.)
• Control access to documentation and forums based on API status (e.g. private vs. public)
Business Management
• Account tiers defined to allow for developer grouping and actions
• Define unique and/or standard plans for each API
• Define quotas, rate limits and other features for each API plan
• Applications tracked as they move from development to test to production
• Application usage measured, providing developer understanding and info for planning
28. Agenda
29. API access control
You got an API key, now what?
- An app is sometimes identified at runtime by including its API key in a query parameter
- (that doesn't count as access control: the key identifies the app, not the user)
- Typically, the user of the mobile app needs to be authenticated
- Standard: OAuth 2.0
- Multiple grant types possible
- Opaque bearer tokens are the most common approach
30. OAuth Toolkit
Supports OAuth 1, OAuth 2, 2- and 3-legged OAuth, OpenID Connect
- API Protection
- Better Integration – Leverage Existing Assets
- Faster Time to Market
- Scaling – Interpreted vs. Stateful Tokens; Caching
31. Anatomy of an OAuth handshake
(one of many possible grant types illustrated)
Parties: Subscriber (resource owner), Mobile App (client), OAuth Authorization Server
1. The subscriber gives consent at the Authorization endpoint; the authorization server returns an authz code to the mobile app.
2. The mobile app presents the authz code at the Token endpoint and receives an access token.
The resulting access token is a shared secret.
32. Why exchange a secret with an OAuth authorization server in the first place?
A: In order to consume an API
The OAuth Provider consists of the OAuth Authorization Server and the OAuth Resource Server.
The app consumes the REST API at the API endpoint (OAuth Resource Server) with the access token from the handshake.
The resource server maps access token -> app, user and enforces access control policies.
33. OAuth: Leverage existing identity, existing SSO
API Management integrated with the SSO Policy Server:
- During the <handshake>, get the SSO cookie and integrate with the policy server (web agent)
- Associate the SSO cookie (SSO token) with the access token
- Check the SSO session against the SSO Policy Server
Subscriber: "Maintain my SSO experience!"
34. Token Monitoring, Revocation
- Track usage of live tokens
- Integrate with portals, BI, provider tooling through an open API
- Expose token revocation to the right parties
[Diagram: Token Management at the centre; the Dev portal, Subscriber portal and API Provider can each revoke a token; BI checks token usage and looks for unusual usage patterns; on exploit or compromise ("FAIL!") the token is revoked]
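The handshake of slide 31, the token-to-app/user mapping and policy enforcement of slide 32, and the usage tracking and revocation of slide 34, as an added toy in Python. This is illustrative code written for this page, not Layer 7 OAuth Toolkit code; the client id, user and scope names are constructed.

```python
import secrets
import time

# Constructed toy OAuth 2.0 authz server (code grant, opaque bearer tokens) plus a
# resource-server policy check. Illustration only, not OAuth Toolkit code.
class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> client_secret handed to the app at registration
        self.codes = {}    # authz code -> (client_id, user, scope, expiry)
        self.tokens = {}   # opaque token -> {client_id, user, scope, revoked, uses}

    def register_client(self, client_id):
        self.clients[client_id] = secrets.token_urlsafe(24)
        return self.clients[client_id]

    def authorize(self, client_id, user, scope):
        # Step 1: resource owner consents at the authorization endpoint; short-lived code.
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope, time.time() + 60)
        return code

    def token(self, client_id, client_secret, code):
        # Step 2: client proves its shared secret at the token endpoint, redeems code once.
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # pop: a code can never be replayed
        if entry is None or entry[0] != client_id or entry[3] < time.time():
            raise PermissionError("invalid or expired code")
        tok = secrets.token_urlsafe(32)  # opaque: its meaning lives only in self.tokens
        self.tokens[tok] = {"client_id": client_id, "user": entry[1],
                            "scope": entry[2], "revoked": False, "uses": 0}
        return tok

    def introspect(self, tok):
        # access token -> (app, user); None if unknown or revoked. Uses are counted so
        # monitoring can look for unusual usage patterns.
        meta = self.tokens.get(tok)
        if meta is None or meta["revoked"]:
            return None
        meta["uses"] += 1
        return meta

    def revoke(self, tok):
        # Exposed to the dev portal, subscriber portal and API provider on compromise.
        if tok in self.tokens:
            self.tokens[tok]["revoked"] = True

def enforce(auth, bearer, resource_owner, required_scope):
    # Resource-server policy: token live, carries the scope, belongs to the resource owner.
    meta = auth.introspect(bearer)
    if meta is None:
        return 401
    if required_scope not in meta["scope"] or meta["user"] != resource_owner:
        return 403
    return 200
```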
35. Agenda
36. Layer 7 Mobile Access Gateway
A lightweight, low-latency mobile gateway for solving critical mobile challenges in the
following areas:
37. Demo - Mobile Access Gateway
Mobile Access Gateway
- http/websocket/xmpp/push
- Mobile notification hookup
(APNS, Android)
- Targeted notifications
Demo
38. Layer 7 Mobile Access Gateway Capabilities
Identity
• Map Web SSO & SAML to mobile-friendly OAuth, OpenID Connect and JSON Web Tokens
• Create granular access policies at user, app and device levels
• Build composite access policies combining geolocation, message content etc.
• Simplify PKI-based certificate delivery and provisioning
Security
• Protect REST, SOAP and OData APIs against DoS and API attacks
• Proxy API streaming protocols like HTML5 Web Sockets and XMPP messaging
• Enforce FIPS 140-2 grade data privacy and integrity
• Validate data exchanges, including all JSON, XML, header and parameter content
Adoption
• Surface any legacy application or database as RESTful APIs
• Quickly map between data formats such as XML and JSON
• Recompose & virtualize APIs to specific mobile identities, apps and devices
• Orchestrate API mashups with configurable workflow
Optimisation
• Cache calls to backend applications
• Recompose small backend calls into efficiently aggregated mobile requests
• Compress traffic to minimize bandwidth costs and improve user experience
• Pre-fetch content for hypermedia-based API calls
Integration
• Proxy and manage app interactions with social networks
• Broker call-outs to cloud services like Salesforce.com
• Bridge connectivity to iPhone, Windows and Android notification services
• Integrate with legacy applications using ESB capabilities
39. Agenda
40. Layer 7 API Management Implemented at 200+ Enterprise and Government Customers
[Customer logos grouped by sector: Financial Services, Communications, Public Sector, Select Others]
41. Case Study: Publishing Telecom APIs
Problem: publicly exposing Telecom APIs presents some unique challenges around
how they get packaged, secured and managed for easy consumption
Solution: SecureSpan Networking Gateway policy-based controls allowed Orange to
define the message, identity and interface level security for their APIs; track usage;
monitor interface health; and update APIs without breaking client applications
"Making Nursery [Telecom APIs] available to local, 3rd world partners has allowed Orange to overcome many of the barriers that had previously limited our growth in emerging markets."
Benoît Herard, Orange Labs
Results: Orange has created an agile IT platform on which to develop new offerings
faster and at less cost by reusing/recomposing existing services
42. Case Study: APIs Expanding Market Reach
Problem: wanted to securely expose existing services to third party developers in
order to expand their market reach
Solution: Layer 7 API Proxy allows Alaska to securely expose and manage their
APIs, while caching Sabre requests
Results: significantly grew market reach, while controlling costs associated with
constantly pulling data from Sabre to service Developer requests
43. Case Study: APIs Enabling the Enterprise
Problem: reduce cost and delay in processing Medicaid member information by
bringing the process online
Solution: SOA Gateway allows iPad application to securely connect to backend
APIs; provides data routing & guards APIs against intrusion with strict authentication,
authorization and comprehensive threat protection
Results: improves Amerigroup’s health care coverage and member services, while
increasing the effectiveness and efficiency of its Medicaid program
44. Case Study: Publishing Information Service APIs
Problem: allow customers and partners to use Google Apps to access multiple,
existing information services
Solution: CloudControl authorizes users and applies rate limiting; converts REST
queries to SOAP, and provides API aggregation & orchestration
"Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close."
SOA Architect, World's leading publisher of science and health information
Results: implemented business logic in policy (not code), decreasing maintenance
costs; customers and partners can now obtain richer results to their queries from
their platform of choice, simplifying and speeding information gathering
45. Case Study: SaaS & Mobile Integration
Problem: securely integrate to SaaS services such as Salesforce.com and
Workday, as well as secure mobile payments for Mastercard’s MoneySend service
Solution: Layer 7 securely gates all interactions with cloud-based SaaS providers
and mobile applications, authenticating and authorizing all inbound/outbound
interactions
Results: users manage only a single login/password for all systems; administrators
manage a single LDAP, thereby enhancing security and lowering administration costs
46. Agenda
47. Challenges for the Modern Enterprise
48. Layer 7 – One Solution for 4 Hybrid Problem Spaces
Across Divisions & Partners (SOA Gateway):
- Simplify Information Sharing
- Enable Centralized Shared Services
- Improve B2B
- Bridge ESB Domains
Outside Developer Communities (API Portal):
- Build a developer channel
- Monetize information assets
- Improve customer reach
- Improve customer retention
Across The Cloud (Cloud Access, CloudConnect):
- Help Enterprises Connect To The Cloud
- Help Service Providers Deliver New Services
- Deploy Security-as-a-cloud Service
Across Mobile (Mobile Access Gateway):
- Mobile Developer Onboarding
- BYOD
- Mobile application management
- App security
49. Established Leader
The Forrester Wave: SOA & API Application Gateways, Nov 2011
[Chart: vendors plotted by Current Offering against Strategy, with Market Presence, in the Risky Bets / Contenders / Strong Performers / Leaders bands]
Gartner Magic Quadrant for SOA & API Governance Technologies, Oct 2011
[Chart: vendors plotted by ability to execute in the niche players / visionaries / challengers / leaders quadrants]
Vendors shown across the two charts: Layer 7, Intel, Vordel, Software AG, Forum Systems, IBM, Oracle, HP, Progress Software, Tibco Software, SOA Software, Crosscheck Networks, Mashery, Bee Ware, Managed Methods, WSO2
Forrester: "Layer 7 SecureSpan is strong across the board. SecureSpan SOA Gateway scored well in all of the major functional evaluation categories…It has the broadest array of form factors and one of the strongest strategies for virtualization and cloud-based deployment."
Gartner: "[Layer 7 has a] …. complete offering, with good coverage of general SOA governance (on-premises and in the cloud), B2B, ESB and API management functionality…[The Company is] fast-moving, well on its way to implementing its good vision for SOA governance and the related marketplaces."
Additional Notable Recognition
50. Thank You
For more information contact:
Colman McCaffery
cmccaffery@layer7tech.com
+ 61 413 776 428