mobile and api identity – the new challenges

Topics § Define API’s

§ How are they being used

§ What are the issues

§ What's being used

§ One approach

Web API =

Technology

Mobile and API identity – The New Challenges Aran White Solution Architect awhite@layer7.com

Is it a Web API?

REST/JSON? Yes. SOAP/XML? Yes. HTTP/CSV? Yes.

Modern Timeline of Web APIs

2000 Salesforce API ebay API

2002 Amazon API

2004 Flickr API

2006 Twitter API Facebook API Google (Maps) API

2012 Programmableweb.com has 7144 registered APIs

Sources: apievangelist.com programmableweb.com

internetarchive.com Steve Yegge Rant

oreilly.com

2005 ebay makes APIs free

2004 First Web 2.0 Conference

2010 Salesforce adds HTTP API

2008 Programmableweb.com has 1000 registered APIs

2005 Programmableweb.com launched 54 APIs registered.

How have they grown, or exploded

Mobile is driving API publishers

The enterprise model: Start with private APIs…

…consider going public in the future

API’s From Internal Services § Create a new shiny API or enable our existing services

§  Integration for messages and security

§  Internal security verses external security

§ Who is using the service the most

§ How do we control the use

Applications Or Users § We don’t just want to trust the user what about the application?

§ Developers

- On boarding

- Controlling access

- Monitoring

- Managing

§ Will you allow application to store user credentials? Long term or per session

§ Do we trust all devices or platforms?

§ Do we trust Jail broken devices?

Single sign on issues § Multiple Applications

§ Multiple devices

§ Multiple APIs

§ Multiple API providers

§  Integration with cloud services

How are we tackling this § New security models

§ Oauth

§ Open ID connect

§  SAML

§  Tried and tested approaches

-  SSL, Basic Auth, WS Security, XML security

-  Standard threats

§ Multiple approaches per API

§  Brokering between the new world and the existing security

OAuth § Drafts keep changing (or did !!)

§ Can be complex

§  Picking the correct flow

§ Components which do I use.

§  Extensions

§  Brokering with existing security

Open ID Connet § OAuth based solution for authentication

§ Gives access to attributes.

§ Giving access to identities outside the enterprise

§ Helps scale and agility

§ Who is coming through the door

§  Tracking and audit

SAML §  Still there as a very valid solution

§  Supported for federated SSO such as SFDC

§ Can be considered heavyweight and complex

§  B2B solutions still like SAML

§  STS deployments

SAML

WS-­‐*  

Flexibility is the new challenge

LDAP

PKI

The primary API management challenge:

Balancing Control and Accessibility

API publishers want to encourage utilization

Low barriers to access Self service Self documenting

But, API publishers also want to restrict access to APIs

Smart rate limiting Security enforcement Brand control

Architects want API gateways

Gateway

API

API

Thank you Aran White

awhite@layer7.com