February 29th, 2012

Upcoming Webinar: Simplifying API Access Control with OAuth

Extending Existing IAM Technology for Enterprise API Access Control featuring 451 Research

Access control is a key aspect of API management. When an enterprise launches an API, identity and access management (IAM) will be among its most pressing concerns. But access control is handled differently for APIs than it is for the Web or even Web services. This can present difficulties for an enterprise that wants to reuse its existing IAM infrastructure to provide access control for APIs.

On March 14, I’ll be co-presenting a webinar called Simplifying API Access Control with OAuth, alongside Steve Coplan of 451 Research. We’ll be exploring a good deal of the ground around API access control and OAuth but with a particular focus on how existing IAM and Single Sign-On (SSO) systems can be extended to integrate with API-enabled applications and services.

In addition to discussing how enterprises can extend their existing IAM and SSO investments for API access, we’ll be looking at:

  • What security and management concerns are created by open APIs
  • How enterprises can address key IAM challenges when securing APIs
  • Why OAuth is becoming central to API access control

Space is limited – so, if you’re interested, sign up today!

February 27th, 2012

New Solution Brief: API Management for Mobile

API Management for Mobile

Increasingly, mobile is one of the major factors driving enterprises to expose their information assets via APIs. With the BYOD movement bringing mobile into the workplace and some forward-thinking enterprises equipping their employees with tablets, there is a growing need for enterprise-level apps that leverage systems and data exposed via APIs.

Of course, allowing enterprise data to be accessed from smartphones and tablets (via public networks) creates a range of concerns around security and performance. The security risks are clear – perhaps less well understood is the fact that, for apps to perform efficiently, data will need to be filtered and transformed into formats and protocols suitable for mobile.

Layer 7’s new API Management for Mobile solution brief explains how our API Management Suite of products delivers everything enterprises need to address the data security and performance management concerns raised by integrating enterprise assets with mobile devices. To find out more download the solution brief now.

February 24th, 2012

Upcoming XACML Training Workshops

XACML Integration

With the advent of APIs in the enterprise comes the need for a new security model. An effective runtime security strategy for the type of open integration environment created by APIs requires the deployment of three intertwined elements – a policy enforcement point, a policy decision point and an attribute service.

Layer 7’s SecureSpan API Proxy fits into this strategy as the policy enforcement point. The API Proxy verifies/authenticates any incoming message before assembling a standard XACML request, which is then sent to the policy decision point. Layer 7 offers easy integration with leading policy decision point technologies from Axiomatics and Radiant Logic.
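The following is an added example, not Layer 7 code, of the policy enforcement point role described above: the PEP authenticates the incoming call, assembles a standard XACML 3.0 Request, hands it to a policy decision point and enforces the returned Decision. The API-key table, the policy and the in-process stub PDP are all constructed so that the example runs offline; a real PEP would send the same XML to the PDP's endpoint instead of calling a local function.

```python
"""
Added example (not Layer 7 code): a minimal XACML policy enforcement point.
Authenticate -> build XACML 3.0 Request -> ask PDP -> enforce Decision.
The PDP is a constructed in-process stub so the example runs offline.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ET.register_namespace("", XACML)  # serialise XACML as the default namespace


def q(tag: str) -> str:
    """Qualify a tag with the XACML 3.0 namespace for ElementTree."""
    return f"{{{XACML}}}{tag}"


# Constructed credential table standing in for the proxy's authentication step.
API_KEYS = {"key-alice": "alice", "key-bob": "bob"}


def authenticate(api_key: str) -> Optional[str]:
    """Map a presented API key to a subject, or None if the key is unknown."""
    return API_KEYS.get(api_key)


def build_request(subject: str, resource: str, action: str) -> bytes:
    """Assemble the standard XACML 3.0 Request the PEP sends to the PDP."""
    req = ET.Element(q("Request"), {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for category, attr_id, value in (
        (SUBJECT_CAT, SUBJECT_ID, subject),
        (RESOURCE_CAT, RESOURCE_ID, resource),
        (ACTION_CAT, ACTION_ID, action),
    ):
        attrs = ET.SubElement(req, q("Attributes"), {"Category": category})
        attr = ET.SubElement(attrs, q("Attribute"), {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, q("AttributeValue"), {"DataType": XS_STRING}).text = value
    return ET.tostring(req, encoding="utf-8")


# Constructed policy for the stub PDP: (resource, action) -> permitted subjects.
STUB_POLICY = {
    ("/api/v1/orders", "GET"): {"alice", "bob"},
    ("/api/v1/orders", "POST"): {"alice"},
}


def stub_pdp(request_xml: bytes) -> bytes:
    """Stand-in PDP: reads the Request, applies STUB_POLICY, returns a Response."""
    root = ET.fromstring(request_xml)
    values = {}
    for attrs in root.findall(q("Attributes")):
        values[attrs.get("Category")] = attrs.findtext(f"{q('Attribute')}/{q('AttributeValue')}")
    key = (values.get(RESOURCE_CAT), values.get(ACTION_CAT))
    if key not in STUB_POLICY:
        decision = "NotApplicable"  # no policy covers this resource/action pair
    elif values.get(SUBJECT_CAT) in STUB_POLICY[key]:
        decision = "Permit"
    else:
        decision = "Deny"
    resp = ET.Element(q("Response"))
    ET.SubElement(ET.SubElement(resp, q("Result")), q("Decision")).text = decision
    return ET.tostring(resp, encoding="utf-8")


def enforce(api_key: str, resource: str, action: str,
            pdp: Callable[[bytes], bytes] = stub_pdp) -> Tuple[bool, str]:
    """PEP flow: authenticate, build the XACML request, ask the PDP, fail closed."""
    subject = authenticate(api_key)
    if subject is None:
        return False, "unauthenticated"  # never consult the PDP for an unverified caller
    response = pdp(build_request(subject, resource, action))
    decision = ET.fromstring(response).findtext(f"{q('Result')}/{q('Decision')}")
    # Only an explicit Permit lets the call through; Deny, NotApplicable,
    # Indeterminate and a malformed or missing Decision all fail closed.
    return decision == "Permit", decision or "malformed-response"


if __name__ == "__main__":
    print(build_request("alice", "/api/v1/orders", "POST").decode())
    for call in (("key-alice", "/api/v1/orders", "POST"),
                 ("key-bob", "/api/v1/orders", "POST"),
                 ("key-eve", "/api/v1/orders", "GET")):
        print(call, "->", enforce(*call))
```

The point to take from `enforce` is the fail-closed handling: the PEP treats anything other than an explicit Permit (including a PDP outage that yields no Decision at all) as a refusal, and it never builds a request for a caller it has not first authenticated.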

To help enterprise architects understand how XACML is used for this kind of integration, we’ve been organizing a series of workshops in collaboration with our friends at Axiomatics, Radiant Logic and SailPoint. Coming up, we’ve got events at the Mikrotek Training Facilities in San Francisco, Chicago and New York. Here are the details:

February 23rd, 2012

Upcoming RSA Conference Talk: Hacking’s Gilded Age – How APIs Will Increase Risk & Chaos

RSA Conference 2012

I’m going to be speaking about API security at next week’s 2012 RSA Conference. I gave this talk the provocative title Hacking’s Gilded Age — How APIs Will Increase Risk & Chaos. It’s scheduled for Friday, March 2, 2012 at 10:10am in room 302.

Here’s the long form of the abstract, which gives a little more detail of what I’m going to cover in the talk than the short abstract that’s online does:

This session will explore why APIs (which are largely RESTful services) are fundamentally different than conventional Web sites, despite the fact that they share common elements such as the HTTP protocol. Web sites abstract back-end applications behind a veneer of HTML that should — if it is well-designed — constrain capability and thus limit an organization’s security exposure. APIs, in contrast, represent a more explicit interface leading directly into applications. These often self-document their intent and thus provide a hacker with important clues that may reveal potential attack vectors — from penetration to denial-of-service. Because of this, APIs require a much more sophisticated model for access control, confidentiality around parameters, integrity of transactions, attack detection, throttling and auditing.

But aside from the technological differences, there are cultural differences in the Web development community that considerably increase the risk profile of using APIs. Many API developers have backgrounds in Web site development and fail to understand why APIs demand a more rigorous security model than the Web sites they were trained on. In a misguided attempt to promote agility, convenience is often chosen over precaution and rigor. The astonishingly rapid rise of RESTful services over SOAP, OAuth over SAML, API keys over certificates and SSL (or nothing) over WS-Security is a testament to fast-and-informal prevailing over complex-and-standardized.

Nevertheless, it is certainly possible to build secure APIs and this session will demonstrate specifically how you can spearhead a secure and scalable API strategy. For every bad practice, we will offer an alternative pattern that is simple-but-secure. We will explicitly show how the API community is dangerously extending some Web paradigms, such as avoiding general use of SSL or not protecting security tokens, into the API world where the cost of failure is far greater. And finally, we will prescribe a series of directives that will steer developers away from the risky behaviors that are the norm on the conventional Web.
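As an added illustration of the "simple-but-secure alternative pattern" idea in the abstract (this is example code written for this page, not material from the talk or from Layer 7), the block below contrasts two ways an API gateway can handle an API key. `accept_insecure` is the Web-habit version the abstract warns about: key in the URL over plain HTTP, stored in the clear, no throttling. `accept_hardened` is the alternative: TLS required, key carried in the Authorization header, only a digest stored, constant-time comparison, and a per-key request throttle. Key values, client names, the rate limit and the request objects are constructed for the example.

```python
"""
Added example (not from the talk or from Layer 7): the insecure Web-style
API-key pattern beside a simple-but-secure alternative for an API gateway.
All keys, subjects and limits below are constructed values.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    scheme: str          # "http" or "https"
    query: Dict[str, str]
    headers: Dict[str, str]
    client_ip: str


# ---- the pattern the abstract warns about -----------------------------------
PLAINTEXT_KEYS = {"k-1234": "alice"}  # readable by anyone who can read the store or a backup


def accept_insecure(req: Request) -> Optional[str]:
    """Key in the query string: it lands in proxy logs, browser history and
    referrer headers, travels over plain HTTP, and is compared against a
    plaintext table. Returns the subject or None."""
    return PLAINTEXT_KEYS.get(req.query.get("api_key", ""))


# ---- the simple-but-secure alternative --------------------------------------
def _digest(key: str) -> str:
    """Only a digest of each key is kept at rest."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


HASHED_KEYS = {_digest("k-1234"): "alice"}  # constructed: digest -> subject

RATE_LIMIT = 5        # requests per window per subject (constructed value)
WINDOW_SECONDS = 60
_windows: Dict[str, tuple] = {}  # subject -> (window_start, count)


def _throttled(subject: str, now: float) -> bool:
    """Fixed-window counter; True when the subject has exceeded RATE_LIMIT."""
    start, count = _windows.get(subject, (now, 0))
    if now - start >= WINDOW_SECONDS:
        start, count = now, 0
    count += 1
    _windows[subject] = (start, count)
    return count > RATE_LIMIT


@dataclass
class Outcome:
    allowed: bool
    subject: Optional[str]
    reason: str


def accept_hardened(req: Request, now: Optional[float] = None) -> Outcome:
    """TLS required, key in Authorization header, digest-only storage,
    constant-time comparison, per-subject throttle. Fails closed."""
    now = time.time() if now is None else now
    if req.scheme != "https":
        return Outcome(False, None, "tls_required")  # never accept a key in the clear
    auth_scheme, _, key = req.headers.get("Authorization", "").partition(" ")
    if auth_scheme != "Bearer" or not key:
        return Outcome(False, None, "missing_credential")
    presented = _digest(key)
    subject = None
    for stored, owner in HASHED_KEYS.items():  # compare_digest avoids timing leaks
        if hmac.compare_digest(stored, presented):
            subject = owner
    if subject is None:
        return Outcome(False, None, "bad_key")
    if _throttled(subject, now):
        return Outcome(False, subject, "throttled")
    return Outcome(True, subject, "ok")


if __name__ == "__main__":
    print(accept_insecure(Request("http", {"api_key": "k-1234"}, {}, "203.0.113.7")))
    good = Request("https", {}, {"Authorization": "Bearer k-1234"}, "203.0.113.7")
    for i in range(RATE_LIMIT + 1):
        print(accept_hardened(good, now=1000.0 + i))
```

The `now` parameter exists so the throttle can be exercised deterministically; in production the wall clock is used. A fixed-window counter is the simplest throttle that demonstrates the idea; a token bucket smooths bursts better but adds no new security property here.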

I hope you can attend. And if you do, please come up after the talk and say hello.

See you next week in San Francisco!

February 22nd, 2012

New Data Sheet: Layer 7 API Management Suite

Layer 7 API Management Suite Data Sheet

There are many pieces to the API management puzzle – securing exposed data, on-boarding developers, managing identities and so on. There’s already a decent selection of API management products on the market and with awareness of the whole concept growing, you can bet there’s more to come.

As the number and variety of API management products continues to grow, Layer 7’s goal is to continue providing the most comprehensive enterprise-level solution on the market. Our API Management Suite of products is uniquely placed to give enterprises everything they need in order to securely expose APIs, manage developers and leverage key technologies like OAuth.

Our new Layer 7 API Management Suite data sheet provides detailed information on our full range of API products, including the API Portal, SecureSpan API Proxy, Enterprise Service Manager and OAuth Toolkit. So, to find out how we’re responding to the challenge of enterprise-level API publishing, read the data sheet today.