February 20th, 2012

Layer 7 at GSMA Mobile World Congress

The ubiquity of mobile devices is something we’ve all become used to in recent years. Still, the remarkable popularity of Apple’s iPad seems to have kicked things up another notch. The whole BYOD phenomenon has finally brought Apple hardware and software into the enterprise. Meanwhile, for many of us, the iPad (or similar tablet product) is becoming the primary means by which we consume content – newspapers, TV, music, you name it!

With new tablets coming on the market and consumers demanding more and more mobile access to content, API management is becoming an increasingly pressing concern for content providers. At Layer 7, we’ve been following these developments closely, while providing API management and security solutions to some big names in content delivery and mobile communications, including Orange.

We’ll be demonstrating our mobile API products at the end of this month, when we set up shop at the GSMA Mobile World Congress in Barcelona (February 27-March 1). This is undoubtedly the big mobile industry event of the year, so it’ll be exciting to be in the thick of things. The fact that it’s happening in a city as spectacular as Barcelona is just the icing on the cake. If you’re lucky enough to be attending, you’ll find us at booth 2.1A79.

February 16th, 2012

The Resilient Cloud for Defense: Maintaining Service in the Face of Developing Threats

Skill at computing comes naturally to those who are adept at abstraction. The best developers can instantly change focus — one moment they are orchestrating high-level connections between abstract entities, the next they are sweating through the side effects of each individual line of code. Abstraction in computing not only provides necessary containment, it also offers clear boundaries. There is also something very liberating about that line you don’t need to cross. When I write Java code, I’m happy to never think about byte code (unless something is going terribly wrong). And when I did board-level digital design, I could stop at the chip and not think much about individual gates or even transistors. It is undeniably important to understand the entire stack but nothing would ever get done without sustained focus applied to a narrow segment.

Cloud is the latest in a long line of valuable abstractions that extend the computing stack. It pushes down complex details of systems and their management under a view that promotes self-service and elastic computing. In this way, Cloud is as liberating for developers as objects were over assembler.

The physical location of resources is one of the first and most important casualties of such a model. Cloud means you should never have to worry about the day a power failure hits the data center. Of course the truth is that, as you move down the stack from Cloud to system through transistor to electron, physical location matters a lot. So, any Cloud is only as good as its ability to accommodate any failure of the real systems that underpin the resource abstraction.

Layer 7 has recently become involved in an interesting project that will showcase how Cloud providers (public or private) can manage Cloud workloads in the face of threats to their underlying infrastructure. The inspiration for this project is the following display from ESRI, one of the world’s leading GIS vendors:

ESRI developed this display to illustrate wireless outages as a storm rips through central Florida. Suppose that, instead of a wireless base station, each green diamond represents a data center that contributes its hardware resources to a Cloud. As the storm moves through the state, it may affect power, communications and even physical premises. Workloads in the Cloud, which ultimately could map to hardware hosted inside at-risk sites, must be shifted transparently to locations that are at less risk of catastrophic failure.

Today, few Clouds offer the mass physical dispersion of compute hardware suggested by this display. Amazon Web Services, for instance, has the concept of an availability zone, which consists of several massive data centers interconnected within a region (such as US-East, which is in the Dulles area, or EU, which is hosted in Ireland). Amazon’s Cloud is designed to leverage this regional redundancy in order to provide continuous service in the event of a site failure.

This big data center approach makes perfect sense for a service like Amazon. There will always be a place for the large data center that leverages commodity hardware deployed on a breathtaking scale. But there is an alternative that I think is set to become increasingly important. This is the Cloud composed of many smaller compute facilities. We will increasingly see large Clouds coalesce out of multiple small independent hardware sites — more SETI@home than supercomputer. This is where our initiative provides real value.

These highly mobile, micro-Clouds make particular sense in the defense sector. Here, compute resources can be highly mobile and face threats more diverse and much less predictable than hurricanes. This is an arena in which the physical shape of the Cloud may be in continuous change.

This project is being done as a “catalyst” within the TM Forum and we will show it at the TM Forum Management World 2012 show in Dublin this May. Catalysts are projects that showcase new technology for executives in the telecommunications and defense industries. This catalyst is sponsored by Telstra and it brings together a number of important contributors, including:

Watch this space for more information. Hope to see you in Dublin!

February 15th, 2012

Workshop: API Security for Mobile & Cloud

Layer 7 will be at the RSA Conference next week, with CTO Scott Morrison and Director of Solutions Engineering Francois Lascelles both giving presentations. We’ll also be sponsoring the Cloud Security Alliance’s CSA Summit 2012, which will be taking place at the conference, on the 27th.

As part of our activities at the CSA Summit, we’ll be holding an enterprise-level workshop called API Security for Mobile & Cloud. The workshop will be held at the W Hotel, between 1pm and 5pm. Sessions will include:

  • Open APIs: The New Enterprise Imperative for Mobile & Cloud & Security Implications
  • API Security & Management Best Practices
  • Managing API Access Through OAuth
  • API Threat Protection & Metering
  • Enabling API Discovery & Developer Self-Service – An API Developer Portal Example

The workshop will include lunch, a networking session and guest speaker Caleb Sima of Andreessen Horowitz, one of the leading venture capital firms in Silicon Valley. Caleb has been engaged in the Internet security arena since 1996 and has become widely recognized as one of the leading experts in Web security, penetration testing and the identification of emerging threats. He is a highly in-demand speaker, press resource and is regularly featured in the Associated Press and global security media.

Space is limited, so if you’re going to be attending the CSA Summit, be sure to register for the workshop today.

February 13th, 2012

OAuth Token Management

Tokens are at the center of API access control in the enterprise. Token management, the process through which the lifecycle of these tokens is governed, emerges as an important aspect of enterprise API management.

OAuth access tokens, for example, can have a lot of session information associated with them:

  • Scope
  • Client ID
  • Subscriber ID
  • Grant type
  • Associated refresh token
  • A SAML assertion or other token the OAuth token was mapped from
  • How often it’s been used, from where

While some of this information is created during OAuth handshakes, some of it continues to evolve throughout the lifespan of the token. Token management is used during handshakes to capture all relevant information pertaining to granting access to an API and it makes this information available to other relevant API management components at runtime.


During runtime API access, applications present OAuth access tokens issued during a handshake. The resource server component of your API management infrastructure, the Gateway controlling access to your APIs, consults the token management system to assess whether or not the token is still valid and to retrieve information associated with it, which is essential to deciding whether or not access should be granted. A valid token is not in itself sufficient. Does the scope associated with it grant access to the particular API being invoked? Does the identity (sometimes identities) associated with it also grant access to the particular resource requested? The token management system also updates the runtime token usage for later reporting and monitoring purposes.

The ability to consult live tokens is important not only to API providers but also to owners of the applications to which they are assigned. A token management system must be able to deliver live token information, such as statistics, to external systems. An open API-based integration is necessary for maximum flexibility. For example, an application developer may access this information through an API developer portal, whereas an API publisher may get this information through a BI system or ops-type console. Feeding such information into a BI system also opens up the possibility of detecting potential threats from unusual token usage (frequency, location-based, etc.). Monitoring and BI around tokens therefore relates directly to token revocation.

As mobile applications represent one of the main drivers of API consumption in the enterprise, the ability to easily revoke a token when, for example, a mobile device is lost or compromised is crucial to the enterprise. The challenge around providing token revocation for an enterprise API comes from the fact that it can be triggered from so many sources. Obviously, the API provider itself needs to be able to easily revoke any tokens if a suspicious usage is detected or if it is made aware of an application being compromised. Application providers may need the ability to revoke access from their side and – obviously – service subscribers need the ability to do so as well. The instruction to revoke a token may come from enterprise governance solutions, developer portals, subscriber portals etc.

Finally, the revocation information is essential at runtime. The resource server authorizing access to APIs needs to be aware of whether or not a token has been revoked.

The management of API access tokens is an essential component of enterprise API management. This token management must integrate with other key enterprise assets, ideally through open APIs. At the same time, token data must be protected and its access secured.
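As an added illustration (not Layer 7's code), the following Python sketch models the runtime check described in this post: a hypothetical token store holding the session data the post lists, with revocation and usage tracking, consulted by a resource server before it grants access. The scope names, subscriber IDs, the resource-owner check and the method names are assumptions.

```python
import time
from dataclasses import dataclass, field

@dataclass
class TokenRecord:
    """Session data the post lists as attached to an OAuth access token."""
    scope: frozenset
    client_id: str
    subscriber_id: str
    grant_type: str
    expires_at: float
    refresh_token: str = ""
    revoked: bool = False
    use_count: int = 0  # updated at runtime for later reporting and monitoring
    seen_from: set = field(default_factory=set)

class TokenStore:
    """Hypothetical token-management system the resource server consults."""
    def __init__(self):
        self._tokens = {}

    def issue(self, token, **attrs):
        # Captured during the OAuth handshake (constructed values in the test).
        self._tokens[token] = TokenRecord(**attrs)
    def revoke(self, token):
        # May be triggered by the API provider, the app owner or the subscriber.
        if token in self._tokens:
            self._tokens[token].revoked = True
    def usage(self, token):
        # Live usage data a developer portal or BI system would pull over an API.
        rec = self._tokens[token]
        return rec.use_count, sorted(rec.seen_from)
    def authorize(self, token, required_scope, resource_owner, client_ip, now=None):
        """Return (allowed, reason) for a token presented against a resource."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.revoked:
            return False, "token revoked"
        if now >= rec.expires_at:
            return False, "token expired"
        rec.use_count += 1  # record runtime usage even if the checks below fail
        rec.seen_from.add(client_ip)
        if required_scope not in rec.scope:  # a valid token is not enough...
            return False, "scope does not cover this API"
        if rec.subscriber_id != resource_owner:  # ...identity must fit the resource
            return False, "subscriber may not access this resource"
        return True, "ok"
```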

February 13th, 2012

Enterprise Apps & APIs: Current State

I really enjoyed presenting my first Layer 7 webinar last Wednesday, discussing enterprise mobile access and the “bring your own device” (BYOD) movement. This movement is snowballing and is even hitting the mainstream radar, as this Globe & Mail article attests. We can all speculate about what the ultimate impact will be on enterprise IT – and I certainly did that in the webinar – but we have to start from where we stand today. Therefore, here are some answers to the “current state” questions attendees asked at the end of the webinar…

How secure can mobile really be? Can it be used in government or defense organizations?
As Nathan Clevenger observes in his book iPad in the Enterprise, the increasing consumerization of IT has reversed the innovation flow. Whereas government research used to lead to technological invention that would be leveraged by businesses and then packaged for consumers (think silicon chips), we are now seeing consumer technology being embraced by business – and high-security government agencies are relatively late adopters due to their data protection concerns. However, mobile is definitely not being rejected by these organizations, since the potential increase in productivity and cost savings are way too high to ignore. At Layer 7, we feel strongly that our solutions can help the most secure organizations embrace mobile and Cloud strategies, as we are able to open up those new worlds while preserving existing security policies and even leveraging existing security infrastructure through new methods such as OAuth.

Have you seen enterprise customers moving apps to the Cloud to support the scale required for mobile?
Mobile app traffic has the potential to increase Enterprise API volumes by orders of magnitude. We’ve worked with clients who have gone through this exponential growth. This means more revenue for these companies but their infrastructure must be able to handle these new peaks. Satisfying this demand is absolutely driving migration of enterprise workloads to the Cloud. We recently did a webinar with Amazon and Best Buy on just this type of solution and are happy to report that Black Friday went off without a hitch. Our Layer 7 solutions are able to help on both sides of this equation: securing and scaling inbound mobile connections, as well as outbound to the Cloud.

Do you see enterprises using the API Portal mostly for internal or external developers?
Currently, much of the focus of mobile app development is in the public domain. Start-ups and established companies alike are looking to populate the Apple App Store and the Android Market. As we get further along the maturity curve of enterprise mobile migration, more and more apps will be developed explicitly for employees and companies will move to mobile device management for app distribution, as using public repositories will no longer be an option. So today, most of our Portal users are providing APIs for use by external developers but we expect to see a dramatic increase in enterprise portal usage for in-house development.

We’re at the start of a very exciting enterprise IT transformation and I hope these answers provide some insight into where we are today. Now, back to the future…