August 30th, 2012

Tech Talk, September 4: Publishing Cloud APIs

More and more businesses are moving applications and data to cloud-based infrastructure. The integration models and vendor offerings that facilitate this are pretty diverse (SaaS, IaaS, PaaS, vCloud, AWS, OpenStack… ) but there is a common thread: the need for APIs with which these services can be managed and maintained.

The importance of APIs continues once the infrastructure is in place. Applications in the cloud can expose their own APIs, opening data access to partners, mobile devices or other cloud technologies. This raises questions around how enterprises can effectively leverage cloud APIs while addressing the security and management concerns that will inevitably arise.

I’ll be discussing some of these concerns when I take part in Layer 7’s latest Tech Talk on Tuesday September 4 at 9am PDT/12pm EDT/5pm BST. The subject matter will be Publishing Cloud APIs and – like all our Tech Talks – this interactive Q&A will be broadcast live on the Layer 7 Facebook page and via Livestream.

Here’s how you can join the conversation: tune in to the live broadcast and feel free to ask questions around:

  • Securely exposing APIs from a cloud-based solution
  • Orchestrating APIs for value-added interfaces
  • Enforcing access control and threat protection across hybrid cloud environments

I’m looking forward to chatting with you. Don’t forget to add the Tech Talk to your calendar. See you on Tuesday!

 

August 29th, 2012

Using WebSockets – Part 2: A Real-Time Challenge

In the previous blog post in this series (Using WebSockets – Part 1: Minding the Gates), Ronnie Mitra talked about the promise of the WebSocket protocol, as well as some of its security aspects. In this post, I’ll talk about some of the details of the protocol and what they mean for those planning their own WS implementations.

The first thing to keep in mind is that WebSocket is an application-layer protocol with its own registered URI schemes (ws: and wss:). The specification describes it as: “… intended to be as close to just exposing raw TCP to script as possible.” This is very different from HTTP, which is “… an application-level protocol for distributed, collaborative, hypermedia information systems.”

That’s good and bad news. It means you have almost the full range of TCP at your disposal. It also means you have none of the established constraints and conventions of the more detailed and focused HTTP specification. This has implications for both design and implementation of WS solutions.

Originally designed with Web browsers in mind, the WS protocol can also be implemented for mobile, desktop, and other stand-alone clients. There are quite a few checks and balances in the specification in order to make it easy (and safe) for browsers to switch from HTTP to WS conversations, all from JavaScript.

However, since many installed browsers do not yet natively support the WS protocol, these checks and balances are not always employed. Instead, WebSockets implementations often take advantage of browser workarounds and fallbacks, in order to support the real-time communications the WS protocol was designed to provide.

It’s also important to remember that the specification states: “While this protocol is intended to be used by scripts in web pages, it can also be used directly by hosts [which] can therefore send fake ‘Origin’ header fields, misleading the server.” An Origin check only protects you from pages on other sites driving a browser; it is not proof of who the client is. Implementations that will receive requests from non-browser clients should not rely on Origin alone and should include additional checks, such as a credential, to ensure these requests are valid.

Finally, because the protocol was designed for real-time communication, it does not scale the way HTTP does. The server keeps a connection open to every active client so that it can track them and push content to them, which means it must hold (or persist) state for each connected client, including detecting when a client is no longer connected.

If your current HTTP implementations already rely on server-side session state, you may not notice much difference in the scaling limits of WS. Remember though, the Web’s scaling success rests largely on HTTP’s ability to serve client requests without server-persisted data, and some software and implementation patterns designed for HTTP will not carry over to WS.
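Here is the minimum of that per-client state, as an added example (not from the post) in Node.js: a registry that remembers every open connection, pings clients that have gone quiet, drops the ones that never answer, and treats a failed send during a broadcast as a dead connection. The frame sender is abstracted as a function and the clock is injected so the logic runs without sockets or timers; the timeouts and the `{ op: ... }` frame shape are assumptions.

```javascript
// Server-side bookkeeping for open WebSocket connections. Each client is
// remembered with the time it was last heard from; `send` is whatever writes
// a frame to that client's socket, and `now` is injected for testability.
class ClientRegistry {
  constructor({ pingAfterMs = 30000, dropAfterMs = 60000, now = Date.now } = {}) {
    this.pingAfterMs = pingAfterMs;
    this.dropAfterMs = dropAfterMs;
    this.now = now;
    this.clients = new Map(); // id -> { send, lastSeen, pingSent }
  }

  add(id, send) {
    this.clients.set(id, { send, lastSeen: this.now(), pingSent: false });
  }

  remove(id) {
    return this.clients.delete(id);
  }

  // Call for every frame received from a client, data frames and pong
  // frames alike: any traffic proves the peer is still there.
  touch(id) {
    const c = this.clients.get(id);
    if (c) { c.lastSeen = this.now(); c.pingSent = false; }
  }

  size() {
    return this.clients.size;
  }

  // Periodic maintenance. A TCP peer that vanished does not announce itself,
  // so quiet clients are pinged once, and dropped if they stay quiet past
  // the deadline. Returns what was done so callers can log or assert on it.
  sweep() {
    const t = this.now();
    const pinged = [], dropped = [];
    for (const [id, c] of this.clients) {
      const idle = t - c.lastSeen;
      if (idle >= this.dropAfterMs) {
        this.clients.delete(id);
        dropped.push(id);
      } else if (idle >= this.pingAfterMs && !c.pingSent) {
        c.send({ op: 'ping' });
        c.pingSent = true;
        pinged.push(id);
      }
    }
    return { pinged, dropped };
  }

  // Fan a message out to every client; a send that throws means the socket
  // is gone, so the client is forgotten. Returns the number of deliveries.
  broadcast(payload) {
    let delivered = 0;
    for (const [id, c] of this.clients) {
      try {
        c.send({ op: 'text', data: payload });
        delivered++;
      } catch (e) {
        this.clients.delete(id);
      }
    }
    return delivered;
  }
}
```

A real server calls `sweep()` from a timer and `touch()` from its frame handler; the point is that all of this is state the HTTP request/response model never asked you to keep.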

Implementing WS is not for the faint-of-heart: it’s not yet widely supported on installed browsers; it uses a different implementation model; it takes more effort/resources to scale it up as services become popular. However, there are some good libraries for coding WS solutions and it can be relatively easy to get started on implementing WebSockets.

But be ready. If you experience great success, you’re likely to have a challenge on your hands!

August 28th, 2012

Mobile API Best Practice: Traffic Compression

Despite how simple it is to support, compressing API traffic is an often-overlooked optimization. In situations where an API returns verbose resources, compressing the payload is a great way to reduce latency. JSON and XML, for example, are highly compressible formats.

APIs targeting mobile applications should pay special attention to improving call latency, as mobile apps are often used in bandwidth-constrained situations (e.g. using a mobile app on your smartphone connected to an airport wifi). One should set aggressive targets for these latencies, in order to maintain a positive user experience. Although UX specialists have many tricks up their sleeves, they can’t hide a 10-second API response time. Can your API always respond in 100ms or less under bad connections? Better?

Layer 7’s Gateways have built-in gzip compression of REST API traffic. Most client-side frameworks also support this encoding. Compression is negotiated by the requesting application, which simply adds the following HTTP header to its requests:

accept-encoding: gzip

iOS sample:

[urlReq setValue:@"gzip" forHTTPHeaderField:@"Accept-Encoding"];
// Foundation inflates a gzip-encoded response body transparently.

Android sample:

URL url = new URL(urlString);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setRequestProperty("Accept-Encoding", "gzip");
// Android's transparent gzip handling applies only when the app leaves
// Accept-Encoding alone, so inflate the body here when it arrives compressed.
InputStream in = conn.getInputStream();
if ("gzip".equalsIgnoreCase(conn.getContentEncoding())) {
    in = new GZIPInputStream(in);
}

JavaScript sample:

var ajax = new XMLHttpRequest();
// Browsers add Accept-Encoding themselves and silently ignore attempts to set
// it from script, so in a browser this call is a no-op; compression still happens.
ajax.setRequestHeader('Accept-Encoding', 'gzip');

Any API traffic flowing through Layer 7’s SecureSpan API Proxy or SecureSpan Mobile Access Gateway automatically benefits from this compression.

Although the reduced-latency benefit of gzip encoding resources is more pronounced for larger resources and low-bandwidth networks, the compression tradeoff on the client side is negligible. API providers and mobile application developers should consider adopting this mode by default.

In addition to response compression, Layer 7 Gateways also accept gzip-encoded request messages. This reduces latency on the client side too, when requests carry compressible payloads. For example, consider an HTTP PUT with Content-Type: application/json. The client application declares the compressed body with the Content-Encoding HTTP header as part of the request:

PUT /aresource HTTP/1.1
Content-Type: application/json
Content-Encoding: gzip

[gzip encoded]{
  "a": "large and complex json here"
}[gzip encoded]

When a Layer 7 Gateway detects that an API requester declares this “preemptive” compression, it will not only automatically decompress the request at the perimeter but also compress the response using the same mechanism by default (if the response has a payload).

HTTP/1.1 200 OK
Content-Type: application/json
Content-Encoding: gzip

[compressed response]

August 24th, 2012

Layer 7 at VMworld 2012

VMworld 2012 kicks off at the Moscone Center in San Francisco this week. At the event, VMware will be making some exciting announcements around the delivery and management of public and private clouds using automation technologies.

Rapid deployment and onboarding has always been a key requirement for Layer 7 solutions, which is what initiated our strong partnership with VMware years ago. These announcements will showcase the next step in that evolution.

Layer 7 will be presenting at the VMworld Solutions Exchange and we’d love for you to stop by to talk about how we take advantage of the latest VMware technology. Come discuss your use case and find out how we can:

  • Protect and manage vCloud APIs
  • Securely expose APIs from a vCloud-based solution
  • Govern infrastructures based on the vCloud Architecture Toolkit (vCAT)
  • Orchestrate APIs for value-added interfaces
  • Dynamically provision vApps from policy based on SLAs
  • Enforce access control and threat protection across hybrid cloud environments

We’ll also be giving demonstrations of our VMware Ready certified products, including the SecureSpan Mobile Access Gateway and Layer 7 API Portal. In case you can’t catch us on the west coast, we’ll also be at the VMware Forum in Toronto on September 20.

August 22nd, 2012

From the Vault: Understanding Mobile IAM with Forrester Research

In the new hybrid enterprise, organizations need to manage business functions that flow across their domain boundaries in all directions. Increasingly, this means using APIs as conduits for opening up information to services running in the cloud and apps running on mobile devices like the iPad. For enterprises, securing and governing these APIs is not straightforward.

Meanwhile, BYOD is making Mobile Access an urgent issue for enterprises, forcing them to make application functionality available to app developers in a consistent, easily-consumable, mobile-optimized manner, via APIs. Enterprise technologies are therefore evolving to support API-based mobile interactions.

Identity and access management (IAM) represents a key concern for enterprise IT and it is particularly crucial in BYOD/enterprise mobile scenarios. Mobile IAM requires fundamentally new approaches and the adoption of new standards such as OAuth.

These are some of the most critical issues facing IT departments today, but the associated techniques and technologies are not necessarily that well understood in the enterprise world. I’d therefore like to take this opportunity to flag up some relevant webinars from the Layer 7 archive, all of which feature Forrester Research.

If you’re facing the challenge of ensuring secure access in an enterprise mobile scenario, these resources should help you make sense of the issues:

  • How to Make Your Enterprise Applications Mobile Ready, Fast
    Leverage backend mobile middleware to deliver mobile-ready enterprise APIs
  • Identity, Access & Privacy in the New Hybrid Enterprise
    Make sense of OAuth, OpenID Connect and UMA
  • A Practical Guide to API Security & OAuth for the Enterprise
    Implement OAuth as part of an enterprise-level API security solution