December 5th, 2012

APIs & the Business of Telecoms

APIs are the foundation of modern business. Everything we do, from buying a coffee to checking the weather or booking a flight, is supported by a robust API architecture in the background. Businesses likewise assume that they can exchange information and build compelling new services based on APIs.

This is causing disruption across industry sectors but also opportunity and it is having a particularly marked impact on the telecommunications industry. With the proliferation of next-generation communication services, consumers and enterprises alike are looking beyond their network service providers and finding exciting new ways to consume content, engage with businesses and communicate with friends or colleagues.

Telcos haven’t been ignoring this by any means, yet several iterations of failed API strategy have led not only to lost revenue opportunities but – in many cases – huge expense as well. However, now is not the time to cast aside these investments or ignore the exploding API economy – and in fact, we’ve heard plenty of success stories from companies that took the correct approach. Telcos must participate and open up more and more services to keep pace with this economy. And they must do so without compromising data and network security.

Layer 7’s new white paper, APIs & the Business of Telecoms, written by independent telecommunications thought leader Alan Quayle, aims to help telcos understand how they can quickly address the functional and non-functional requirements of a successful API exposure program. This is essential reading for all telcos – APIs really are the future!

December 3rd, 2012

A Break in the Clouds

A recent study by researchers at North Carolina State University and the University of Oregon describes a threat scenario that allows attackers to exploit cloud-based resources for malicious purposes like cracking passwords or launching denial-of-service attacks. The study has gotten a lot of attention, including articles in reputable sources like Dark Reading, Ars Technica and Network World.

In order to optimize the performance of mobile apps or browsers, some computation-heavy functions have been offloaded to cloud-based resources, which in turn access backend resources and Web pages. This creates a middle ground in the cloud that is exploited in the attack, which the authors call “Browser Map Reduce (BMR)”. In reading the paper, it’s clear that this is a legitimate threat. The authors actually carried it out using free resources, although they limited the scope in order not to be abusive.

Aside from curiosity about the mechanics of the vulnerability, the obvious question is this: How can we mitigate this threat? Here are a few perspectives, along with a mitigation for each.

Apps – This “cloud offload” architecture has arisen because of the processing limitations of mobile devices. When a backend resource is requested by a mobile user, it makes sense to have the data returned in the most consumable format, in order to optimize user experience. Whenever possible, instead of doing this through “browser offload”, data should be returned as JSON objects. This API approach is a proven method that works for mobile devices and is not subject to the BMR threat.

Cloud Services – This threat should not be viewed as a dismissal of the “cloud offload” approach. Cloud-based resources are necessary for handling caching, data indexing and other key functions in the mobile paradigm. However, it serves as a warning that these dedicated cloud-based resources cannot be considered part of a walled garden that includes the associated mobile app. The resource’s entry point must be protected against attackers. Layer 7’s SecureSpan Mobile Access Gateway is an ideal choice for this access control, as it uses identity-based measures to ensure that only requests from legitimate sources are serviced.

Web-Based Resources – Although the backend Web resource was not exploited in this scenario, the study is a reminder that the topology of the mobile Web is changing and increasing in complexity. P2P app-to-API connections cannot be assumed and therefore inbound API calls cannot be implicitly trusted. API access must be controlled and the SecureSpan API Proxy is a leading solution for this purpose.
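The "Cloud Services" and "Web-Based Resources" points above both come down to the same control: the entry point of an offload service, like any API, should admit only requests that are bound to a known caller identity rather than trusting anything that arrives on the wire. The following is an added illustration of that idea and is not Layer 7's code or the SecureSpan product's implementation. It assumes a constructed shared-secret HMAC scheme (the client identifiers, secrets, header names, paths and clock value are all made up for the example) and shows a small gateway-side check that rejects unknown identities, stale timestamps, replayed requests and tampered requests before anything is forwarded to the cloud resource.

```python
import hashlib
import hmac
import json
import time

# Constructed registry of legitimate app identities and their shared secrets
# (assumption for this example; a real gateway would consult its identity store).
CLIENT_SECRETS = {"mobile-app-v1": b"constructed-shared-secret"}


def canonical_string(client_id, timestamp, nonce, method, path, body):
    """Bind the signature to who is calling, when, and exactly what is requested."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([client_id, str(timestamp), nonce, method.upper(), path, body_hash])


def sign_request(client_id, secret, method, path, body, timestamp, nonce):
    """Client side: produce the headers a legitimate app attaches to its call."""
    msg = canonical_string(client_id, timestamp, nonce, method, path, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


class EntryPointGuard:
    """Gateway side: service a request only if it is bound to a known identity."""

    def __init__(self, secrets, max_skew_seconds=300, now=time.time):
        self.secrets = secrets
        self.max_skew = max_skew_seconds
        self.now = now
        self.seen_nonces = set()  # replay protection; use a shared cache in production

    def authorize(self, headers, method, path, body):
        """Return (allowed, reason); the checks run cheapest-first."""
        client_id = headers.get("X-Client-Id")
        secret = self.secrets.get(client_id)
        if secret is None:
            return False, "unknown client identity"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "malformed timestamp"
        if abs(self.now() - ts) > self.max_skew:
            return False, "timestamp outside acceptance window"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "missing or replayed nonce"
        expected = hmac.new(
            secret,
            canonical_string(client_id, ts, nonce, method, path, body).encode(),
            hashlib.sha256,
        ).hexdigest()
        # Constant-time comparison so a forged signature leaks nothing via timing.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "signature mismatch"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Run the guard against one legitimate call and four illegitimate variants."""
    fixed_now = 1354665600  # constructed clock so the run is deterministic
    guard = EntryPointGuard(CLIENT_SECRETS, now=lambda: fixed_now)
    secret = CLIENT_SECRETS["mobile-app-v1"]
    path = "/offload/render"  # hypothetical offload endpoint
    body = json.dumps({"page": "https://example.invalid/"}).encode()

    results = {}
    good = sign_request("mobile-app-v1", secret, "POST", path, body, fixed_now, "n1")
    results["legit"] = guard.authorize(good, "POST", path, body)
    # Same headers presented a second time: nonce already seen.
    results["replay"] = guard.authorize(good, "POST", path, body)
    # Caller claims an identity the gateway has never issued a secret to.
    results["unknown"] = guard.authorize({**good, "X-Client-Id": "someone-else"}, "POST", path, body)
    # Valid headers reused for a different path than the one that was signed.
    signed2 = sign_request("mobile-app-v1", secret, "POST", path, body, fixed_now, "n2")
    results["tampered"] = guard.authorize(signed2, "POST", "/offload/other", body)
    # Correctly signed but an hour old: outside the acceptance window.
    stale = sign_request("mobile-app-v1", secret, "POST", path, body, fixed_now - 3600, "n3")
    results["stale"] = guard.authorize(stale, "POST", path, body)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:9s} allowed={allowed} reason={reason}")
```

The signature covers the identity, timestamp, nonce, method, path and a hash of the body, so the gateway can tell not just that a caller holds a secret but that this exact request was intended by that caller; the timestamp window and nonce set stop a captured request from being resubmitted later. Whichever identity mechanism a gateway actually uses (shared secrets, client certificates or tokens), the point of the passage is the same: the offload service's entry point treats every inbound call as untrusted until it is bound to a legitimate source.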

To sum up, this is a legitimate threat but not a reason to abandon the use of cloud-based resources for mobile app optimization. Be aware of the threats, employ the mitigations and then you can continue to enjoy the exciting growth of the mobile Web.