February 25th, 2013

SSO & OAuth for Mobile Apps – Live Discussion, Feb 26

In case you haven’t heard, we are living in the age of mobile applications and the APIs that power them. Sometimes it’s called the API economy.

Smart phones are ubiquitous, social networks are the norm and we are connected to applications on our devices all the time. We love applications like Instagram, Twitter, Evernote and Snapchat. But we don’t like signing in and out of each of these applications across networks or devices. It’s awkward and cumbersome and we’re often doing it while on the go or commuting, with only one hand free to tap in our passwords. Besides, who wants to remember all those passwords anyway? And it’s not safe to use the same one for every application.

This is the major downside of using all these great new mobile applications. Most of us would gladly invite a scenario where we’d only need to log in once to access multiple applications. There’s social login – but is it safe and is our privacy secure? Remember what happened to Burger King’s Twitter account? Enter Single-Sign-On & OAuth for Mobile Applications.

On Tuesday Feb 26, we’ll be hosting a live interactive Tech Talk on security and Single Sign-On (SSO) for mobile applications. And I’m excited to welcome back Layer 7’s Chief Architect and resident OAuth expert Francois Lascelles. He’ll discuss how to provide SSO for mobile applications without compromising the security of the apps or the APIs that power them. Francois will also be taking your questions throughout the Tech Talk, so this will be a great opportunity to get answers to your questions about your own applications and the security that surrounds them.

February 22nd, 2013

Cisco & the Internet of Everything

Category: API Management, M2M

John Chambers, CEO of Cisco, just published a good blog entry about the potential for change caused by universal connectivity – not just of our mobile gadgets but of pretty much everything. Recently, much has been said about the so-called “Internet of Things” (IoT), and Cisco is expanding its scope, going so far as to make the bold estimate that 99.4% of objects still remain unconnected. This, of course, is great fodder for late-night talk show hosts. I’ll leave that softball to them and focus instead on some of the more interesting points in Chambers’ post and the accompanying white paper.

It strikes me that there might be more to Cisco’s “Internet of Everything” (IoE) neologism than just a vendor’s attempt to brand what may still be a technology maverick. Internet of Everything sounds so much better than the common alternative when you append “Economy” to the end – and this is how it first appears in Chambers’ post. That’s actually important, because adding economy in the same breath is an acknowledgement that this isn’t so much marketing opportunism as a recognition that, like mobility, the IoE could potentially be a great catalyst for independent innovation. In fact, Cisco’s white paper really isn’t about technology at all but is instead an analysis of the market potential represented in each emerging sector, from smart factories to college education.

It is exactly this potential for innovation – a new economy – that is exciting. The combination of mobile access and APIs was so explosive precisely because it combined a technology with enormous creative potential (APIs) with an irresistible business impetus (access to information outside the enterprise network). The geeks love enabling tools and APIs are nothing if not enabling; mobile just gives them something to build.

IoE, of course, is the ultimate business driver and – with APIs as the enabler – it equals opportunity of staggering proportions. Like mobile before it – and indeed, social Web integration before that – IoE will come about precisely because the foundation of APIs already exists.

It is here where I disagree with some IoT pundits who advocate specialized protocols for optimizing performance. No thank you; it isn’t 1990 and opaque binary protocols no longer work for us, except when streaming large data sets (I’m looking at you, video).

Security in the IoE will be a huge issue and Cisco has this to say on the topic:

“IoE security will be addressed through network-powered technology: devices connecting to the network will take advantage of the inherent security that the network provides (rather than trying to ensure security at the device level).”

I agree with this because security coding is still just too hard and too easy to implement wrongly. One of the key lessons of mobile development is that we need to make it easy for developers to automatically enable secure communications. Take security out of the hands of developers, put it in the hands of dedicated security professionals and trust me, the developers will thank you.

As IoE extends to increasingly resource-constrained devices, the simpler we can make secure development, the better. Let application developers focus on creating great apps and a new economy will follow.

February 22nd, 2013

The Internet of (Interesting) Things


Right now, a lot of companies are gearing up for Mobile World Congress – and Layer 7 is no exception. I’m attending MWC and I’ll be interested to see how the Internet of Things (IoT) and M2M play out at the conference. IoT has been getting a lot of attention recently, so – in preparation for MWC – let’s take a look at some of the most interesting things that have been said and done in the last couple of months.

I’m particularly excited about a very ambitious EU-funded project to map an IoT reference architecture. Whether it will really become the reference architecture or simply a collection of best practices is subject to debate but I think the simple fact of trying to pull together all the different knowledge domains into one set of documents is bound to be interesting.

Forbes recently published an article by Alex Brisbourne called The Internet of Things Isn’t as New as It Seems. The article offers some really fascinating insights into the renewal rates for built-in 3G services in iPads and OnStar. Reflecting upon my own positive experiences with a 3G Kindle, I have to agree with Alex that, for connected devices to really reach their potential, connectivity must be simply built-in without requiring a separate subscription.

Another indication of this trend is the fact that car manufacturers are apparently switching from built-in mobile connectivity (requiring the owner to carry a subscription) to tethering off the driver’s existing smart phone. This highlights the challenges telco providers are facing – as summarized in a recent blog post on telco2.net.

Alex Bassi has provided another look at the way IoT is affecting business models, making the point that technology is enabling us to use things without having to own them. In my humble opinion, we’ll see this service-based model, which we normally associate with SaaS and the cloud, extending more and more into the domain of physical “smart” things. We can already see this usage pattern emerging in the automotive sector: car sharing a la Zipcar; limo service from Uber; electric car solutions from Better Place. FastCompany calls this the new “self-service” economy in an article that explores these issues in depth.

To get a good overview of the Internet of Things, I suggest heading over to ZDnet, which regularly posts articles on IoT and M2M. Postscapes, meanwhile, is completely dedicated to tracking IoT – I particularly like this site’s (currently incomplete) directory of companies in the space. There’s also a good collection of relevant essays gathered together on Bundlr.

Finally, here are a couple of links for the technically inclined. First here’s a presentation on the impressive set of open source building blocks developed as part of the m2m.eclipse.org project. Second is a piece that touches upon some technical aspects of the semantic Web that have a good deal of relevance to IoT. This is an area I’m personally very interested in and it might be a good topic to explore in a future post.

In any case, I expect to have plenty of interesting things to report on after Mobile World Congress. If you’re attending the show, be sure to stop by the Layer 7 booth for a chat. We’ll be at booth #8.1A47 in the App Planet zone.

February 20th, 2013

Journey to the Center of the Mobile World


Mobile World Congress – three words that strike fear into the hearts of marketing managers everywhere, for this is the largest mobile event of the year and we’re just a few days away from seeing 70,000 visitors descend upon Barcelona like a kettle of vultures, hungry for new innovations. This year, they will be treated to new hunting ground too, as MWC moves to a new, larger venue with more room for fresh meat. Before that metaphor gets completely worn out, let’s take a look at what we can actually expect from this year’s show.

As usual, we’re likely to see a very broad sweep across various areas of telco innovation and mobile strategy but there are some fundamental questions facing the community and these will dominate many conference sessions, seminars and exhibits:

  1. Connected Living
    As the Internet of Things gains momentum, how can the service provider community deliver the kind of enriched connectivity the broader ecosystem increasingly demands?
  2. Mobile Commerce
    For years, mobile has been a key banking and commerce tool for certain markets. With the rise of NFC (near field communication) and success stories like the Starbucks mobile payment app, will mobile become the preferred payment instrument for us all?
  3. Next-Generation Communications
    The world of communications moves quickly – too quickly even for service providers at times, with the runaway success of technologies like iMessage, WhatsApp and – next – WebRTC. In this ever-innovating world of mobile communications, can service providers regain some ground and demonstrate their value?

Layer 7 has answers to these questions and will be at MWC, demonstrating a variety of solutions that can help service providers address the challenges ahead. For example:

  1. We have been collaborating with AT&T and have planned an M2M solution that will capture anonymous information about visitors as they move around the exhibition halls. This information will be presented as intelligent APIs via the Layer 7 platform.
  2. Security and authentication are very familiar terms to Layer 7 and we’ll be showing how mobile payments can be easily and securely integrated with a mobile app without compromising the user experience.
  3. “Communications as a Service” opens many opportunities for service providers and the new partnership between Layer 7 and Voxeo Labs will show how easy it can be to capitalize on these opportunities.

Come and meet the team at booth 8.1A47 in the App Planet zone or email info@layer7.com to schedule a meeting. See you there!

February 8th, 2013

Enabling OAuth Token Distributors

Are you a token distributor? If you provide an API, you probably are.

One thing I like about tokens is that, when they are compromised, your credentials are unaffected. Unfortunately, it doesn’t work so well the other way around. When your password is compromised, you should assume the attacker could also get access tokens to act on your behalf.

In his post The Dilemma of the OAuth Token Collector and in this Twitter conversation, Nishant Kaushik and friends comment on the recent Twitter hack and discuss the pros and cons of instantly revoking all access tokens when a password is compromised.

I hear the word of caution around automatically revoking all tokens at the first sign of a credential being compromised but in a mobile world where user experience (UX) is sacred and where each tapping of a password can be a painful process, partial token revocation shouldn’t be automatically ruled out.

Although, as Nishant suggests, “it is usually hard to pinpoint the exact time at which an account got compromised”, you may know that it happened within a range and use the worst case scenario. I’m not saying that was necessarily the right thing to do in reaction to Twitter’s latest incident but only revoking tokens that were issued after the earliest time the hack could have taken place is a valid approach that needs to be considered. The possibility of doing this allows the API provider to mitigate the UX impact and helps avoid service interruptions (yes, I know UX would be best served by preventing credentials being compromised in the first place).

Of course, acting at that level requires token governance. The ability to revoke tokens is essential to the API provider, and any token management solution being developed today should pay great attention to it. Providing a GUI to enable token revocation is a start, but a token management solution should also expose an API through which tokens can be revoked. This lets existing portals and ops tooling act on token revocation programmatically. Tokens need to be easily revoked per user, per application, per creation date, per scope etc., and per any combination of these.
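To make the two points above concrete (worst-case revocation of tokens issued since the earliest possible compromise time, and revocation by any combination of user, application, scope and creation date), here is an added Python example. It is not Layer 7 code; the in-memory token store, token ids, user names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class AccessToken:
    token_id: str
    user: str
    client: str            # application the token was issued to
    scopes: frozenset
    issued_at: datetime
    revoked: bool = False

class TokenStore:
    """Constructed in-memory registry standing in for a real token database."""
    def __init__(self, tokens):
        self._tokens = {t.token_id: t for t in tokens}

    def is_active(self, token_id):
        t = self._tokens.get(token_id)
        return t is not None and not t.revoked

    def revoke_where(self, user=None, client=None, scope=None, issued_after=None):
        """Revoke active tokens matching ALL given criteria; returns their ids."""
        def matches(t):   # user, application, scope, creation date, or any combination
            return ((user is None or t.user == user)
                    and (client is None or t.client == client)
                    and (scope is None or scope in t.scopes)
                    and (issued_after is None or t.issued_at >= issued_after))
        hits = [t for t in self._tokens.values() if not t.revoked and matches(t)]
        for t in hits:
            t.revoked = True
        return sorted(t.token_id for t in hits)

def revoke_after_compromise(store, user, window_start):
    """Worst case: revoke the user's tokens issued from the earliest possible compromise time on."""
    return store.revoke_where(user=user, issued_after=window_start)

def utc(day, hour=0):  # timestamp helper for the constructed sample data (Feb 2013, UTC)
    return datetime(2013, 2, day, hour, tzinfo=timezone.utc)

def build_sample_store():
    """Constructed sample tokens (not real ones): four for alice, one for bob."""
    rows = [("t1", "alice", "mobile-app", {"read"}, utc(1)),
            ("t2", "alice", "legacy-app", {"read", "write"}, utc(2)),
            ("t3", "alice", "mobile-app", {"read", "write"}, utc(3, 12)),
            ("t4", "alice", "web-app", {"read"}, utc(5)),
            ("t5", "bob", "mobile-app", {"read", "write"}, utc(4))]
    return TokenStore(AccessToken(tid, user, client, frozenset(scopes), issued)
                      for tid, user, client, scopes, issued in rows)
```

With the sample data, `revoke_after_compromise(store, "alice", utc(3))` revokes only t3 and t4, leaving alice's earlier tokens and bob's tokens untouched.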

Are you a token distributor? You should think hard about token governance. You should also think hard about scaling, security, integration with existing identity assets and interop, among other things. We cover these issues and more in our new eBook: 5 OAuth Essentials for API Access Control.