February 7th, 2013

“Mobile App Security: Always Keep the Back Door Locked” – Our Take

Today’s lead article on Ars Technica talks about the importance of protecting backend resources in the context of mobile applications. The article rightly stresses the importance of this security, talks about the uptake in OAuth and cites API Gateway solutions as a popular option in this space.

However, the article clearly misstates the capabilities of an API Management solution founded on an API Gateway. I am going to assume that the author only had exposure to API Gateways second-hand or through a competitor of Layer 7. Here are the misconceptions propagated by the article, along with some corrections:

“These API gateway services can be prohibitively expensive for small-scale applications…  ‘You can replicate the API gateway by creating a set of proxy services in their data center in an application container in their DMZ.’”

Trying to create your own homegrown set of proxy services is expensive and risky. The Layer 7 API Management Suite’s Gateway technology includes 10 years of functional enrichment and optimization. Such robustness cannot be hacked together on the fly.

“An API gateway still runs on the notion that you have to be careful not to block what might be legitimate traffic. So that could cause some openness – some attacks might slip through using Web application firewall evasion techniques.”

An API Gateway is not a typical web application firewall. Layer 7’s Gateway (evident in the company’s name) has full access to all layers of the data stream and can apply protections at any of these layers.

“Of course, if they can retrieve a developer key, attackers can slip past API gateways until their activity is noticed…  That’s why it’s important to encrypt any data stored on the device, including developer keys[.]”

API keys are not treated as security tokens by an API Gateway. The term “API key” is equivalent to a “database key”, not a security key, so don’t mistake it for a robust access control mechanism. It is mainly an identification mechanism. It is a gross misunderstanding to equate API developer keys with a standard access control cryptographic mechanism like PKI public/private keys.

“But keys have other ways of getting into the wild besides breaking into the application code.”

Right, so you should not rely on these keys for access control. The good news is that the API Management Suite’s Portal/Gateway combination makes it easier to revoke and reissue developer keys.
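The two points above, that an API key identifies an application without proving anything, and that the real value of the key is that it can be revoked and reissued, are easier to see in code. The following is an added illustration and not Layer 7 product code: a toy gateway policy in which the API key only looks up the registered app (revocation flag, rate limit), while authorization rests on a separately validated bearer token. The app registry, the token secret and the simple HMAC-signed token layout are all constructed stand-ins for the demo, not a real OAuth token format.

```python
"""Toy gateway policy: API key = identification only, bearer token = authorization.

Added illustration, not Layer 7 code. Registry entries, the token secret and the
'sub|scope|exp|sig' token layout are constructed for this demo.
"""
import hashlib
import hmac

# Constructed developer-app registry. The API key works like a database key:
# it selects a record whose 'revoked' flag is what a portal flips on reissue.
APP_REGISTRY = {
    "app-key-1111": {"app": "weather-mobile", "revoked": False, "rate_limit": 100},
    "app-key-2222": {"app": "old-build", "revoked": True, "rate_limit": 100},
}

# Constructed secret shared between the (hypothetical) authorization server
# and the gateway, used only to verify token signatures.
TOKEN_SECRET = b"demo-authz-secret"


def issue_token(subject, scope, expires_at):
    """Mint a constructed bearer token 'sub|scope|exp|sig' (stand-in for OAuth)."""
    body = f"{subject}|{scope}|{expires_at}"
    sig = hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def verify_token(token, required_scope, now):
    """Return the subject if signature, expiry and scope all check out, else None."""
    try:
        subject, scope, exp, sig = token.split("|")
    except ValueError:
        return None
    body = f"{subject}|{scope}|{exp}"
    expected = hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= int(exp) or required_scope not in scope.split(","):
        return None
    return subject


def authorize_request(api_key, bearer_token, required_scope, now, counters):
    """Gateway decision for one request. Returns (allowed, reason).

    counters is a per-API-key request count kept by the caller. Note the order:
    the key identifies the app (and may be revoked or rate-limited), but a
    leaked key alone never gets past the token check below.
    """
    app = APP_REGISTRY.get(api_key)
    if app is None:
        return False, "unknown api key"
    if app["revoked"]:
        return False, "api key revoked"
    counters[api_key] = counters.get(api_key, 0) + 1
    if counters[api_key] > app["rate_limit"]:
        return False, "rate limit exceeded"
    subject = verify_token(bearer_token or "", required_scope, now)
    if subject is None:
        return False, "invalid or insufficient access token"
    return True, f"{app['app']} on behalf of {subject}"


if __name__ == "__main__":
    tok = issue_token("alice", "read:profile", 2000)
    print(authorize_request("app-key-1111", tok, "read:profile", 1000, {}))
    print(authorize_request("app-key-1111", None, "read:profile", 1000, {}))
    print(authorize_request("app-key-2222", tok, "read:profile", 1000, {}))
```

Revoking a key here is a one-field change in the registry and immediately shuts out the old build, which is the operational property the post is pointing at; the key never carries any claim about who the end user is.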

“For enterprise applications, an API gateway isn’t always enough – users need to get access to content on servers inside the firewall that may not be easily exposed through a Web API.”

And this is where the API Gateway really adds value. The Layer 7 API Management Suite allows companies to turn those backend interfaces from their native protocols into REST APIs or other formats that are friendly to mobile devices.

So, thanks to Ars Technica for flagging up this important aspect of mobile security and here’s hoping that this corrected information is included in the next article.

February 6th, 2013

The Forrester Wave: API Management Platforms, Q1 2013

Earlier this week, Forrester Research, Inc. released The Forrester Wave: API Management Platforms, Q1 2013. This report addresses products targeted at several different audiences including API business owners, technical administrators and application developers consuming APIs. We’re proud to announce that the Layer 7 API Management Suite has been recognized as a Leader in the category, with some significant distance between ourselves and our peers.

What I’m most proud of is our consistently high marks in every category; we have worked hard to make sure that our products provide both ease-of-use and deep functionality. The developer experience is just as important to us as the rich integration capabilities provided to technical architects and API administrators. And comprehensive business analytics for API owners are just as important as the availability and security features required by enterprise operations teams. Our scores reflect this breadth of solution strengths.

What might be more difficult to reflect in an “Emerging Market” Wave is product depth – and this is another area where Layer 7 shines. Enterprise customers value our flexibility in deployment options, our support for numerous message formats/protocols, our rich identity framework and our long list of security certifications gained through exhaustive testing and evaluation by some of the most demanding organizations and standards bodies in the industry. Our customers have long recognized Layer 7 as a Leader in this category and we thank Forrester for validating this with the first major analyst evaluation of API Management vendors.

Layer 7 had a similar previous showing in The Forrester Wave: SOA Application Gateways, Q4 2011, in which the company was also recognized as a Leader. This successful heritage is noted by Forrester in the new Wave, which states that “Technical adopters will find a lot of depth to Layer 7’s service management capabilities, including a variety of deployment options, sophisticated traffic shaping and routing capabilities, and extensive connectivity to existing enterprise systems.” By bringing these strengths to bear on the API Management industry, Layer 7 offers an IT-friendly option for enabling all open enterprise API use cases, including access to partners, developers, mobile apps and cloud platforms.

Get a complimentary copy of The Forrester Wave: API Management Platforms, Q1 2013

February 4th, 2013

More Mobile Access Predictions for 2013

With February just beginning, the mobile world is gearing up for Mobile World Congress (MWC), which will be taking place in Barcelona at the end of the month. It’ll certainly be interesting to see what new products and features will be announced at the show. From the ongoing trends (some of which Mike Amundsen recently discussed), I’d expect to see a number of announcements of IoT products.

The good old measure of progress, mobile subscriber penetration, doesn’t cut it anymore. Now, the real measure is how many other connected devices a subscriber uses – iPads, Smart TVs and even fridges (who wouldn’t want a Galaxy Kitchen or an iPad Mini?) This is just the start of a revolution in connectivity, which will make it easier than ever to consume information and equally easy to emit a lot of information, often through social networks.

But there is another aspect to this – not only will you be able to post your own information but there will be all kinds of devices that can “sense” information about you. I expect to see a lot of this at MWC – sensors and cameras scattered around the floor, mapping passers-by to Facebook profiles and other personal information. Obviously, the capturing and cross-pollination of this information raises all sorts of privacy issues.

It will also have a number of significant ramifications for mobile developers. First, there will be a new wealth of information available in the form of Web service APIs, as most of the data will be stored in the cloud. The sheer scale of this new information-rich world will require apps to leverage cloud processing capabilities in order to be truly effective. This will create opportunities for enterprises to rethink their mobile architectures.

Second, mobile developers will need to use standard protocols for authentication and authorization. OAuth and OpenID Connect are key standards for protecting resources and allowing app users to authorize apps to leverage their information. Will these standards address all the privacy issues mentioned above? Probably not, but they will make it a good deal easier for app developers to comply with privacy laws and regulations.

Third, the most successful app developers will be those that are able to provide a seamless user experience (UX) across multiple devices. This is because the end user of the near future will naturally expect all apps to know about other sessions that the user had with an app across all of his or her many smart devices. Devs will therefore want to migrate sessions across devices, to bolster the UX.

If you’re going to MWC, come and say hello to the Layer 7 team. We will be located in the App Planet area Hall: 8.1 Booth: A47. I hope to see you there!

February 1st, 2013

Managing the Internet of Things

Category: API Management, IoT, M2M

In case you’ve been hiding under a rock or too busy building “things” to notice, the Internet of Things – or “IoT” – has arrived (along with its sidekick, M2M). The buzz at this year’s Consumer Electronics Show was just the latest confirmation of the momentum gathering behind this trend.

So, what is IoT? Depending on who you ask, you are likely to get different answers. I still like Adam Baumgarten’s original definition from 1999:  “If we had computers that knew everything there was to know about things – using data they gathered without any help from us – we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best.”  In case you are still left wondering, here is a fitting visual.

What is driving this? The German philosopher Hegel (bear with me for a second) explained, in his book Science of Logic, that an accumulation of small quantitative change can lead to a much more profound change in quality. I think that the IoT is at a tipping point of this kind, with gradual changes in technologies and business models coming together to cause just such a leap in quality.

The last decade has seen the widespread adoption of SOA, ubiquitous connectivity, increasing commoditization of IT in the form of cloud computing, commoditization/miniaturization of hardware and big data analytics. Cost barriers to innovation have been eliminated or lowered dramatically through “as-a-service” business models. All these gradual advances are coming together to enable something new in scope, scale and ambition: the Internet of Things.

The good news is that IoT will not force us to unlearn everything we’ve been doing for the last couple of decades. Instead, what we have learned will need to be applied at a significantly larger scale. IoT will require highly scalable service-oriented, event-driven architectures.

I think the example of API Management for mobile provides a glimpse of the challenges ahead. Mobile access to services will no longer happen just through apps built around Web-based standards and patterns. Increasingly, access will happen via embedded microcontrollers using low-overhead pub-sub telemetry protocols like MQTT.

In this context, addressing access control, security, developer management, SLA enforcement, scalability, data integration, billing, analytics and device management will become more crucial than ever. Additionally, the sheer size of data “noise” might require edge analytics through adaptive event filtering and thresholding at the enterprise perimeter.

For a company like Layer 7, this future will hold plenty of opportunities to apply our experience in API Management, Mobile Access, SOA Governance and Cloud Integration. Our cloud-based APIfy platform is just the beginning of this journey. I have spent my career working on innovative technologies for the enterprise and I’m very excited to bring this experience – along with my ideas – to Layer 7, where we look forward to providing new and practical solutions for IoT.