Matt McLarty

Matt McLarty is Vice President of Client Solutions at Layer 7 Technologies. Matt is focused on customer success, providing implementation best practices and architectural guidance to ensure clients receive the maximum benefit from Layer 7’s products. Matt brings over 15 years of technology leadership to Layer 7, with a particular focus on enterprise architecture, strategy and integration. Prior to joining Layer 7, Matt led the global IBM technical sales organization responsible for application integration software and solutions, notably helping to grow the SOA Gateway business substantially over a five-year period. Before joining IBM, Matt worked as a Senior Director and Enterprise Architect focused on SOA, electronic payments and identity management.

February 7th, 2013

“Mobile App Security: Always Keep the Back Door Locked” – Our Take

Today’s lead article on Ars Technica talks about the importance of protecting backend resources in the context of mobile applications. The article rightly stresses the importance of this security, talks about the uptake in OAuth and cites API Gateway solutions as a popular option in this space.

However, the article clearly misstates the capabilities of an API Management solution founded on an API Gateway. I am going to assume that the author only had exposure to API Gateways second hand or through a competitor of Layer 7. Here are the misconceptions propagated by the article, along with some corrections:

“These API gateway services can be prohibitively expensive for small-scale applications… ‘You can replicate the API gateway by creating a set of proxy services in their data center in an application container in their DMZ.’”

Trying to create your own homegrown set of proxy services is expensive and risky. The Layer 7 API Management Suite’s Gateway technology includes 10 years of functional enrichment and optimization. Such robustness cannot be hacked together on the fly.

“An API gateway still runs on the notion that you have to be careful not to block what might be legitimate traffic. So that could cause some openness – some attacks might slip through using Web application firewall evasion techniques.”

An API Gateway is not a typical web application firewall. Layer 7’s Gateway (evident in the company’s name) has full access to all layers of the data stream and can apply protections at any of these layers.

“Of course, if they can retrieve a developer key, attackers can slip past API gateways until their activity is noticed… That’s why it’s important to encrypt any data stored on the device, including developer keys[.]”

API keys are not treated as security tokens by an API Gateway. The term “API key” is equivalent to a “database key”, not a security key, so don’t mistake it for a robust access control mechanism. It is mainly an identification mechanism. It is a gross misunderstanding to equate API developer keys with a standard access control cryptographic mechanism like PKI public/private keys.

“But keys have other ways of getting into the wild besides breaking into the application code.”

Right, so you should not rely on these keys for access control. The good news is that the API Management Suite’s Portal/Gateway combination makes it easier to revoke and reissue developer keys.
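To make the distinction concrete, here is an added example (not Layer 7 code) in Python: a gateway-style check that uses the developer key only to identify the calling app (and to reject keys that have been revoked and reissued), while every access decision comes from a separate, expiring access token. All keys, tokens, app names and scopes are constructed.

```python
import hashlib
import time

def fingerprint(key):
    """Store only a digest of each developer key, never the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed registry: developer key digest -> registered app. A key only says
# which app is calling; a revoked key (e.g. one that leaked and was reissued)
# is rejected outright.
DEVELOPER_KEYS = {
    fingerprint("devkey-alpha-001"): {"app": "alpha-mobile", "revoked": False},
    fingerprint("devkey-beta-002"): {"app": "beta-mobile", "revoked": True},
}

# Constructed token store: opaque bearer token -> user, app binding, scope, expiry.
ACCESS_TOKENS = {
    "tok-user42-alpha": {"user": "user42", "app": "alpha-mobile",
                         "scope": {"read:orders"}, "exp": 2_000_000_000},
}

def identify_app(api_key):
    """Identification step: map the key to an app, or None if unknown or revoked."""
    entry = DEVELOPER_KEYS.get(fingerprint(api_key))
    if entry is None or entry["revoked"]:
        return None
    return entry["app"]

def authorize(token, app, scope, now):
    """Access-control step: the token must be live, bound to this app and carry the scope."""
    t = ACCESS_TOKENS.get(token)
    if t is None or t["exp"] <= now or t["app"] != app or scope not in t["scope"]:
        return None
    return t["user"]

def gateway_decision(api_key, token, scope, now=None):
    """Return (status, detail): identify first, then authorize; a key alone never grants access."""
    now = time.time() if now is None else now
    app = identify_app(api_key)
    if app is None:
        return 401, "unknown or revoked developer key"
    user = authorize(token, app, scope, now)
    if user is None:
        return 403, "app %s identified, but no valid token for scope %s" % (app, scope)
    return 200, "%s via %s" % (user, app)
```

A leaked developer key on its own therefore yields a 403 with the app identified, which is exactly the signal a gateway can log and rate-limit, while revoking the key turns further calls into 401s without touching any user tokens.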

“For enterprise applications, an API gateway isn’t always enough – users need to get access to content on servers inside the firewall that may not be easily exposed through a Web API.”

And this is where the API Gateway really adds value. The Layer 7 API Management Suite allows companies to turn those backend interfaces from their native protocols into REST APIs or other formats that are friendly to mobile devices.

So, thanks to Ars Technica for flagging up this important aspect of mobile security and here’s hoping that this corrected information is included in the next article.

December 3rd, 2012

A Break in the Clouds

A recent study by researchers at North Carolina State University and the University of Oregon describes a threat scenario that allows attackers to exploit cloud-based resources for malicious purposes like cracking passwords or launching denial-of-service attacks. The study has gotten a lot of attention, including articles in reputable sources like Dark Reading, Ars Technica and Network World.

In order to optimize the performance of mobile apps or browsers, some computation-heavy functions have been offloaded to cloud-based resources, which in turn access backend resources and Web pages. This creates a middle ground in the cloud that is exploited in the attack, which the authors call “Browser Map Reduce (BMR)”. In reading the paper, it’s clear that this is a legitimate threat. The authors actually carried it out using free resources, although they limited the scope in order not to be abusive.

Aside from curiosity about the mechanics of the vulnerability, the obvious question is this: How can we mitigate this threat? Here are a few perspectives, along with a mitigation for each.

Apps – This “cloud offload” architecture has arisen because of the processing limitations of mobile devices. When a backend resource is requested by a mobile user, it makes sense to have the data returned in the most consumable format, in order to optimize user experience. Whenever possible, instead of doing this through “browser offload”, data should be returned as JSON objects. This API approach is a proven method that works for mobile devices and is not subject to the BMR threat.

Cloud Services – This threat should not be viewed as a dismissal of the “cloud offload” approach. Cloud-based resources are necessary for handling caching, data indexing and other key functions in the mobile paradigm. However, it serves as a warning that these dedicated cloud-based resources cannot be considered part of a walled garden that includes the associated mobile app. The resource’s entry point must be protected against attackers. Layer 7’s SecureSpan Mobile Access Gateway is an ideal choice for this access control, as it uses identity-based measures to ensure that only requests from legitimate sources are serviced.

Web-Based Resources – Although the backend Web resource was not exploited in this scenario, the study is a reminder that the topology of the mobile Web is changing and increasing in complexity. P2P app-to-API connections cannot be assumed and therefore inbound API calls cannot be implicitly trusted. API access must be controlled and the SecureSpan API Proxy is a leading solution for this purpose.

To sum up, this is a legitimate threat but not a reason to abandon the use of cloud-based resources for mobile app optimization. Be aware of the threats, employ the mitigations and then you can continue to enjoy the exciting growth of the mobile Web.

October 2nd, 2012

Non-Function Junction: API Automation for Enterprise Operations

Recently, I’ve been working closely with a number of large enterprise clients who have already gone or will soon go live with Layer 7 solutions at the core of mission-critical infrastructure. I’ve observed that, in the API Management space, proof of concept and initial projects often focus on functional needs but the emphasis shifts to non-functional requirements as environments mature and sharing increases. There’s a clear, three-phase progression for large enterprises, which moves along these lines:

  1. Solve the basic functional use cases – The 80% in the 80-20 rule
  2. Solve the remaining, more complex use cases – The 20%
  3. Deploy the basic functions on an enterprise scale – Back to the 80%

In Phase 3, it’s all about performance, scalability, operability, security, availability and consumability. The problems are very complex but the goal is to make the resulting solution as usable and simple as possible, given the wide range of users, developers, testers and operators that will be involved in its execution. As technology vendors, we are often guilty of focusing inwardly on bells and whistles, rather than outwardly on interoperability. This works well for phases 1 and 2 but brings a reckoning in the third phase. Fortunately, at Layer 7, we’ve spent the past decade working with enterprise clients and have evolved our products to meet their adaptability, reliability and automation needs.

The Layer 7 Management API is at the core of this capability. The Management API ships with all Layer 7 Gateways, to enable automated administration of policies, resources and access control that can plug into enterprise configuration management, deployment and monitoring systems. It can be accessed programmatically through a Java API, on the network through a Web service API or built into command line scripts. For the clients I have worked with, this capability and the assurance it provides when moving through the systems development lifecycle is quite simply a must-have.

July 13th, 2012

Layer 7 at Your Service

Layer 7 has been providing solutions for more than a decade. In this time, we have gained valuable experience of how to make our industry-leading products deliver maximum benefit in critical customer environments. In particular, we’ve gained a great deal of knowledge about how to translate clients’ business needs into robust solutions that meet the functional requirements and address key non-functional areas like performance, security and operations.

Recently, we’ve added a number of industry experts to our full-time team, in order to deepen this expertise and expand our delivery. Services have become an increasingly important part of our business and we have just launched a new Services section on our Web site in order to provide details of our service offerings.

Training Services are always the right starting point for new clients and we have a number of courses we can tailor to meet any customer’s needs. Following training, we can customize IT Services to provide consulting, configuration and any implementation activity. Our Business Services help companies explore new opportunities through technology. The current focus is on the many possibilities offered by APIs and we’re very excited to have noted industry experts Mike Amundsen and Ronnie Mitra leading this practice.

Please have a look at all the services we offer and let us know if any of these would help your company out. No matter what phase of a project you’re in, we will be happy to be at your service!

June 6th, 2012

Start Spreading the News… Cloud Expo, New York

Cloud Expo 2012 is almost here. This promises to be an incredible event, with thousands of attendees and over 100 speakers. As previously mentioned, I’m privileged to be presenting on Making Hybrid Cloud Safe & Reliable. I’m particularly excited that I’ll be introducing attendees to the new concept of API-Aware Traffic Management. It will also be great to be back in New York City!

I recently read Daniel Kahneman’s book Thinking Fast & Slow, a fascinating study of how the human mind works. With the new capabilities offered by big data and Cloud computing — the dual themes for next week’s event — and the increasing personalization of technology through Mobile devices, I think we have an opportunity to make our digital systems more human in their processing. What does that mean? Well, more intuitive in user experience, more lateral through caching of unstructured data and more adaptive to changing conditions. API-Aware Traffic Management certainly reflects this potential.

If you are going to be (or hope to be) at the event, add a response in the comments box or tweet to @MattMcLartyBC. Hope to see you there!