February 29th, 2012

Upcoming Webinar: Simplifying API Access Control with OAuth

Extending Existing IAM Technology for Enterprise API Access Control featuring 451 Research

Access control is a key aspect of API management. When an enterprise launches an API, identity and access management (IAM) will be among its most pressing concerns. But access control is handled differently for APIs than it is for the Web or even Web services. This can present difficulties for an enterprise that wants to reuse its existing IAM infrastructure to provide access control for APIs.

On March 14, I’ll be co-presenting a webinar called Simplifying API Access Control with OAuth, alongside Steve Coplan of 451 Research. We’ll be exploring a good deal of the ground around API access control and OAuth but with a particular focus on how existing IAM and Single Sign-On (SSO) systems can be extended to integrate with API-enabled applications and services.

In addition to discussing how enterprises can extend their existing IAM and SSO investments for API access, we’ll be looking at:

  • What security and management concerns are created by open APIs
  • How enterprises can address key IAM challenges when securing APIs
  • Why OAuth is becoming central to API access control

Space is limited – so, if you’re interested, sign up today!

February 27th, 2012

New Solution Brief: API Management for Mobile

Increasingly, mobile is one of the major factors driving enterprises to expose their information assets via APIs. With the BYOD movement bringing mobile into the workplace and some forward-thinking enterprises equipping their employees with tablets, there is a growing need for enterprise-level apps that leverage systems and data exposed via APIs.

Of course, allowing enterprise data to be accessed from smartphones and tablets (via public networks) creates a range of concerns around security and performance. The security risks are clear – perhaps less well understood is the fact that, for apps to perform efficiently, data will need to be filtered and transformed into formats and protocols suitable for mobile.

Layer 7’s new API Management for Mobile solution brief explains how our API Management Suite of products delivers everything enterprises need to address the data security and performance management concerns raised by integrating enterprise assets with mobile devices. To find out more download the solution brief now.

February 24th, 2012

Upcoming XACML Training Workshops

With the advent of APIs in the enterprise comes the need for a new security model. An effective runtime security strategy for the type of open integration environment created by APIs requires the deployment of three intertwined elements – a policy enforcement point, a policy decision point and an attribute service.

Layer 7’s SecureSpan API Proxy fits into this strategy as the policy enforcement point. The API Proxy verifies and authenticates each incoming message before assembling a standard XACML request, which is then sent to the policy decision point for an authorization decision. Layer 7 offers easy integration with leading policy decision point technologies from Axiomatics and Radiant Logic.
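As an added illustration (not Layer 7’s, Axiomatics’ or Radiant Logic’s code) of the PEP/PDP split described above, the following Python builds a XACML 3.0 Request from an already-authenticated API call and evaluates it with a toy policy decision point. The `urn:example:role` attribute (standing in for what an attribute service would supply) and the rule set are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Standard XACML 3.0 ids; ROLE_ID is a hypothetical attribute an attribute service would supply
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ID = "urn:example:role"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

def build_xacml_request(subject_id, role, method, path):
    """PEP step: after authenticating the caller, assemble a XACML 3.0 Request."""
    req = ET.Element("Request", {"xmlns": XACML_NS, "CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for category, items in ((CAT_SUBJECT, [(SUBJECT_ID, subject_id), (ROLE_ID, role)]),
                            (CAT_RESOURCE, [(RESOURCE_ID, path)]),
                            (CAT_ACTION, [(ACTION_ID, method)])):
        attrs = ET.SubElement(req, "Attributes", {"Category": category})
        for attr_id, value in items:
            a = ET.SubElement(attrs, "Attribute", {"AttributeId": attr_id, "IncludeInResult": "false"})
            ET.SubElement(a, "AttributeValue", {"DataType": XS_STRING}).text = value
    return ET.tostring(req, encoding="unicode")

# Toy PDP with a constructed first-applicable rule set: (role, action, resource prefix, effect)
RULES = [("admin", "*", "/api/", "Permit"), ("partner", "GET", "/api/orders/", "Permit"),
         ("partner", "*", "/api/", "Deny")]

def pdp_decide(request_xml):
    """PDP step: parse the Request and return a XACML Decision string."""
    root, ns = ET.fromstring(request_xml), {"x": XACML_NS}
    def attr(category, attr_id):  # returns None when the attribute is absent
        for attrs in root.iterfind("x:Attributes", ns):
            if attrs.get("Category") == category:
                for a in attrs.iterfind("x:Attribute", ns):
                    if a.get("AttributeId") == attr_id:
                        return a.findtext("x:AttributeValue", namespaces=ns)
    role, action, res = attr(CAT_SUBJECT, ROLE_ID), attr(CAT_ACTION, ACTION_ID), attr(CAT_RESOURCE, RESOURCE_ID)
    if None in (role, action, res):
        return "Indeterminate"  # a required attribute is missing; the PDP cannot decide
    for r_role, r_action, r_prefix, effect in RULES:
        if r_role == role and r_action in ("*", action) and res.startswith(r_prefix):
            return effect
    return "NotApplicable"

def pep_enforce(subject_id, role, method, path):
    """Deny-biased PEP: only an explicit Permit lets the API call through."""
    return pdp_decide(build_xacml_request(subject_id, role, method, path)) == "Permit"
```

The enforcement point treats NotApplicable and Indeterminate exactly like Deny, which is the safe default when a policy or attribute lookup comes back empty.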

To help enterprise architects understand how XACML is used for this kind of integration, we’ve been organizing a series of workshops in collaboration with our friends at Axiomatics, Radiant Logic and SailPoint. Coming up, we’ve got events at the Mikrotek Training Facilities in San Francisco, Chicago and New York. Here are the details:

February 23rd, 2012

Upcoming RSA Conference Talk: Hacking’s Gilded Age – How APIs Will Increase Risk & Chaos

I’m going to be speaking about API security at next week’s 2012 RSA Conference. I gave this talk the provocative title Hacking’s Gilded Age — How APIs Will Increase Risk & Chaos. It’s scheduled for Friday, March 2, 2012 at 10:10am in room 302.

Here’s the long form of the abstract, which gives a little more detail of what I’m going to cover in the talk than the short abstract that’s online does:

This session will explore why APIs (which are largely RESTful services) are fundamentally different from conventional Web sites, despite the fact that they share common elements such as the HTTP protocol. Web sites abstract back-end applications behind a veneer of HTML that should — if it is well-designed — constrain capability and thus limit an organization’s security exposure. APIs, in contrast, represent a more explicit interface leading directly into applications. These often self-document their intent and thus provide a hacker with important clues that may reveal potential attack vectors — from penetration to denial-of-service. Because of this, APIs require a much more sophisticated model for access control, confidentiality around parameters, integrity of transactions, attack detection, throttling and auditing.

But aside from the technological differences, there are cultural differences in the Web development community that considerably increase the risk profile of using APIs. Many API developers have backgrounds in Web site development and fail to understand why APIs demand a more rigorous security model than the Web sites they were trained on. In a misguided attempt to promote agility, convenience is often chosen over precaution and rigor. The astonishingly rapid rise of RESTful services over SOAP, OAuth over SAML, API keys over certificates and SSL (or nothing) over WS-Security is a testament to fast-and-informal prevailing over complex-and-standardized.

Nevertheless, it is certainly possible to build secure APIs and this session will demonstrate specifically how you can spearhead a secure and scalable API strategy. For every bad practice, we will offer an alternative pattern that is simple-but-secure. We will explicitly show how the API community is dangerously extending some Web paradigms, such as avoiding general use of SSL or not protecting security tokens, into the API world where the cost of failure is far greater. And finally, we will prescribe a series of directives that will steer developers away from the risky behaviors that are the norm on the conventional Web.

I hope you can attend. And if you do, please come up after the talk and say hello.

See you next week in San Francisco!

February 20th, 2012

Layer 7 at GSMA Mobile World Congress

The ubiquity of mobile devices is something we’ve all become used to in recent years. Still, the remarkable popularity of Apple’s iPad seems to have kicked things up another notch. The whole BYOD phenomenon has finally brought Apple hardware and software into the enterprise. Meanwhile, for many of us, the iPad (or similar tablet product) is becoming the primary means by which we consume content – newspapers, TV, music, you name it!

With new tablets coming on the market and consumers demanding more and more mobile access to content, API management is becoming an increasingly pressing concern for content providers. At Layer 7, we’ve been following these developments closely, while providing API management and security solutions to some big names in content delivery and mobile communications, including Orange.

We’ll be demonstrating our mobile API products at the end of this month, when we set up shop at the GSMA Mobile World Congress in Barcelona (February 27-March 1). This is undoubtedly the big mobile industry event of the year, so it’ll be exciting to be in the thick of things. The fact that it’s happening in a city as spectacular as Barcelona is just the icing on the cake. If you’re lucky enough to be attending, you’ll find us at booth 2.1A79.