But do interfaces hosted on AWS and exposed to third-party developers contain significant vulnerabilities? Cloud services allow third-party access to applications and data through APIs. Failing to properly secure that access can put the data and applications at risk. So, how do you safely expose APIs in a cloud environment?

Understanding the cloud API model isn’t always easy. So, on January 29, we’re having a live discussion about publishing APIs in the AWS cloud, which may help answer questions surrounding exposing APIs in cloud environments. I’m excited to welcome Layer 7 Technologies Senior Software Developer Hirbod (Rod) Moshfeghi as our special guest for this API Tech Talk. This is a great opportunity to have your questions answered and to discuss the implications of publishing cloud-based APIs.

Here’s how to join the live discussion…

On the day of the event, click here to join:

• layer7.com/live

Submit your questions:

• Tweet using the tag #Layer7Live
• Email techtalk@layer7.com

Of course there will always be a place for a little more talking and I’ll be doing some of this myself as part of the CES panel Privacy & Security in the Cloud. This discussion will take place on Monday Jan 7, 11am-12pm, in LVCC, North Hall N259. The panel is chaired by my good friend Jeremy Geelan, founder of Cloud Computing Expo, who honed his considerable moderation skills at the BBC.

I’m planning on exploring the intersection between the cloud and our increasingly ubiquitous consumer devices. We will highlight the opportunities created by this technological convergence but we will also consider the implications this has for our personal privacy. I hope you can join us.

In order to optimize the performance of mobile apps or browsers, some computation-heavy functions have been offloaded to cloud-based resources, which in turn access backend resources and Web pages. This creates a middle ground in the cloud that is exploited in the attack, which the authors call “Browser Map Reduce (BMR)”. In reading the paper, it’s clear that this is a legitimate threat. The authors actually carried it out using free resources, although they limited the scope in order not to be abusive.

Aside from questions of curiosity around the mechanics of the vulnerability, the obvious question is this: How can we mitigate this threat? Here are a few perspectives here as well as a method for each.

Apps – This “cloud offload” architecture has arisen because of the processing limitations of mobile devices. When a backend resource is requested by a mobile user, it makes sense to have the data returned in the most consumable format, in order to optimize user experience. Whenever possible, instead of doing this through “browser offload”, data should be returned as JSON objects. This API approach is a proven method that works for mobile devices and is not subject to the BMR threat.

Cloud Services – This threat should not be viewed as a dismissal of the “cloud offload” approach. Cloud-based resources are necessary for handling caching, data indexing and other key functions in the mobile paradigm. However, it serves as a warning that these dedicated cloud-based resources cannot be considered part of a walled garden that includes the associated mobile app. The resource’s entry point must be protected against attackers. Layer 7’s SecureSpan Mobile Access Gateway is an ideal choice for this access control, as it uses identity-based measures to ensure that only requests from legitimate sources are serviced.

Web-Based Resources – Although the backend Web resource was not exploited in this scenario, the study is a reminder that the topology of the mobile Web is changing and increasing in complexity. P2P app-to-API connections cannot be assumed and therefore inbound API calls cannot be implicitly trusted. API access must be controlled and the SecureSpan API Proxy is a leading solution for this purpose.

To sum up, this is a legitimate threat but not a reason to abandon the use of cloud-based resources for mobile app optimization. Be aware of the threats, employ the mitigations and then you can continue to enjoy the exciting growth of the mobile Web.

It’s beautiful and quiet at Vail Cascade this morning. As I stepped outside, I’m pretty sure I saw SAML scurrying away into the trees. This is weird given this week’s proclamations that SAML was dead. Although we won’t be rid of SAML anytime soon, I do look forward to enterprise adoption of the new kid on the block: OpenID Connect. Easier federation, OpenID Connect-style is already common for consumer identity providers; enterprise identity providers should take note and follow suit. As a vendor of API Management infrastructure, it’s up to us to enable the enterprise to better reach out to its target audience. I see support for OpenID Connect as a key component in achieving this today.

My favorite proclamation of the week goes to Patrick Harding who declared in his talk titled “The Platformication of the Enterprise is Upon us Again and They Forgot Security (Again)” that API tokens are going to be “the currency of the API economy”. The management of tokens and their lifecycle is indeed a crucial component of API Management. Consider the case of a mobile application consuming an enterprise API using an OAuth token. Such tokens are associated with the API provider, the user (subscriber), the mobile application and the mobile device. Each live token is potentially associated with multiple parties and one of the challenges of API token management is to enable control of the right tokens by the right parties.

The combination of security and risk management is particularly interesting these days, as rapid migration to Cloud and Mobile has introduced a new set of risks. These new platforms raise issues around compliance, information security and identity management, which can only be addressed with a comprehensive approach to security, using proven technology.

If you’re at the show, stop by and visit Layer 7 at Booth 92. We’d love to demonstrate how our SOA Governance and API Management solutions can counteract the risks involved with adopting these new technologies. Our solutions – flexibly deployed on-premise or in the Cloud – provide control over data and applications being exposed to partners, Cloud and Mobile.

And our industry-leading technology has been certified at the highest levels for use in both corporate and governmental organizations – PCI-DSS compliance for retail, STIG vulnerability testing for the DoD, FIPS 140-2 for cryptographic functionality and Common Criteria certification for overall security.

Don’t let the risk outweigh the reward – come talk to us!

I recently read Daniel Kahneman’s book Thinking Fast & Slow, a fascinating study of how the human mind works. With the new capabilities offered by big data and Cloud computing — the dual themes for next week’s event — and the increasing personalization of technology through Mobile devices, I think we have an opportunity to make our digital systems more human in their processing. What does that mean?  Well, more intuitive in user experience, more lateral through caching of unstructured data and more adaptive to changing conditions. API-Aware Traffic Management certainly reflects this potential.

If you are going to be (or hope to be) at the event, add a response in the comments box or tweet to @MattMcLartyBC. Hope to see you there!

As the variety of available business apps and mobile devices continues to grow exponentially, enterprises will find it increasingly difficult to place such rigid limits on BYOD. Employees are already beginning to feel entitled to use apps that make them more efficient. In some case this may mean that employees will knowingly use banned apps. If businesses want to avoid this kind of insubordination, they will have to work with their employees, not against them.

One part of the solution is a focus on education rather than overly-strict technological bans. Another is embracing the concept of BYOD rather than fighting it. For instance, many of our customers provide their own apps to run on employee-owned devices. We focus on providing these customers with solutions that allow them to make BYOD secure and manageable, without having to ban apps or impose invasive mobile device management software.

The rest of the solution will come from Cloud and mobile vendors taking steps to make their technologies more enterprise-friendly. This means, for example:

• Apple will need to recognize its prevalence in the enterprise market and take steps to certify iCloud and Siri for business use.
• Google Drive and Microsoft SkyDrive will need to deliver terms of service that assuage fears rather than fostering them.

No one has all of the answers yet and I suppose you can’t blame IBM for a cautious approach but the most successful BYOD initiatives are likely going to be those that are flexible enough to avoid alienating employees. How else will we know what happens when Siri is asked to open the pod bay doors?

Many people are familiar with Layer 7’s industry-leading security functionality, so it’s no surprise that I’d recommend using our Gateway technology to protect connections from on-premise infrastructure to off-premise Cloud services. The flexibility of deployment options we offer makes it possible to create a network of secure on- and off-premise endpoints to meet the most stringent requirements. This covers security but what about availability?

People seem to be less familiar with Layer 7’s routing capabilities. Our Gateway technology is optimized to perform flexible, content-based routing with negligible impact on overall transaction times. In the context of the Cloud, this means that traffic proxied by a Layer 7 Gateway can be re-directed using intelligent algorithms and even dynamic, state-based awareness. This routing capability, which I call “API-aware traffic management”, brings huge benefits in ensuring availability when connecting to multiple API instances – on-premise, off-premise, in multiple Clouds… anywhere on the hybrid network.

I’ll be discussing this topic in detail at the upcoming Cloud Expo 2012, June 11-14 in New York City. This promises to be a great event, so I hope you can make it and attend my discussion!

It will be interesting to see whether or not big enterprises buy into this “21st century mainframe” concept but what’s clear is that enterprises now want to migrate critical workloads to the Cloud, en masse. To realize the true benefits of Cloud, many of these workloads will have to be running off-premise. But since many will remain on-premise, enterprises will be relying on hybrid Cloud infrastructure for their most significant IT services.

Security remains a major area of concern for organizations looking to leverage the Cloud. Increasingly, availability and reliability are also significant concerns, particularly since Amazon has had a few outages recently. In addition to addressing these concerns, enterprises are evaluating how they can optimize processing volumes to get maximum cost benefit from their Cloud deployments.

Please join me at the Cloud Expo, June 11-14 in New York, where I’ll be discussing solutions for each of these considerations. Hey, we should have blue skies by then!

All of that is good but I’ve learned that if you add skiing into the mix, it becomes even better. Layer 7 is fortunate to have an excellent partnership with IPT, a very successful IT services company out of Zug, Switzerland. Each year, IPT holds a customer meeting up in Gstaad, which I think surely gives them an unfair advantage over their competitors in countries less naturally blessed. I finally managed to draw the long straw in our company and was able to join my colleagues from IPT at their annual event this January.

Growing up in Vancouver, with Whistler practically looming in my backyard, I learned to ski early and ski well. Or so I thought, until I had to try to keep up with a crew of Swiss who surely were born with skis on their feet. But being challenged is always good and I can say the same for what I learned from my Swiss friends about technology and its impact on the local market.

The Swiss IT market is much more diverse than people from outside of it may think. Yes, there are the famous banks but it is also an interesting microcosm of the greater European market — albeit run with a natural attention to detail and extraordinary efficiency. It’s the different local challenges that shape technology needs and lead to different emphasis.

SOA and Web services are very mature and indeed are pushed to their limits but the API market is still in its very early stages. The informal, wild west character of RESTful services doesn’t seem to resonate in the corridors of power in Zurich. Cloud appears in patches but it is hampered by very real privacy concerns and this, of course, represents a great opportunity. Secure private Clouds are made for this place.

I always find Switzerland very compelling and difficult to leave. Perhaps it’s the miniscule drop of Swiss ancestry I can claim. But more likely it’s just that I think the Swiss have got this life thing all worked out.

Looking forward to going back.