March 5th, 2012

Layer 7 at RSA Conference 2012

RSA Conference 2012The 2012 RSA Conference is now over and as many journalists rightly noted this year’s show was as much about opening up the enterprise to the outside as it was about closing the enterprise from the outside. With the acceleration of Cloud adoption and the rapid growth of tablet and smart phone inside the enterprise, the need to manage how information is shared out securely has never been greater. To this end, Layer 7 gave two talks at RSA in addition to two workshops and a sponsorship of Cloud Security Alliance Conference around this general theme.

The two talks given by Layer 7 staff at RSA included one focused on access best practices for APIs called Enterprise Access Control Patterns for REST & Web API and the other focused on the threat implications of Open APIs called Hacking’s Gilded Age — How APIs Will Increase Risk & Chaos. The first was delivered by Layer 7 Director of Solution Engineering Francois Lascelles. The second was delivered by Layer 7 CTO Scott Morrison. For those of you not able to have caught the talks live, we provide the slides below. Enjoy.

 

February 29th, 2012

Upcoming Webinar: Simplifying API Access Control with OAuth

Extending Existing IAM Technology for Enterprise API Access Control featuring 451 ResearchAccess control is a key aspect of API management. When an enterprise launches an API, identity and access management (IAM) will be among its most pressing concerns. But access control is handled differently for APIs than it is for the Web or even Web services. This can present difficulties for an enterprise that wants to reuse its existing IAM  infrastructure to provide access control for APIs.

On March 14, I’ll be co-presenting a webinar called Simplifying API Access Control with OAuth, alongside Steve Coplan of 451 Research. We’ll be exploring a good deal of the ground around API access control and OAuth but with a particular focus on how existing IAM and Single Sign-On (SSO) systems can be extended to integrate with API-enabled applications and services.

In addition to discussing how enterprises can extend their existing IAM and SSO investments for API access, we’ll be looking at:

  • What security and management concerns are created by open APIs
  • How enterprises can address key IAM challenges when securing APIs
  • Why OAuth is becoming central to API access control

Space is limited – so, if you’re interested, sign up today!

February 15th, 2012

Workshop: API Security for Mobile & Cloud

CSA Summit at RSA ConferenceLayer 7 will be at the RSA Conference next week, with CTO Scott Morrison and Director of Solutions Engineering Francois Lascelles both giving presentations. We’ll also be sponsoring the Cloud Security Alliance’s CSA Summit 2012, which will be taking place at the conference, on the 27th.

As part of our activities at the CSA Summit, we’ll be holding an enterprise-level workshop called API Security for Mobile & Cloud. This workshop, which will be held at the W Hotel, between 1pm and 5pm. Sessions will include:

  • Open APIs: The New Enterprise Imperative for Mobile & Cloud & Security Implications
  • API Security & Management Best Practices
  • Managing API Access Through OAuth
  • API Threat Protection & Metering
  • Enabling API Discovery & Developer Self-Service – An API Developer Portal Example

The workshop will include lunch, a networking session and guest speaker Caleb Sima of Andreessen Horowitz, one of the leading venture capital firms in Silicon Valley. Caleb has been engaged in the Internet security arena since 1996 and has become widely recognized as one of the leading experts in Web security, penetration testing and the identification of emerging threats. He is a highly in-demand speaker, press resource and is regularly featured in the Associated Press and global security media.

Space is limited, so if you’re going to be attending the CSA Summit, be sure to register for the workshop today.

February 13th, 2012

OAuth Token Management

Tokens are at the center of API access control in the enterprise. Token management, the process through which the lifecycle of these tokens is governed, emerges as an important aspect of enterprise API management.

OAuth access tokens, for example, can have a lot of session information associated with them:

  • Scope
  • Client ID
  • Subscriber ID
  • Grant type
  • Associated refresh token
  • A SAML assertion or other token the OAuth token was mapped from
  • How often it’s been used, from where

While some of this information is created during OAuth handshakes, some of it continues to evolve throughout the lifespan of the token. Token management is used during handshakes to capture all relevant information pertaining to granting access to an API and it makes this information available to other relevant API management components at runtime.


During runtime API access, applications present OAuth access tokens issued during a handshake. The resource server component of your API management infrastructure, the Gateway controlling access to your APIs, consults the token management system to assess whether or not the token is still valid and to retrieve information associated with it, which is essential to deciding whether or not access should be granted. A valid token is not in itself sufficient. Does the scope associated with it grant access to the particular API being invoked? Does the identity (sometimes identities) associated with it also grant access to the particular resource requested? The token management system also updates the runtime token usage for later reporting and monitoring purposes.

The ability to consult live tokens is important not only to API providers but also to owners of applications to which they are assigned. A token management system must be able to deliver live token information, such as statistics, to external systems. An open API-based integration is necessary for maximum flexibility. For example, an application developer may access this information through an API developer portal, whereas an API publisher may get this information through a BI system or ops-type console. Feeding such information into a BI system also opens up the possibility of detecting potential threats from unusual token usage (frequency, location-based etc.) Monitoring and BI around tokens therefore relates to token revocation.

As mobile applications represent one of the main drivers of API consumption in the enterprise, the ability to easily revoke a token when, for example, a mobile device is lost or compromised is crucial to the enterprise. The challenge around providing token revocation for an enterprise API comes from the fact that it can be triggered from so many sources. Obviously, the API provider itself needs to be able to easily revoke any tokens if a suspicious usage is detected or if it is made aware of an application being compromised. Application providers may need the ability to revoke access from their side and – obviously – service subscribers need the ability to do so as well. The instruction to revoke a token may come from enterprise governance solutions, developer portals, subscriber portals etc.

Finally, the revocation information is essential at runtime. The resource server authorizing access to APIs needs to be aware of whether or not a token has been revoked.

The management of API access tokens is an essential component of enterprise API management. This token management must integrate with other key enterprise assets, ideally through open APIs. At the same time, token data must be protected and its access secured.

February 13th, 2012

Enterprise Apps & APIs: Current State

Enterprise Apps & APIsI really enjoyed presenting my first Layer 7 webinar last Wednesday, discussing enterprise mobile access and the “bring your own device” (BYOD) movement. This movement is snowballing and is even hitting the mainstream radar as this Globe & Mail article attests.  We can all speculate about what the ultimate impact will be on enterprise IT – and I certainly did that in the webinar – but we have to start from where we stand today. Therefore, here are some answers to the “current state” questions attendees asked at the end of the webinar…

How secure can mobile really be? Can it be used in government or defense organizations?
As Nathan Clevenger observes in his book iPad in the Enterprise, the increasing consumerization of IT has reversed the innovation flow. Whereas government research used to lead to technological invention that would be leveraged by businesses and then packaged for consumers (think silicon chips), we are now seeing consumer technology being embraced by business – and high-security government agencies are relatively late adopters due to their data protection concerns. However, mobile is definitely not being rejected by these organizations, since the potential increase in productivity and cost savings are way too high to ignore. At Layer 7, we feel strongly that our solutions can help the most secure organizations embrace mobile and Cloud strategies, as we are able to open up those new worlds while preserving existing security policies and even leveraging existing security infrastructure through new methods such as OAuth.

Have you seen enterprise customers moving apps to the Cloud to support the scale required for mobile?
Mobile app traffic has the potential to increase Enterprise API volumes by orders of magnitude. We’ve worked with clients who have gone through this exponential growth. This means more revenue for these companies but their infrastructure must be able to handle these new peaks. Satisfying this demand is absolutely driving migration of enterprise workloads to the Cloud. We recently did a webinar with Amazon and Best Buy on just this type of solution and are happy to report that Black Friday went off without a hitch. Our Layer 7 solutions are able to help on both sides of this equation: securing and scaling inbound mobile connections, as well as outbound to the Cloud.

Do you see enterprises using the API Portal mostly for internal or external developers?
Currently, much of the focus of mobile app development is in the public domain. Start-ups and established companies alike are looking to populate the Apple App Store and the Android Market. As we get further along the maturity curve of enterprise mobile migration, more and more apps will be developed explicitly for employees and companies will move to mobile device management for app distribution, as using public repositories will no longer be an option. So today, most of our Portal users are providing APIs for use by external developers but we expect to see a dramatic increase in enterprise portal usage for in-house development.

We’re at the start of a very exciting enterprise IT transformation and I hope these answers provide some insight into where we are today. Now, back to the future…