March 8th, 2012

Reminder: Upcoming API Access Control Webinar

OAuth handshake patterns and OAuth token management are currently two of the hottest topics related to enterprise APIs. Although OAuth originated as a third-party authorization mechanism, it now addresses a multitude of patterns related to controlling access for RESTful APIs. With version 2.0 of the standard defining numerous grant types that accommodate both two-legged and three-legged cases, OAuth is becoming the de facto standard for API access control.

Regardless of the specific access control scenario, any enterprise-scale OAuth implementation must leverage existing infrastructure and processes for managing and controlling identities. For example, OAuth should be implemented in a way that preserves any existing Single Sign-On user experience, or it should at least reuse existing identities and their attributes as part of the authorization checks.

Next Wednesday, I’ll be joined by Steve Coplan of 451 Research for a webinar called Simplifying API Access Control with OAuth. We’ll be taking an in-depth look at just how OAuth can be integrated with existing systems for effective API access control. We’ve already had a lot of interest in the event but there are still a few free spots, so don’t hesitate to sign up for the webinar today.

March 5th, 2012

Layer 7 at RSA Conference 2012

The 2012 RSA Conference is now over and, as many journalists rightly noted, this year’s show was as much about opening up the enterprise to the outside as it was about closing the enterprise off from the outside. With the acceleration of Cloud adoption and the rapid growth of tablets and smartphones inside the enterprise, the need to manage how information is shared out securely has never been greater. To this end, Layer 7 gave two talks at RSA in addition to two workshops and a sponsorship of the Cloud Security Alliance Conference around this general theme.

The two talks given by Layer 7 staff at RSA included one focused on access control best practices for APIs, called Enterprise Access Control Patterns for REST & Web API, and the other focused on the threat implications of open APIs, called Hacking’s Gilded Age — How APIs Will Increase Risk & Chaos. The first was delivered by Layer 7 Director of Solution Engineering Francois Lascelles. The second was delivered by Layer 7 CTO Scott Morrison. For those of you who weren’t able to catch the talks live, we provide the slides below. Enjoy.


March 2nd, 2012

API Security for Mobile & Cloud – A Best Practices Workshop for Enterprises Hosted by Layer 7

On Monday, February 27, 2012, Layer 7 hosted an exclusive workshop at RSA Conference in San Francisco at the trendy W Hotel. The audience was a group of IT professionals interested in learning more about API management as it relates to mobile and Cloud security.

There was an hour of networking before the presentations started, during which lunch was served. The room filled quickly. As this was an exclusive event, seating was limited. By the time the first presenter had started, it was standing room only.

Layer 7 CTO Scott Morrison hosted the event, which featured guest speakers Caleb Sima and Rag Ramanathan. The workshop provided insight into API security and management best practices for mobile and Cloud.

More and more enterprises are looking to API publishing as a way of exposing their data to partners and external developers building mobile apps and Cloud services. But this inevitably creates serious security concerns.

So the aim of the workshop was to address the issue of API security for mobile and Cloud, with three presentations. The slides from these presentations are embedded below.


Caleb Sima: Open APIs – Security for Mobile & the Cloud

A look at what’s driving new Internet-facing organizations to open up information through APIs, plus a discussion of the implications for application security.


Rag Ramanathan: Securing & Governing Cloud APIs

A look at why APIs matter in the Cloud and the unique security challenges Cloud APIs create.


Scott Morrison: API Security & Management Best Practices

A look at the high-level considerations for controlling, metering and monitoring APIs from test through to production.

March 1st, 2012

Layer 7 at the Hollywood IT Summit

This week, at Mobile World Congress, I got to see firsthand how mobile and Cloud are transforming the distribution of content. People want to consume entertainment on four screens: TV, PC, smartphone and tablet. They want their watching, listening, gaming and reading experiences to be 100% portable. They want instant, on-demand access to content. They sometimes want to own the content but they sometimes prefer to rent or subscribe. These changes in how end-users want to consume content are demanding a rethink of how entertainment producers deliver this content.

Cloud and APIs figure prominently in enabling entertainment producers to deliver content anytime, anywhere. APIs allow producers to expose content and associated metadata to “apps” that can be delivered via any smart device, including a TV. Similarly, Cloud computing creates the promise of instant content delivery to any device, on-demand. But for the content producer, exposing content from the Cloud, over APIs, across the Internet, to a mixed universe of internally and externally-built apps that may live on TVs, PCs, tablets or smartphones creates challenges around security and management.

Layer 7 offers solutions for entertainment producers and distributors who need to secure and manage content delivered from the Cloud, over APIs, to apps. That’s why, this Friday, Layer 7 will be exhibiting at the Hollywood IT Summit. If you happen to be attending, stop by the booth or catch Layer 7’s Steve Loscialpo giving a talk called Simplifying Content Distribution Across Mobile & Cloud Using API Management. Here are the event details:

  • Hollywood IT Summit – Friday, March 2, 2012
    Pepperdine University, Malibu Campus, Los Angeles – Register here

February 29th, 2012

Upcoming Webinar: Simplifying API Access Control with OAuth

Access control is a key aspect of API management. When an enterprise launches an API, identity and access management (IAM) will be among its most pressing concerns. But access control is handled differently for APIs than it is for the Web or even Web services. This can present difficulties for an enterprise that wants to reuse its existing IAM infrastructure to provide access control for APIs.

On March 14, I’ll be co-presenting a webinar called Simplifying API Access Control with OAuth, alongside Steve Coplan of 451 Research. We’ll be exploring a good deal of the ground around API access control and OAuth but with a particular focus on how existing IAM and Single Sign-On (SSO) systems can be extended to integrate with API-enabled applications and services.

In addition to discussing how enterprises can extend their existing IAM and SSO investments for API access, we’ll be looking at:

  • What security and management concerns are created by open APIs
  • How enterprises can address key IAM challenges when securing APIs
  • Why OAuth is becoming central to API access control

Space is limited – so, if you’re interested, sign up today!