February 27th, 2012

New Solution Brief: API Management for Mobile

Increasingly, mobile is one of the major factors driving enterprises to expose their information assets via APIs. With the BYOD movement bringing mobile into the workplace and some forward-thinking enterprises equipping their employees with tablets, there is a growing need for enterprise-level apps that leverage systems and data exposed via APIs.

Of course, allowing enterprise data to be accessed from smart-phones and tablets (via public networks) creates a range of concerns around security and performance. The security risks are clear – perhaps less well understood is the fact that, for apps to perform efficiently, data will need to be filtered and transformed into formats and protocols suitable for mobile.

Layer 7’s new API Management for Mobile solution brief explains how our API Management Suite of products delivers everything enterprises need to address the data security and performance management concerns raised by integrating enterprise assets with mobile devices. To find out more download the solution brief now.

February 24th, 2012

Upcoming XACML Training Workshops

With the advent of APIs in the enterprise comes the need for a new security model. An effective runtime security strategy for the type of open integration environment created by APIs requires the deployment of three intertwined elements – a policy enforcement point, a policy decision point and an attribute service.

Layer 7’s SecureSpan API Proxy fits into this strategy as the policy enforcement point. The API Proxy verifies/authenticates any incoming message before assembling a standard XACML request, which is then sent to the policy decision point. Layer 7 offers easy integration with leading policy decision point technologies from Axiomatics and Radiant Logic.
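An added illustration of the enforcement-point flow just described, written for this post and not Layer 7's code or the SecureSpan product's API: the proxy authenticates the caller, pulls the caller's roles from a directory that stands in for the attribute service, assembles a XACML 3.0 request and hands it to a toy decision point. The API keys, the directory, the attribute id `urn:example:attribute:role` and the single rule are constructed for the example; a real deployment would send the request to a PDP such as the Axiomatics or Radiant Logic products mentioned above.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ATTR = "urn:example:attribute:role"  # hypothetical attribute id for the role claim
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample data: the proxy's credential store and the attribute service.
API_KEYS = {"k-1234": "alice", "k-9999": "bob"}
DIRECTORY = {"alice": ["finance"], "bob": ["sales"]}

def build_request(subject, roles, resource, action):
    # PEP: assemble a XACML 3.0 <Request> carrying subject, role, resource and action.
    req = ET.Element(f"{{{NS}}}Request", {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    def add(category, attr_id, values):
        attrs = ET.SubElement(req, f"{{{NS}}}Attributes", {"Category": category})
        for v in values:
            att = ET.SubElement(attrs, f"{{{NS}}}Attribute", {"AttributeId": attr_id, "IncludeInResult": "false"})
            ET.SubElement(att, f"{{{NS}}}AttributeValue", {"DataType": STRING}).text = v
    add(SUBJECT_CAT, SUBJECT_ID, [subject])
    add(SUBJECT_CAT, ROLE_ATTR, roles)
    add(RESOURCE_CAT, RESOURCE_ID, [resource])
    add(ACTION_CAT, ACTION_ID, [action])
    return ET.tostring(req, encoding="unicode")

def toy_pdp(request_xml):
    # Stand-in PDP with one rule: the "finance" role may GET /ledger; everything else is Deny.
    root = ET.fromstring(request_xml)
    vals = {}
    for attrs in root.findall(f"{{{NS}}}Attributes"):
        for att in attrs.findall(f"{{{NS}}}Attribute"):
            vals.setdefault(att.get("AttributeId"), []).extend(
                av.text for av in att.findall(f"{{{NS}}}AttributeValue"))
    permitted = ("finance" in vals.get(ROLE_ATTR, []) and vals.get(RESOURCE_ID) == ["/ledger"]
                 and vals.get(ACTION_ID) == ["GET"])
    return "Permit" if permitted else "Deny"

def enforce(api_key, resource, action):
    # Full PEP flow: authenticate, look up attributes, ask the PDP, enforce its decision.
    subject = API_KEYS.get(api_key)
    if subject is None:
        return "Deny"  # unauthenticated callers are rejected before any PDP round trip
    return toy_pdp(build_request(subject, DIRECTORY.get(subject, []), resource, action))
```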

To help enterprise architects understand how XACML is used for this kind of integration, we’ve been organizing a series of workshops in collaboration with our friends at Axiomatics, Radiant Logic and SailPoint. Coming up, we’ve got events at the Mikrotek Training Facilities in San Francisco, Chicago and New York. Here are the details:

February 23rd, 2012

Upcoming RSA Conference Talk: Hacking’s Gilded Age – How APIs Will Increase Risk & Chaos

I’m going to be speaking about API security at next week’s 2012 RSA Conference. I gave this talk the provocative title Hacking’s Gilded Age — How APIs Will Increase Risk & Chaos. It’s scheduled for Friday, March 2, 2012 at 10:10am in room 302.

Here’s the long form of the abstract, which gives a little more detail of what I’m going to cover in the talk than the short abstract that’s online does:

This session will explore why APIs (which are largely RESTful services) are fundamentally different than conventional Web sites, despite the fact that they share common elements such as the HTTP protocol. Web sites abstract back-end applications behind a veneer of HTML that should — if it is well-designed — constrain capability and thus limit an organization’s security exposure. APIs, in contrast, represent a more explicit interface leading directly into applications. These often self-document their intent and thus provide a hacker with important clues that may reveal potential attack vectors — from penetration to denial-of-service. Because of this, APIs require a much more sophisticated model for access control, confidentiality around parameters, integrity of transactions, attack detection, throttling and auditing.

But aside from the technological differences, there are cultural differences in the Web development community that considerably increase the risk profile of using APIs. Many API developers have backgrounds in Web site development and fail to understand why APIs demand a more rigorous security model than the Web sites they were trained on. In a misguided attempt to promote agility, convenience is often chosen over precaution and rigor. The astonishingly rapid rise of RESTful services over SOAP, OAuth over SAML, API keys over certificates and SSL (or nothing) over WS-Security is a testament to fast-and-informal prevailing over complex-and-standardized.

Nevertheless, it is certainly possible to build secure APIs and this session will demonstrate specifically how you can spearhead a secure and scalable API strategy. For every bad practice, we will offer an alternative pattern that is simple-but-secure. We will explicitly show how the API community is dangerously extending some Web paradigms, such as avoiding general use of SSL or not protecting security tokens, into the API world where the cost of failure is far greater. And finally, we will prescribe a series of directives that will steer developers away from the risky behaviors that are the norm on the conventional Web.

I hope you can attend. And if you do, please come up after the talk and say hello.

See you next week in San Francisco!

February 20th, 2012

Layer 7 at GSMA Mobile World Congress

The ubiquity of mobile devices is something we’ve all become used to in recent years. Still, the remarkable popularity of Apple’s iPad seems to have kicked things up another notch. The whole BYOD phenomenon has finally brought Apple hardware and software into the enterprise. Meanwhile, for many of us, the iPad (or similar tablet product) is becoming the primary means by which we consume content – newspapers, TV, music, you name it!

With new tablets coming on the market and consumers demanding more and more mobile access to content, API management is becoming an increasingly pressing concern for content providers. At Layer 7, we’ve been following these developments closely, while providing API management and security solutions to some big names in content delivery and mobile communications, including Orange.

We’ll be demonstrating our mobile API products at the end of this month, when we set up shop at the GSMA Mobile World Congress in Barcelona (February 27-March 1). This is undoubtedly the big mobile industry event of the year, so it’ll be exciting to be in the thick of things. The fact that it’s happening in a city as spectacular as Barcelona is just the icing on the cake. If you’re lucky enough to be attending, you’ll find us at booth 2.1A79.

February 15th, 2012

Workshop: API Security for Mobile & Cloud

Layer 7 will be at the RSA Conference next week, with CTO Scott Morrison and Director of Solutions Engineering Francois Lascelles both giving presentations. We’ll also be sponsoring the Cloud Security Alliance’s CSA Summit 2012, which will be taking place at the conference, on the 27th.

As part of our activities at the CSA Summit, we’ll be holding an enterprise-level workshop called API Security for Mobile & Cloud. The workshop will be held at the W Hotel between 1pm and 5pm. Sessions will include:

  • Open APIs: The New Enterprise Imperative for Mobile & Cloud & Security Implications
  • API Security & Management Best Practices
  • Managing API Access Through OAuth
  • API Threat Protection & Metering
  • Enabling API Discovery & Developer Self-Service – An API Developer Portal Example

The workshop will include lunch, a networking session and guest speaker Caleb Sima of Andreessen Horowitz, one of the leading venture capital firms in Silicon Valley. Caleb has been engaged in the Internet security arena since 1996 and has become widely recognized as one of the leading experts in Web security, penetration testing and the identification of emerging threats. He is a highly in-demand speaker, press resource and is regularly featured in the Associated Press and global security media.

Space is limited, so if you’re going to be attending the CSA Summit, be sure to register for the workshop today.