February 8th, 2013

Enabling OAuth Token Distributors

 

OAuth eBookAre you a token distributor? If you provide an API, you probably are.

One thing I like about tokens is that, when they are compromised, your credentials are unaffected. Unfortunately, it doesn’t work so well the other way around. When your password is compromised, you should assume the attacker could also get access tokens to act on your behalf.

In his post The Dilemma of the OAuth Token Collector and in this twitter conversation, Nishant Kaushik and friends comment on the recent Twitter hack and discuss the pros and cons of instantly revoking all access tokens when a password is compromised.

I hear the word of caution around automatically revoking all tokens at the first sign of a credential being compromised but in a mobile world where user experience (UX) is sacred and where each tapping of a password can be a painful process, partial token revocation shouldn’t be automatically ruled out.

Although, as Nishant suggests, “it is usually hard to pinpoint the exact time at which an account got compromised”, you may know that it happened within a range and use the worst case scenario. I’m not saying that was necessarily the right thing to do in reaction to Twitter’s latest incident but only revoking tokens that were issued after the earliest time the hack could have taken place is a valid approach that needs to be considered. The possibility of doing this allows the API provider to mitigate the UX impact and helps avoid service interruptions (yes, I know UX would be best served by preventing credentials being compromised in the first place).

Of course, acting at that level requires token governance. The ability to revoke tokens is essential to the API proviver. Any token management solution being developed today should pay great attention to it. Providing a GUI to enable token revocation is a start but a token management solution should expose an API through which tokens can be revoked too. This lets existing portals and ops tooling programmatically act on token revocation. Tokens need to be easily revoked per user, per application, per creation date, per scope etc. and per combination of any of these.

Are you a token distributor? You should think hard about token governance. You also think hard about scaling, security, integration to exiting identity assets and interop, among other things. We cover these issues and more in our new eBook : 5 OAuth Essentials for API Access Control.

December 18th, 2012

New Mobile eBooks

Layer 7 eBooksAs a Partner Architect at Layer 7, I’m lucky enough to get to interact with some of the best and brightest in the industry. These include software vendors, systems integrators, analysts and thought leaders. When you add in our own experts, we have access to a veritable “who’s who” of the API world.

Recently, we began a series of free eBooks that will distill our communal knowledge into specific, targeted recommendations for dealing with a variety of challenges around APIs – from interface design, to security, to developer engagement. Today, I’m pleased to announce the first two of these, which deal with API exposure for internal mobility projects and for externally-facing open APIs.

First, we have Enterprise on the Go: 5 Essentials for BYOD & Mobile Enablement. This eBook focuses on the challenge of securely exposing internal applications and information assets to mobile employees, either on their own devices (BYOD) or as part of a larger mobility initiative. These five key points for a successful deployment are presented in an easy-to-consume synopsis and then backed up by white papers, webinars and customer case studies. Of particular interest to our enterprise customers are the sections on repurposing existing services and using middleware to optimize for mobile use cases.

Next, we have 5 Ways to Get Top Mobile App Developer Talent for your Open APIs. While not all enterprises have chosen to expose their APIs externally, those that have are faced with the challenge of acquiring a talented community of developers that will build useful mobile apps for the consumer marketplace. However, enterprises can’t simply assume “build it and they will come.” Getting devs onboard requires investment in documentation, branding and community development. This eBook discusses some of the best methods for onboarding and rewarding those developers who provide the most value.

Whether focused on internal or external developers, these eBooks are valuable resources for anyone looking to expose APIs for mobile access to enterprise assets. We welcome your feedback on this format and look forward to continuing the series.

December 10th, 2012

Top 5 Resources from Layer 7 in 2012

Top Layer 7 ResourcesThis year has seen incredible growth in the API economy, particularly as it relates to the proliferating mobile app ecosystem. At Layer 7 technologies, we are committed to helping enterprises understand these issues through a range of thought leadership activities. As a part of this, we’ve published a great deal of content in our Resource Library during 2012. With the year drawing to a close, it seems like a great opportunity to review some of the most popular pieces.

We tackled issues around mobile and BYOD head-on in a white paper called Secure Mobile Access for Enterprise Employees, which describes how enterprises can securely open their data and application functionality to mobile devices via custom-made apps. Another popular white paper was Federated Identity & Single Sign-On, which explores identity federation for API, mobile, SOA and cloud.

Our webinars featuring input from Forrester Research also drew a lot of interest, especially A Practical Guide to API Security & OAuth for the Enterprise, which provided real-world insight into deploying OAuth as the access control component of a complete API Management solution. Forrester also helped us explore enterprise mobile enablement in another webinar, How to Make Your Enterprise Applications Mobile Ready, Fast.

Looking to the future, Layer 7 will be publishing a series of eBooks, outlining essentials for addressing key issues around API Management and Mobile Access. We got a great reaction from the first of these, called 5 Ways to Get Top Mobile App Developer Talent for Your Open APIs. Over the coming months, we’ll also be publishing eBooks talking about mobile enablement and OAuth. Be sure to watch out for those!