Webinar: Securing Open Web APIs: Embrace The Oxymoron
Eve Maler, Principal Analyst
August 28, 2012. Call in at 12:55 p.m. Eastern time
Agenda
• Must we compromise security to increase accessibility?
• Consumerization-related trends challenge IAM traditions
• To secure and identity-enable the open Web, apply Zero Trust
• Leverage emerging technologies as powerful open Web security solutions
The world of the extended enterprise requires you to think outside the box
[Figure: three dimensions of the extended enterprise]
App sourcing and hosting: SaaS apps; apps in public clouds; partner apps; apps in private clouds; on-premises enterprise apps
User populations: employees; contractors; partners; members; customers
App access channels: enterprise computers; enterprise-issued devices; public computers; personal devices
Source: March 22, 2012, “Navigate The Future Of Identity And Access Management” Forrester report
Steve Yegge’s rant crystallized the challenge
“[Jeff Bezos] issued a mandate that was so out there, so huge and eye-bulgingly ponderous, that it made all of his other mandates look like unsolicited peer bonuses… ‘1) All teams will henceforth expose their data and functionality through service interfaces.’”
“Like anything else big and important in life, accessibility has an evil twin who, jilted by the unbalanced affection displayed by their parents in their youth, has grown into an equally powerful arch-nemesis (yes, there’s more than one nemesis to accessibility) named security. And, boy howdy, are the two ever at odds. But I’ll argue that accessibility is actually more important than security because dialing accessibility to zero means you have no product at all, whereas dialing security to zero can still get you a reasonably successful product such as the Playstation Network.”
Loosely coupled web services security hasn’t become super popular
IT HAS BEEN SLOW TO ADOPT WS-SECURITY
Source: Forrester’s November 2008 Global Software Strategies Online Survey
It’s a battle of “rich” versus “reach”
CLASSIC FEDERATION USE CASES ARE FALLING BEHIND NEW LOOSELY COUPLED IAM NEEDS
Source: October 26, 2011, “OpenID Connect Heralds The ‘Identity Singularity’” Forrester report
Agenda (continued): Consumerization-related trends challenge IAM traditions
Three trends affect how we control access to services
• Webdevification of IT
• Inward identity propagation
• Free-agent identities
In the API economy, security pros’ control diminishes with distance
Our security worlds are colliding
UNIFY YOUR STANCE AND PREPARE FOR ANYTHING
[Figure: B2C, SaaS, and B2E + B2B converging into “the identity singularity”]
Agenda (continued): To secure and identity-enable the open Web, apply Zero Trust
In Zero Trust, all interfaces are treated as untrusted
Apply Zero Trust all the way up the stack.
Source: September 14, 2010, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report
Plan for both inward and outward identity propagation
Source: March 22, 2012, “Navigate The Future Of Identity And Access Management” Forrester report
Go from IDaaS to “IAM as an API”
Source: March 22, 2012, “Navigate The Future Of Identity And Access Management” Forrester report
Agenda (continued): Leverage emerging technologies as powerful open Web security solutions
New identity solutions disrupt . . . but attract. Or, “the good thing about reinventing the wheel is that you can get a round one.”*
*Douglas Crockford, inventor of JavaScript Object Notation (JSON)
Emerging IAM standards have an edge over traditional ones for Zero Trust
[Table: IAM functionality versus standards; only the row and column headings and two cell labels survive]
Rows (IAM functionality): authentication, session management, SSO, federation | authorization, consent, access control | provisioning, proofing, self-service
Columns: established SOA-friendly standards | emerging web-friendly standards
Legible cell labels: SCIM; Connect (OpenID Connect)
OAuth: now the “web authorization protocol” standard
Web 2.0 players invented OAuth just to solve the “password anti-pattern”
What it really does is let a person delegate constrained access to an app
OAuth can help manage risk, cost, and complexity
FOR INTERNET-SCALE ZERO TRUST, YOU NEED IT ALL
• Gets client apps out of the business of storing passwords
• Friendly to a variety of user authentication methods and user devices, including smartphones and tablets
• Allows app access to be tracked and revoked on a per-client basis
• Allows for least-privilege access to API features
• Can capture explicit user authorization for access
• Lowers the cost of secure app development
• Bonus: provides plumbing for a much larger class of needs around security, identity, access, and privacy
Use case: consumer-facing web and native apps
EBAY HAS “CHANNEL PARTNERS” THAT CREATE APPS FOR SELLERS
[Figure: eBay seller (in resource owner role); eBay (in authorization server and resource server roles); third-party seller app (in client role)]
Third parties offer productivity apps to eBay sellers who list items and do other tasks through the eBay API. These apps never see the seller’s eBay credentials. They don’t merely “impersonate” the seller. The app can take action even if the user is offline.
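The delegation pattern in the eBay use case, together with the per-client revocation and least-privilege points from the preceding slide, as an added toy model. This is not code from the deck, from eBay, or from any OAuth library; the class names, scopes, and seller/app identifiers are constructed.

```python
import secrets
from dataclasses import dataclass, field

# Constructed toy model of the OAuth roles in the eBay-style use case above;
# hypothetical classes, not any real authorization server or the eBay API.

@dataclass
class AuthorizationServer:
    api_scopes: frozenset                       # scopes the protected API understands
    grants: dict = field(default_factory=dict)  # token -> (owner, client_id, scopes)
    def authorize(self, owner, client_id, requested, consent_given):
        # Tokens are issued only after the resource owner explicitly consents;
        # the client never handles the owner's eBay password, just the token.
        if not consent_given:
            raise PermissionError(f"{owner} declined {client_id}")
        scopes = frozenset(requested)
        if not scopes <= self.api_scopes:
            raise ValueError(f"unknown scopes: {sorted(scopes - self.api_scopes)}")
        token = secrets.token_urlsafe(32)       # opaque bearer token, tracked per client
        self.grants[token] = (owner, client_id, scopes)
        return token
    def revoke_client(self, owner, client_id):
        # Per-client revocation: only this app's tokens for this owner are removed.
        dead = [t for t, (o, c, _) in self.grants.items() if (o, c) == (owner, client_id)]
        for t in dead:
            del self.grants[t]
        return len(dead)

@dataclass
class ResourceServer:
    authz: AuthorizationServer
    def call(self, token, required_scope):
        # Least privilege: every API call is checked against the scopes granted.
        grant = self.authz.grants.get(token)
        if grant is None:
            return 401                          # unknown or revoked token
        _owner, _client, scopes = grant
        return 200 if required_scope in scopes else 403

def seller_scenario():
    # A seller delegates narrow access to two third-party apps, then drops one.
    ebay = AuthorizationServer(frozenset({"listings:write", "orders:read", "account:read"}))
    api = ResourceServer(ebay)
    lister = ebay.authorize("seller42", "lister-app", {"listings:write"}, True)
    stats = ebay.authorize("seller42", "stats-app", {"orders:read"}, True)
    return [api.call(lister, "listings:write"),        # 200: in scope, works while seller is offline
            api.call(lister, "account:read"),          # 403: scope never granted to this app
            ebay.revoke_client("seller42", "lister-app"),  # 1: one token revoked
            api.call(lister, "listings:write"),        # 401: revoked token
            api.call(stats, "orders:read")]            # 200: the other app is unaffected
```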
Use case: B2B and business SaaS app integration through SAML SSO
CONSTRUCTION FIRM LETS PROJECT PARTNERS “SSO IN” TO APIS USING NATIVE APPS
[Figure: partner workforce member (in resource owner role); construction firm (in authorization server, resource server, and SP [RP] roles); partner app (in client and IdP roles)]
Partner apps integrate with the construction firm’s valve-design service. On-site partner engineers log in to their home systems through a company-issued tablet. They can then use special apps that call the valve-design service, bootstrapped by SAML.
OpenID Connect: OpenID branding with OAuth DNA
OpenID Connect turns SSO into a standard OAuth-protected identity API

| Capability | OAuth 2.0 | SAML 2.0, OpenID 2.0 | OpenID Connect |
|---|---|---|---|
| Login session | Not responsible for session initiation | Initiating user’s login session | Initiating user’s login session |
| User consent | Collecting user’s consent to share attributes | Not responsible for collecting user consent | Collecting user’s consent to share attributes |
| Identity tokens | No identity tokens per se | High-security identity tokens (SAML only) | High-security identity tokens (using JSON Web Tokens) |
| Claims | No claims per se; protects arbitrary APIs | Distributed and aggregated claims | Distributed and aggregated claims |
| Client onboarding | Client onboarding is static | Dynamic introduction (OpenID only) | Dynamic introduction |
| Sessions | No sessions per se | Session timeout | Session timeout (in process) |
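An added example of the “high-security identity tokens (using JSON Web Tokens)” cell above: issuing and verifying an OpenID Connect-style ID token with HS256 using only the Python standard library. This is not code from the deck or from any provider; the issuer URL, client id, secret, and claim values are constructed, and a real relying party would normally verify an RS256 signature against the provider’s published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed example: a minimal ID token (JSON Web Token) signed with the client
# secret, plus the checks a relying party performs before trusting it.
# Hypothetical issuer, client id and secret; not code from any real provider.

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(claims: dict, secret: bytes) -> str:
    # Identity provider side: header.payload.signature, each base64url-encoded.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    nonce: str, now=None) -> dict:
    # Relying party side. Raises ValueError on any failed check.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")   # checked before any claim is trusted
    claims = json.loads(_unb64url(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:      # token minted for some other client
        raise ValueError("wrong audience")  # (real tokens may carry aud as a list)
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:        # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims
```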
Where SAML is “rich,” OpenID Connect holds promise for “reach”
• Already exposing customer identities using a draft OpenID Connect-style API
• Working to expose workforce identities through OpenID Connect
LOB apps and smaller partners can get into the federation game more easily; complex SAML solutions will see price pressure over time.
Get ready: OAuth and friends are spreading fast because Zero Trust is pulling them along.
Recommendations
• Select access control mechanisms with care in publishing APIs.
• Treat your internal environment as an ecosystem of its own.
• Look to emergent API management solutions.
• Be responsible in developing client apps as well.
Eve Maler
+1 617.613.8820
emaler@forrester.com
Twitter: @xmlgrrl