API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration Services, Adobe - Layer 7 User Conference Palo Alto

Aug 20, 2015

Transcript
Page 1: API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration Services, Adobe - Layer 7 User Conference Palo Alto

© 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Copyright © 2013 CA. All rights reserved.

API Roles in Cloud and Mobile Security
Greg Olsen, IT Manager, Integration Services

Page 2: Agenda

Problem Statement
Service Gateway
API Portal
Current Condition
Q&A

Page 3: Problems

Getting on the same page

Page 4: Problem Statements

Problem Statement 1: Insufficient capabilities for service exposure and integration with customers, partners, external service providers, and applications residing outside our internal security domain (e.g., Amazon). Missing capabilities include consistent application of security policy, SLA management and enforcement, and easily usable administration interfaces.

Problem Statement 2: Need a central discovery method for all enterprise APIs. Missing capabilities include metrics and documentation.

Page 5: Problem 1 Solution: Service Gateway (November 2011 until June 2012)

The project which drove the Service Gateway Project: Manager’s Hub
• 1200 managers within Adobe
• Need to approve invoices/sick leave/sabbatical forms/offer letters/etc. from internal applications (SAP) to SaaS services
• The Manager’s Hub allows approvals to be done via smart phones, tablets and desktops – a mobile strategy

Second driver: SAP HANA Project
• Implement 16 new services within Adobe and with select external vendors
• Roll out on June 22, 2012

Deployed Development, Non-prod and Production in May 2012
Deployed first set of services into Production in June 2012

Page 6: Service Gateway: Business Capabilities & Benefits

Capability Area | Capability Description | Business Benefits

Policy
• Consistent service-based policies across the enterprise
• Ability to customize policies to meet changing or unique requirements
• Creation, deployment and enforcement
Business benefit: Ability to provide a more predictable and reliable level of service for key business functions

Service Level
• Service performance
• Throughput, availability and utilization tracked over time
• Enforce established SLAs
• Rate limiting to protect backend services
Business benefit: Visibility into service performance measures, allowing the business to track how well SLAs are being met

Security
• Authentication and authorization (OAuth, SAML)
• Denial of service detection
• Encryption
• XML attack and intrusion prevention (e.g., nesting, injection)
Business benefit: Protection of key resources through the use of state-of-the-art security mechanisms

Deployment
• Virtual appliance (VMware, Amazon AMI, etc.)
• Hardware-based appliance
• Relevant to our current environments
Business benefit: Leverages existing investments and allows for expansion into new environments where services are being developed
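The Security row above lists XML attack and intrusion prevention (nesting, injection) among the gateway's jobs. The following is an added example, not code from the deck or from the Layer 7 Gateway, of the kind of screening a gateway applies to inbound XML before forwarding it: a size cap, refusal of any DOCTYPE or entity declaration (which is where XXE and entity-expansion attacks live), a bound on element nesting, and a well-formedness check. The limits MAX_BYTES and MAX_DEPTH, the function names and the sample messages are all assumptions made for the illustration.

```python
"""Gateway-side screening of inbound XML before it reaches the backend:
size cap, no DOCTYPE or entity declarations (XXE / entity expansion),
bounded element nesting, and well-formedness.

Added example for this deck; not code from the original slides or from the
Layer 7 product. The limits (MAX_BYTES, MAX_DEPTH) are assumed illustrative
values, and the sample payloads at the bottom are constructed."""
from typing import Optional
import xml.parsers.expat

MAX_BYTES = 64 * 1024   # assumed per-message cap
MAX_DEPTH = 32          # assumed nesting cap; real service payloads rarely exceed ~10


class XmlPolicyViolation(Exception):
    """Raised when a payload breaks the screening policy."""


def screen_xml(payload: bytes, max_bytes: int = MAX_BYTES,
               max_depth: int = MAX_DEPTH) -> dict:
    """Parse the payload with a non-validating expat parser while enforcing
    the policy.  Returns {'depth': deepest nesting, 'elements': element count}
    for an acceptable message; raises XmlPolicyViolation otherwise."""
    if len(payload) > max_bytes:
        raise XmlPolicyViolation(
            f"payload of {len(payload)} bytes exceeds limit of {max_bytes}")

    state = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    # Any DOCTYPE is refused outright: that is where external entities
    # (XXE) and recursive entity definitions ("billion laughs") live.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlPolicyViolation("DOCTYPE declarations are not allowed")

    def on_entity_decl(*_):
        raise XmlPolicyViolation("entity declarations are not allowed")

    # Track nesting on every start/end tag and stop as soon as the cap is hit,
    # so a deeply nested payload costs at most max_depth events to reject.
    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise XmlPolicyViolation(
                f"nesting depth {state['depth']} exceeds limit of {max_depth}")
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(payload, True)   # exceptions raised in handlers propagate
    except xml.parsers.expat.ExpatError as exc:
        raise XmlPolicyViolation(f"malformed XML: {exc}") from exc
    return {"depth": state["max_depth"], "elements": state["elements"]}


def violation(payload: bytes) -> Optional[str]:
    """Convenience wrapper: the rejection reason, or None if the payload passes."""
    try:
        screen_xml(payload)
    except XmlPolicyViolation as exc:
        return str(exc)
    return None


# Constructed sample messages (not real traffic).
SAMPLES = {
    "clean":     b"<order><item sku='A1'/><item sku='B2'/></order>",
    "xxe":       (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM '
                  b'"file:///etc/passwd">]><x>&e;</x>'),
    "deep":      b"<a>" * 40 + b"</a>" * 40,
    "malformed": b"<a><b></a>",
    "oversized": b"<a>" + b"x" * MAX_BYTES + b"</a>",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:10} -> {violation(doc) or 'accepted'}")
```

Rejecting every DOCTYPE is a blunt rule, but for machine-to-machine APIs it is the right default: legitimate service payloads do not carry DTDs, and the check costs nothing compared with discovering an entity expansion in the backend's parser. The nesting cap fires on the first tag past the limit, so a hostile payload is rejected after at most MAX_DEPTH parser events rather than after the whole document has been read.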

Page 7: Integration Principles, Technologies, Services and Tools

(Diagram; the layers it shows are listed here.)

Architecture Principles: Loose Coupling, Simplicity, Service Orientation, Global Access, Cloud Capable, Reusability, Reliability, Transparency

Enabling Standards and Technologies: REST, JSON, OAuth, SAML, X.509 Certs, PKCS, PCI-DSS, TLS, EDIINT (AS2), EDIFACT, ANSI X.12, SFTP, HTTP/HTTPS, XML, XPath, XML Schema, XSLT, SOAP, WS-Security, WS-Trust, WSDL, WS-Policy, JMS

Products: TIBCO BW, TIBCO EMS, webMethods, Informatica, SAP PI, Tumbleweed, Corticon, PGP, Apache CXF, Layer 7 Gateway, Layer 7 API Portal

iPaaS Services: Service Composition, Advanced Messaging, Database Integration, Event Processing, Distributed Cache, Managed File Transfer, Service Access & Governance, B2B Integration, Business Rules Mgmt

iPaaS Tools (Self Service): Support Forum, Self-Service Portal, Online Training, Virtual Dev Lab

Page 8: Service Gateway Use Cases: Priorities

* REST to SOAP Mediation
Apply Policies Based on Message Data
* Resiliency
Cross-Domain Service Mediation
Dynamic Endpoint Lookup
* Scalability
* Authentication and Authorization
Distributing Policies to Service Gateway
Load Balancing
* Logging and Auditing
Service Level Management
SSL Offload
* Unexpected Velocity of Transactions
Monitoring Health of the Service Gateway

* Required – all else is a must-have but can initially be lived without

Page 9: Concerns and Caveats: Service Gateway

The Gateway is faster at processing than the software in the backend – be prepared to throttle back the velocity of data!

Some authentication models may not be approved for use by your security teams
• Today, we use IMS or SSO tokens and validate against the IMS or OpenAM server
• Originally, we wanted to use OAuth

Speed of adoption
• Originally we thought we’d have at least one year to ramp up
• Once it went live, EVERYONE wanted to use it
• Our current volume is higher than we thought we’d be after one year – plan for rapid adoption
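Both the Service Level row on page 6 (rate limiting to protect backend services) and the first caveat above (the gateway outruns the backend, so throttle the velocity of data) come down to the same control. The following is an added example, not code from the deck or from the Layer 7 Gateway, of a per-consumer token bucket as a gateway would apply it: each consumer credential gets a burst allowance and a sustained rate sized for the backend, and excess calls are answered with 429 and a Retry-After header instead of being forwarded. The rates, consumer names and request trace are constructed for the illustration.

```python
"""Per-consumer token-bucket throttle of the kind a service gateway applies in
front of a backend that cannot absorb the gateway's own throughput.

Added example for this deck; not code from the original slides or from the
Layer 7 product. The consumer names, limits and request trace are constructed
for illustration."""
import math
from typing import Dict, List, Tuple


class GatewayThrottle:
    """Token bucket per consumer credential (API key / client id).

    rate_per_sec is the sustained rate the backend has been sized for; burst is
    the short-term allowance.  Calls are clocked by an explicit `now` so the
    policy is deterministic and testable; a real gateway passes time.monotonic()."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self._buckets: Dict[str, Tuple[float, float]] = {}  # consumer -> (tokens, last_seen)

    def allow(self, consumer: str, now: float) -> Tuple[bool, float]:
        """Return (accepted, retry_after_seconds); retry_after is 0.0 when accepted."""
        tokens, last = self._buckets.get(consumer, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last call
        if tokens >= 1.0:
            self._buckets[consumer] = (tokens - 1.0, now)
            return True, 0.0
        self._buckets[consumer] = (tokens, now)
        return False, (1.0 - tokens) / self.rate  # time until one token is back


def gateway_response(throttle: GatewayThrottle, consumer: str,
                     now: float) -> Tuple[int, Dict[str, str]]:
    """Map the throttle decision to what the client sees: 200 (forward to the
    backend) or 429 with a Retry-After header rounded up to whole seconds."""
    ok, wait = throttle.allow(consumer, now)
    if ok:
        return 200, {}
    return 429, {"Retry-After": str(max(1, math.ceil(wait)))}


def simulate(throttle: GatewayThrottle,
             trace: List[Tuple[float, str]]) -> Dict[str, Dict[str, int]]:
    """Replay a (timestamp, consumer) trace and tally per-consumer outcomes."""
    tally: Dict[str, Dict[str, int]] = {}
    for ts, consumer in trace:
        status, headers = gateway_response(throttle, consumer, ts)
        t = tally.setdefault(consumer, {"200": 0, "429": 0, "retry_after": 0})
        t[str(status)] += 1
        if status == 429:
            t["retry_after"] = max(t["retry_after"], int(headers["Retry-After"]))
    return tally


# Constructed trace: a mobile client bursts 10 calls at t=0, a partner makes one
# call, then the mobile client sends 3 more one second later.
TRACE: List[Tuple[float, str]] = (
    [(0.0, "mobile-app")] * 10 + [(0.0, "partner-b")] + [(1.0, "mobile-app")] * 3
)


def run_demo() -> Dict[str, Dict[str, int]]:
    """Backend assumed to sustain 2 calls/s with a burst of 5 (illustrative values)."""
    return simulate(GatewayThrottle(rate_per_sec=2, burst=5), TRACE)


if __name__ == "__main__":
    for consumer, counts in run_demo().items():
        print(consumer, counts)
```

Keying the bucket on the consumer credential rather than the source IP is what keeps one chatty client (the deck's "EVERYONE wanted to use it") from consuming another business unit's share. In the constructed trace, the mobile client's burst of ten calls yields five accepted and five rejected; one second later the bucket has refilled only two tokens, so the third call at t=1 is again rejected with Retry-After: 1, while the partner's single call is unaffected.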

Page 10: Problem 2 Solution: API Portal (April 2012 to August 2012)

Require a single location to find all the APIs flowing through the Service Gateway
Track usage of the APIs
Discovery of reusable APIs
Documentation
Sample code

Page 11: API Portal

Page 12: API Portal: Part of Layer 7’s Turnkey Solution

(Diagram: the API Portal lifecycle around Enterprise APIs, in four steps: 1. Publish & Secure APIs; 2. Onboard Developers; 3. Monetize your APIs; 4. Close the Loop. Roles shown: Developer, Technical/Security Architect, Web Administrator, Business Manager.)

Page 13: Concerns and Caveats: API Portal

All want the benefits of the portal but not the work
Documentation needs to be completed according to templates we’ve shared
Most teams do not want “another set of templates” even though the value is clear
Adoption is slower than anticipated
Reticence by some of our business units to use an IT-owned and operated application

Page 14: Current Condition

Developers look to off-load security work to the Service Gateway for all their APIs – can’t keep up with demand!
InfoSec looks to the Service Gateway to ensure data is compliant with internal policies
Network Security looks to the Service Gateway to monitor attacks from the outside (we get scanned for vulnerabilities about once every 3 days)

Statistics after one year (ahead of forecast):

Metric | Today
Ave. Calls Per Minute/Hour | 95 / 5,700
Max Calls Per Minute/Hour | 907 / 54,420
Total Number of APIs | 29
Number of BUs | 7

Page 15: Summary: A Few Words to Remember

Had two problems to solve: a central gateway for all services and APIs, and a central registry for all those services and their documentation

Caveats
• Agreements by all (security and application owners) prior to production roll-out
• General agreement by all developers to use the API Portal

Page 16: Q&A