© 2013 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Copyright © 2013 CA. All rights reserved.
API Roles in Cloud and Mobile Security
Greg Olsen, IT Manager, Integration Services
Aug 20, 2015
Agenda
• Problem Statement
• Service Gateway
• API Portal
• Current Condition
• Q&A
Problems: Getting on the same page
Problem Statements
Problem Statement 1: Insufficient capabilities for exposing services to, and integrating with, customers, partners, external service providers, and applications residing outside our internal security domain (e.g., Amazon). Missing capabilities include consistent application of security policy, SLA management and enforcement, and easily usable administration interfaces.
Problem Statement 2: Need a central discovery method for all enterprise APIs. Missing capabilities include metrics and documentation.
Problem 1 Solution: Service Gateway (November 2011 until June 2012)
The project which drove the Service Gateway Project: Manager's Hub
• 1200 managers within Adobe
• Need to approve invoices/sick leave/sabbatical forms/offer letters/etc. from internal applications (SAP) to SaaS services
• The Manager's Hub allows approvals to be done via smart phones, tablets and desktops – a mobile strategy
Second driver: SAP HANA Project
• Implement 16 new services within Adobe and with select external vendors
• Roll out on June 22, 2012
Timeline
• Deployed Development, Non-prod and Production in May 2012
• Deployed first set of services into Production in June 2012
Service Gateway: Business Capabilities & Benefits

Policy
  Capabilities: • Consistent service-based policies across the enterprise • Ability to customize policies to meet changing or unique requirements • Policy creation, deployment and enforcement
  Business benefit: Ability to provide a more predictable and reliable level of service for key business functions

Service Level
  Capabilities: • Service performance • Throughput, availability and utilization tracked over time • Enforce established SLAs • Rate limiting to protect backend services
  Business benefit: Visibility into service performance measures, allowing the business to track how well SLAs are being met

Security
  Capabilities: • Authentication and authorization (OAuth, SAML) • Denial-of-service detection • Encryption • XML attack and intrusion prevention (e.g., nesting, injection)
  Business benefit: Protection of key resources through the use of state-of-the-art security mechanisms

Deployment
  Capabilities: • Virtual appliance (VMware, Amazon AMI, etc.) • Hardware-based appliance • Relevant to our current environments
  Business benefit: Leverages existing investments and allows for expansion into new environments where services are being developed
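The "XML attack and intrusion prevention (nesting, injection)" capability above is the kind of check a gateway runs before a message reaches a backend parser. The following is an added example, not code from the presentation or from the Layer 7 product: a Python screen that rejects oversized messages, nesting deeper than a configured limit, and any DOCTYPE or entity declaration (entity-expansion and external-entity attacks). The size and depth limits and the sample messages are constructed assumptions.

```python
import xml.parsers.expat


class XmlPolicyViolation(Exception):
    """Raised when an inbound XML message violates the gateway policy."""


def check_xml_message(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 32) -> int:
    """Screen an inbound XML message before it reaches a backend parser.

    Rejects oversized documents, element nesting deeper than max_depth
    (stack-exhaustion style nesting attacks), and any DOCTYPE or entity
    declaration (entity expansion such as "billion laughs", external entities).
    Returns the maximum nesting depth seen when the document passes.
    Limits are illustrative assumptions; tune them to the backend.
    """
    if len(data) > max_bytes:
        raise XmlPolicyViolation(f"message of {len(data)} bytes exceeds limit {max_bytes}")

    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0}

    def start_element(name, attrs):
        state["depth"] += 1
        if state["depth"] > max_depth:
            raise XmlPolicyViolation(f"nesting deeper than {max_depth} at <{name}>")
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def end_element(name):
        state["depth"] -= 1

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # No DOCTYPE means no internal subset, so no entity definitions at all.
        raise XmlPolicyViolation("DOCTYPE declarations are not accepted")

    def entity_decl(*_):
        raise XmlPolicyViolation("entity declarations are not accepted")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl

    try:
        # Exceptions raised inside expat handlers propagate out of Parse().
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlPolicyViolation(f"malformed XML: {exc}") from exc
    return state["max_depth"]


# Constructed sample messages (not real traffic from the deck).
GOOD = b"<approval><invoiceId>4711</invoiceId><decision>approve</decision></approval>"
DEEP = b"<a>" * 40 + b"</a>" * 40
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                  b"<lolz>&lol1;</lolz>")


def screen(data: bytes) -> str:
    """Gateway decision for one message: 'accept (depth N)' or 'reject: <reason>'."""
    try:
        depth = check_xml_message(data)
    except XmlPolicyViolation as exc:
        return f"reject: {exc}"
    return f"accept (depth {depth})"


if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("deep", DEEP), ("billion laughs", BILLION_LAUGHS)]:
        print(f"{label:15s} -> {screen(msg)}")
```

Rejecting DOCTYPE outright is the simplest policy for machine-to-machine APIs, where a legitimate client has no reason to ship an internal subset; it closes both entity expansion and XXE without trying to enumerate dangerous entity shapes.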
Integration Principles, Technologies, Services and Tools

Architecture Principles: Loose Coupling, Simplicity, Service Orientation, Global Access, Cloud Capable, Reusability, Reliability, Transparency

Enabling Standards and Technologies: REST, JSON, OAuth, SAML, X.509 Certs, PKCS, PCI-DSS, TLS, EDIINT (AS2), EDIFACT, ANSI X.12, SFTP, HTTP/HTTPS, XML, XPath, XML Schema, XSLT, SOAP, WS-Security, WS-Trust, WSDL, WS-Policy, JMS

Products: TIBCO BW, TIBCO EMS, webMethods, Informatica, SAP PI, Tumbleweed, Corticon, PGP, Apache CXF, Layer 7 Gateway, Layer 7 API Portal

iPaaS Services: Service Composition, Advanced Messaging, Database Integration, Event Processing, Distributed Cache, Managed File Transfer, Service Access & Governance, B2B Integration, Business Rules Mgmt

iPaaS Tools (Self Service): Support Forum, Self-Service Portal, Online Training, Virtual Dev Lab
Service Gateway Use Cases: Priorities

Required (*):
• REST to SOAP Mediation
• Resiliency
• Scalability
• Authentication and Authorization
• Logging and Auditing
• Unexpected Velocity of Transactions

Must have, but can initially live without:
• Apply Policies Based on Message Data
• Cross-Domain Service Mediation
• Dynamic Endpoint Lookup
• Distributing Policies to Service Gateway
• Load Balancing
• Service Level Management
• SSL Offload
• Monitoring Health of the Service Gateway

* Required – all else is a must have but can initially live without
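REST to SOAP mediation is the first required use case above. The following is an added example, not code from the presentation or from the Layer 7 gateway: a Python mediation layer that wraps a decoded JSON body into a SOAP 1.1 envelope for the backend and flattens the backend's response (or fault) back into a dict. The service namespace, operation name and sample response are constructed assumptions. The security point is that client-controlled values only ever become element text, which is escaped, and client-controlled keys are restricted to identifier-like names, so a caller cannot inject markup into the SOAP request.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:approvals"   # hypothetical backend service namespace (assumption)
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("svc", SVC_NS)


def rest_to_soap(operation: str, payload: dict) -> bytes:
    """Wrap a decoded JSON body into a SOAP 1.1 envelope for the backend.

    Values become element text (escaped by ElementTree); keys must be
    identifier-like so a client cannot smuggle markup via field names.
    """
    if not operation.isidentifier():
        raise ValueError("operation name is not a valid element name")
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    for key, value in payload.items():
        if not isinstance(key, str) or not key.isidentifier():
            raise ValueError(f"rejected field name {key!r}")
        ET.SubElement(op, f"{{{SVC_NS}}}{key}").text = str(value)
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def soap_to_rest(soap_response: bytes) -> dict:
    """Flatten the single child of the SOAP Body into a dict; raise on a SOAP Fault.

    Run the inbound XML screen (size/depth/DOCTYPE limits) on the response
    before this call; ElementTree itself does not bound entity expansion.
    """
    root = ET.fromstring(soap_response)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("unexpected SOAP body")
    result = body[0]
    if result.tag == f"{{{SOAP_NS}}}Fault":
        # SOAP 1.1 fault children are unqualified elements.
        raise RuntimeError(f"backend fault: {result.findtext('faultcode', '')}")
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in result}


# Constructed sample backend messages (not real traffic).
SAMPLE_RESPONSE = (
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><r:ApproveInvoiceResponse xmlns:r="urn:example:approvals">'
    b"<r:invoiceId>4711</r:invoiceId><r:status>APPROVED</r:status>"
    b"</r:ApproveInvoiceResponse></soap:Body></soap:Envelope>"
)
SAMPLE_FAULT = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body><soap:Fault><faultcode>soap:Client</faultcode>"
    b"<faultstring>Unknown invoice</faultstring></soap:Fault></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    request = rest_to_soap("ApproveInvoice", {"invoiceId": "4711", "note": "<b>x</b> & y"})
    print(request.decode())
    print(soap_to_rest(SAMPLE_RESPONSE))
```

The round trip matters for the same reason as the escaping: what the client sent as text comes back out as text, never as structure the backend interprets.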
Concerns and Caveats: Service Gateway
• The Gateway is faster at processing than the software in the backend – be prepared to throttle back the velocity of data!
• Some authentication models may not be approved for use by your security teams. Today we use IMS or SSO tokens and validate them against the IMS or OpenAM server; originally we wanted to use OAuth.
• Speed of adoption: originally we thought we'd have at least one year to ramp up. Once it went live, EVERYONE wanted to use it. Our current volume is higher than we thought we'd be after one year – plan for rapid adoption.
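The first caveat above (the gateway outruns the backend, so throttle the velocity of data) and the "rate limiting to protect backend services" capability earlier are the same control. The following is an added example, not code from the presentation or from the Layer 7 product: a per-client token-bucket limiter in Python that answers 429 with a Retry-After header before the backend ever sees the call. The burst and refill figures and the replayed request sequence are constructed assumptions.

```python
import math
import time


class GatewayThrottle:
    """Per-client token-bucket rate limiter for a service gateway.

    capacity        burst the backend can absorb before it starts queuing
    refill_per_sec  sustained rate the backend can process
    Each client refills independently, so one noisy consumer cannot
    exhaust the backend budget of the others.
    """

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self._clock = clock
        self._buckets = {}  # client_id -> (tokens, last_refill_time)

    def allow(self, client_id: str, now=None):
        """Return (allowed, retry_after_seconds) for one request."""
        now = self._clock() if now is None else now
        tokens, last = self._buckets.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + max(0.0, now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True, 0.0
        self._buckets[client_id] = (tokens, now)
        return False, (1.0 - tokens) / self.refill_per_sec


def gateway_response(throttle: GatewayThrottle, client_id: str, now: float):
    """Status code and headers the gateway sends before touching the backend."""
    allowed, retry_after = throttle.allow(client_id, now)
    if allowed:
        return 200, {}
    # 429 tells a well-behaved client when to come back; the backend never sees the call.
    return 429, {"Retry-After": str(max(1, math.ceil(retry_after)))}


def simulate(requests):
    """Replay (client_id, timestamp) pairs against a backend assumed to take
    a burst of 5 and then 1 request per second (illustrative figures)."""
    throttle = GatewayThrottle(capacity=5, refill_per_sec=1.0)
    return [gateway_response(throttle, cid, t)[0] for cid, t in requests]


# Constructed request stream: a mobile client bursts 7 calls at t=0, retries
# 3 times at t=2, and a second consumer arrives at t=2.
BURST = [("mobile-app", 0.0)] * 7 + [("mobile-app", 2.0)] * 3 + [("sap-hana", 2.0)]

if __name__ == "__main__":
    print(simulate(BURST))
```

Keying the bucket on the authenticated client identity rather than the source IP is what makes the "per client" promise hold once traffic arrives through shared NAT or a partner's egress proxy.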
Problem 2 Solution: API Portal (April 2012 to August 2012)
• Require a single location to find all the APIs flowing through the Service Gateway
• Track usage of the APIs
• Discovery of reusable APIs
• Documentation
• Sample code
API Portal
API Portal: Part of Layer 7's Turnkey Solution
Enterprise APIs lifecycle:
1. Publish & Secure APIs
2. Onboard Developers
3. Monetize your APIs
4. Close the Loop
Roles involved: Developer, Technical/Security Architect, Web Administrator, Business Manager
Concerns and Caveats: API Portal
• All want the benefits of the portal but not the work
• Documentation needs to be completed according to the templates we've shared
• Most teams do not want "another set of templates" even though the value is clear
• Adoption is slower than anticipated
• Reluctance by some of our business units to use an IT-owned and operated application
Current Condition
• Developers look to off-load security work to the Service Gateway for all their APIs – we can't keep up with demand!
• InfoSec looks to the Service Gateway to ensure data is compliant with internal policies
• Network Security looks to the Service Gateway to monitor attacks from the outside (we get scanned for vulnerabilities about once every 3 days)

Statistics after one year (ahead of forecast):
Average calls per minute / per hour: 95 / 5,700
Maximum calls per minute / per hour: 907 / 54,420
Total number of APIs: 29
Number of BUs: 7
Summary: A Few Words to Remember
• Had two problems to solve: a central gateway for all services and APIs, and a central registry for all those services and their documentation
• Caveats:
  – Agreement by all (security and application owners) prior to production roll-out
  – General agreement by all developers to use the API Portal
Q&A