Confronting API Security in the Brave New Open Banking Era
Transcript of Confronting API Security in the Brave New Open Banking Era
© 2015 Akana. All Rights Reserved.
Confronting API Security in the Brave New Open Banking Era
Sachin Agarwal
Digital Disruption in Banking
• Mobile
• Cloud
• Customer Centric
• Block Chain
• Payments
• FinTech
However, Risks Exist
How do banks open up to the digital economy while managing risk?
EVOLUTION OF DIGITAL CHANNELS
Client-Server / Web Applications
• No Programmatic Access
• Security through network isolation
• Limited Users
Access locations and variability of operations were limited
Web Services
The enterprise opened slightly with Web Services/SOAP
• SSL/TLS, certificate based, PKI, WS-Trust
• Some B2B and partner applications
• Complex, but quite secure and flexible
And then came APIs
Disrupting how and where information is accessed
• Mobile and Social Apps don’t understand PKI, WS-Security, etc.
• Focus on human readability, developer adoption
Realizing End-to-End Security
Managing the User Experience
Securing the App - PII, PHI
Enabling Easy Developer Access
Securing the Channel
Securing the Backend
Understanding the Security Landscape
• Protocol specific threats
• Key Management
• OAuth
• Monitoring
• Licensing
• Security Token Mediation
• API Specific Security
• Single Sign On, MDM
• ATP, Firewall, VPN etc.
Major API Security Concerns
API Consumer Security?
Securing APIs
1 Authentication & Authorization
2 App Key Validation/Licensing
3 Message Security
4 Threat Protection
5 Content Filtering
6 Rate Limiting
Developers
Authentication/Authorization/SSO
Control and restrict access to your APIs
Make it easy yet secure
Understanding OAuth
OAuth lets a person delegate constrained access from one app to another
User
Resource Owner
Client App
Resource Server
OAuth Flow
OAuth – You need
• OAuth Clients
• Provisioning
• Approval Flow
• OAuth Server
• Identity Integration
• Token Validation
• Token Issue/Refresh
• Token Mediation (SAML, LDAP etc.)
• QoS, Monitoring
• Policy Management
• API Proxying
• Reporting
• Analytics
OAuth is hard and complicated
Licensing
Package your APIs in different ways
Use API keys to restrict what the App can access
The licenses control:
– OAuth Authorization Scopes
– Document visibility
– Quota policies
Message and Parameter Security
HTTP Parameter
• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
• Protect API Keys with HMAC – Hash-based Message Authentication Code
Message Security
• Implement HTTPS
• For XML payloads encrypt specific parts of the message
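Here is an added example (not code from the Akana deck) of what "protect API keys with HMAC" means in practice: instead of sending app_key in the query string as in the URL above, the client keeps app_key secret, sends only app_id, and attaches an HMAC-SHA256 over the method, path, query, body hash and a timestamp; the gateway recomputes it from its own copy of the key and compares in constant time. The key table, the canonical string layout and the 5-minute replay window are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed server-side key table (assumption): app_id is public, app_key is
# the shared secret that never travels in the URL.
APP_KEYS = {"myid": b"mykey"}
REPLAY_WINDOW_SECONDS = 300  # reject signatures more than 5 minutes off


def canonical_string(method, path, query, app_id, timestamp, body=b""):
    """Fields both sides sign: everything an attacker could alter in transit
    (method, path, query, body) plus a timestamp to bound replay."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, app_id, str(timestamp), body_hash])


def sign_request(app_key, method, path, query, app_id, timestamp, body=b""):
    """Client side: HMAC-SHA256 over the canonical string, keyed with app_key."""
    msg = canonical_string(method, path, query, app_id, timestamp, body).encode()
    return hmac.new(app_key, msg, hashlib.sha256).hexdigest()


def verify_request(method, path, query, app_id, timestamp, signature, body=b"", now=None):
    """Gateway side: known app_id, fresh timestamp and a matching HMAC.
    compare_digest is constant-time, so timing does not leak the expected value."""
    app_key = APP_KEYS.get(app_id)
    if app_key is None:
        return False
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign_request(app_key, method, path, query, app_id, ts, body)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    ts = int(time.time())
    sig = sign_request(b"mykey", "GET", "/resources/sample/foo", "app_id=myid", "myid", ts)
    print("valid:", verify_request("GET", "/resources/sample/foo", "app_id=myid", "myid", ts, sig))
    # Any change to the signed fields (here an extra query parameter) fails verification
    print("tampered:", verify_request("GET", "/resources/sample/foo", "app_id=myid&x=1", "myid", ts, sig))
```

Because the key is never transmitted, a logged or intercepted URL no longer yields a reusable credential, and the timestamp limits how long a captured signature stays valid.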
Threat Protection
• Denial of Service
• Injection Attacks
– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
• Cross Site Scripting
• Network address and range blacklists/whitelists
• HTTP Parameter Stuffing
Content Filtering
• Provide a content firewall, protecting against malicious content
• Validate message content including message headers, form and query parameters, XML and JSON data structures.
• Policies for XML and JSON DoS
• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
Quota Management/Rate Limiting
Restrict the number of calls an App can make
Apply controls based on context, affinity, segmentation etc.
Relevance to PCI Compliance
• APIs are now part of e-commerce
• Card payments pass through API
• The infrastructure underlying the API?
Akana API Gateway
• Security
• Authentication
• Protection
• IAM Integration
• Encryption
• Mediation
• Quality of Service
• Paging/Caching
• Orchestration
• Scripting
The Akana Digital Business Platform
API Resources and API University
• Resource Center
– http://resource.akana.com/
• Follow us on:
www.facebook.com/soasoftware
www.linkedin.com/company/14301
@akanainc