Confronting API Security in the Brave New Open Banking Era


Transcript of Confronting API Security in the Brave New Open Banking Era

Page 1: Confronting API Security in the Brave New Open Banking Era

© 2015 Akana. All Rights Reserved.

Confronting API Security in the Brave New Open Banking Era

Sachin Agarwal

Page 2

Digital Disruption in Banking

Mobile Cloud Customer Centric

Block Chain Payments FinTech

Page 3

However, Risks Exist

Page 4

Page 5

How do banks open up to the digital economy while managing risk?

Page 6

EVOLUTION OF DIGITAL CHANNELS

Page 7

Client-Server / Web Applications

• No Programmatic Access

• Security through network isolation

• Limited Users

Access locations and variability of operations were limited

Page 8

Web Services

The enterprise opened slightly with Web Services/SOAP

• SSL/TLS, certificate-based, PKI, WS-Trust

• Some B2B and partner applications

• Complex, but quite secure and flexible

Page 9

And then came APIs

Disrupting how and where information is accessed

• Mobile and social apps don't understand PKI, WS-Security, etc.

• Focus on human readability, developer adoption

Page 10

Realizing End-to-End Security

Managing the User Experience

Securing the App - PII, PHI

Enabling Easy Developer Access

Securing the Channel

Securing the Backend

Page 11

Understanding the Security Landscape

API Specific Security:

• Protocol specific threats

• Key Management

• OAuth

• Monitoring

• Licensing

• Security Token Mediation

Other layers shown in the diagram: Single Sign On, MDM; ATP, Firewall, VPN etc.

Page 12

Major API Security Concerns

Page 13

API Consumer Security?

Page 14

Securing APIs

1 Authentication & Authorization

2 App Key Validation/Licensing

3 Message Security

4 Threat Protection

5 Content Filtering

6 Rate Limiting

Developers

Page 15

Authentication/Authorization/SSO

Control and restrict access to your APIs. Make it easy yet secure.

Page 16

Understanding OAuth

OAuth lets a person delegate constrained access from one app to another.

Roles shown in the diagram: User, Resource Owner, Client App, Resource Server

Page 17

OAuth Flow

Page 18

OAuth – You need

• OAuth Clients: Provisioning, Approval Flow

• OAuth Server: Identity Integration, Token Validation, Token Issue/Refresh

• Token Mediation (SAML, LDAP etc.), QoS, Monitoring, Policy Management, API Proxying, Reporting, Analytics

OAuth is hard and complicated.

Page 19

Licensing

Package your APIs in different ways. Use API keys to restrict what the App can access.

The licenses control:

– OAuth Authorization Scopes

– Document visibility

– Quota policies

Page 20

Message and Parameter Security

HTTP Parameter

• http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey

• Protect API keys with HMAC – Hash-based Message Authentication Code

Message Security

• Implement HTTPS

• For XML payloads, encrypt specific parts of the message
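The URL on this slide carries the app_key as a query parameter, where it ends up in proxy and server logs. As an added example (not Akana's code), the Python below implements the HMAC alternative the slide recommends: the app keeps the key secret and sends only app_id, a timestamp and an HMAC over method, path and sorted query; the gateway recomputes the HMAC and compares it in constant time. The credentials, header names and the 300-second skew window are constructed assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample credentials (hypothetical); the app_key itself never goes on the wire.
APP_KEYS = {"myid": b"mykey-this-is-a-shared-secret"}
MAX_SKEW_SECONDS = 300  # assumed freshness window against replay of captured signatures

def canonical_string(method: str, url: str, timestamp: int) -> bytes:
    # Bind the signature to method, path, the query (sorted, so order does not matter)
    # and a timestamp; anything outside this string is not protected.
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return f"{method.upper()}\n{parts.path}\n{query}\n{timestamp}".encode()

def sign_request(app_id: str, app_key: bytes, method: str, url: str, timestamp: int) -> dict:
    # Client side: headers to send instead of app_key=... in the URL.
    sig = hmac.new(app_key, canonical_string(method, url, timestamp), hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(timestamp), "X-Signature": sig}

def verify_request(headers: dict, method: str, url: str, now: int) -> tuple[bool, str]:
    # Gateway side: look up the key by app_id, reject stale requests, then compare
    # the recomputed HMAC with a constant-time comparison.
    app_id = headers.get("X-App-Id", "")
    key = APP_KEYS.get(app_id)
    if key is None:
        return False, "unknown app_id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    expected = hmac.new(key, canonical_string(method, url, ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"
```

Any change to the method, path or query after signing invalidates the signature, and a captured request cannot be replayed once the timestamp window has passed.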

Page 21

Threat Protection

• Denial of Service

• Injection Attacks

– Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks

• Cross Site Scripting

• Network address and range blacklists/whitelists

• HTTP Parameter Stuffing

Page 22

Content Filtering

• Provide a content firewall, protecting against malicious content

• Validate message content including message headers, form and query parameters, XML and JSON data structures

• Policies for XML and JSON DoS

• Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
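As an added example (not from the deck or the Akana gateway), a Python check of the kind a "JSON DoS" policy applies to a request body: a byte-size limit before anything is parsed, then an iterative walk that enforces nesting depth, object key count, array length and string length. The limit values and sample bodies are constructed.

```python
import json

# Constructed policy limits (hypothetical values); a gateway would make these per-API settings.
POLICY = {"max_bytes": 4096, "max_depth": 8, "max_keys": 64, "max_items": 256, "max_string": 1024}

def check_json_body(body: bytes, policy: dict = POLICY) -> tuple[bool, str]:
    # 1. Size check before parsing: never hand an oversized body to the parser.
    if len(body) > policy["max_bytes"]:
        return False, "body too large"
    # 2. Parse; the stdlib parser recurses, so extreme nesting surfaces as RecursionError.
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):
        return False, "malformed or too deeply nested JSON"
    # 3. Walk with an explicit stack so the policy check itself cannot overflow.
    stack = [(doc, 1)]
    while stack:
        node, depth = stack.pop()
        if depth > policy["max_depth"]:
            return False, f"nesting deeper than {policy['max_depth']}"
        if isinstance(node, dict):
            if len(node) > policy["max_keys"]:
                return False, "too many object keys"
            stack.extend((v, depth + 1) for v in node.values())
        elif isinstance(node, list):
            if len(node) > policy["max_items"]:
                return False, "array too long"
            stack.extend((v, depth + 1) for v in node)
        elif isinstance(node, str) and len(node) > policy["max_string"]:
            return False, "string too long"
    return True, "ok"

# Constructed samples: an ordinary payment-style request and a nested-array payload.
GOOD = b'{"account":"12345","amount":10.5,"tags":["rent"]}'
DEEP = b"[" * 20 + b"]" * 20
```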

Page 23

Quota Management/Rate Limiting

Restrict the number of calls an App can make. Apply controls based on context, affinity, segmentation etc.
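As an added example (not Akana's code) that ties the Licensing slide to this one: a small Python gateway admission check that validates the app key, checks the requested OAuth scope against the app's license, and enforces that license's quota policy with a sliding window keyed by app_id. License tiers, app ids, scope names and quotas are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed license catalogue (hypothetical): each license bundles the OAuth scopes
# an app may use and the quota policy (calls, window seconds) applied to its API key.
LICENSES = {
    "free":    {"scopes": {"accounts:read"},                   "quota": (5, 60)},
    "premium": {"scopes": {"accounts:read", "payments:write"}, "quota": (100, 60)},
}
APPS = {"app-free-1": "free", "app-prem-1": "premium"}  # app_id -> license name

class Gateway:
    def __init__(self) -> None:
        # Sliding window of request timestamps per app_id (the affinity key here).
        self._calls: dict[str, deque] = defaultdict(deque)

    def admit(self, app_id: str, scope: str, now: float) -> tuple[bool, str]:
        license_name = APPS.get(app_id)
        if license_name is None:
            return False, "unknown app key"           # app key validation
        lic = LICENSES[license_name]
        if scope not in lic["scopes"]:
            return False, "scope not licensed"        # license controls OAuth scopes
        limit, window = lic["quota"]
        calls = self._calls[app_id]
        while calls and now - calls[0] >= window:     # drop timestamps outside the window
            calls.popleft()
        if len(calls) >= limit:
            return False, "quota exceeded"            # quota policy / rate limiting
        calls.append(now)
        return True, "ok"
```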

Page 24

Relevance to PCI Compliance

• APIs are now part of e-commerce

• Card payments pass through APIs

• What about the infrastructure underlying the API?

Page 25

Akana API Gateway

Gateway capabilities shown: Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting

Page 26

The Akana Digital Business Platform

Page 27

API Resources and API University

• Resource Center – http://resource.akana.com/

• Follow us on:

www.facebook.com/soasoftware

www.linkedin.com/company/14301

@akanainc