Identity in an API Economy KuppingerCole Webinar Sponsored by Layer 7
Transcript of Identity in an API Economy KuppingerCole Webinar Sponsored by Layer 7
Craig Burton, Distinguished Analyst, KuppingerCole
Identity in an API Economy
The API Economy and SAML
• Introduction to the API Economy Ecosystem
• The Cambrian Explosion of Everything
• An API for Everyone and Everything
• Admin-based mapping is broken
• E2S (Entity to Service) automation—beyond SAML
• Summary
Identity in an API Economy
The API Economy
• The Five KuppingerCole API tenets
1. Everything and everyone will be API-enabled
2. The API Ecosystem is core to any cloud strategy
3. Baking core competency in an API-set is an economic imperative
4. Enterprise inside-out
5. Enterprise outside-in
The API Ecosystem
Understanding the API Ecosystem
• The API Ecosystem is divided into two types of API design
– The API Provider—the enterprise inside-out
– The API Consumer—the enterprise outside-in
The API Ecosystem
Understanding the API Ecosystem
• The API Provider—the enterprise inside-out
– API types
• Open APIs—published APIs for public consumption
• Dark APIs—unpublished APIs for closed consumption
• The API Consumer—the enterprise outside-in
– API types
• Open APIs—published APIs for public consumption
• Dark APIs—unpublished APIs for closed consumption
• Internal APIs—legacy applications with traditional information and resources
The API Ecosystem
Understanding the API Economy—the billionaire club
The API Ecosystem
Understanding the API Economy—Twitter unpacked
• 13 billion API calls a day
• 54 million+ calls an hour
• 900,000+ calls per minute
• 15,000+ calls per second
Twitter traffic drove 2012 Olympic Coverage—All API-driven
The API Ecosystem
Understanding the API Ecosystem
The API Ecosystem
Open API Growth Rate
The API Ecosystem
API Growth Rate
• Open APIs
– We just hit the 7,000 API mark
– 8,000 by year end
– 16,000 by 2015
• Dark APIs
– Dark APIs grow at roughly 5x (plus or minus) the Open API growth rate
– 80,000 by 2015
The Cambrian Explosion of Everything
Growth In the Cambrian Era—unprecedented growth of life
The Cambrian Explosion of Everything
Apple’s numbers
• 400 million iOS devices
• 700,000 apps
• Average person uses 100+ apps per device
• 84 million iPads
• 68% market share in 2012
• 17 million iPads sold in April-June 2012
• More iPads than any PC vendor’s entire product line
• 94% of Fortune 500 are investing in or deploying iPads at work
The Cambrian Explosion of Everything
Cisco’s predictions and KC API tenet #1
• 2.8x devices per person on the planet by 2015
• 19.6b devices
• 7 billion people
• Tenet #1: Everyone and Everything is API-enabled
– 26.6 billion APIs
Broken Model
The Admin-based mapping model Is broken
• The identity model for ALL current SAML-based systems does not scale
• Identity model is Admin-based
• All entities are mapped to services by people (Admins)
• The Math
– Mapping 26.6 billion entities to just one service
– 640,000 admins 24 hours a day for 5 years
– Apple numbers 100+/10 apps per device
• Broken
Federation is evolving
Approach | IdPs | SPs | Type of IdP
1:1 – e.g. with a specific supplier | 1 | 1 | Owned by federation partner
1:n – e.g. authN to many cloud services | 1 | n | Owned by company
n:1 – e.g. a service for many suppliers or cloud service customers | n | 1 | Owned by many federation partners
n:1 – e.g. supporting different logins | n | 1 | Owned by whomever – Facebook, enterprise, government (eID), …
n:n – reality, if you look at the big picture | n | n | Look at all the federations of your company and you have a mix
The traditional federation approach: Direct connections
Diagram: users connected directly to apps, one connection per pair.
The future federation approach: Meshed/service-focused
Diagram: users and apps connected through a shared service mesh rather than point-to-point.
E2S Automation
e2s (Entity to Service) Automation—Beyond Admin-based SAML
• Scalable SAML will require automation
• Automation is enabled via APIs
• The future of e2s identity mapping must be API-based to meet today’s demand
– 400 million+ iOS devices
– 26.6 billion APIs
– These numbers are conservative
E2S Automation
e2s (Entity to Service) Automation—Beyond Admin-based SAML
• OpenID Connect is SAML’s API future
– Tractability unknown
– No vendor is using it for automation yet
– No vendor is doing e2s automation yet
• SCIM (System for Cross-domain Identity Management) is a potential e2s automation protocol
• Note: Salesforce Identity gives both of these standards a boost of reality.
Identity in the API Economy
Summary
• SAML will not support all use cases (but some)
• Other standards are not as mature
• That means:
– Don’t rely on an approach that is focused on traditional approaches
– Understand these approaches as a subset of the big picture
– Design your architecture for that big picture
– Start with the subset you need
– Look for technology which is built for (or whose suppliers are devoted to) the big picture
Identity, Access and Privacy Using SecureSpan
Simple, Scalable Solutions for OAuth, OpenID Connect, and SCIM
K. Scott Morrison
CTO
Oct 2012
The Old Enterprise
Formal and structured security & connectivity
• VPNs & proprietary protocols for thick clients
• HTTP(S) for browsers
• SOAP+WS-* for B2B
Diagram: the enterprise network (line-of-business servers) sits behind a firewall; road warriors with VPN, browser clients and formal trading partners reach it over VPN, SSL and WS-Security respectively.
The New Hybrid Enterprise
Highly agile security & connectivity
• REST, OAuth, OpenID Connect, SCIM
Diagram: the enterprise network (line-of-business servers, internal directories) sits behind a firewall; mobile devices, informal API-driven integrations and clouds (with client directories) connect from outside.
Recall: Change Drivers are Social, Mobile & Cloud (From: CB)
The Hybrid Enterprise Is Made Possible By APIs
Diagram: a web app, a web client and a mobile app all talk to the same API server. An API is a RESTful service.
A Fundamental Shift is Occurring
From the Old Enterprise to the New Hybrid Enterprise: this is the secret to achieving scale and agile federation.
The Problem: How do we bridge the gap between the need and a concrete implementation?
Issues:
• Agility
• Scalability
• Distribution
First Consider The Foundation Technologies
• OAuth—to get access to an API.
• OpenID Connect—to share information about users.
• SCIM—APIs for identity provisioning and management across domains.
Now prioritize these considering maturity and available infrastructure.
Priority #1: OAuth
• Make it easy
• Make it scale
How to Make OAuth Easy
• Simple, drop-in virtual or hardware gateway
• Acts as both Authorization Server (AS) and Resource Server (RS)
• Advanced security on all APIs: threat detection, audit, QoS management, etc.
Diagram: a SecureSpan Gateway at the firewall protects the RS (protected resource and directory inside the enterprise network) and also acts as AS for mobile devices, informal API-driven integrations, clouds and web apps.
All Authorization Grants
➠ Authorization code
➠ Implicit
➠ Resource owner password credentials
➠ Client credentials
How Easy?
How to Make OAuth Web Scale
Diagram: two firewalls separate the DMZ from the secure zone; SecureSpan Gateway clusters act as AS and as RS, and a SecureSpan Gateway serves as secure token store alongside the protected resource and directory.
How to Make OAuth Scale – Architecture
Diagram: the client on the Internet, a DMZ and the internal (secure) network. Components: the API Proxy Server (endpoints accessible through an API; accessed when the client requests resources), the Authorization Server (endpoints accessible through the OAuth protocol API; accessed when the client requests user authorization and tokens), the Resource Server (resource provider), the Token Server, the Token Store, the Client Store, the OVP, and the IDMS (accessible through an LDAP query).
• Resource Server / API proxy: Who is asking? Which API? What scope? Is the token valid? etc.
• Authorization Server: Prove who you are; authorize entitlement; etc.
• Token Server: Create, check, expire, revoke; etc.
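As an added illustration (not from the slides and not SecureSpan code), a hypothetical Python token server that models the Token Server duties named above (create, check, expire, revoke) together with the resource-server checks (who is asking, which API, what scope, is the token valid); the in-memory store, the API paths and the scope names are constructed for the example.

```python
import hashlib, secrets, time


def _key(token):
    # Keep only a hash of the bearer token so a dump of the store is not usable.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Hypothetical in-memory Token Server: create, check, expire, revoke."""

    def __init__(self, ttl=3600, clock=time.time):
        self._records, self._ttl, self._clock = {}, ttl, clock  # clock injectable

    def create(self, client_id, subject, scopes):
        token = secrets.token_urlsafe(32)  # opaque 256-bit random bearer token
        self._records[_key(token)] = {
            "client_id": client_id, "sub": subject, "scope": frozenset(scopes),
            "exp": self._clock() + self._ttl, "revoked": False}
        return token

    def check(self, token):
        # Record for a known, unexpired, unrevoked token; otherwise None.
        rec = self._records.get(_key(token))
        if rec is None or rec["revoked"] or self._clock() >= rec["exp"]:
            return None
        return rec

    def revoke(self, token):
        if (rec := self._records.get(_key(token))) is not None:
            rec["revoked"] = True

    def expire(self):
        # Purge expired records; return how many were dropped.
        now, before = self._clock(), len(self._records)
        self._records = {k: r for k, r in self._records.items() if now < r["exp"]}
        return before - len(self._records)


# Constructed mapping from API path to the scope it requires.
API_SCOPES = {"/v1/contacts": "contacts.read", "/v1/invoices": "invoices.read"}


def authorize_request(store, token, api_path):
    """RS checks from the slide: who is asking, which API, what scope, valid?"""
    rec = store.check(token)
    if rec is None:
        return False, "invalid_token"
    needed = API_SCOPES.get(api_path)
    if needed is None or needed not in rec["scope"]:
        return False, "insufficient_scope" if needed else "unknown_api"
    return True, rec["sub"]
```

A real deployment would back the store with the shared token store from the slide so every RS cluster node sees revocations and expiry at once.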
Priority #2: Introduce OpenID Connect
Diagram: the same DMZ / internal (secure) network layout (OVP, Client Store, Token Store, Resource Server, IDMS accessible through an LDAP query), with the OpenID Connect endpoints accessible to outside clients; the slide labels each endpoint Core or Optional.
• UserInfo: provide access token; get attributes (e.g. family_name, picture, gender, birthdate, etc.)
• CheckID: provide ID token; validate and return claims
• SessionMgmt: 1. refresh endpoint, 2. end session endpoint
• DynamicReg
• Discovery
Priority #3: Introduce SCIM
“…make it fast, cheap, and easy to move users in to, out of, and around the cloud.” http://www.simplecloud.info/
• RESTful API for user/group CRUD
• User/group schema
Summary
Implement OAuth now!
- Don’t roll your own
- Plan for failure
- Plan for scale
Plan for OpenID Connect
- Understand what you need to share
- Look to integration with existing identity providers
Plan for SCIM
- Came about because of obvious need
- Maturing very fast
For further information:
K. Scott Morrison
Chief Technology Officer
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377
http://www.layer7tech.com
Oct 2012