Managing Sensitive Information in an API and Microservices World

©2016 Apigee Corp. All Rights Reserved.

Peter Miron, Apcera; Joshua Norrid, Apigee

Transcript of Managing Sensitive Information in an API and Microservices World

Page 1: Managing Sensitive Information in an API and Microservices World


Managing Sensitive Information in an API and Microservices World

Peter Miron, Apcera; Joshua Norrid, Apigee

Page 2: Managing Sensitive Information in an API and Microservices World

Presented by Joshua Norrid, Apigee and Peter Miron, Apcera

Managing Sensitive Information in an API and Microservices World

Page 3: Managing Sensitive Information in an API and Microservices World

Innovation, Meet Trust.

Page 4: Managing Sensitive Information in an API and Microservices World


• Customers want CONVENIENCE.
• All parties desire CONTROL of sensitive data.
• All parties demand CONSISTENCY of experience and process.
• Sensitive Data Providers must apply CONSTRAINTS to CONSUMPTION.
• Sensitive Data Providers must achieve and maintain COMPLIANCE.


A “Chain of Custody” is required for managing sensitive information with APIs in the digital world.

Why Are We Talking About This?

Page 5: Managing Sensitive Information in an API and Microservices World


Help businesses compete digitally

Proven. More API management deployments – over 500 to date – run on Apigee than any other platform

$100M run rate. Signed definitive offer to be acquired by Google in September, 2016

API Management Platform: Apigee Edge

Experienced management team from BEA, Oracle, IBM, Yahoo


About Apigee

Page 6: Managing Sensitive Information in an API and Microservices World


Any Application
• Cloud Native Applications
• Legacy x86 Applications
• Containerized Applications and more!

Any Infrastructure

Composition, Orchestration & Deployment

Networking + Nano-Segmentation

Application Service Management

Policy & Enforcement

etc.

Apcera: A Trusted Application Management Platform


Workload Composition

Workload Resource Management

Workload Scheduling and Placement

Workload Communication and Connectivity

Policy and Automated Enforcement

Page 7: Managing Sensitive Information in an API and Microservices World


The Digital Value Chain

Page 8: Managing Sensitive Information in an API and Microservices World


The Extended Digital Value Chain

Page 9: Managing Sensitive Information in an API and Microservices World


The pipeline: inspiration from the past…


Page 10: Managing Sensitive Information in an API and Microservices World


A useful pattern from Caesar in Alesia…

• Alesia was a hill-top fort surrounded by river valleys, with strong defensive features.
• Over 80,000 men were garrisoned inside.
• 3 Roman legions built dual fortification walls that surrounded the enemy.
• A moat and 4.5 meter ditches were also constructed on the inner wall. Water from nearby rivers was used to fill it.
• No traffic was permitted inside or out without first being “mediated” or “transformed” by Roman soldiers. A true physical proxy.

Page 11: Managing Sensitive Information in an API and Microservices World

Mediate + Enrichment

Analytics

Developer Portal

Apps / Systems Developers + Partners

Users

API Security

Traffic Management

Callouts Extensibility (Node, Java, Python, JavaScript)

Dashboards + Reports

Monetization

Global Scale BaaS

Existing and New Services (SOAP, REST, HTTP/HTTPS, JMS, etc.)

Apigee + Apcera: Capabilities Magnified

APIs

PUT, DELETE, POST, GET

Multi-Cloud

Additl. Code + Logic

Enhanced Security

Semantic Pipeline Rules + BPM

Enhanced Messaging

Container Mgt.


Page 12: Managing Sensitive Information in an API and Microservices World


Trace Data Requests and Fulfillment at Each System / Application Handoff
• Who requested what data? When?
• Who else has access to that data?
• What services participated in the transaction to produce the report?
• What policies enabled that participation in the transaction?
• Are we certain no one and no other services have access to that data?

Service Consumers
A. Business Partners
B. Regulatory Agencies
C. Compliance
D. Legal Requests

Report Classification
A. Customer Privacy Related
B. Business Critical
C. Trade Secret

General Use Case

Diagram: a Trusted 3rd Party sends a Request Report call to the Reporting Service, which returns the Report.

Page 13: Managing Sensitive Information in an API and Microservices World


Service Consumers
A. Law Enforcement
B. Legal/Risk/Security

Telco Use Case

Telco offers call data reporting as a business service:
• Online and printed reports—who called whom, when, duration, etc.
• Policy governs the service—who has access to a given report, who saw a report, who granted access, who deploys software, who writes and tests software, etc.
• Composed of both software and operations (IT, legal, risk, etc.)

Report Classification
A. Sensitive / Privacy Related
B. Requires Warrant

Diagram: a Trusted 3rd Party sends Request Call Detail Records to the CDR Service, which returns the Client Details Report.

Page 14: Managing Sensitive Information in an API and Microservices World


Finance Use Case

Diagram: Client Onboarding Operations sends Request KYC Details for Jane Doe to the KYC Service, which returns the Client Details Report.

Client Onboarding Ops
A. Legal / Risk / Security (Internal)
B. Banking Systems
C. Audit (External and Internal)

Information Classification
A. Very sensitive / privacy-related
B. Requires a reason and entitlements to access
C. May result in fines, penalties, notification to entities impacted or other business operations if disclosed incorrectly (or thought to).

A Financial Firm Must:
• Capture and verify each account’s complete ownership, legal entities, for example, joint, LLC, individual.
• Capture all activities that create, update, delete or query client information.
• On a regular basis re-validate the above, retain all records in write-once form.
• Ensure that all information disclosure requirements are met for PCI and KYC related information (notification, credit insurance, etc.)
• In general the firm must provide all KYC supporting details as required by its policies and those of its regulator.

Requirements vary for each jurisdiction (country, state, etc.), product (stock, CD) and business (brokerage, banking, insurance, credit / loan)
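The “trace every handoff” questions on page 12 (who requested what and when, which services participated, which policies enabled it) and the “retain all records in write-once form” requirement on page 14 both point at the same artifact: an append-only chain-of-custody ledger. The following is an added example, not code from the presentation or from Apigee or Apcera; it assumes a simple hash-chained record format, hypothetical policy ids such as `POL-PARTNER-REPORT-READ`, and constructed sample handoffs for one report request. Each record carries the SHA-256 of the previous record, so a retained record that is edited, dropped or reordered after the fact is detectable by recomputing the chain.

```python
"""Append-only chain-of-custody ledger for sensitive-report handoffs (constructed example)."""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Set, Tuple


@dataclass(frozen=True)
class CustodyRecord:
    """One handoff of a sensitive report between a requester and a service."""
    seq: int
    timestamp: str        # ISO-8601 string supplied by the caller (constructed below)
    transaction_id: str   # ties every hop of one request together
    requester: str        # who asked for the data at this hop
    service: str          # which service handled the hop
    action: str           # "request", "fulfil" or "deliver"
    data_class: str       # report classification, e.g. "Customer Privacy Related"
    policy_id: str        # hypothetical id of the policy that authorised the hop
    prev_hash: str        # hash of the previous record (links the chain)
    record_hash: str      # SHA-256 over prev_hash + this record's payload


def _digest(payload: dict, prev_hash: str) -> str:
    """Canonical JSON of the payload, prefixed by the previous hash, then SHA-256."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class CustodyLedger:
    """Write-once: records are only ever appended, never updated or deleted."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._records: List[CustodyRecord] = []

    def append(self, **fields) -> CustodyRecord:
        prev = self._records[-1].record_hash if self._records else self.GENESIS
        payload = {"seq": len(self._records), **fields}
        rec = CustodyRecord(prev_hash=prev, record_hash=_digest(payload, prev), **payload)
        self._records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered record breaks it."""
        prev = self.GENESIS
        for rec in self._records:
            payload = {k: v for k, v in asdict(rec).items() if k not in ("prev_hash", "record_hash")}
            if rec.prev_hash != prev or _digest(payload, prev) != rec.record_hash:
                return False
            prev = rec.record_hash
        return True

    def requests_for(self, data_class: str) -> List[Tuple[str, str, str]]:
        """Who requested what data, and when: (requester, timestamp, transaction_id)."""
        return [(r.requester, r.timestamp, r.transaction_id)
                for r in self._records if r.data_class == data_class and r.action == "request"]

    def participants(self, transaction_id: str) -> List[str]:
        """Which services took part in producing the report, in order of first appearance."""
        seen: List[str] = []
        for r in self._records:
            if r.transaction_id == transaction_id and r.service not in seen:
                seen.append(r.service)
        return seen

    def enabling_policies(self, transaction_id: str) -> Set[str]:
        """Which policies enabled that participation in the transaction."""
        return {r.policy_id for r in self._records if r.transaction_id == transaction_id}


def build_sample_ledger() -> CustodyLedger:
    """Constructed handoffs for one report request through a gateway (not real data)."""
    ledger = CustodyLedger()
    txn, cls = "txn-0001", "Customer Privacy Related"
    ledger.append(timestamp="2016-10-04T09:00:00Z", transaction_id=txn, requester="partner-acme",
                  service="api-gateway", action="request", data_class=cls,
                  policy_id="POL-PARTNER-REPORT-READ")
    ledger.append(timestamp="2016-10-04T09:00:01Z", transaction_id=txn, requester="api-gateway",
                  service="reporting-service", action="fulfil", data_class=cls,
                  policy_id="POL-GATEWAY-TO-REPORTING")
    ledger.append(timestamp="2016-10-04T09:00:02Z", transaction_id=txn, requester="partner-acme",
                  service="api-gateway", action="deliver", data_class=cls,
                  policy_id="POL-PARTNER-REPORT-READ")
    return ledger


def tampered_sample_ledger() -> CustodyLedger:
    """The same ledger with one retained record altered afterwards, to show detection."""
    ledger = build_sample_ledger()
    ledger._records[1] = replace(ledger._records[1], requester="mallory")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    print("requests:", ledger.requests_for("Customer Privacy Related"))
    print("participants:", ledger.participants("txn-0001"))
    print("policies:", ledger.enabling_policies("txn-0001"))
    print("tampered chain intact:", tampered_sample_ledger().verify())
```

The hash chain only makes tampering detectable; it does not stop it. In practice the ledger head hash would also be anchored somewhere the writing service cannot modify (a separate audit store or periodic signed checkpoint), otherwise an attacker with write access could rebuild the whole chain.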

Page 15: Managing Sensitive Information in an API and Microservices World


Healthcare Use Case

Diagram: Trusted EMR 3rd Parties send Request EMR Details for John Doe to the EMR Service, which returns the Electronic Medical Records.

Trusted 3rd Parties
A. Doctors
B. Patients
C. Payers

Information Classification
A. Very sensitive / privacy-related
B. Requires a reason and entitlements to access
C. Requires auditability of access

Policy Governs:
• Organizations and potentially Users that can access data through Apigee Edge
• Developers' ability to modify software to update access to those records
• Operational control over where data can be sent to

Auditability:
• Access grant date
• Software modification
• Per request traceability
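The healthcare slide says access is policy-governed (which organizations and users, where data may be sent) and must be auditable (grant date, per-request trace), and page 14 adds that access “requires a reason and entitlements”. The following is an added example, not code from the presentation or from Apigee Edge; it assumes a hypothetical entitlement model, constructed organizations and principals (`clinic-north`, `dr-smith`, etc.), and a fixed evaluation date. Each decision returns a reason code and an audit record carrying the entitlement’s grant date and grantor, which is the per-request trace an auditor would later ask for.

```python
"""Policy-governed access with reason, entitlement and destination checks (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Entitlement:
    """A grant letting one principal of one organization read one class of record."""
    principal: str
    organization: str
    data_class: str
    granted_on: date           # the access-grant date the slide asks to audit
    granted_by: str            # who approved the grant
    expires_on: Optional[date] = None


@dataclass(frozen=True)
class AccessPolicy:
    """Which organizations may reach the records, and where the data may be sent."""
    allowed_organizations: FrozenSet[str]
    allowed_destinations: FrozenSet[str]
    require_reason: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    code: str                  # machine-readable outcome, e.g. "ENTITLEMENT_EXPIRED"
    audit: Dict[str, str]      # per-request trace record to retain


def evaluate_access(policy: AccessPolicy, entitlements: List[Entitlement], *,
                    principal: str, organization: str, data_class: str,
                    purpose: str, destination: str, today: date) -> Decision:
    """Deny-by-default evaluation; every outcome carries an audit record."""
    audit = {"principal": principal, "organization": organization, "data_class": data_class,
             "purpose": purpose, "destination": destination, "evaluated_on": today.isoformat()}
    if organization not in policy.allowed_organizations:
        return Decision(False, "ORG_NOT_PERMITTED", audit)
    if policy.require_reason and not purpose.strip():
        return Decision(False, "REASON_REQUIRED", audit)
    ent = next((e for e in entitlements
                if e.principal == principal and e.organization == organization
                and e.data_class == data_class), None)
    if ent is None:
        return Decision(False, "NO_ENTITLEMENT", audit)
    if ent.expires_on is not None and today > ent.expires_on:
        return Decision(False, "ENTITLEMENT_EXPIRED", audit)
    if destination not in policy.allowed_destinations:
        return Decision(False, "DESTINATION_NOT_PERMITTED", audit)
    audit["entitlement_granted_on"] = ent.granted_on.isoformat()
    audit["entitlement_granted_by"] = ent.granted_by
    return Decision(True, "ALLOWED", audit)


# Constructed policy and grants (hypothetical names, not from the presentation).
SAMPLE_POLICY = AccessPolicy(
    allowed_organizations=frozenset({"clinic-north", "payer-blue"}),
    allowed_destinations=frozenset({"emr-portal", "payer-claims-api"}),
)
SAMPLE_ENTITLEMENTS = [
    Entitlement("dr-smith", "clinic-north", "EMR", date(2016, 9, 1), "privacy-officer"),
    Entitlement("claims-bot", "payer-blue", "EMR", date(2016, 6, 1), "privacy-officer",
                expires_on=date(2016, 9, 30)),
]


def demo() -> List[Decision]:
    """Five constructed requests covering the allow path and each denial reason."""
    today = date(2016, 10, 4)
    common = dict(data_class="EMR", today=today)
    return [
        evaluate_access(SAMPLE_POLICY, SAMPLE_ENTITLEMENTS, principal="dr-smith",
                        organization="clinic-north", purpose="treatment: follow-up visit",
                        destination="emr-portal", **common),
        evaluate_access(SAMPLE_POLICY, SAMPLE_ENTITLEMENTS, principal="dr-smith",
                        organization="clinic-north", purpose="", destination="emr-portal", **common),
        evaluate_access(SAMPLE_POLICY, SAMPLE_ENTITLEMENTS, principal="claims-bot",
                        organization="payer-blue", purpose="claim adjudication",
                        destination="payer-claims-api", **common),
        evaluate_access(SAMPLE_POLICY, SAMPLE_ENTITLEMENTS, principal="dr-smith",
                        organization="clinic-north", purpose="treatment",
                        destination="personal-email", **common),
        evaluate_access(SAMPLE_POLICY, SAMPLE_ENTITLEMENTS, principal="someone",
                        organization="unknown-org", purpose="curiosity",
                        destination="emr-portal", **common),
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.code, d.audit)
```

The order of checks matters for what the audit trail reveals: organization and reason are checked before any entitlement lookup, so a denied request from an unknown organization never learns whether an entitlement exists for that principal.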

Page 16: Managing Sensitive Information in an API and Microservices World

Demonstration

Page 17: Managing Sensitive Information in an API and Microservices World

Try Apcera Community Edition for Free: http://bit.ly/apcera-ce

Try Apigee for Free: Apigee.com

Page 18: Managing Sensitive Information in an API and Microservices World

Learn More at www.apcera.com

Thank You!

Joshua Norrid
@[email protected]

Peter Miron
@PeteMiron
[email protected]

Rachel Thieman

Page 19: Managing Sensitive Information in an API and Microservices World

Thank you

Page 20: Managing Sensitive Information in an API and Microservices World


Appendices


Page 21: Managing Sensitive Information in an API and Microservices World


Apigee Edge Covers The Entire API Management Lifecycle


Threat Protection

Test

Monetize

Scale Traffic

Maintain Availability

Update / Iterate

Publish APIs

Analyze

Develop

Deploy

Model

Access Control

Data Access

Real Time Monitoring

Document

Use

Run

Build

Apigee Edge

Swagger

Node.js

Design

Package

Integration

Configuration

Coding

Transformation

Quota

Monitoring

Versions

Logging

Alerts

Debugging

Auditing

Load Testing

Staging

DDoS

Identity

Roles

Portal

Developers

App Registration

Rate Plans

Documentation

Mobile Data

Activity Metrics

Push Notification

Zero Downtime

Low Latency

Geo-Distribution

Traffic Spikes

Page 22: Managing Sensitive Information in an API and Microservices World


Apigee Products

Experience APIs

Intelligent Security

Run-time

Data Warehouse

CRM, ERP, etc.

SOA

Database

Customer Application

Infrastructure

Internet of Things

Vertical-specific

api-x

Backend APIs