API-Security Gateway Dirk Krafzig

Transcription

1 API-Security Gateway Dirk Krafzig

2 Intro Digital transformation accelerates application integration needs Dramatically increasing number of integration points Speed Security Industrial robustness Increasing importance of compliance requirements IT-Sicherheitsgesetz ISO Traditional technologies are insufficient Too slow Insecure Too expensive

3 One Box Multiple Use Cases Smart ESB Public Interfaces Secure Cloud Access SSO Case Study: Multi-factor SSO Requirements Implementation patterns Authentication factors: SIM, Certificate, Password Best practices

4 One Box Multiple Use Cases Key Features XML Processing PKI Protocols: WS, REST, Mediation Identity Security Monitoring / Auditing Zero Programming Use Cases Smart ESB Public Interfaces Secure Cloud Access SSO

5 Smart ESB API gateway reveals it s strengths at runtime. Gateway ESB Mediation Security ++ + Governance ++ + Workflow - + Integration with Dev-Tools - ++ Learning Curve Costs ++ - Speed (Project delivery) ++ - Performance ++ -

6 Public Interfaces Requirements Highly visible Strategic impact E.g. part of digital strategy Multiple clients Huge number of individual users Access through internet Features Technology bridging Encapsulating internal systems and integrate with client s technology Security Support multiple security mechanisms Protect against multiple attack vectors Versioning Governance Scalability Robustness

7 Secure Cloud Access Requirements Usage of external services E.g. billing engine, geo data Usage of systems of business partners Analytics integration Features Protect against misuse Authentication Authorization Privacy Control potentially incurring costs Automated rules Governance Single point of control Logging

8 SSO Requirements Login of different users Convenient Secure Multiple user stores Avoid changes to legacy systems Access through internet Features Standard protocols such as SAML and OAuth Security Support multiple security mechanisms Login workflows Security integration Support multi-factor Governance Single point of control Logging

9 One Box Multiple Use Cases Smart ESB Public Interfaces Secure Cloud Access SSO Case Study: Multi-factor SSO Requirements Implementation patterns Authentication factors: SIM, Certificate, Password Best practices

10 Case Study: Multi-Factor SSO Internet and Intranet users shall use SalesForce Intranet users Internet users Based on Identity in Active Directory Business role assigned (RBAC) Official desktop PC Seamless access Kerberos identity Based on Identity in Active Directory Business role assigned (RBAC) Smartphone, tablet, official desktop PC, any other PC 2 factors SSL SIM card + Windows PW Certificate + Windows PW Certificate + SIM card

11 Single Sign-on User experience Seamless access to applications No book-keeping of log-in credentials Security Avoid post-it mentality Centralized mechanisms can be secured more efficiently Costs Costs of account administration per user Maintenance of ID stores Wikipedia Single sign-on is a property of access control of multiple related but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.

12 Multi-Factor Authentication Protect user against identity theft Apply multiple authentication factors Secret e.g. password Possession e.g. company hardware Token e.g. RSA token Biometric factor e.g. fingerprint Wikipedia Multi-factor authentication is a method of computer access control which a user can pass by successfully presenting several separate authentication stages. Addressing increasingly important requirements BYOD Access through Internet Usage by non-employees

13 Multi-Factor SSO 1) Open URL Start Service-Provider-initiated SAML protocol

14 Multi-Factor SSO 2) Redirect

15 Multi-Factor SSO 3) Retrieve Kerberos (SPNEGO) 1 If valid Kerberos ticket is available than proceed with Intranet workflow

16 Multi-Factor SSO Scenario: Intranet / Kerberos available 4.1) Retrieve roles LDAP 4.2) Redirect 4.3) Authorization

17 Multi-Factor SSO Scenario: Internet 5.3) Login 5.1) Redirect 5.2) Redirect 2 If no valid Kerberos ticket is available than proceed with Internet workflow

18 Multi-Factor SSO Scenario: Internet 5.4) Redirect 5.7) Redirect 5.6) Validate PIN 5.5) Retrieve PIN Pin: 1234

19 Multi-Factor SSO Scenario: Internet LDAP 5.8) Retrieve roles 5.9) Redirect 5.10) Authorization

20 Multi-Factor SSO Scenario: Internet (enhanced) 6.2) Check certificate 6.1) Retrieve certificate 3 Alternative, more convenient scenario if personalized certificate is available

21 Multi-Factor SSO Scenario: Internet (enhanced) 6.3) Redirect 6.4) Redirect

22 Multi-Factor SSO Scenario: Internet (enhanced) LDAP 6.5) Retrieve roles 6.6) Redirect 6.7) Authorization

23 Success Factors Easily define authentication workflows No programming! Keep up with changing requirements Fine-tune user experience Case study: requirements changed literally one day before going-live

24 Success Factors Bridge technology gaps Support any kind of encryption technology according to needs of involved systems Easily map one technology to another Case study: server for SIM authentication had particular requirements for SAML format

25 Success Factors Build-in PKI Support PKI life cycle For example quickly generate / sign keys for testing purposes Case study: Warnings for expiration of certificates were extremely helpful

26 Success Factors Monitoring Web console Monitor events as they occur Log file SNMP integration Case study: extremely useful for debugging

27 Success Factors Zero programming Allow working with data centre staff No learning curve for team Case study: just a few days of consulting needed to select appropriate approach and deliver best practice configuration ( and of cause to deliver the documentation ;-)

28 Success Factors Prepare for ever changing personal User friendly GUI Task-oriented, on-the-spot documentation Quick guides for fast familiarization with the job Allow deputy of the deputy to do basic tasks Check sanity od API gateway Start / stop Access log Identify security breaches Push into mainstream of data centre tasks (firewall and router configuration)

29 Thank you!