API Security to Connect Back-end APIs with HTML5 Cross-Platform Apps
Andy Thurai, CTO, Intel Big Data & Application Security Software
Twitter: @AndyThurai
Blog: www.thurai.net/securityblog
Intel software is growing.
Intel does software (or APIs)?
- Intel is a top-10 largest software company in the world (Forbes).
- Software represents nearly 15% (and growing) of Intel revenue.
- Intel software SVP Renee James is now President of the company.
- Intel's acquisition strategy has been software focused:
  - McAfee (security)
  - Mashery (API management, SaaS platform)
  - Sarvega (API gateway)
  - Aepona (telco / API monetization engine)
  - Wind River (embedded software for devices, IoT)
  - AppMobi (HTML5 dev tools company)
Source: Forbes
Converging Trends Driving the Mobile App Economy
- HTML5 offers platform and cost advantages for both enterprise and third-party developers. (VisionMobile)
- HTML5 usage and stability will appear first in mobile environments, and then on the desktop. Evolution of HTML5 is key to adoption of mobile BI applications. (Analyst)
- An API strategy is becoming a must in terms of speed to market with new products, maximizing business development, and product development opportunities. (USA Today)
- The BaaS market is estimated to grow from $216.5 million in 2012 to $7.7 billion in 2017. (MarketsandMarkets)
Intel Enabling the API Economy
We're investing in an arsenal of API-related assets to be a key player in the new API app economy:
- 10-year-old, mature Expressway gateway (security, deep integration)
- Mashery for API management: SaaS portal, part of the Expressway API Manager SKU, and a 300k developer community
- Aepona for telco API integration & monetization
- AppMobi: cross-platform push messaging, app promotion, in-app purchasing, integrated analytics
- Intel Cloud Services platform: a cloud-hosted BaaS API play
- Intel Capital investment in Feed Henry, a BaaS player
- Intel Intelligent Systems Framework for embedded APIs
- Ultimate driver for data center, enterprise apps, cloud & client-side platforms
Apps & APIs Turn the Enterprise Into a Platform
- Creates a virtuous spiral for the developers that build compelling apps and APIs.
- APIs extend the reach of apps as they become part of a distributed data network.
- As more people & devices use the APIs, the app developer generates more data.
- APIs can expose analytics which create feedback loops to optimize platform performance & user experience.
- APIs & mobile connections are the new client/servers.
[Diagram: Devices -> Cloud -> Services, APIs & Analytics -> Devices, and so on]
Intel is uniquely positioned with hardware, analytics and API portfolios to deliver an open approach.
Enterprises Have Unique Requirements for Mobile Enablement
Trying to get a mobile project going at your enterprise? Does this look familiar?
- Disparate middleware and database technologies
- Disparate identity management silos
- Disparate programming languages
- Current architecture optimized for web browsers
- Vertical integration prohibits cloud outsourcing
- Inconsistent security model across domains
- PII/PCI compliance requirements
On top of this you want:
- BYOD, any device
- Native application features
- Low development & maintenance costs
- Fast time to market
- Robust security for enterprise data
- Real-time BI streaming to the device
Our mobile reality is fragmented: iPhone, Android, Windows, BlackBerry. How can enterprises reduce cost drivers & speed revenue-generating innovation from APIs to mobile?
Key Drivers
- Cost reduction: drives the demand for low-cost solutions; cross-platform flexibility; new ways to get more from existing resources
- Security: compliance requirements; desire for customer trust and confidence; need to protect IP/brand
- Time to market: launch new apps faster on more platforms compared to alternatives
- Reliability: seeking trusted partners and advisors; reduced risk
- Operational efficiency: requires efficient practices, fungible resources, effort-saving tools
- Incremental revenue: utilize legacy information assets in innovative ways
Why Developers Favor HTML5 Clients for Development
- HTML5 is advanced: proven web technologies with advanced features. Intel takes HTML5 further with new APIs and Parallel JavaScript.
- HTML5 is open: built on open web technologies and W3C standards. More than two million HTML5 developers worldwide. Intel advances HTML5 via open source projects and the W3C.
- HTML5 is everywhere: more than one billion mobile devices with HTML5 browsers in 2013. 40% of app developers use HTML5 today, and another 40% plan to in the future.
Create apps faster, better and at lower cost.
Closed, Stack-Centric Solutions
Custom solutions / vertical integration:
- Vertical integration: custom app suite on a single device like the iPad
- Server solutions may be custom proprietary appliances tuned to their own extensive software stack
- High professional-service & integration overhead and expense
[Diagram: Native app on a single device -> custom back end (IBM, SAP, etc.); single-platform deployment; free, readily available client tooling tied to enterprise-grade middleware; lacking a back-end API]
Open End-to-End Approach
- HTML5-based apps / cross-platform: BYOD demands cross-platform client solutions
- Heterogeneous data connectors: Expressway securely exposes enterprise data to mobile devices at scale, connected to identity management systems
- Efficient SaaS or local API sharing portals to promote & manage APIs
HTML5 provides the enterprise with the most efficient, low-cost cross-platform solutions.
[Diagram: Cross-platform app on multiple devices -> Intel XDK -> Intel Expressway -> API portals -> existing back-end]
Traditional 3-Tier Server-Side Architecture
[Diagram: Browser -> Load Balancer / Web Application Firewall -> Web servers (Presentation Tier) -> Load Balancer -> App servers (Logic/application Tier) -> Load Balancer -> Database master with slaves 1..N (Persistence Tier)]
3-tier shared-nothing architecture:
- Most common architecture, widely deployed
- Gold standard, developed as a result of the web revolution
- Problem: designed primarily for HTML web browsers, not mobile apps
Image borrowed from Software Engineering for Software as a Service, Coursera course by Armando Fox and Dave Patterson.
2-Tier, App-Optimized Architecture
[Diagram: HTML5 & native apps -> Load Balancer -> API Gateway, Mobile Web Middleware server, Asset server (Delivery & Governance Tier) -> Load Balancer -> App servers (Logic/application Tier) -> Load Balancer -> Database master with slaves 1..N (Persistence Tier)]
2-tier API-optimized architecture using the API Gateway design pattern:
- Emerging standard for app enablement
- Pushes view/presentation to the client side
- Delivery tier focuses on integration, mediation, and security instead
Image borrowed from Software Engineering for Software as a Service, Coursera course by Armando Fox and Dave Patterson.
Retrofitting BaaS for Enterprise
Generic commodity mobile app services from the cloud:
- User management (federation), commerce, social messaging, geolocation, CMS & data storage
- Custom APIs, data query, REST façade
- Device SDKs and frameworks, e.g. PhoneGap
Enterprise BaaS requirements:
- API management, security & integration
- Mash-up of 3rd-party BaaS or provider APIs
- From single-use APIs to packaged turnkey enterprise delivery platforms designed around the business
[Diagram: Tools -> Backend -> API assets]
Runtime & Design-Time View
[Diagram: Execution side (legacy & identity; IT as a service (CSB); private cloud APIs; public or BaaS APIs) <-> local or SaaS API portal (API promotion & management) <-> request side (developer; hybrid apps and mashups; native apps; HTML5/hybrid apps; app development cycle)]
Intel in HTML5 Apps
App Dev Center:
- App Framework (jqmobi)
- App Porter: iOS to HTML5
- AppMobi SDK & 150K community
Intel XDK w/ source editing, emulation/PhoneGap, best-in-class testing:
- App Game Interface: augments the canvas object, optimized libraries
- HTML5 and JavaScript code are wrapped in a container to run as a native app
- Ability to leverage Expressway's WebSockets streaming, protocol translation & security, which reduces MDM dependencies
- SaaS control panel
"It's a very good tool." - Stephen Campbell, lead developer at Second Fiction Game Studio
[Diagram: Intel XDK client]
Develop HTML5 Apps
App Dev Center / Intel API Manager Portal -> Developer Apps
Targets: iOS*, Amazon*, Android*, Windows* 8, Nook*, Facebook*, Appup*, Chrome*, WebApp
Intel XDK on software.intel.com/html5
*Other brands and names are the property of their respective owners.
HTML5 Client Development Workflow
- Write once, run everywhere
- Make security architecture part of the design: CORS best practices and API key management are security design decisions applicable on multiple targets
Security Usages: HTML5 API Key Security
[Diagram: HTML5 application deployment model: HTML5/JavaScript app sends an HTTP request (carrying the API key) to the server]
API key security concern:
- HTML5 apps are pushed to the client, including all API keys
- API keys for cross-platform requests will be distributed to all clients
- Clients can view source to obtain API keys
Solution #1: obfuscate the API key; may work for low-value APIs.
Solution #2: replace the API key with a function call to Intel Expressway API Manager for step-up authentication.
Security Usages: HTML5 Security Architecture with a Service Gateway
[Diagram: HTML5 application calls gateway_auth() on the service gateway (delivery tier: service gateway, web servers, asset server); the gateway challenges the user against enterprise identity management and returns the API key]
Dynamic API key increases security:
- API key returned at runtime
- JavaScript function makes an HTTP(S) API call to the service gateway
- User forced to strong authentication: browser mutual SSL, or challenge with username/password or OTP (one-time password)
- Supports enterprise authentication and authorization systems, such as Oracle, CA, IBM, LDAP/AD
- Minimal impact to the existing API key lifecycle
Intel IT Use Case
- Real-time conference room availability
- Mashup of reservation system API and sensor information
- Upgrade to WebSocket to give real-time updates as rooms are occupied
- Streaming pattern applicable to real-time Big Data BI
Biotech Client to Mobile Middleware Use Case
Challenge: translation of legacy data to APIs, securely exposing sensitive data never designed to leave the data center, infrastructure scalability and performance.
- PII compliance
- Heterogeneous back end driven by M&A
- Secure delivery of analytical data
- Legacy systems & protocols
Solution: middle-tier API proxy & portal for threat defense, IaaS cloud authentication/authorization, data translation and high-performance RESTful APIs.
Benefits:
- Scaled BYOD mobile app delivery to 10K users
- Ability to create new app mash-ups from multiple legacy systems
- Optimized server tier for dynamic content requests
- Connected client app dev to server-side API runtime
- Safely protect PII data in transit to/from mobile
[Diagram: 10K+ BYOD geo-distributed mobile base and client app dev tools -> client access -> local API portal, middle tier & API management -> legacy systems]
Emerging Uses: Touchless API Security for Hadoop & PCI/PII Data Controls
- Tokenization service
- Intel Compliance Platform
- PCI, PII data anonymization
Intel Expressway API Manager & Intel XDK
Engaged dev communities:
- 130K HTML5 (AppMobi)
- 300K server-side API (Mashery)
Enterprise on-prem or cloud API sharing with integrated run-time enforcement & mediation