Today's Security > 140 Conversation is with Craig Burton is a Distinguished Analyst at Kuppinger Cole, in his recent work, Craig explores the API Economy and how participating in the API economy reconfigures organizations' priorities.
GP: Your work on the API economy has many implications, as a security guy I am particularly interested in the security and identity bits. What do you think changes in the security architect's world when they're defending an API (and the data and functionality behind it) versus normal IT Security defending an enterprise?
CB: I think the biggest change is in the area of token and key management. If an organization wants to make sure that its API(s) are not being abused, well managed keys and tokens are essential. Managing developer's with keys is probably not something most organizations have ever done. This will be new and will require focus, education and vigilance. This is why finding the right partner for managing an API or API suite is essential.
The dichotomy of purpose is also going to be a challenge. In the enterprise, the job is to plug any and all holes as much as possible.
In an API economy, it is essential to have elegant managed access to core competency.
This is not only a technical challenge with keys and tokens, but a political and position challenge that goes against the grain of the past.
GP: Right on the money with "going against the grain of the past"- many infosec teams are driving by looking in the rear view mirror. I think that people are used to looking at security as a binary "secure/insecure" but the API economy, Attribute based access control, and federation these are all based on dividing up certain discrete parts of the access control chain of responsibilities. Its natural that people focus bulk of their attention on securing the interface but that's only one part. Have you seen this trickle down into changes of authorization and access control in the apps and/or bubble up to how companies interact with API consumers?
CB: Not yet, but I am sure it will happen. Managing keys is a huge task and can be easily done poorly.
GP: OAuth and Federation are two of the core security elements in your API economy definition. What role do you see these playing? These go well beyond key management, the links are much deeper on the Service Provider side and Identity provider side, no?
CB: Yes. OAuth, especially since Facebook is now using only OAuth 2.0, is emerging as the preferred mechanism for token-based authentication. The two-legged and three-legged ceremonies are exactly what developers needs. Of course key and token management are core for this to work. Anyone providing support for OAuth has to manage keys.
Federated authentication systems are way behind. The SAML movement didn't really consider developers at all. Supporting developers will need to move up on the list of priorities for this community to get into the API game.
GP: The other elements you describe in the API economy such as late binding and event-driven have an impact on security architecture as well, open, late binding, and event driven systems have different security requirements than say traditional mainframe or PC applications or even web portals. The WS-* approach was to sort of try and bring everything into one circus tent, the aggregation of REST, JSON, OAuth and other standards and styles seems to be moving in a certain direction too but in a bottom up way. This might make integration trickier, are there things enterprises can do here to make sure there identity and security architecture is coherent with API Economy style apps?
CB: Enterprises need to hire an API support group or company to help them make sure they get it right.
The top five in alphabetical order are:
· 3Scale
· Apigee
· Layer 7 Technologies
· Mashery
· WebServius
All of these companies are very good at what they do. This is not a time to skimp on this issue.
Comments