Page 1
Chris Swan, CTO, @cpswan
API Security
Page 2
© 2015
Setting the scene
Page 3
A little over a decade ago
Page 4
But it all went horribly wrong
Page 5
Mostly because of XML asymmetry of effort
(diagram contrasting ‘Easy’ and ‘Hard’)
Page 6
The audit paradox
Page 7
Building in
CC photo by WorldSkills
Page 8
What building in looks like
Page 9
Bolting on
CC photo by arbyreed
Page 10
What bolting on looks like
Page 11
The shifting sands
Page 12
Unified Threat Management
(diagram: a UTM appliance combining Firewall, NIDS/NIPS, AV, Anti Spam, VPN, DLP and Load Balancer)
Page 13
Application Delivery Controllers
(diagram: an ADC combining Cache, TLS offload, Compression, WAF, Multiplexing, Load Balancer and Traffic Shaping)
Page 14
PaaS gives us the chance to ‘bolt in’
Page 15
But Docker adoption shows a movement against opinionated platforms
Page 16
If a security event happens and it isn’t monitored
Page 17
SDN and NFV
Page 18
Networks made from and configured by software
Page 19
We can put a bunch of ‘network’ onto a VM
(diagram: VM hosting Firewall, VPN, Switch and Router functions)
Page 20
And add more functions into containers
(diagram: containers for Firewall, VPN, Switch, Router, Cache, TLS offload, WAF, Load Balancer and NIDS/NIPS)
Page 21
This could be thought of as an app-centric perimeter
Page 22
But it refactors very readily into microservices
Page 23
Some challenges remain
Page 24
ToDo: SecDevOps
APIs (to the network) are necessary but not sufficient: they need to be integrated into the overall system
Control metadata (and its mutability): must be visible and understandable
Security events need to be captured: then turned into something humans can action
Page 25
Questions?