Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520, Needham, MA 02494
Best Practices in Deploying API Gateways – API World 2017
Greg DiFruscio, Director of Support
Why they are an essential component of a secure, robust and scalable API infrastructure.
Best practices and common deployment scenarios of API Gateways.
TYPES of API GATEWAYS
#1 API Gateway Basics
Deployed similar to a reverse proxy (protocol break)
The gateway represents the endpoint API and appears to the consumer as if it is the application or service itself
Can be located on-premise or in cloud
Move the security, identity, and management processing out to the API Gateway tier – let the APIs focus on the business requirement
While API Gateways expose the APIs, not all API Gateways truly secure the APIs
#2 API IAM Gateways
IAM (Identity and Access Management) designed for Identity and Access Control and centralizing IAM agents
IAM Gateway products support limited API types (i.e. REST)
Limited support for network protocols (i.e. REST APIs over HTTP)
Very little or no ability to provide information assurance of the API data
Typically built on insecure platforms – software only or unhardened virtual appliance
#3 API Management Gateways
More versatile than IAM Gateways with broader support for API types and network protocols
Evolved from ESB integration platforms where integration and payload conversion are core functions
Usually developer centric
Often provide developer portals for API consumers, self documenting APIs
Typically built on open platforms designed for flexibility
Inherently susceptible to attack and compromise
#4 API Security Gateways
Security first focus – product form factors and feature sets
Products hardened against cyber attack – closed systems
Include API Identity features from IAM space
Include API Governance features from API Management space
Include API Security from Cybersecurity space
Support for wide array of API types and network protocols
Focus on content layer security (e.g. schema validation, encryption, dsig) in addition to TLS
Bi-directional scanning to prevent threats as well as data leakage
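A minimal content-layer policy of the kind this slide describes, as an added example (not Forum Systems code): inbound method, parameter and body-schema validation, plus an outbound scan for data leakage. The endpoint policy, its parameter constraint and the leakage patterns are constructed for illustration.

```python
import json
import re

# Added example, not Forum Systems code. Constructed endpoint policy: allowed methods,
# permitted query parameters (each with a constraint), JSON body shape, body size cap.
POLICY = {
    "methods": {"GET", "POST"},
    "params": {"account": re.compile(r"^[0-9]{6,10}$")},
    "required": ["amount"],
    "fields": {"amount": (int, float), "memo": str},
    "max_body_bytes": 4096,
}
# Outbound patterns treated as data leakage (constructed; tune to your data).
LEAK_PATTERNS = {
    "pan": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def validate_request(method, params, body):
    """Return the list of policy violations; an empty list means pass."""
    violations = []
    if method not in POLICY["methods"]:                   # method validation
        violations.append(f"method {method} not allowed")
    for name, value in params.items():                    # parameter validation
        pattern = POLICY["params"].get(name)
        if pattern is None:
            violations.append(f"unexpected parameter {name}")
        elif not pattern.match(value):
            violations.append(f"parameter {name} fails constraint")
    if len(body) > POLICY["max_body_bytes"]:              # refuse before parsing
        return violations + ["body exceeds size limit"]
    if not body:
        return violations
    try:                                                  # schema validation
        doc = json.loads(body)
    except ValueError:
        return violations + ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return violations + ["body must be a JSON object"]
    violations += [f"missing field {r}" for r in POLICY["required"] if r not in doc]
    for key, val in doc.items():
        expected = POLICY["fields"].get(key)
        if expected is None:
            violations.append(f"unexpected field {key}")
        elif isinstance(val, bool) or not isinstance(val, expected):
            violations.append(f"field {key} has wrong type")  # bool is an int in Python
    return violations

def scan_response(body):
    """Return the names of leakage patterns found in an outbound body."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(body))
```

A gateway would reject the request on any non-empty result from `validate_request` and block or redact the response on any hit from `scan_response`.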
Which type of API Gateway is right for you?
Is HTTP/S only protocol sufficient?
Are REST API services the only type you will need to support?
Are you concerned about malware and other API exploits embedded within the payloads?
Do you need to support legacy applications and services?
Are you concerned with data leakage and sensitive information loss?
DEPLOYING API GATEWAYS
#1 Location and Form Factor
On-Premise or cloud?
Hardware, virtual, software, AMI, other?
Where are the services?
Where are the clients?
Where are the user identity repositories?
#2 Use Case Discussion
API types (e.g. REST, SOAP, XML, Web Portals, etc.)
Network protocols (HTTP/S, SFTP, JMS, SMTP, AMQP 1.0, mixing)
Identity, access control, and SSO requirements (Identity Repositories)
API security requirements (TLS, Schema validation, AV scanning, parameter validation, method validation, etc.)
API integration/mediation requirements (JSON to/from XML, etc.)
Logging requirements
Custom Error handling
#4 Policy Configuration and Management
Simple is better (point and click, no coding necessary)
Err on the side of security
Start basic and add processing layers
Reusing policy objects
Policy naming conventions
Propagation of policies across environments
Automation via APIs
#4 Security Review
Ask your vendor for a security review of your policies
Check for sensitive information in logs
Check for weak ciphers and TLS/SSL protocols
Positive and negative testing
Review errors generated on gateway and errors returned from applications
Do it before moving into production
Schedule them often
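Helpers for the "weak ciphers and TLS/SSL protocols" check above, as an added example (not Forum Systems code): they grade a cipher list and a minimum protocol version, review a live `ssl.SSLContext`, and build a hardened server context to compare a gateway listener against. The weak-cipher marker list is constructed.

```python
import ssl

# Added example, not Forum Systems code: review helpers for the "weak ciphers and
# TLS/SSL protocols" check. Name fragments a review should flag (constructed list).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")

def weak_ciphers(names):
    """Return, sorted, the OpenSSL cipher names that contain a weak marker
    (DES covers single DES and 3DES; ADH/AECDH are anonymous, unauthenticated suites)."""
    return sorted(n for n in names if any(m in n.upper() for m in WEAK_MARKERS))

def protocol_findings(minimum):
    """Flag a minimum protocol below TLS 1.2. Accepts an ssl.TLSVersion or the raw
    version number (0x301 = TLS 1.0) as reported by scanners and logs."""
    minimum = ssl.TLSVersion(minimum)
    if minimum < ssl.TLSVersion.TLSv1_2:
        return [f"minimum protocol {minimum.name} is below TLS 1.2"]
    return []

def review_context(ctx):
    """Review a live ssl.SSLContext; an empty list means the TLS policy passes."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return protocol_findings(ctx.minimum_version) + [
        f"weak cipher enabled: {n}" for n in weak_ciphers(names)]

def hardened_context():
    """Server context limited to TLS 1.2+ and forward-secret AEAD suites,
    the configuration a review of a gateway listener should expect to find."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx
```

Feed `weak_ciphers` the cipher names exported from the gateway's TLS policy, or from a scanner's output, to get the list a review should ask the vendor about.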
BEST PRACTICES IN API SECURITY
#1 Product Security
Secure OS – the infrastructure is a target
Secure policy/configuration storage
Protect your private keys
#2 API Security Policy
#3 API Identity
Multi-Context authentication and authorization
Aim for agentless approach
Protect identity repositories
Use SSO and Federation
Reduce dependencies on vendor specific implementations
#4 API Integration
Rewriting URLs – obfuscate your path
Mapping payload formats – for integration as well as security
Mapping user attribute information retrieved from identity call
Querying LDAP, Databases, APIs (t-junction processing)
Network protocol mediation (e.g. HTTPS to/from ActiveMQ)
#3 API Monitoring
Integrate with central SIEM/logging system (e.g. Splunk, ELK, Graylog, etc.)
Build real time Dashboards from gateway logs
Leverage big data analytics for alerts, trends, reports
Conclusions
Choose the right type of API Gateway for your current and future needs
Decide where the API Gateway(s) will live and what form factors are correct for your environment
Spend the time up front to architect the solution and build the policies in accordance with your plan
Your APIs and your API infrastructure are targets – API Security means security features as well as secure architecture
FORM FACTORS
API Security Gateway
Hardware: ForumOS™. FIPS 140-2 Level II purpose-built chassis. NIAP NDPP Certified. Patented cryptographic acceleration
Virtual: Fully encapsulated virtualized rendition of Hardware system in a deployable OVA VMWare image
Cloud: Fully encapsulated virtualized rendition of Hardware system in a deployable Amazon AMI
Software: Windows, Linux, or Solaris deployable in any computing ecosystem (single-package install with no dependencies)
To learn more visit us at http://info.forumsys.com/api_world