Akana, profile picture
Uploaded byAkana
PPTX, PDF2,059 views

Confronting API Security in the Brave New Open Banking Era

The document discusses the challenges of API security in the context of the evolving open banking landscape and digital transformation in banking. It highlights significant security concerns like authentication, authorization, and threat protection, emphasizing the importance of managing risks while enabling developer access. Key strategies for securing APIs, including OAuth implementation, message security, and content filtering, are also outlined.

Embed presentation

Downloaded 135 times
© 2015 Akana. All Rights Reserved. Confronting API Security in the Brave New Open Banking Era Sachin Agarwal
© 2015 Akana. All Rights Reserved. Digital Disruption in Banking Mobile Cloud Customer Centric Block Chain Payments FinTech
© 2015 Akana. All Rights Reserved. However Risks Exists
© 2015 Akana. All Rights Reserved.
© 2015 Akana. All Rights Reserved. How do banks Open up to the Digital Economy While managing Risk?
© 2015 Akana. All Rights Reserved. EVOLUTION OF DIGITAL CHANNELS
© 2015 Akana. All Rights Reserved. Client-Server/ Web Applications • No Programmatic Access • Security through network isolation • Limited Users Access locations and variability of operations were limited
© 2015 Akana. All Rights Reserved. Web Services The enterprise opened slightly with Web Services/SOAP • SSL/TLS, Certificate based, PKI, WS-Trust • Some B2B and Partners applications • Complex, but quite secure and flexible
© 2015 Akana. All Rights Reserved. And then came APIs Disrupting how and where information is accessed • Mobile and Social Apps don’t’ understand PKI, WS-Security, etc. • Focus on human readability, developer adoption
© 2015 Akana. All Rights Reserved. Realizing End-to-End Security Managing the User Experience Securing the App - PII, PHI Enabling Easy Developer Access Securing the Channel Securing the Backend
© 2015 Akana. All Rights Reserved. Understanding the Security Landscape • Protocol specific threats • Key Management • OAuth • Monitoring • Licensing • Security Token Mediation API Specific Security Single Sign On MDM ATP, Firewall, VPN etc.
© 2015 Akana. All Rights Reserved. Major API Security Concerns
© 2015 Akana. All Rights Reserved. API Consumer Security?
© 2015 Akana. All Rights Reserved. Securing APIs 1 Authentication & Authorization 2 App Key Validation/ Licensing 3 Message Security 4 Threat Protection 5 Content Filtering 6 Rate Limiting Developers
© 2015 Akana. All Rights Reserved. Authentication/Authorization/SSO Control and restrict access to your APIs Make it easy yet secure
© 2015 Akana. All Rights Reserved. Understanding OAuth OAuth lets a person delegate constrained access from one app to another User Resource Owner Client App Resource Server
© 2015 Akana. All Rights Reserved. OAuth Flow
© 2015 Akana. All Rights Reserved. OAuth – You need • OAuth Clients • Provisioning • Approval Flow • OAuth Server • Identity Integration • Token Validation • Token Issue/refresh • Token Mediation (SAML, LDAP etc) • QoS, Monitoring • Policy Management • API Proxying • Reporting • Analytics OAuth is hard and complicated
© 2015 Akana. All Rights Reserved. Licensing Package your APIs in different ways Use API keys to restrict what the App can access The licenses control: – OAuth Authorization Scopes – Document visibility – Quota policies
© 2015 Akana. All Rights Reserved. Message and Parameter Security HTTP Parameter • http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey • Protect API Keys with HMAC – Hash-based Message Authentication Code Message Security • Implement HTTPS • For XML payloads encrypt specific parts of the message
© 2015 Akana. All Rights Reserved. Threat Protection • Denial of Service • Injection Attacks – Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks • Cross Site Scripting • Network address and range blacklists/whitelists • HTTP Parameter Stuffing
© 2015 Akana. All Rights Reserved. Content Filtering • Provide a content firewall, protecting against malicious content • Validate message content including message headers, form and query parameters, XML and JSON data structures. • Policies for XML and JSON DoS • Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
© 2015 Akana. All Rights Reserved. Quota Management/Rate Limiting Restrict the number of calls an App can make Apply controls based on context, affinity, segmentation etc.
© 2015 Akana. All Rights Reserved. Relevance to PCI Compliance • APIs are now part of e-commerce • Card payments pass through API • The infrastructure underlying the API?
© 2015 Akana. All Rights Reserved. Akana API Gateway Gateway Security Authentication Protection IAM Integration Encryption Mediation Quality of Service Paging/Caching Orchestration Scripting
© 2015 Akana. All Rights Reserved. The Akana Digital Business Platform
© 2015 Akana. All Rights Reserved. API Resources and API University • Resource Center – http://resource.akana.com/ • Follow us on: www.facebook.com/soasoftware www.linkedin.com/company/14301 @akanainc

More Related Content

PPTX
Test and Protect Your API
bySmartBear
 
PPTX
Deconstructing API Security
byAkana
 
PDF
API Economy - The Making of a Digital Business
byAkana
 
PPTX
Architecting Mobile Solutions Using Microsoft Azure and Akana
byAkana
 
PDF
Eat Your Microservices Elephant One Bite at a Time
byAkana
 
PPTX
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
byAkana
 
PPTX
Enterprise API Adoption Patterns
byAkana
 
PPTX
Microservices Done Right: Key Ingredients for Microservices Success
byApigee | Google Cloud
 
Test and Protect Your API
bySmartBear
 
Deconstructing API Security
byAkana
 
API Economy - The Making of a Digital Business
byAkana
 
Architecting Mobile Solutions Using Microsoft Azure and Akana
byAkana
 
Eat Your Microservices Elephant One Bite at a Time
byAkana
 
Realizing Hybrid Cloud: Using IBM Bluemix, APIs, and DataPower
byAkana
 
Enterprise API Adoption Patterns
byAkana
 
Microservices Done Right: Key Ingredients for Microservices Success
byApigee | Google Cloud
 

What's hot

PPTX
API and SOA: Two Sides of the Same Coin?
byAkana
 
PDF
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
byWSO2
 
PPTX
API Management Part 1 - An Introduction to Azure API Management
byBizTalk360
 
PPTX
API Management
byRoger van de Kimmenade
 
PPTX
Build an api eco-system you can be proud of
byCisco DevNet
 
PDF
Lean Method for Building Good APIs for Business – APIOps Cycles
byNordic APIs
 
PDF
Intel Mashery API Management Solution
byDavid Gevorkyan
 
PDF
Delivering on Personalization with the Power of APIs
byAkana
 
PPTX
API Security: Securing Digital Channels and Mobile Apps Against Hacks
byAkana
 
PPTX
Platform for Secure Digital Business
byAkana
 
PPTX
Are APIs and SOA Converging?
byAkana
 
PPTX
Manage Your Mesh
byAkana
 
PDF
[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...
byWSO2
 
PPTX
Jumping Ahead with {enterprise:apis}
bySachin Agarwal
 
PPTX
Open api in enterprise
byGuru Lakshmeekar B
 
PPTX
Is it time for a Connector-less Approach to Cloud Integration?
byAkana
 
PPTX
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
byAkana
 
PDF
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
byapidays
 
PPTX
DevOps & Apps - Building and Operating Successful Mobile Apps
byApigee | Google Cloud
 
PPTX
A Peek Into The Future of Mobile-Enabled Health Care
byAkana
 
API and SOA: Two Sides of the Same Coin?
byAkana
 
Apply API Governance to RESTful Service APIs using WSO2 Governance Registry a...
byWSO2
 
API Management Part 1 - An Introduction to Azure API Management
byBizTalk360
 
API Management
byRoger van de Kimmenade
 
Build an api eco-system you can be proud of
byCisco DevNet
 
Lean Method for Building Good APIs for Business – APIOps Cycles
byNordic APIs
 
Intel Mashery API Management Solution
byDavid Gevorkyan
 
Delivering on Personalization with the Power of APIs
byAkana
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
byAkana
 
Platform for Secure Digital Business
byAkana
 
Are APIs and SOA Converging?
byAkana
 
Manage Your Mesh
byAkana
 
[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ...
byWSO2
 
Jumping Ahead with {enterprise:apis}
bySachin Agarwal
 
Open api in enterprise
byGuru Lakshmeekar B
 
Is it time for a Connector-less Approach to Cloud Integration?
byAkana
 
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
byAkana
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
byapidays
 
DevOps & Apps - Building and Operating Successful Mobile Apps
byApigee | Google Cloud
 
A Peek Into The Future of Mobile-Enabled Health Care
byAkana
 

Viewers also liked

PPTX
API Adoption Patterns in Banking & The Promise of Microservices
byAkana
 
PPTX
Digital Healthcare – Realizing Interoperability with APIs
byAkana
 
PDF
Fintech overview 페이게이트 박소영대표 20151006_v5
byeungjin cho
 
PDF
핀테크 성공을 위한 디지털 비즈니스 마인드
byBradley Byoungyong Moon (문병용)
 
PDF
Oracle api gateway overview
byOracle Corporation
 
PDF
API Design Workflows
byJakub Nesetril
 
PPTX
Apiary
bySuresh B
 
PDF
Investing in fintech: Trends in financial technology for investors and entrep...
byOurCrowd
 
PDF
Ch.10 개인금융
byMinsuk Chang
 
PPTX
Driving Digital Innovation with a Layered API Design Approach
byAkana
 
PPTX
Extracting Insights from your API Programs
byAkana
 
PPTX
Http คืออะไร
byปรัชญาทวี พงพยัคฆ์
 
PDF
APIs: The Lynchpin of your Open Banking PSD2 Strategy
byApigee | Google Cloud
 
PDF
การหา Google map key api
byMaitree Rimthong
 
PPTX
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
byAkana
 
PPT
FinTech, from 'Nice to Know' to 'Need to Know'
byRobi Dattatreya
 
PPTX
An Architecture for a Platform Providing Things As A Service
byJavier Nieto de Santos
 
PPTX
150625_핀테크포럼 6월 정기모임_핀테크의 성공은 보안이다
byStartupAlliance
 
PDF
Node at Apiary.io
byJakub Nesetril
 
PDF
Financial Literacy on the Go
byExperian_US
 
API Adoption Patterns in Banking & The Promise of Microservices
byAkana
 
Digital Healthcare – Realizing Interoperability with APIs
byAkana
 
Fintech overview 페이게이트 박소영대표 20151006_v5
byeungjin cho
 
핀테크 성공을 위한 디지털 비즈니스 마인드
byBradley Byoungyong Moon (문병용)
 
Oracle api gateway overview
byOracle Corporation
 
API Design Workflows
byJakub Nesetril
 
Apiary
bySuresh B
 
Investing in fintech: Trends in financial technology for investors and entrep...
byOurCrowd
 
Ch.10 개인금융
byMinsuk Chang
 
Driving Digital Innovation with a Layered API Design Approach
byAkana
 
Extracting Insights from your API Programs
byAkana
 
Http คืออะไร
byปรัชญาทวี พงพยัคฆ์
 
APIs: The Lynchpin of your Open Banking PSD2 Strategy
byApigee | Google Cloud
 
การหา Google map key api
byMaitree Rimthong
 
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
byAkana
 
FinTech, from 'Nice to Know' to 'Need to Know'
byRobi Dattatreya
 
An Architecture for a Platform Providing Things As A Service
byJavier Nieto de Santos
 
150625_핀테크포럼 6월 정기모임_핀테크의 성공은 보안이다
byStartupAlliance
 
Node at Apiary.io
byJakub Nesetril
 
Financial Literacy on the Go
byExperian_US
 

Similar to Confronting API Security in the Brave New Open Banking Era

PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
PPTX
Deep-Dive: API Security in the Digital Age
byApigee | Google Cloud
 
PDF
API Security Best Practices and Guidelines
byWSO2
 
PDF
Enhancing your Security APIs
byApigee | Google Cloud
 
PDF
Role of API Management in an API led Digital Economy
byWSO2
 
PPTX
APIs: The New Security Layer
byApigee | Google Cloud
 
PDF
OWASP API Security Top 10 Examples
by42Crunch
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Akamai_ API Security Best Practices - Real-world attacks and breaches
bySecurity Bootcamp
 
PPTX
API Security: Securing Digital Channels and Mobile Apps Against Hacks
byAkana
 
PDF
CIS14: Protecting Your APIs from Threats and Hacks
byCloudIDSummit
 
PDF
How to Build, Manage, and Promote APIs
byWSO2
 
PDF
Takeaways from API Security Breaches Webinar
byCA API Management
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
byLF_APIStrat
 
PDF
OpenID Foundation FAPI WG: June 2017 Update
byNat Sakimura
 
PDF
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
PDF
APIDays Paris Security Workshop
by42Crunch
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
Deep-Dive: API Security in the Digital Age
byApigee | Google Cloud
 
API Security Best Practices and Guidelines
byWSO2
 
Enhancing your Security APIs
byApigee | Google Cloud
 
Role of API Management in an API led Digital Economy
byWSO2
 
APIs: The New Security Layer
byApigee | Google Cloud
 
OWASP API Security Top 10 Examples
by42Crunch
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Akamai_ API Security Best Practices - Real-world attacks and breaches
bySecurity Bootcamp
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
byAkana
 
CIS14: Protecting Your APIs from Threats and Hacks
byCloudIDSummit
 
How to Build, Manage, and Promote APIs
byWSO2
 
Takeaways from API Security Breaches Webinar
byCA API Management
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
byLF_APIStrat
 
OpenID Foundation FAPI WG: June 2017 Update
byNat Sakimura
 
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
APIDays Paris Security Workshop
by42Crunch
 

More from Akana

PPTX
Platform for Secure Digital Business
byAkana
 
PPTX
The Business Value for Internal APIs in the Enterprise
byAkana
 
PPTX
The Datacenter API
byAkana
 
PPTX
Making Sense of Hypermedia APIs – Hype or Reality?
byAkana
 
PDF
API Design Essentials - Akana Platform Overview
byAkana
 
PDF
The Latest in API Orchestration, Mediation, and Integration
byAkana
 
PPTX
Powering Internal API Communities
byAkana
 
PPTX
Microservices: Why Should Businesses Care?
byAkana
 
PPTX
Unified Security for Mobile, APIs and the Web
byAkana
 
PPTX
Lifecycle Manager and the Lifecycle API
byAkana
 
PPTX
The Science of APIs in a Mobile World:Security, Control and Quality
byAkana
 
PPTX
Realizing SOA and API Convergence for IBM DataPower Customers
byAkana
 
PPTX
Using APIs
byAkana
 
PPTX
Intermediary for Microsoft: Product Overview and Demo
byAkana
 
PPTX
Rapid Mobile App to API Integration
byAkana
 
PPTX
Jumping Ahead with Enterprise APIs
byAkana
 
PPTX
Manage Your Mesh
byAkana
 
PPTX
Maybe It's Time for a Connector-less approach to Cloud Integration
byAkana
 
PPTX
Turbo-Charge DataPower to Reach Your SOA Goals
byAkana
 
PPTX
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
byAkana
 
Platform for Secure Digital Business
byAkana
 
The Business Value for Internal APIs in the Enterprise
byAkana
 
The Datacenter API
byAkana
 
Making Sense of Hypermedia APIs – Hype or Reality?
byAkana
 
API Design Essentials - Akana Platform Overview
byAkana
 
The Latest in API Orchestration, Mediation, and Integration
byAkana
 
Powering Internal API Communities
byAkana
 
Microservices: Why Should Businesses Care?
byAkana
 
Unified Security for Mobile, APIs and the Web
byAkana
 
Lifecycle Manager and the Lifecycle API
byAkana
 
The Science of APIs in a Mobile World:Security, Control and Quality
byAkana
 
Realizing SOA and API Convergence for IBM DataPower Customers
byAkana
 
Using APIs
byAkana
 
Intermediary for Microsoft: Product Overview and Demo
byAkana
 
Rapid Mobile App to API Integration
byAkana
 
Jumping Ahead with Enterprise APIs
byAkana
 
Manage Your Mesh
byAkana
 
Maybe It's Time for a Connector-less approach to Cloud Integration
byAkana
 
Turbo-Charge DataPower to Reach Your SOA Goals
byAkana
 
The API Economy is Here: Facebook, Twitter, Netflix and Your IT Enterprise
byAkana
 

Recently uploaded

PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PDF
Cloud Infrastructure monitoring with Grafana Cloud
byImma Valls Bernaus
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PDF
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PDF
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
PPTX
Formulation and Evaluation of herbal peel off mask gel
byRanikonde
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PDF
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PDF
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
Cloud Infrastructure monitoring with Grafana Cloud
byImma Valls Bernaus
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
Formulation and Evaluation of herbal peel off mask gel
byRanikonde
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 

Confronting API Security in the Brave New Open Banking Era

  • 1.
    © 2015 Akana.All Rights Reserved. Confronting API Security in the Brave New Open Banking Era Sachin Agarwal
  • 2.
    © 2015 Akana.All Rights Reserved. Digital Disruption in Banking Mobile Cloud Customer Centric Block Chain Payments FinTech
  • 3.
    © 2015 Akana.All Rights Reserved. However Risks Exists
  • 4.
    © 2015 Akana.All Rights Reserved.
  • 5.
    © 2015 Akana.All Rights Reserved. How do banks Open up to the Digital Economy While managing Risk?
  • 6.
    © 2015 Akana.All Rights Reserved. EVOLUTION OF DIGITAL CHANNELS
  • 7.
    © 2015 Akana.All Rights Reserved. Client-Server/ Web Applications • No Programmatic Access • Security through network isolation • Limited Users Access locations and variability of operations were limited
  • 8.
    © 2015 Akana.All Rights Reserved. Web Services The enterprise opened slightly with Web Services/SOAP • SSL/TLS, Certificate based, PKI, WS-Trust • Some B2B and Partners applications • Complex, but quite secure and flexible
  • 9.
    © 2015 Akana.All Rights Reserved. And then came APIs Disrupting how and where information is accessed • Mobile and Social Apps don’t’ understand PKI, WS-Security, etc. • Focus on human readability, developer adoption
  • 10.
    © 2015 Akana.All Rights Reserved. Realizing End-to-End Security Managing the User Experience Securing the App - PII, PHI Enabling Easy Developer Access Securing the Channel Securing the Backend
  • 11.
    © 2015 Akana.All Rights Reserved. Understanding the Security Landscape • Protocol specific threats • Key Management • OAuth • Monitoring • Licensing • Security Token Mediation API Specific Security Single Sign On MDM ATP, Firewall, VPN etc.
  • 12.
    © 2015 Akana.All Rights Reserved. Major API Security Concerns
  • 13.
    © 2015 Akana.All Rights Reserved. API Consumer Security?
  • 14.
    © 2015 Akana.All Rights Reserved. Securing APIs 1 Authentication & Authorization 2 App Key Validation/ Licensing 3 Message Security 4 Threat Protection 5 Content Filtering 6 Rate Limiting Developers
  • 15.
    © 2015 Akana.All Rights Reserved. Authentication/Authorization/SSO Control and restrict access to your APIs Make it easy yet secure
  • 16.
    © 2015 Akana.All Rights Reserved. Understanding OAuth OAuth lets a person delegate constrained access from one app to another User Resource Owner Client App Resource Server
  • 17.
    © 2015 Akana.All Rights Reserved. OAuth Flow
  • 18.
    © 2015 Akana.All Rights Reserved. OAuth – You need • OAuth Clients • Provisioning • Approval Flow • OAuth Server • Identity Integration • Token Validation • Token Issue/refresh • Token Mediation (SAML, LDAP etc) • QoS, Monitoring • Policy Management • API Proxying • Reporting • Analytics OAuth is hard and complicated
  • 19.
    © 2015 Akana.All Rights Reserved. Licensing Package your APIs in different ways Use API keys to restrict what the App can access The licenses control: – OAuth Authorization Scopes – Document visibility – Quota policies
  • 20.
    © 2015 Akana.All Rights Reserved. Message and Parameter Security HTTP Parameter • http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey • Protect API Keys with HMAC – Hash-based Message Authentication Code Message Security • Implement HTTPS • For XML payloads encrypt specific parts of the message
  • 21.
    © 2015 Akana.All Rights Reserved. Threat Protection • Denial of Service • Injection Attacks – Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks • Cross Site Scripting • Network address and range blacklists/whitelists • HTTP Parameter Stuffing
  • 22.
    © 2015 Akana.All Rights Reserved. Content Filtering • Provide a content firewall, protecting against malicious content • Validate message content including message headers, form and query parameters, XML and JSON data structures. • Policies for XML and JSON DoS • Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
  • 23.
    © 2015 Akana.All Rights Reserved. Quota Management/Rate Limiting Restrict the number of calls an App can make Apply controls based on context, affinity, segmentation etc.
  • 24.
    © 2015 Akana.All Rights Reserved. Relevance to PCI Compliance • APIs are now part of e-commerce • Card payments pass through API • The infrastructure underlying the API?
  • 25.
    © 2015 Akana.All Rights Reserved. Akana API Gateway Gateway Security Authentication Protection IAM Integration Encryption Mediation Quality of Service Paging/Caching Orchestration Scripting
  • 26.
    © 2015 Akana.All Rights Reserved. The Akana Digital Business Platform
  • 27.
    © 2015 Akana.All Rights Reserved. API Resources and API University • Resource Center – http://resource.akana.com/ • Follow us on: www.facebook.com/soasoftware www.linkedin.com/company/14301 @akanainc