SIGS Afterwork Event in Geneva
API Security as Part of Digital Transformation Projects
The role of API security in digital transformation
Nagib Aouini, Head of Cyber Security Services, Defense & Cyber Security
Genève, Hôtel Warwick, 21.09.16
In partnership with CA Technologies
AGENDA
- Transforming your business in the digital era
- API security challenges (15 min)
- Best practices (5 min)
API security for digital transformation - SIGS 2
DIGITAL TRANSFORMATION IS THEIR KEY TO SURVIVAL
SMOKE SIGNALS FOR DIGITAL TRANSFORMATION
Typical phrases heard when a digital transformation project is under way:
- "building apps for our new cloud platform..."
- "a mandate to double mobile revenue"
- "a big UX/CX initiative in the works"
- "need to improve the customer experience"
- "massive CMS and commerce re-platform"
- "speed up our market responsiveness"
- "catch up with X and future-proof our business"
- "shift customers to the secure digital solution"
- "hacked our connected product"
APIS: THE BUILDING BLOCKS OF DIGITAL TRANSFORMATION
Diagram: "Your Digital Business" at the centre, connected through APIs to Cloud, External Developers, Mobile, Data, Partners/External Divisions and IoT Devices.
WHAT ARE APIS
Diagram: Your App sends a REQUEST to the API; Their App returns DATA.
Application Programming Interfaces (APIs) are plugs that allow software applications to share data and functionality.
API 101 PRIMER
Sample API response fragment (weather alert): "alerts": [{"type": "FLW", "description": "Flood Watch"}]
What APIs bring:
- Integration
- Experience
- Speed
- Monetization
- Internet of Things
WHY MODERNIZE? WHY USE APIS?
APIs have become the industry standard for system interfaces of all kinds.
- Hide complexity; expose existing functionality
- Use APIs as the basis for porting systems/functionality into the cloud
- Make it easier for other business units and business partners to access systems and data, but maintain security
- Next step in the evolution of SOA/integration platforms
- Want to have the benefits of APIs
BUSINESS CHALLENGES
Project Business Team: How can I make my business data available through a mobile app? Do I need to copy my data to a mobile phone?
IT Security Officer: I know that consuming data from a mobile app carries some risk. How do I reduce risk while expanding API exposure? How do I meet compliance?
Developer: What options do I have to secure data at rest and in transit? How can I securely manage keys? How do I manage authentication within the app?
Operations IT Team: How do I enforce a consistent security policy across APIs? What controls do I have to mitigate attacks like DoS on our back-end?
Privacy Officer: How do I govern APIs exposed to internal and external developers (third-party or agency)? How do I manage the PII life cycle of data exposed via APIs?
API BREACHES
API SECURITY IS UNIQUE
Your APIs are vulnerable to the typical OWASP Top 10 attacks. IN ADDITION, you have to worry about:
- Hackers reverse engineering apps to access private APIs
- API key theft, which looks like legitimate usage!
- Traffic spike protection against bots or DoS attacks
- Identity tracking across API sessions
- XML/JSON injection-type attacks
- Token harvesting due to insecure communication or storage
SECURE WHAT?
Diagram: Mobile Device Management protects data at rest on the device; API Management protects the data source and data in motion. Consumers of the APIs: mobile browser, web, any other app.
FOR EXAMPLE:
https://api.services.elca.ch/employees/john
{
  "firstname": "John",
  "lastname": "Williams",
  "title": "VP of engineering",
  "address": {
    "streetaddress": "21 Avenue de la Harpe",
    "city": "Lausanne",
    "prov": "VD",
    "postalcode": "1001"
  },
  "phonenumber": [
    { "type": "office", "number": "0216132136" },
    { "type": "home", "number": "xxxxxxx" }
  ]
}
Without proper authentication/authorization, a corporate directory can be leaked over the internet!
SECURING YOUR DIGITAL CHANNELS
- Authenticate the user: Au/Az/SSO
- Control what the App can access: Licensing
- Rate limit access: Quota Management
- Protect from hackers: Protection
- PCI compliance
DEFENSE IN DEPTH: SECURE YOUR APIS
Controls at each layer, from the user to the backend:
- Users: OAuth2, MFA, federated login
- Apps: API key, OAuth2, TLS, IP access control
- APIs: spike arrest, rate limits, threat protection, intrusion detection, DDoS
- Backend: mutual TLS, IP access control
FULL STACK ARCHITECTURE
Diagram (network zones and their components):
- Internet: Internet services
- Remote access / transition zone: front-ends, reverse proxy, VPN concentrator
- Secure zone: policy server (PDP); applications (API Gateway, portal web front-end, 2-factor services, identity portal front-end); HSM; KMS (key server)
- Infrastructure / data zone: ESB, portal application server, identity back-end server, Active Directory, PKI, DNS/DHCP/email gateway
- Management zone: policy server database (PIP), portal database, identity database, admin jump host
1. AUTHENTICATION/AUTHORIZATION/SSO
Control and restrict access to your APIs. Make it easy yet secure.
2. LICENSING
- Package your APIs in different ways
- Use API keys to restrict what the App can access
The licenses control:
- OAuth authorization scopes
- Document visibility
- Quota policies
3. MESSAGE AND PARAMETER SECURITY
Protect your API keys and messages using an encrypted channel and HMAC.
HTTP parameter (API key passed as a plain query parameter): http://apis.elca.ch/directory/staff?app_id=mydir&app_key=mykey
- Protect API keys with HMAC (Hash-based Message Authentication Code)
Message security:
- Implement HTTPS
- For XML/JSON payloads, encrypt specific parts of the message
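An added example (not from the slides, nor CA Technologies' or ELCA's code) of the HMAC approach above: instead of sending app_key in the query string, the app keeps the key secret and sends only app_id plus an HMAC over the request; the gateway recomputes it. Header names, the shared secret, the clock-skew window and the in-memory nonce store are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

# Constructed example: app_id -> shared secret issued by the API portal (assumption).
APP_KEYS = {"mydir": b"constructed-secret-for-mydir"}
MAX_SKEW_SECONDS = 300        # reject requests whose timestamp is too old or too far ahead
_seen_nonces = set()          # replay protection; a real gateway would use a shared, expiring store


def canonical_string(method, path, query, timestamp, nonce, body):
    """Bind method, path, query, time, nonce and a body hash into the string that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, str(timestamp), nonce, body_hash])


def sign_request(app_id, app_key, method, path, query, body, timestamp, nonce):
    """Client side: the secret never leaves the app; only app_id and the HMAC travel with the request."""
    msg = canonical_string(method, path, query, timestamp, nonce, body).encode()
    sig = hmac.new(app_key, msg, hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


def verify_request(headers, method, path, query, body, now):
    """Gateway side: look up the secret by app_id, recompute the HMAC and compare in constant time."""
    app_key = APP_KEYS.get(headers.get("X-App-Id", ""))
    if app_key is None:
        return False, "unknown app_id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in _seen_nonces:
        return False, "replayed nonce"
    msg = canonical_string(method, path, query, ts, nonce, body).encode()
    expected = hmac.new(app_key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    _seen_nonces.add(nonce)   # recorded only after a valid signature, so forged requests cannot burn nonces
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    hdrs = sign_request("mydir", APP_KEYS["mydir"], "GET", "/directory/staff", "", b"", now, "n-demo")
    print(verify_request(hdrs, "GET", "/directory/staff", "", b"", now))
```

Because the signature covers the path, query and body, a captured request cannot be replayed against another resource, and without the secret a stolen app_id alone is useless.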
4. THREAT PROTECTION
- Denial of Service
- Injection attacks: detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
- Cross-site scripting
- Network address and range blacklists/whitelists
- HTTP parameter stuffing
5. CONTENT FILTERING
Provide a content firewall, protecting against malicious content:
- Validate message content including message headers, form and query parameters, XML and JSON data structures
- Policies for XML and JSON DoS
- Protection against viruses in attachments and other binary content via ICAP integration with leading antivirus engines
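An added example (not from the slides or any vendor's gateway) of a JSON DoS policy as described above: the body is checked for content type, size and bracket nesting depth before it is ever handed to a parser, since an attacker-controlled depth is what exhausts a parser's stack. The limit values are constructed assumptions to be tuned per API.

```python
import json

# Constructed policy limits (assumptions, not a vendor's defaults): tune per API.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 20
ALLOWED_TYPES = {"application/json"}


def nesting_depth(text):
    """Max bracket depth of a JSON text, scanned without parsing so a deeply nested
    payload is rejected before it can exhaust the parser's stack or memory."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:                 # brackets inside string literals do not nest
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def filter_json_request(content_type, body):
    """Gateway policy: returns (accepted, reason) for one request body (bytes)."""
    if content_type.split(";")[0].strip().lower() not in ALLOWED_TYPES:
        return False, "unsupported content type"
    if len(body) > MAX_BODY_BYTES:          # cheapest check first, before touching the bytes
        return False, "body too large"
    try:
        text = body.decode("utf-8")
        if nesting_depth(text) > MAX_DEPTH:
            return False, "nesting too deep"
        json.loads(text)                    # only now is the parser allowed to run
    except (UnicodeDecodeError, ValueError):
        return False, "malformed JSON"
    return True, "ok"
```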
6. QUOTA MANAGEMENT/RATE LIMITING
- Restrict the number of calls an App can make
- Apply controls based on context, affinity, segmentation, etc.
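An added example (not from the slides or any vendor's product) of the quota control above, tied to the license tiers of slide 2: a token bucket per app_id whose sustained rate and burst ceiling (spike arrest) come from the app's plan, failing closed for unknown plans. Plan names, rates and the in-memory bucket store are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    """Quota attached to a license tier (constructed example values, not a vendor's defaults)."""
    rate_per_second: float   # sustained calls per second
    burst: int               # spike-arrest ceiling: max calls accepted back-to-back


PLANS = {"public": Plan(rate_per_second=1.0, burst=5), "partner": Plan(rate_per_second=20.0, burst=50)}


@dataclass
class Bucket:
    tokens: float
    updated: float


class QuotaPolicy:
    """Token bucket keyed by app_id: each accepted call spends one token; tokens refill
    at the plan's sustained rate and are capped at the plan's burst."""

    def __init__(self):
        self._buckets = {}

    def check(self, app_id, plan_name, now):
        """Returns (allowed, retry_after_seconds); retry_after is 0.0 when allowed."""
        plan = PLANS.get(plan_name)
        if plan is None:
            return False, float("inf")      # unknown license: fail closed
        bucket = self._buckets.get(app_id)
        if bucket is None:
            bucket = Bucket(tokens=float(plan.burst), updated=now)
            self._buckets[app_id] = bucket
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(float(plan.burst), bucket.tokens + elapsed * plan.rate_per_second)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - bucket.tokens) / plan.rate_per_second   # hint for a Retry-After header
```

Keying the bucket by app_id keeps one noisy app from consuming another app's quota; segmentation by route or client context is a matter of extending the key.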
SECURITY FEATURES OF AN API GATEWAY: OUT-OF-THE-BOX SECURITY POLICIES
- OpenID Provider/Relying Party
- OAuth 1.0a & 2.0 (all grant types)
- Developer/Partner key authentication & authorization
- CORS management
- HTTP Basic Auth
- Mutual SSL based authentication
- SAML 1.1 & 2.0 (STS included)
- WS-Trust 1.2 & 1.3
- WS-Security Transport Binding
- WS-Security Username Token
- WS-Security message encryption/signature
- Integration with AD, SiteMinder, OAM, RSA, ELCARD
- Cookie-based authentication
- Denial of Service attack prevention
- SQL injection prevention
- Virus scanning
- XML Schema validation
- Malicious pattern detection
- SLA/throttling by developer/partner
- Certificate (PKI) management (CA included)
API SECURITY GOVERNANCE: INTEGRATE INTO THE LIFE CYCLE
Lifecycle stages (a cycle): Design, Develop, Test, Doc., Secure, Deploy, Govern
- Support for open standards & protocols (e.g. SAML, OAuth, TLS, etc.)
- Security & access control policies: authentication, authorization, transport-level security
- Input validation & vulnerability detection (XSS, CSRF, SQL injection, ...)
- Rate limiting & throttling
KEY TAKEAWAYS
- Follow an API threat model and build API security into your API products
- Ensure identity and security controls at every point of the API lifecycle and integrate best practice into the SDLC
- Gain visibility into API security risks and data sensitivity prior to deployment
- Protect sensitive data in transit and at rest
- Layered protection is key
Thank you.
Contact
Nagib Aouini, Head of Cyber Security Services, ELCA, Nagib.aouini@elca.ch
Grégory Ruch, Cyber Security Expert, ELCA, Grégory.ruch@elca.ch
ELCA Informatique SA: Lausanne 021 613 21 11, Genève 022 307 15 11
ELCA Informatik AG: Zürich 044 456 32 11, Bern 031 556 63 11
www.elca.ch