What are the biggest cyber threats facing financial and healthcare entities today and in the near future? How can organizations embrace innovation and agile development culture while balancing the time to market goals with risk management?
Jason Kobus, director, API Banking, Silicon Valley Bank, and Apigee's head of security, Subra Kumaraswamy, present how an effective API program combined with a secure API management platform can
- provide visibility for all security threats targeting their backend services
- control access to sensitive data - end-to-end
- enable developers to build secure apps with secure APIs
- facilitate secure access with partners and developers
5. Agenda
• API Security 101
• Launching an API Platform for a regulated company
• Key Takeaways
6. Apigee – Enterprise Security Requirements
Roles shown on the slide: Management, Developer, API Team, IT Security
• API Threat Protection
• Developer friendly security features – Secure SDLC
• Threat protection by configuration
• Identity and fine granular access control
• Security for App and API Developers
• Security by global policies – Separation of Duties
• Security automation enabled by APIs
• End-to-End security – In Rest and Transit (User, App/Device, Apigee Run-time, Backend)
• OOB features for security and compliance management
7. API Security Stakeholders
• Product Manager: How can I release features with built-in security? How can I reduce the release cycle?
• Business owner: How to reduce risk while expanding API exposure? How to meet compliance?
• Ops: How do I enforce consistent security policy across APIs? What controls do I have to mitigate attacks like DoS?
• API Developer: What options do I have to secure data at rest and in transit? How can I securely manage keys?
• Security & Privacy Team: How do I manage the PII life cycle of data exposed via APIs? How do I govern APIs exposed to internal and external developers?
8. The risk must be mitigated on several layers
• Application Architecture (user and data mgmt)
• Application Topology (zoning, protocols, …)
• Operating System security (access control, patches, …)
• Network security (firewall, topology, filtering, …)
• API Security (auth* and backend sheltering) – Scope of API Security Deployment
• Auditing, Monitoring, Processes (Data center, Development, Deployment)
9. Threat Modeling and API/infrastructure Design
• Your APIs are vulnerable to the typical Web application security attacks – Think OWASP Top 10 attacks
• In addition you have to worry about:
– API abuse via API key theft
– Hackers reverse engineering Apps to access private APIs
– Traffic spike protection by way of Bots or DoS attacks
– Identity tracking across API sessions
– XML/JSON injection type attacks
– Token harvesting due to insecure communication or storage
10. API Security Governance – Integrate into Life Cycle
Lifecycle stages: Govern, Design, Develop, Secure, Deploy, Doc., Test
• Support for open standards & protocols (e.g. SAML, OAuth, TLS, etc.)
• Security & Access Control Policies – Authentication, Authorization, Transport level security
• Input validation & vulnerability detection (XSS, CSRF, SQL injection, …)
• Rate Limiting & Throttling
11. Launching an API Platform for a regulated company

{
  "Jason Kobus": {
    "role": "Director API Banking / Fintech Integration",
    "company": "Silicon Valley Bank",
    "credentials": {
      "current": ["CSPO", "CISSP", "CISA"],
      "former": ["CIA", "CISM", "CIPP", "Series 7", "PMP", "ISO 27001 LI"]
    },
    "mission": "Deliver secure financial APIs to make clients happy and extend reach / increase revenue"
  }
}

September 29, 2015
DISCLAIMER: The content on this site, and comments made during the presentation, are my own and don't necessarily represent the positions, strategies, or opinions of Silicon Valley Bank.
12. API Opportunity and Risk Management
What are the biggest cyber-threats facing regulated financial entities today and on the horizon? How can organizations embrace innovation and an agile development culture while balancing time-to-market goals with the risk management mission?
– Visibility
– Data protection
– API security
– Partner integration
13. Visibility
• Risk Assessment:
– OWASP/NIST for typical threats
– Brute force: How strong are your keys?
• Vulnerability assessment
• Penetration testing
• Packet Capture
• Know your API operations:
– What are they capable of?
– Could they be exploited by fraudsters?
"The first step in avoiding a trap is knowing of its existence!" -- Thufir Hawat, Dune
14. Protect Sensitive Data
• Avoid Data breaches, Partner with Privacy:
– GLBA, HIPAA, PCI DSS, EU DPD, State laws, etc. == Compliance Complexity
• Controls:
– Network: SSL termination
– Data protection strategy:
• Avoid, Redact, Encrypt, Insure
• Read-only/non-transact
– more...
15. API $ecurity
• Vet your API gateway partner and leverage their security infrastructure, assurance, and experts.
• Consider the worst case scenario – what if there is an event? Make sure your Legal understands.
• API Authentication paradigms in financial services
– "data aggregation" APIs used to pull account, balance, transaction data
• User ID and password (challenge questions) = same creds as online banking
• User ID and read-only PIN
– OAuth
• Enforce client security better
• Where purpose and actual grant align
16. Partner Integration
• How to “Trust” your API partners:
– Good vendor management – financials / SOC-2
– Data sharing agreements
– Work with partners to ensure customers get clear and unambiguous notice before they authorize the access
UK report "Data sharing and open data in banking":
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/413766/PU1793_Open_data_response.pdf
17. Security at Points of Engagement
Points of engagement along the value chain: Users, Apps, Developers, APIs, API Team, Backend
Controls shown on the slide, in slide order: Mutual TLS; IP Access control; RBAC; Identity & Access Mgmt.; Audit; Spike Arrest; Rate Limits; Threat Protection; Intrusion Detection; DDoS; Access Block; Revoke; SSO; RBAC; API key; OAuth2; TLS; OAuth2; MFA; Federated Login; IP Access Control
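As an added example (not Apigee's code and not the presenters'), the Spike Arrest and Rate Limits controls named on this slide, and the Rate Limiting & Throttling item on slide 10, applied per API key to a constructed trace of requests. The one-accepted-request-per-60/N-seconds smoothing is an assumption modelled on how Apigee documents Spike Arrest; key names, thresholds and the traffic sample are constructed.

```python
from collections import defaultdict

class SpikeArrest:
    """Smooth bursts: N per minute is enforced as at most one accepted request per
    60/N s per key (assumed semantics, modelled on how Apigee documents Spike Arrest)."""
    def __init__(self, per_minute):
        self.min_gap = 60.0 / per_minute
        self.last_accepted = {}  # api_key -> time of last accepted request
    def allow(self, api_key, now):
        last = self.last_accepted.get(api_key)
        if last is not None and now - last < self.min_gap:
            return False  # a rejected request does not move the window
        self.last_accepted[api_key] = now
        return True
class Quota:
    """Hard cap on accepted requests per key in a fixed window (the 'Rate Limits' box)."""
    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.counts, self.window_start = defaultdict(int), {}
    def allow(self, api_key, now):
        start = self.window_start.get(api_key)
        if start is None or now - start >= self.window:
            self.window_start[api_key], self.counts[api_key] = now, 0
        if self.counts[api_key] >= self.limit:
            return False
        self.counts[api_key] += 1
        return True

def enforce(requests, spike, quota, known_keys):
    """Decide each (timestamp, api_key): 'unknown-key', 'spike', 'quota' or 'ok'. Unknown keys
    are rejected before any counter is touched; spike arrest precedes quota so bursts cost none."""
    decisions = []
    for ts, key in requests:
        if key not in known_keys:
            decisions.append("unknown-key")
        elif not spike.allow(key, ts):
            decisions.append("spike")
        elif not quota.allow(key, ts):
            decisions.append("quota")
        else:
            decisions.append("ok")
    return decisions

# Constructed sample traffic (seconds, api_key): key-A bursts three calls within 0.2 s.
SAMPLE = [(0.0, "key-A"), (0.1, "key-A"), (0.2, "key-A"), (2.5, "key-A"),
          (3.0, "key-B"), (5.0, "key-A"), (5.1, "not-issued"), (8.0, "key-A")]
def run_sample():
    spike = SpikeArrest(per_minute=30)          # at most one accepted call per 2 s per key
    quota = Quota(limit=3, window_seconds=60)   # deliberately tiny quota for the demo
    return enforce(SAMPLE, spike, quota, known_keys={"key-A", "key-B"})
```

Rejecting unknown keys before touching any counter keeps an unauthenticated flood from growing gateway state, and running spike arrest before the quota means a smoothed-out burst does not eat into the partner's legitimate allowance.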
18. Key Takeaways
• Follow API Threat Model and build API security into your API products
• Ensure identity and security controls at every point of the API lifecycle and integrate best practice into SDLC
• Gain visibility into API security risks and data sensitivity prior to deployment
• Protect sensitive data – In transit and at rest
• Layered Protection is key
Background Info (speaker notes): Apigee
The traditional security model is based on locking down access to backend systems. But in the world of APIs, those backend systems have to be available all the time. So, instead of blocking access to internal systems, API security must:
- Protect the endpoints and all points of engagement along the value chain
- Integrate with existing corporate security standards and systems