A successful API strategy requires a strong partnership between the business, IT, and security functions. Rather than as a hindrance, security increasingly is viewed as a business enabler, with CISOs and CSOs playing a critical role in implementing “guardrails” for safe, secure and compliant API services and security architectures free of unnecessary complexity. Ultimately, a secure API platform enables developers and DevOps to focus on innovation—by improving the mobile user experience and deploying apps in the cloud, with appropriate security controls built-in. In this webcast, Apigee’s Subra Kumaraswamy and Saba Software CSO Randy Barr will explore how CISOs and CSOs partner with IT and business leaders for a safe and secure journey to cloud, SaaS, and mobile services. Join to learn about: - The role of the security officer in helping IT and business meet objectives - How smart and secure API guardrails remove friction in consuming APIs while protecting sensitive data exposed via APIs. - Best practices that work for an API centric enterprise Download podcast: http://bit.ly/1B6h3TR

1. Digital Security:
The CISO Perspective
Apigee
@apigee
Subra Kumaraswamy
@subrak
Randy Barr
CISO, Saba Software

2. youtube.com/apigee

3. slideshare.net/apigee

4. @Subrak
Subra Kumaraswamy
Randy Barr

5. Agenda
• The changing Digital landscape
• Trends: technology and threats
• Security enablers
• Key takeaways

6. What’s keeping you up at night?
6
Data Theft

7. The Forces@Work
Source: TheFutureOrganization.com

8. overwhelmed
employee
Talent Challenges@Work
diversity

9. Trends

10. DevOps is growing exponentially

11. Node.js exploding

12. Breaches continue to haunt the enterprise
Source: Verizon 2014

13. Paradox of choice

14. The changing landscape
B A C K - E N D S Y S T E M S
M O B I L E
S E C U R I T Y
APIs
S O C I A L A N D S A A S
Contextual & behavioral security
Encrypt everything
Identity-as-a-Service
SaaS security/identity plugin
Fraud detection
APT security analytics
E N D P O I N T
S E C U R I T Y
Digital security is shifting from defense to
analytics (predictive) & prevention

15. Technologies driving digital transformations
Mobile
DevOpsCloud
API

16. Digital security as an
enabler

17. What’s the role of InfoSec in enabling digital
transformation?

18. Top areas of CISO concern
Source: Wisegate

19. The role of digital security: enabling DevOps

20. 20
• End-to-end security managed
through configuration and global policies
• Data-centric controls such as encryption,
tokenization, and key management
• Leverage API for security automation activities
including patching, user and access management,
logging, and auditing
• Security verification through tool automation,
aligned with SDLC: Dev->Stage->Prod
Enabling DevOps

21. Role of digital security: enabling cloud
Compliance
Trust
Architecture
Identity and
Access
Availability
Incident
Response
Data
Protection
Governance

22. 22
• Governance of Data and Identity
• Security Architecture standard
• Technology Services & Tools to Support:
– Data Protection – Encryption/Hashing/Anonymization
– Access management – Privileged and End Users
– Threat monitoring and protection
– Compliance (PCI, HIPAA) management
– Availability Management – DDoS mitigation, Multi-
region operation
– Operational Hygiene – Patching, Logging, etc
• Establish Incident Response with service provider
Enabling cloud

23. • Most Cloud providers leverage this as their security story
• This only covers the data centers policies, employees, standards
– CCTV
– 24x7x365 security personnel
– Entry and Exits of facility
• What about
– When a server needs to be changed, it is not covered
– When new employee at cloud provider starts it is not covered
– Security Policies, Standards apply to cloud vendor
– Monitoring of the environment
– Business Continuity / Disaster Recovery
– Incident Management
– Vulnerability Penetration Testing
– Etc.
Data center security audit/assessments

24. Role of digital security: enabling mobile

25. 25
Enabling mobile
• Leveraging solutions to perform
automated scans
• There are vendors that provide both
automated and hands on reviews of mobile apps
• Performed once a new version is uploaded to the store
• Should perform
– Run-time scanning (Dynamic and app logic analysis)
– Network Scanning
– Serverside scanning
• Mobile security training
• Rogue App monitoring

26. So how does API-first architecture manifest itself?

27. API-first architecture
API Tier
All Apps
Analytics
App
Servers
ESB
Social
Apps
Web
Apps
Mobile
Apps
Backend
Services
OrchestrationPersistence Security
Internet
API services for
mobile and
cloud apps
Consistent
security
across
channels
Developers
IT security
architect

28. Technologies driving digital transformations
Mobile
DevOpsCloud
API

29. Information security must be able to meet governance
requirements and manage compliance when handling
PCI DSS or HIPAA use cases

30. Top technology considerations and takeaways
• Focus on data-centric controls such as masking,
encryption and hashing to protect data at rest.
• Work closely with DevOps teams to “bake in”
security controls into the orchestration layer and
cloud hosting systems.
• Leverage APIs to build consistent, secure and
scalable mobile solutions.
• Automate security monitoring and management
using APIs.
DeveloperUser APIApp API Team Backend

31. Security as a Enabler: Summary
• Security is a competitive differentiator
– IT security must remove barriers to enable
business and developers/DevOps
• DevOps (need for speed, flexibility) and InfoSec
(need for consistent protection) go hand-in-hand
• API-first architecture provides consistent security
enforcement for mobile and cloud use cases
DeveloperUser APIApp API Team Backend

32. @Subrak
Subra Kumaraswamy
Randy Barr
Questions?

33. Thank You
Apigee
@apigee

34. Identity landscape in the digital world

35. •What drives adoption of cloud solutions within a
company
•Selecting IT solutions are as easy as reading the
numbers off your credit card
•Small implementations can lead to adoption by
other users
•Ability for mobility is key to further adoption of the
solution
•Growth leads to managing the solution
•Security is then brought in
Choices

36. SECURITY TRANSPARENCY
• Reliance on Data Center Audits
• Privacy
• White papers with no details
• Reluctant to share details citing protecting their
existing customers
• Customer audits
• Cloud Controls Matrix
• Consensus Assessments Initiative Questionnaire
• Independent 3rd party report of Saba’s policies,
standards and processes
• SOC II Type II report
• DR Executive Summary
• Policies & Standards table of contents
• Independent 3rd party penetration test
• Network and Application Vulnerability executive report
within 48 hours of request
Completecustomervisibility

37. Enabling the DevOps to securely expose the back-
end services with necessary authentication,
authorization, message security, and Auditing

38. Security considerations
• Authentication of Apps, APIs and Users: LDAP, active
directory, SAML, OAuth, two-way TLS
• User and role management
• Protect sensitive data stored and processed in the
cloud and mobile devices
• Threat management (DoS, spikes, injection attacks)
• Logging and auditing

39. Role of InfoSec