Presentation by Hans Zandbelt from Ping Identity (pingidentity.com) at Nordic APIs (nordicapis.com), Stockholm, March 2013, about the need for identity services when publishing an API.
Today: a mix of on-premise applications and SaaS or cloud applications, both web and mobile native apps. User authentication and access control are based on app-specific accounts and credentials, with some SSO to web apps, mostly internal. The firewall applies to some applications, those hosted on the corporate network.
The expansion of cloud usage brings along 3 dimensions of change: Users: different use cases, more and more inbound too. Consumer identity: 70% drop-off on registration. Devices: mobile, smaller screens, different capabilities, no longer exclusively owned by the enterprise.
Applications reside both on-premises and in the cloud, and so do directories and databases. Users can access these applications from anywhere, using a variety of devices. User accounts and access control need to be harmonized across cloud and on-premises for compliance reasons, following the corporate IT security policy. The firewall can no longer be the center of the universe: access control needs to be handled on a different level.
It is clear that a corporate firewall cannot meet the demands of cloud, mobile and hybrid use cases. Identity is the concept that is shared between all contexts, what binds everything together in IAM. We must conclude that identity is the new perimeter, or at least the new paradigm to leverage.
What is the role that identity can play for APIs?
Separate identity information from the application. Leverage the remote identity through the client accessing the application. Identity on internet scale leverages a 2nd or 3rd party that is well positioned to manage and publish identity information (the concept holds for both enterprise and consumer scenarios). We should strive to use identity across the web world (browser-based apps, Web SSO) and the native world (mobile and rich desktop clients): no need to do things twice. SSO is about convenience for users, but more importantly about addressing a bunch of security issues. SSO using 3rd-party-asserted identity is actually a rare example where convenience and security go hand in hand. Applying this concept in a uniform way will allow enterprise businesses to extend their enterprise security policies to the cloud. That is a must-have for compliance reasons.
APIs are rapidly becoming important, especially because of the rise of mobile apps and big data.
How would you secure web APIs? SOAP: WS-Security. REST: nothing there until recently, only passwords. What we need is a token-based method to access APIs: explained in the next slide.
Deprecated way of dealing with API access: hand out your password to a client or third-party service. Bad: the client stores the password, access is indiscriminate, no multi-factor, no granularity, no differentiation, no revocation. We need something better.
Enter OAuth 2.0: a protocol for secure API authorization. A simple standard or framework, based on REST and JSON, meant for the mobile web world. Delegated authorization: tokens are issued, obtained and used to mitigate the anti-password pattern. Granular, revocable access for specified parties, without exposing your credentials.
Framework: allows for a variety of use cases across enterprise and consumer domains. Balance between security and usability by using 2 types of tokens: access tokens and refresh tokens. Scopes allow for fine-grained access control, much like entitlements.
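The token pattern the last three slides describe (short-lived scoped access tokens, long-lived refresh tokens, server-side revocation, no password at the client), as an added example that is not from the presentation or from Ping's products: a minimal in-memory OAuth 2.0-style issuer plus the check an API would perform. Class and method names are my own assumptions.

```python
import secrets, time
from dataclasses import dataclass

@dataclass
class Grant:
    """One user's consent to one client for a set of scopes (constructed model)."""
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False

class AuthorizationServer:
    """Hypothetical in-memory OAuth 2.0-style issuer, not Ping's product; the API checks tokens here too."""
    def __init__(self, access_ttl=600):
        self.access_ttl = access_ttl          # access tokens are short-lived (seconds)
        self.access_tokens = {}               # opaque token -> (Grant, expiry)
        self.refresh_tokens = {}              # opaque token -> Grant, long-lived

    def issue(self, user, client_id, scopes, now=None):
        """Delegated authorization: the user consents; the client never sees a password."""
        now = time.time() if now is None else now
        grant = Grant(user, client_id, frozenset(scopes))
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (grant, now + self.access_ttl)
        self.refresh_tokens[refresh] = grant
        return access, refresh

    def refresh(self, refresh_token, now=None):
        """Trade a refresh token for a fresh access token without re-prompting the user."""
        now = time.time() if now is None else now
        grant = self.refresh_tokens.get(refresh_token)
        if grant is None or grant.revoked:
            return None
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = (grant, now + self.access_ttl)
        return access

    def revoke(self, refresh_token):
        """Revocation is a server-side state change: every token of the grant dies at once."""
        grant = self.refresh_tokens.get(refresh_token)
        if grant is not None:
            grant.revoked = True

    def check(self, access_token, required_scope, now=None):
        """What the API (resource server) asks: is the token live and in scope? Returns the user or None."""
        now = time.time() if now is None else now
        grant, expiry = self.access_tokens.get(access_token, (None, 0))
        if grant is None or grant.revoked or now >= expiry or required_scope not in grant.scopes:
            return None
        return grant.user
```

Compare this with the password anti-pattern: revoking access here invalidates one grant for one client, while the user's password and every other client's grant are untouched.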
Recent development: leverage OAuth to achieve SSO across native apps. Until now each app would do its own OAuth flow, which may result in a user logging in and granting access to an app on an individual basis, repeatedly. This shows how to leverage an existing Web SSO investment, e.g. SAML or OpenID Connect, for native mobile app SSO.
In the new cloud world we need to be prepared for a variety of use cases, devices, channels and hence protocols. Identity however is a constant factor and really the constant connector between all of them. Interoperability and standards are important: cloud is about doing things across multiple domains, and interoperability only comes with standards. Choose products that implement standards, if possible many standards at once! IAM as a business enabler: it can streamline the way in which you're doing business, adding convenience and security for all parties you deal with (employees, customers, partners), across the devices preferred by your partners/users. Agility: cloud IT is meant to cope with ever-changing demands; static infrastructure is legacy. Have more flexibility in a rapidly changing IT environment; architect your IT for that.
Externalization of authentication and authorization: make your API use tokens, not passwords. Some of your APIs may eventually have to deal with both enterprise and consumer identity; be sure that you can handle that. Design your API so that you can handle browser-based, server-to-server as well as native mobile application access in a unified way. Reuse your existing security and identity policies across the 3 worlds and use your existing identity store to do that. No need to build custom silos for doing this. And best of all: you don't need to implement that yourself, you can use an existing server or implementation. Come and talk to Ping!
Cloud will expand and change. 2013 is the year of the identity standards: OpenID Connect (ratification) and OAuth 2.0 (large deployments and convergence). Ping will be at the forefront of these changes, actively developing and implementing the new standards.