Securing Value in API Ecosystems, Ajay Biyani, Head of Customer Engineering Asia & Japan, ForgeRock

1. Securing Value in
API Ecosystems
SKO
San Diego
2019

2. / Breakout Pre-Work:
In this breakout, we’ll focus on how ForgeRock can help Enterprises secure the value of an API
connected ecosystem, building trust for Consumers through convenience, choice and visibility that
delivers on the promise of personalization.
Standardized APIs offer new ways for enterprises to extend their digital capabilities to enable innovation
and meet varied customer needs across market segments without breaking the budget. Seamlessly and
safely connecting customers with partner propositions offers opportunities to enhance the customer
experience and create new revenue streams.
What is an API - click this link
API economy - Enabling new business and delivery models - https://youtu.be/axGD5Hds8Bo
Cornerstone of Future Growth: Ecosystems - https://youtu.be/06dsHz9GrDE
Deep-dive into Citi's API strategy - https://youtu.be/indAIODhnVA
Retail banking digital transformation is happening - https://youtu.be/5WmgtcyQvzc
What it really takes to capture the value of APIs
https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/what-it-really-takes-to-
capture-the-value-of-apis
Top 10 Things CIOs Need to Know About APIs and the API Economy
https://www.gartner.com/doc/3579034?srcId=1-7251599992&cm_sp=swg-_-gi-_-dynamic

3. SKO
San Diego
2019
Securing Value in
API Ecosystems

4. 1. Sales Play Intro
2. State of Play
3. Personas
4. Exercise 1: Qualification
5. Business Value Prop
6. Technical Value Prop
7. Exercise 2: Identify the Use Case
8. Assets
SKO
San Diego
2019

5. / The “API Ecosystem” Security Play
5
Your API strategy promises to accelerate your transformation, no doubt you’re seeing this
program driving speed to market, more capability and a cost benefit to your organization.
Are you confident that your current technology addresses the operational challenges and
security risks an API ecosystem introduces?
ForgeRock's proven patterns will extend your authentication and authorization policies
beyond the corporate perimeter. ForgeRock supports multiple types of digital identities,
devices and applications connecting securely across your developing ecosystem.
Open APIs + ForgeRock = Risk mitigated success at scale and pace
✓ Accelerate ROI in API enabled Ecosystems
✓ Deliver seamless and safe customer journeys
✓ Securely connect valuable new propositions

6. 2. State of PlaySKO
San Diego
2019

7. / Identity and the API Economy
Protect
Borrow
Invest
Spend
Save
Financial
Services
Capabilities
Customers
Developers
The Enterprise as
a single point of
access
Commerce
Capabilities
Energy
Restaurants
Acquisitions
Shopping
Lifestyle
Capabilities
Culture
Travel
Entertainment
Loyalty
Business
Capabilities
CFO Services
Procurement
Business Management
Payroll
Managing
consumer identity
and being able to
associate multiple
digital identities
with a single
customer is
“super critical” to
success…

8. Find Me
Want to be found
not based on
some broad
demographic, but
on very specific
characteristics
Advise Me
Want their
Provider to
provide advice
based on
transaction data,
social data and on
all the different
pieces of
information they
have shared
Protect Me
Want to feel that
the security and
protection the
provider offers are
not painful or
irritating
Know Me
Want to feel like
their provider has
a 360-degree view
of their
relationship.
Ask Me
Want to be asked
about products
and given
suggestions about
services
Alert Me
Expect their
Provider to know
what is going on
in the world, and if
something
changes in the
market, to bring
them information
that will help
Delivering a Consistent, Seamless and Secure
Customer Experience at Scale…
Personal, Convenient and Trusted
/ Real-time Contextual Engagement

9. / APIs, Legacy Systems and the Transformation of Industries
Financial Services
Rising Customer
Expectations
Personalized Omnichannel
Engagement
Increasing Mobile
Transactions
Support for Services,
Channels & Products
Regulation
Competition from Fintech
& BigTech
Retail eCommerce
Integration of
Omnichannel Experience
Personalized and
Engaging
Streamline access to
outcome
Dynamic High Traffic
Events
Address Abandoned
Journeys
Security & Fraud
Prevention
Automotive / Mobility
New Mobility Services
Autonomous Vehicles
Integrated Financial
Services
Chip to Cloud Security
New Business Models
Smart Infrastructure
Telco Media
Device independent
seamless content delivery
Digital native disruption
Supporting new devices
Personalized Content
Mobile Connect
5g Networks

10. / APIs, Legacy Systems and the Transformation of Industries
Financial Services
Rising Customer
Expectations
Personalized Omnichannel
Engagement
Increasing Mobile
Transactions
Support for Services,
Channels & Products
Regulation
Competition from Fintech
& BigTech
Retail / Consumer
Product
Integration of
Omnichannel Experience
Personalized and
Engaging
Streamline access to
outcome
Dynamic High Traffic
Events
Address Abandoned
Journeys
Security & Fraud
Prevention
Automotive / Mobility
Autonomous Vehicles
Integrated Financial
Services
Chip to Cloud Security
New Business Models
Smart Infrastructure
Telco Media
Device independent
seamless content delivery
Digital native disruption
Supporting new devices
Personalized Content
Mobile Connect
5g Networks

11. / Why Enterprises use APIs
VS
APIs are a key tool for digital transformation extending and extracting value as the core
of an interconnected ecosystem in which the enterprise interacts with all kinds of
companies, Services and Things.
Legacy Integration
Rows and Columns
Batch or Real-Time
Machine Scale
Behind the Firewall
Client/Server
Weeks and Months Effort
API Integration
Any Data Type
Any Time
Any Scale
Any Location
Any Device
Minutes and Hours Effort

12. / Securing APIs is Critical

13. / Global Regulatory Scope
Consumer
Data Right
PSD2
3000+ institutionsFinancial Data
Exchange
UK Open Banking
Hong Kong Open
API Framework
Enforcement Dated
Consultation Stage
Japan, 80 banks
with Open APIs
Payments NZ trial
version of UK OBIE
Canada Open Banking

14. 32
Waves of
Business
Innovation
Driven by APIs
Each wave delivers new capabilities that challenge
the established operating model, moving the
Enterprise from being internally focused to being
engaged in a dynamic, evolving business
ecosystem
A focus on using APIs to develop and
optimize internal business processes
1
A focus on creating new API based products and
services and using platforms to deliver them
A focus on actively engaging in an ecosystem, delivering valuable
API driven services that enhance customer experience
INTERNAL
PLATFORM
ECOSYSTEM

15. / Benefits of API Ecosystems:
Agility
With APIs, establishing
better customer journeys
that link digital assets
outside the enterprise
happens much quicker.
Through APIs, the
development of new
services is accelerated as
the integration with 3rd
party applications and new
workflows is quicker and
thereby more productive.
Flexibility
APIs can access the app
components, making the
delivery of services and
information more flexible to
address demands. As
business adapts over time
APIs help to anticipate
changes. Data from
external sources is visible
more quickly making
service provision more
flexible.
Revenue
The digital economy is built
on APIs with potential new
revenue streams available
by extending this data-
sharing structure to new
partnerships and
propositions, which open up
a world of possibility in how
enterprises can operate and
compete.
Personalization
When access is provided to
an API, the content
generated can be published
automatically and is
available for every channel.
It allows information to be
shared and distributed
more easily and more
widely. APIs can be used to
distribute information and
services to new audiences
which can be personalized
to create custom user
experiences.

16. / Improved
CX Delivers
More
Revenue

17. / In summary:
Agility Personalization Flexibility Revenue
Transition Security & Privacy Scale Monetization
▪ APIs are a critical tool for digital transformation – inside out and outside in
▪ APIs deliver better, more seamless, journeys for customers to connect with partners and propositions
▪ APIs are the most efficient instrument for adapting to the new rules of the game
▪ APIs allow enterprises to transform into more digitalized entities that are connected to customer needs.
Identity Platform Strategy

18. 3. PersonasSKO
San Diego
2019

19. / Buyer Persona - The Digital
Business Owner
19
Who is she?
What’s important to her / her role?
● I need to make it easy for customers to switch to digital channels, without
compromising privacy and data security.
● I want all the innovative things I see being used by digital native businesses to
remove friction from our customer journeys.
● Our digital business needs to be agile and flexible. I want to be able to try out
new ideas, test and compare, get customer feedback and adapt accordingly.
● Our traditional IT operational processes mean I am always being frustrated, and
late to market.
The internal customer, and
key influencer
Responsible for digital
transformation, including
digital products channels.
Titles include;
● Chief Digital Officer
● Digital Product Manager
● Head of customer
experience
● Head of Digital
Transformation
● Digital Application owner

20. / Buyer Persona - The IAM expert
20
Who is he?
What’s important to him / his role?
● As the business undergoes digital transformation, my existing legacy IAM
platforms cannot cope with business demands for innovative, frictionless
customer journeys.
● In particular adopting MFA and Biometrics is painful; difficult to integrate, difficult
to test, and difficult to sift through the myriad of small start up vendors
● I have a lot of sunk cost invested in my current IAM platforms, including complex
integrations into back end systems and data stores. Unpacking it to start again is
too risky and too expensive to even think about.
● IAM is mission critical - if it doesn’t work, our business doesn’t work. I don’t can’t
risk breaking something that important
The ForgeRock buyer
Responsible for ensuring IAM
systems are fit for purpose.
Titles may include;
● Head of / Director of IAM
● IAM Architect
● Chief Information
Security Officer

21. / Buyer Persona - The API expert
21
Who is he?
What’s important to him / his role?
● I need to show viable use cases to management. That means a focus on
functionality and clear business benefits
● I have chosen some strategic suppliers - I am expecting them to give me
everything I need for the program
● We’re in proof of concept mode right now; I don’t want to do anything that will
add cost, complexity, and effort into the project; I can push non-essential
functions into a later phase of the program
● I need the program up and running; we can deal with scalability later
● I need to bridge between the digital and physical world
Internal customer; influencer
Responsible for implementing
IoT functionality;
● Head of API
Management
● Program Manager
● Head of Digital Channels
● Head of Platform & API
Engineering

22. / Buyer Persona - The Data
Protection Guru
22
Who is she?
What’s important to her / her role?
● it’s my job to ensure we don’t have a data breach. That is the number one
priority. We also have to comply with regulations for data protection, and I need
that to be streamlined and efficient.
● I need to make it easy for customers to self serve when it comes to keeping their
data up to date, without compromising privacy and data security, so I want it to
be coordinated across the business.
● Our digital business needs to be agile and flexible, but my job is to worry about
the impact going too fast could have if we make mistakes. Convenience is a
Security trade off, so I need to understand the risks.
● I want to track and manage customer consent for data collection and usage at a
granular level, without creating a customer experience nightmare.
The Gatekeeper. Has the
ability to say ‘No’.
Responsible for consumer
data protection, and
compliance with data
protection regulations;
● Chief Information
Security Officer
● Head of Compliance
● Chief Privacy Officer
● Data Protection Manager

23. Exercise 1:
Opportunity Qualification
SKO
San Diego
2019

24. / Opportunity Qualification
24
Split into Table teams.
Team A: The Digital Business Owner
Team B: The IAM expert
Team C: The API Expert
Team D: The Data Protection Guru
Using SPIN, Brainstorm in your team what qualification questions you could ask to understand:
➔ Situation (Focus on understanding business situation, and objectives)
➔ Pain (what is stopping them from achieving their goals)
● Impact (what are the quantifiable business and personal implications of unresolved Pain points)
● Need (Get them to visualise a path forward)

25. 4. Value PropositionSKO
San Diego
2019

26. / Why ForgeRock?
Cybersecurity
Enterprises are adopting
innovative cybersecurity and
privacy safeguards to manage
threats and achieve competitive
advantages. To do so, they are
thinking more broadly about
cybersecurity and privacy as
both protectors and enablers for
the business, third-party
partners and customers.
Laws & Regulations
Finding the right balance between
using personal data and
protecting privacy is one of the
biggest challenges of the digital
age. All organizations that
process personal data will have to
deal with new rules, including
those provided in the General
Data Protection Regulation
(GDPR).
Digital Identity
Customer Experience
Customer expectations change with
every innovative product and new
service. They demand that your
organization provide them with the
same digital experiences they have
at other companies.
Customer Experience (CX) is a
competitive differentiator.
Organizations deemed as CX
laggards are shrinking on their total
return.4
Digital Transformation
Digital technology is changing
organizations, products, and
services, and it is a source of
innovation. Enterprises are facing
the challenging of undergoing a
digital transformation that will bring
about many internal changes, while
external parties are looking for ways
to offer end-users the optimal
customer experience.

27. The average Enterprise manages more than 300 APIs. Increasingly
Enterprises connect 3rd parties using APIs with direct access to
data and app functionality. which requires:
• Authentication: A means by which to authenticate a user to a
high degree of trust.
• Authorization: A means to enforce user consent.
• Consent: A means by which a user grants a third party
permission to access their account
• API Security: A means to protect API’s and verify consent
/ Why ForgeRock?
Access decisions from and by internal and external sources are
always best made using an enterprise-wide identity platform

29. Comprehensive Identity
Lifecycle and Access
Management Features
FORGEROCK
DIFFERENCE
29
• Secure & Frictionless Authentication
Journeys - powered by Authentication
Trees
• Rich Authorization Capability
supporting Identity Relationships
• Open Standards with Extensibility
• Modern Application Integration with
REST, Identity Gateway, Agents, Edge,
MicroServices
• IoT-Class Scale and Performance
• Accelerate Deployments with
Kubernetes & DevOps on AWS, Azure,
Google, and RedHat OpenShift

30. Reduce fraud and prevent
data breaches by securing
all APIs with common
standards
Turn compliance
regulations into
competitive advantage
Protect API investment
with an intelligent and
future-proof identity
platform
Build personal, safe and
simple identity experiences,
faster than the competition,
connecting value in the
wider ecosystem.
Deliver Customer Centric
Value Propositions through
flexible and easy to use
identity and access solutions
with higher resilience and
more up-time.
Grow The BusinessMinimise Risk
Faster end to end
integration and external
connection through
abstraction of identity
from monolithic systems
and less app downtime.
Build on existing
investments and
streamline operations
with a unified identity
platform that provides the
engagement layer with
customers, employees and
third party partners.
Cost Benefit
/ Business Benefits
30

31. • Personalised content across all
devices
• Seamless viewing experience
anytime, anywhere, on any device
• Family relationships
• Personalised direct marketing
campaigns
• Use identity data for insight to drive
commissioning of shows,
scheduling, and new product
development

32. User Experience
Relationships
Personalization
Privacy
Speed Security
Data Enrichment
New Channels
Connecting Partners
ROI
/ ForgeRock delivers:

33. 5. Technical Value
Proposition
SKO
San Diego
2019

34. / Challenge #1: Trust Beyond the Perimeter
Internal APIs
External APIs
Product APIsB2B APIs New Business
& Innovation Channels

35. Challenge #2: Legacy Identity Security
Employees
(thousands
)
People
PCs
Endpoints
Apps and Data
On-premises
Employees
(thousands
)
Partners and
Suppliers
Customers
(millions)
People
Devices/Thing
s
(Billions)
Connected
Buildings PhonesTablet
s
Connected
Cars
Endpoints
On-premises Public
Cloud
Private
Cloud
Device
Private Public
Source: Forrester
Research

36. Challenge #3: Lack of Security Standards
Employees
(thousands
)
People
PCs
Endpoints
Apps and Data
On-premises
Employees
(thousands
)
Partners and
Suppliers
Customers
(millions)
People
Devices/Thing
s
(Billions)
Connected
Buildings PhonesTablet
s
Connected
Cars
Endpoints
On-premises Public
Cloud
Private
Cloud
Device
Private Public
Source: Forrester
Research

37. What Enterprises Want To Have

38. 38Copyright © 2016 Accenture. All rights reserved.
API Security – Building Blocks
• How to enroll customers digitally, in an effective and immediate
way?
• How to deal with the complexity of the identities of millions of
customers and things, in a consistent and unified view for admins.
and applications?
• How to ensure access control of customers and internal users
access to the digital channel (including 3rd parties), in a simple and
seamless way?
• How to ensure API requests come from real customers, authorized
to use them and correspond to legitimate uses?
• How to enable customers to self service (reset their password,
request additional services), and self manage their personal shared
information?
• How to detect suspicious user behavior to prevent fraud and
advanced persistent threats?
Access Management & Authorization

39. 39Copyright © 2016 Accenture. All rights reserved.
API Security – Building Blocks
• How to prevent attacks against the APIs, mobile or not, that need
to be exposed for omni-channel or the ecosystem?
• How to ensure security is built in the applications and
integrations along their lifecycle (waterfall or agile)?
• How to prevent data exfiltration, fraud and other Insider / Partner
threats?
• Protect the information in transit, typically when consumed by
applications, by encrypting the communications and performing
mutual authentication of parties involved thanks to qualified
certificates
API Security

40. 40Copyright © 2016 Accenture. All rights reserved.
API Security – Building Blocks
• Authentication: API Gateways should support a broad range of user
authentication patterns for an easy and flexible implementation, such as
standard API keys, application ID and key pair, and OAuth versions 1.0
and 2.0.
• Traffic throttling: API Gateways normally allow to set rate limits for API
usage and control traffic flow for groups of developers. The platform
allows the configuration of alerts and user notifications when a traffic
overage is detected, and are expected to support rate limiting by
application or by account.
• Access Control: API Gateways tend to be a central management point
where policies can be set up to establish access rules and limit the
availability of specific methods or endpoints. This contributes to an
effective defense in depth security strategy.
API Management
ForgeRock’s OpenIG provides:
• API security
• Acting as Authorization server
• Mobile integration
• Integration with IoT gateways
• Security microservices architecture
• Integration with other gateways

41. 41Copyright © 2016 Accenture. All rights reserved.
API Security – Building Blocks
• Microservices and Docker containers are emerging as a way to provide APIs the required level of elasticity
• However, their protection is somewhat different to classical architectures and brings a new set of challenges
• Authentication and authorization in a microservices world can be approached by making use of OAUTH
implementations, where there will be a tradeoff between security and performance
Innovative Architectures: Cloud & Microservices Security

43. Exercise 2:
Identify the Use Case
SKO
San Diego
2019

44. / Identify the Use Case
Use cases capture the goals of the business and IT. To understand a use case, we tell stories. The
stories cover how to achieve the goal and often address existing problems that occur on the way.
Use cases provide a way to identify and capture all the different but related stories in a simple but
comprehensive way. This enables the business and technical requirements to be easily captured,
shared, and understood.
Split into Table teams.
Decide on defining 2 Use Cases for an Enterprise in your sector / geography.
1 internal use case and 1 external use case
As a team share ideas on:
• business outcomes
• business and technical challenges
• market and regulatory drivers
• types of user – senior executives, contractor, millennial, developer, senior citizen
• describe their user journey
• position ForgeRock components

45. 6. AssetsSKO
San Diego
2019

47. 6. Appendix SlidesSKO
San Diego
2019

48. / Market Revenue Forecast

49. / Decision Maker Guidance