Bradford Stephens, Developer Evangelist, Ping Identity APIs are the glue of the web, and Enterprise APIs are driving innovation inside and out of the cloud. Now that information is being shared more freely, how can we secure those APIs? Data silos are falling across the enterprise and needs for interoperability are rising -- but how do you manage access in a de-siloed world? This talk will mix best practices and real-world examples for examining how to secure your APIs.

1. Copyright ©2013 Ping Identity Corporation. All rights reserved.1
Confidential
API Security
Bradford Stephens (Ping)
& Tim Anglade (Apigee)

2. Copyright ©2013 Ping Identity Corporation. All rights reserved.2
Confidential
• Intros
• The “Platform Imperative”
• What does Security Mean?
• Solutions
• Wrap-Up
Contents

3. Copyright ©2013 Ping Identity Corporation. All rights reserved.3
Confidential
• Hi!
• Former CEO of VC-Backed database startup, Drawn to
Scale. Built a distributed SQL database, Spire, from
scratch.
• Does a lot of work in big data, distributed systems, and
APIs.
• Now running Developer Evangelism + Platforms @ Ping!
Bradford Intro

4. Copyright ©2013 Ping Identity Corporation. All rights reserved.4
Confidential
• Hi as well!
• Built financial infrastructure at NASDAQ, an eCommerce
startup, Invited Expert work at W3C and now APIs &
Mobile Apps
• Spent a few years focusing heavily on distributed systems
and NOSQL databases — nosqltapes.com and
nosqlsummer.org
• Now running Developer Programs @ Apigee!
Tim Intro

5. Copyright ©2013 Ping Identity Corporation. All rights reserved.5
Confidential
Business Software is Changing
CRM
Sales
Analytics
Sharepoint
Website
Transactions
Marketing
Biz Apps

6. Copyright ©2013 Ping Identity Corporation. All rights reserved.6
Confidential
Business Software is Changing
Biz Apps
Salesforce Box
AWS
Shopify
Omniture
Google
Apps

7. Copyright ©2013 Ping Identity Corporation. All rights reserved.7
Confidential
Business Software is Changing
Biz Apps
Salesforce Box
AWS
Shopify
Omniture
Google
Apps
API
API
API
API
API
API
API

8. Copyright ©2013 Ping Identity Corporation. All rights reserved.8
Confidential
The Enterprise Must Open
Understanding the API Economy—the billionaire club

9. Copyright ©2013 Ping Identity Corporation. All rights reserved.9
Confidential
The Enterprise Must Open
API Growth Rate
• Open APIs
– We just hit the 7,000 API mark
– 8,000 by year end
– 16,000 by 2015
• Dark APIs
– Dark APIs are 5x+/- Open API growth rate
– 80,000 by 2015

10. Copyright ©2013 Ping Identity Corporation. All rights reserved.10
Confidential
The Enterprise Must Open
• Internal apps must be refactored
• Close collaboration with Partners
• Explosion of different channels and devices
• Everything is more social

11. Copyright ©2013 Ping Identity Corporation. All rights reserved.11
Confidential
What even is security?
What does security mean in this open-default world?

12. Copyright ©2013 Ping Identity Corporation. All rights reserved.12
Confidential
The never-ending battle
• Security is a never-ending battle between collaboration and
secrets … to get work done
• Once we’ve chosen where we fall on the spectrum, how do
you keep security around it?

13. Copyright ©2013 Ping Identity Corporation. All rights reserved.13
Confidential
Major Concepts
• Identity
• Authentication
• Authorization
• Encryption
• Accounting

14. Copyright ©2013 Ping Identity Corporation. All rights reserved.14
Confidential
Identity
• Answers “Who are you?”
• UserIDs, Digital Certificates, ATM Cards
• A public claim asserting yourself

15. Copyright ©2013 Ping Identity Corporation. All rights reserved.15
Confidential
Authentication
• Answers “How can you prove who you are?”
• Responding to a challenge
• Private shared secrets, best if known only to user (Private
Key)

16. Copyright ©2013 Ping Identity Corporation. All rights reserved.16
Confidential
Authorization
• Answers “What are you allowed to do?”
• Token/Ticket Mechanism
• Certain tokens are allowed certain abilities
• Enforcing the principle of least privilege

17. Copyright ©2013 Ping Identity Corporation. All rights reserved.17
Confidential
Encryption
• Answers “How can we keep this secret?”
• Only authorized parties can understand data
• Non-symmetric algorithms ‘mask’ data – ‘impossible’ to
reverse engineer

18. Copyright ©2013 Ping Identity Corporation. All rights reserved.18
Confidential
Accounting
• Answers “Who did what, when?”
• Typically use a logging mechanism (Splunk)
• “Closes the loop” between Authentication and
Authorization
• Essential in identifying gaps and postmortems

19. Copyright ©2013 Ping Identity Corporation. All rights reserved.19
Confidential
So what is API Security?
• A Secure API only allows the right people the right amount of
access to resources and data
• Has to balance collaboration in an open-by-default world vs.
keeping important secrets
• Many, many ways to do this

20. Copyright ©2013 Ping Identity Corporation. All rights reserved.20
Confidential
Identity
Authentication
Authorization
Channel Enc.
Accounting
Dedicated ATM
X
X
802.1X
X
X
LDAP
X
ActiveDirectory
X
X (partial)
Database Table
X
RADIUS/Diameter
X
X
X
VPN / IPSec
X
X
X.509
X
X
SSL, TLS, DTS
X
Basic/Digest Auth, Login
X
X
2-factor
X
Master login
X
X
API keys
X
X (partial)
OAuth 1.0
OAuth 1.0a
X (partial)
OAuth 2.0
X (partial)
OpenID
X
OpenID Connect
X
SAML
X
X (partial)
Shiro or other framework
X
X
Splunk or other logging
X
Roll your own
Recap

21. Copyright ©2013 Ping Identity Corporation. All rights reserved.21
Confidential
Topology
Database
App Layer
API
User A
App 1
User B
App 2
User C
App 3

22. Copyright ©2013 Ping Identity Corporation. All rights reserved.22
Confidential
• Use-cases
– Internal APIs
– Partner APIs
– Public APIs (consumer, open, mobile etc.)
• Tiers (legs)
– Server-to-Server (internal, partner)
usually 2-legged authentication
– End-user (consumer, mobile, open)
usually requires 3-legged authentication
API Types

23. Copyright ©2013 Ping Identity Corporation. All rights reserved.23
Confidential
Topology
Database
App Layer
API
User A
App 1
User B
App 2
User C
App 3

24. Copyright ©2013 Ping Identity Corporation. All rights reserved.24
Confidential
• Malicious Apps
• Well-intentioned but vulnerable App
• Well-intentional App with Malicious Users
Common Security Concerns

25. Copyright ©2013 Ping Identity Corporation. All rights reserved.25
Confidential
Topology
Database
App Layer
API
User A
App 1
User B
App 2
User C
App 3

26. Copyright ©2013 Ping Identity Corporation. All rights reserved.26
Confidential
• Two classes
– Human & Business
– Technologies
• Secure APIs use both!
Remedies

27. Copyright ©2013 Ping Identity Corporation. All rights reserved.27
Confidential
1. Registration Wall
– Knowing is half the battle!
– Identify problematic apps or users
– Isolate them from other traffic
– Provide means of communicating with
well-intentioned users
Human & Business Remedies

28. Copyright ©2013 Ping Identity Corporation. All rights reserved.28
Confidential
2. Proof
– Enhance registration by requiring proof the
account was not automatically created (captcha)
or has a legit email address (activation link)
– Phone Activation
– Driver’s license, …
Human & Business Remedies

29. Copyright ©2013 Ping Identity Corporation. All rights reserved.29
Confidential
3. Traffic Shaping
– Quotas
– Throttling
– Tiered Traffic
– Dynamic IP Filters
– Dynamic ISP Filters
– Up to & including blocking
– Processes not technologies!
Human & Business Remedies

30. Copyright ©2013 Ping Identity Corporation. All rights reserved.30
Confidential
4. Audits & Certifications
– More useful than you think
– Checks for dark corners in your organization
– PCI-DSS and ISO 2700X series
Human & Business Remedies

31. Copyright ©2013 Ping Identity Corporation. All rights reserved.31
Confidential
• Which of these should you implement?
• All of them? (Again, security vs. freedom.)
• Don’t forget to impose those human &
business rules on internal users!
– 80.123456% of DDoS cases come from inside the
house.
Human & Business Remedies

32. Copyright ©2013 Ping Identity Corporation. All rights reserved.32
Confidential
• Identity
• Authentication
• Authorization
• Encryption (Channel Security)
• Accounting (Auditing)
Technical Remedies!

33. Copyright ©2013 Ping Identity Corporation. All rights reserved.33
Confidential
Identity
Authentication
Authorization
Channel Enc.
Accounting
Dedicated ATM
X
X
802.1X
X
X
LDAP
X
X (definitions)
ActiveDirectory
X
X (definitions)
Database Table
X
RADIUS/Diameter
X
X
X
VPN / IPSec
X
X
X.509
X
X
SSL, TLS, DTS
X
Basic/Digest Auth, Login
X
X
2-factor
X
Master login
X
X
API keys
X
X (primitives)
OAuth 1.0
OAuth 1.0a
X (primitives)
OAuth 2.0
X (primitives)
OpenID
X
OpenID Connect
X
SAML
X
X (primitives)
Shiro or other framework
X
X
Splunk or other logging
X
Roll your own
Recap

34. Copyright ©2013 Ping Identity Corporation. All rights reserved.34
Confidential
1. Dedicated ATM connection
– You laugh, but…
Technical Remedies!

35. Copyright ©2013 Ping Identity Corporation. All rights reserved.35
Confidential
2. Identity Providers
– LDAP
– ActiveDirectory (provides authorization as well)
– User table in your database…
– Third party: Google, Twitter, etc. — still usually
maps to a user record in your internal tables.
– Every other combination of solutions will use one
of the first three in this list!
Technical Remedies!

36. Copyright ©2013 Ping Identity Corporation. All rights reserved.36
Confidential
3. Network Channel Security
– LAN level: 801.1X
– Beyond: use VPN/IPSec
– Both provide machine authentication and point-
to-point channel encryption
– Both would rely on a RADIUS or Diameter server
for user authentication and authorization
management
Technical Remedies!

37. Copyright ©2013 Ping Identity Corporation. All rights reserved.37
Confidential
4. Application/HTTP Channel Security
– SSL, TLS
– X.509
Technical Remedies!

38. Copyright ©2013 Ping Identity Corporation. All rights reserved.38
Confidential
4. Authentication
– Basic/Digest Auth (over SSL)
– Login form then API key
– Optional 2-factor (code generator, keyfob, etc.)
– Plugged to LDAP, or table of API keys or
hardcoded master login (bad).
– All or nothing keys: like giving every app full
access to your facebook account
Technical Remedies!

39. Copyright ©2013 Ping Identity Corporation. All rights reserved.39
Confidential
4. Authentication/Authorization with OAuth
– OAuth fundamentally tries to solve this problem, by
doing authentication but allowing to segment
authorization per app
– “Valet Key” analogy: the App has access to the
system as you, but cannot do certain things (like
change your password)
– That valet key is a token, that automatically expires
after a certain time
– Allows for “3-legged Authentication”, not just API and
App or (API and User), but API, App and User
• Use for revokes and accounting
– You still end up doing a regular authentication
somewhere in the middle (Basic auth, login form, etc.)
Technical Remedies!

40. Copyright ©2013 Ping Identity Corporation. All rights reserved.40
Confidential
– OAuth 1
• Do not use OAuth 1.0: logically insecure
• OAuth 1.0a (RFC edition) fixes that, works nicely, in
use at Twitter
• Signatures are hard (made so you don’t have to rely on
SSL/TLS though)
• Malicious Apps can be kicked out and all their tokens
revoked
• Web authentication flow can use keyfobs or other multi-
factor auth systems
• Very web-centric. The ideal use-case when it was
designed was “allow Twitter to access my Flickr photos”
Technical Remedies!

41. Copyright ©2013 Ping Identity Corporation. All rights reserved.41
Confidential
– OAuth 2.0
• Lead author famously walked out, not all bad though!
• Hard to implement correctly, in a secure manner
• Lots of grant types
• Not as interoperable as OAuth 1 — really a framework,
for security, not a protocol anymore
• Formalizes “scopes” for specific permissions (like “post
to wall”, “see friends”, etc.)
• Introduces refresh tokens — stay away
• Introduces compatibility with SAML and JWT — stay
away
• 2 token types: Bearer and MAC
Technical Remedies!

42. Copyright ©2013 Ping Identity Corporation. All rights reserved.42
Confidential
– OAuth 2.0 Bearer Tokens
• only ones used in practice
• as insecure as a Bearer Bond
• Heavily rely on channel being secure, which is rarely
the case, even over HTTPS
• No client binding
– App B could use a token issued for App A to log in as you
to App A
– Facebook wrote its own extension to deal with that
• Stay away from refresh tokens, it only serves a very
narrow use-case where two-tier refreshes are
necessary.
Technical Remedies!

43. Copyright ©2013 Ping Identity Corporation. All rights reserved.43
Confidential
5. Authorization
– Shiro — a Java framework to enforce
authorization rules in your apps
– SAML — full XML protocol to handle
authentication and authorization
Technical Remedies!

44. Copyright ©2013 Ping Identity Corporation. All rights reserved.44
Confidential
Identity
Authentication
Authorization
Channel Enc.
Accounting
Dedicated ATM
X
X
802.1X
X
X
LDAP
X
X (definitions)
ActiveDirectory
X
X (definitions)
Database Table
X
RADIUS/Diameter
X
X
X
VPN / IPSec
X
X
X.509
X
X
SSL, TLS, DTS
X
Basic/Digest Auth, Login
X
X
2-factor
X
Master login
X
X
API keys
X
X (primitives)
OAuth 1.0
OAuth 1.0a
X (primitives)
OAuth 2.0
X (primitives)
OpenID
X
OpenID Connect
X
SAML
X
X (primitives)
Shiro or other framework
X
X
Splunk or other logging
X
Roll your own
Recap

45. Copyright ©2013 Ping Identity Corporation. All rights reserved.45
Confidential
Identity
Authentication
Authorization
Channel Enc.
Accounting
Dedicated ATM
X
X
802.1X
X
X
LDAP
X
X (definitions)
ActiveDirectory
X
X (definitions)
Database Table
X
RADIUS/Diameter
X
X
X
VPN / IPSec
X
X
X.509
X
X
SSL, TLS, DTS
X
Basic/Digest Auth, Login
X
X
2-factor
X
Master login
X
X
API keys
X
X (primitives)
OAuth 1.0
OAuth 1.0a
X (primitives)
OAuth 2.0
X (primitives)
OpenID
X
OpenID Connect
X
SAML
X
X (primitives)
Shiro or other framework
X
X
Splunk or other logging
X
Roll your own
Connect 5!

46. Copyright ©2013 Ping Identity Corporation. All rights reserved.46
Confidential
Identity
Authentication
Authorization
Channel Enc.
Accounting
Dedicated ATM
X
X
802.1X
X
X
LDAP
X
X (definitions)
ActiveDirectory
X
X (definitions)
Database Table
X
RADIUS/Diameter
X
X
X
VPN / IPSec
X
X
X.509
X
X
SSL, TLS, DTS
X
Basic/Digest Auth
X
X
2-factor
X
Master login
X
X
API keys
X
X (primitives)
OAuth 1.0
OAuth 1.0a
X (primitives)
OAuth 2.0
X (primitives)
OpenID
X
OpenID Connect
X
SAML
X
X (primitives)
Shiro or other framework
X
X
Splunk or other logging
X
Roll your own
Connect 5!

47. Copyright ©2013 Ping Identity Corporation. All rights reserved.47
Confidential
• Use-cases
– Internal APIs
– Partner APIs
– Public APIs (consumer, open, mobile etc.)
• Tiers (legs)
– Server-to-Server (internal, partner)
usually 2-legged authentication
– End-user (consumer, mobile, open)
usually requires 3-legged authentication
API Types (again)
`

48. Copyright ©2013 Ping Identity Corporation. All rights reserved.48
Confidential
• Internal, Server-to-Server APIs
– Use OAuth 2.0 with Bearer Tokens obtained through a Client
Credentials grant (only 2-legged requirement)
– Alternatives: 802.1X with RADIUS/Diameter, X.509
• Partner, Server-to-Server APIs
– Use OAuth 2.0 with Bearer obtained through a Client
Credentials grant (only 2-legged requirement)
– Alternatives: VPN/IPSec with RADIUS/Diameter, X.509
• Consumer, Open or End-user Internal/Partner
– Consumer/Open APIs: use OAuth 2.0 with Bearer Tokens,
using Authentication Code or Implicit Grant flow (better
support for advanced authentication options, less trust on
clients)
• Mobile APIs
– use Oauth 2.0 (3-legged requirement) with Bearer Tokens
obtained through a Resource Owner grant or OS integration if
available (better UX)
Recommendations

49. Copyright ©2013 Ping Identity Corporation. All rights reserved.49
Confidential
• Security vs. Freedom
• Devil’s advocate OAuth 1.0a isn’t all bad, and
tons of people implement it for Twitter.
• How badly do you want to protect this vs. how
badly do you want people to use it?
• All the way to physically securing the
interface…
In conclusion…

50. Copyright ©2013 Ping Identity Corporation. All rights reserved.50
Confidential
• Questions, comments:
bstephens@pingidentify.com
tim.a@apigee.com
Thanks!