SlideShare une entreprise Scribd logo

APIConnect Security Best Practice

Shiu-Fun Poon
Shiu-Fun Poon

This covers security with APIc/gateway. It goes over high-level concepts and what IBM APIc can offer, this covers 2018, and v10 of the product Note: this is from a presentation from a year or so ago, with some updates to the link

Logiciels
1  sur  28
Télécharger pour lire hors ligne
SECURITY BEST PRACTICE APICONNECT & GATEWAY @SHIUFUNPOON
TRADEMARK ACKNOWLEDGEMENTS • IBM, IBM API Connect, IBM DataPower Gateway are trademarks of International Business Machines Corporation, registered in many jurisdictions • Other company, product and service names may be trademarks, registered marks or service marks of their respective owners. A current list of IBM trademarks is available on the web at "Copyright and trademark information" ibm.com/legal/copytrade.html
SECURITY • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
SECURITY – THIS IS ALWAYS A BALANCING ACT • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
API SECURITY API Gateway: • Decoupling/routing • Traffic management • Security • Translation Developer portal: • API discovery • Self subscription/administration • Account usage analytics • Monetization • Security API Manager: • Plan/product design • Policy administration • API plan usage analytics • API Governance • Security https://www.ibm.com/docs/en/api-connect/2018.x?topic=installing- maintaining-your-api-connect-cloud
MANAGEMENT SERVER
APIC UNDER THE HOOK • Internal services communicating vs mTLS • Quorum, with 3 being the magic number • APIc is the match maker, it introduces each subsystem to each others • APIM, Portal, Analytics, Gateway • How does APIM <-> Portal • How does APIM <-> Analytics • How does APIM <-> Gateway • How does Portal <-> Analytics • How does Gateway <-> Analytics • Configurable, extensible
https://www.ibm.com/downloads/cas/NQBJRBDO
Ç√
API MANAGER • API are published • Publish in openapi v2 format • apim vs consumer • WebGUI/toolkits/portal/BYO • RateLimit Drinking Our Own Champagne Get an access_token access_token must contain the right scope Permission is checked Is token valid Token contains necessary scope ? Does User has the proper permission ?
HARDENED PORTAL SECURITY Supports OpenID Connect for accelerated developer on-boarding and social login Enable PSD2/ Open Banking compliance to programmatically onboard consumers using REST Management APIs and OpenID Connect Enhanced spam protection against spam bots with CAPTCHA and honeypot Detect and prevent malicious attacks with perimeter and DNS check Detect and prevent flood attacks
CONFIGURE PORTAL BEHAVIOR
APIMANAGER WITH GATEWAY • Gateway must be 24 * 7 (without API manager) • API gateway introduce a gateway director manager • Using clustering technology to track configuration from APIM • Heartbeat from APIm to make sure Gateway will have the latest information • 911 protocol to handle catastrophic failure • Provides the status of how where the configuration with regard to the update from the APIm • Gateway director allows auto scaling of the additional gateway • Configuration/Key Materials • State of the processing
• Istio Integration for improved performance & security by passing API header and tokens into Istio • Open API V3 support to meet security industry standards (i.e. PSD2) & improve reuse • OpenBanking & PSD2 Compliant including flexible JWT and OAuth features • 5X Improved Performance with cloud-native API-centric Gateway Service • Fast Time to Value through Out of the Box policies for API Gateway Service • Enterprise Specific Security Support through OAuth flow customization • Expanded Security with OIDC, CAPTCHA, Perimeter, DNS check on Portal, etc. Performant and Secure
SECURE & MANAGE GRAPHQL ENDPOINTS Next-Gen evolution of Gateway technology beyond Web services and REST with GraphQL support Secure and Manage APIs with GraphQL backends, efficiently managing compute intensive services Threat Protection against cyberattacks using advance query complexity analysis to prevent API- based attacks Rate Limit GraphQL queries with consumer plans based on number of API calls & backend compute time https://www.ibm.com/blogs/research/2019/02/graphql-api-management/ https://developer.github.com/v4/guides/resource-limitations/
1. Access Control • Who can access the data and what data • APIc • Client credential (application) • User credential (who) 2. Load Control • How much effort for the server to fulfill the request • Complexity • Type (object type) • Resolve GraphQL Endpoints security breakdown
Up to 5X+ increased performance with natively built API Gateway using purpose-built technology for native OpenAPI/Swagger REST and SOAP APIs Multi-cloud scalability and extensibility to help meet SLAs and improve client user experience Optimized drag & drop built-in policies for security, traffic control and mediation including flexible OAuth, enhanced JSON & XML threat protection Secure to the core with self-contained signed & encrypted image to minimize risk, plus proven security policies to quickly protect APIs Before: DP Multi protocol Gateway Service API call Backend New: Native API Gateway Service API call Backend CLOUD-NATIVE API GATEWAY SERVICE IN DATAPOWER API GW service
POLICIES FOR ENFORCEMENT ON API GATEWAY SERVICE Gateway Script and XSLT policy support provides flexible message mediation & dynamic security enforcement Dynamic Routing support through Conditional Policy Enforce strong security through Parse, JSON and XML Schema Validation policy OpenID Connect support to enable banks to meet PSD2 / Open Banking regulations OAuth Token revocation to enable self-service token management Foundational Security Mediation Invoke API Key Map Activity Log JWT Validate JSON-XML Rate Limit JWT Generate Gateway Script Throw OAuth Policy XSLT Set Variable Parse (Threat Detection) Conditional Validate User Security OpenID Connect Built-in policies
Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs MEETING SECURITY NEEDS THROUGH NEW FLEXIBLE OAUTH PROVIDER
FEATURE LIST OF OAUTH IN APIC V5, V2018+V5GW, V2018+APIGW Features V4 V5 v2018 +V5 CompatGW v2018 + APIGW Basic OAuth Support ✅ ✅ ✅ ✅ Distinct Client ids and Secrets ⤫ ✅ ✅ ✅ Separate API ⤫ ✅ ✅ ✅ Access Control ⤫ ⤫ ✅ ✅ Seamless packaging within product ✅ ⤫ ✅ ✅ Tight coupling with Provider ⤫ ⤫ ✅* ✅ Metadata,Token introspection, Revocation/Token Management,Advanced scope handling ⤫ ✅ ✅ ✅ Customize OAuth Assembly ⤫ ⤫ ⤫ ✅ Dynamic configuration updates ⤫ ⤫ ** ⤫ ** ✅ Context variable driven ⤫ ⤫ ⤫ ✅ Independent Resource Owner Security ⤫ ⤫ ⤫ ✅ Out of the box OIDC support ⤫ ⤫ *** ⤫ *** ✅ Out of the box JWT Authorization Grant ⤫ ⤫ ** ⤫ ** ✅ * Tight coupling is only at the APIManager API level, not in the backendV5 Gateway ** Can be done with gateway extension *** Supported by a set of rule in the assembly
Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs MEETING SECURITY NEEDS THROUGH NEW FLEXIBLE OAUTH PROVIDER
Out of the box JWT Grant Type Support
Out of the box OIDC Support
CUSTOMIZABLE EASE OF USE • Crypto material on per OAuth native provider (vs gateway level) • End user credential gathering (context variable) * • Consent handling • Global Policy (and thus inject context variable for processing) * • Token handling (allow listing vs stateless) • Flexibility • ….
WHAT SHOULD I DO • Monitoring IBM PSIRT for IBM APIC, IBM DataPower • https://www.ibm.com/security/secure-engineering/process.html • Timely upgrade/migration to a new version of firmware • Balance your security needs vs platform offered (hardware vs ova vs docker vs ..) • How about cloud ? ICP ? • APIC Connect White Paper: https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN& ( • Security vs ease of use vs compatibility • Performance/usage spike • HA (rule of 3) • Stateless (especially across Availability Zone)
GATEWAY SPECIFIC • Is WebGUI needed for production • Automate deployment (which APIc solves) • Monitoring gateway (DataPower Operations Dashboard) • Backup administrator • ACL • mTLS with your backend services • Message validation • Payload redact • SLM • AllowList vs BlockList
FROM YOU, OUR AUDIENCES • Your feedbacks ? • What would you like to see ? • What can you share with each others on your experience ? Good or Bad

Recommandé

APIC/DataPower security
APIC/DataPower securityAPIC/DataPower security
APIC/DataPower securityShiu-Fun Poon
 
IBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEIBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEsandipg123
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018Chris Phillips
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security HardeningShiu-Fun Poon
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC securityShiu-Fun Poon
 
How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)Shiu-Fun Poon
 
Gateway deepdive
Gateway deepdiveGateway deepdive
Gateway deepdiveShiu-Fun Poon
 
What's new in API Connect and DataPower - 2019
What's new in API Connect and DataPower - 2019What's new in API Connect and DataPower - 2019
What's new in API Connect and DataPower - 2019IBM DataPower Gateway
 

Recommandé

APIC/DataPower security
APIC/DataPower securityAPIC/DataPower security
APIC/DataPower securityShiu-Fun Poon
 
IBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEIBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEsandipg123
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018Chris Phillips
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security HardeningShiu-Fun Poon
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC securityShiu-Fun Poon
 
How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)Shiu-Fun Poon
 
Gateway deepdive
Gateway deepdiveGateway deepdive
Gateway deepdiveShiu-Fun Poon
 
What's new in API Connect and DataPower - 2019
What's new in API Connect and DataPower - 2019What's new in API Connect and DataPower - 2019
What's new in API Connect and DataPower - 2019IBM DataPower Gateway
 
DataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance BenchmarksDataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance BenchmarksIBM DataPower Gateway
 
What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018IBM API Connect
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternVMware Tanzu
 
API and Microservices Management
API and Microservices ManagementAPI and Microservices Management
API and Microservices ManagementIBM DataPower Gateway
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API SecurityJagadish Vemugunta
 
Data Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish VemuguntaData Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish Vemuguntafloridawusergroup
 
Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018Natalia Kataoka
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?LunchBadger
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API ManagementApigee | Google Cloud
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connectKellton Tech Solutions Ltd
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservicesKunal Hire
 
Data power use cases
Data power use casesData power use cases
Data power use casessflynn073
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
Azure API Management
Azure API ManagementAzure API Management
Azure API ManagementDaniel Toomey
 
API Gateway report
API Gateway reportAPI Gateway report
API Gateway reportGleicon Moraes
 
Overview of API Management Architectures
Overview of API Management ArchitecturesOverview of API Management Architectures
Overview of API Management ArchitecturesNordic APIs
 
Technical Introduction to IBM Integration Bus
Technical Introduction to IBM Integration BusTechnical Introduction to IBM Integration Bus
Technical Introduction to IBM Integration BusGeza Geleji
 
Azure API Management
Azure API ManagementAzure API Management
Azure API Managementjeremysbrown
 
Api Gateway
Api GatewayApi Gateway
Api GatewayKhaqanAshraf
 
The Architecture of an API Platform
The Architecture of an API PlatformThe Architecture of an API Platform
The Architecture of an API PlatformJohannes Ridderstedt
 
[Workshop] API-driven Integration
[Workshop] API-driven Integration[Workshop] API-driven Integration
[Workshop] API-driven IntegrationWSO2
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET CoreNETUserGroupBern
 

Contenu connexe

Tendances

DataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance BenchmarksDataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance BenchmarksIBM DataPower Gateway
 
What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018IBM API Connect
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternVMware Tanzu
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API SecurityJagadish Vemugunta
 
Data Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish VemuguntaData Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish Vemuguntafloridawusergroup
 
Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018Natalia Kataoka
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?LunchBadger
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservicesKunal Hire
 
Data power use cases
Data power use casesData power use cases
Data power use casessflynn073
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
Azure API Management
Azure API ManagementAzure API Management
Azure API ManagementDaniel Toomey
 
Overview of API Management Architectures
Overview of API Management ArchitecturesOverview of API Management Architectures
Overview of API Management ArchitecturesNordic APIs
 
Technical Introduction to IBM Integration Bus
Technical Introduction to IBM Integration BusTechnical Introduction to IBM Integration Bus
Technical Introduction to IBM Integration BusGeza Geleji
 
Azure API Management
Azure API ManagementAzure API Management
Azure API Managementjeremysbrown
 
The Architecture of an API Platform
The Architecture of an API PlatformThe Architecture of an API Platform
The Architecture of an API PlatformJohannes Ridderstedt
 

Tendances (20)

DataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance BenchmarksDataPower API Gateway Performance Benchmarks
DataPower API Gateway Performance Benchmarks
 
What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
 
API and Microservices Management
API and Microservices ManagementAPI and Microservices Management
API and Microservices Management
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
 
Data Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish VemuguntaData Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish Vemugunta
 
Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018Migrating from IBM API Connect v5 to v2018
Migrating from IBM API Connect v5 to v2018
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connect
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservices
 
Data power use cases
Data power use casesData power use cases
Data power use cases
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Azure API Management
Azure API ManagementAzure API Management
Azure API Management
 
API Gateway report
API Gateway reportAPI Gateway report
API Gateway report
 
Overview of API Management Architectures
Overview of API Management ArchitecturesOverview of API Management Architectures
Overview of API Management Architectures
 
Technical Introduction to IBM Integration Bus
Technical Introduction to IBM Integration BusTechnical Introduction to IBM Integration Bus
Technical Introduction to IBM Integration Bus
 
Azure API Management
Azure API ManagementAzure API Management
Azure API Management
 
Api Gateway
Api GatewayApi Gateway
Api Gateway
 
The Architecture of an API Platform
The Architecture of an API PlatformThe Architecture of an API Platform
The Architecture of an API Platform
 

Similaire à APIConnect Security Best Practice

[Workshop] API-driven Integration
[Workshop] API-driven Integration[Workshop] API-driven Integration
[Workshop] API-driven IntegrationWSO2
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET CoreNETUserGroupBern
 
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0WSO2
 
Whats new in data power
Whats new in data powerWhats new in data power
Whats new in data powersflynn073
 
Api management update for optus
Api management update for optusApi management update for optus
Api management update for optussflynn073
 
The Platform Big Picture
The Platform Big PictureThe Platform Big Picture
The Platform Big PictureForgeRock
 
WSO2 Workshop Sydney 2016 - APIs
WSO2 Workshop Sydney 2016 - APIsWSO2 Workshop Sydney 2016 - APIs
WSO2 Workshop Sydney 2016 - APIsDassana Wijesekara
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1WSO2
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsApigee | Google Cloud
 
API Management Microservices beyond HIP
API Management Microservices beyond HIPAPI Management Microservices beyond HIP
API Management Microservices beyond HIPSmartWave
 
WSO2- OSC Korea - Accelerating Digital Businesses with APIs
WSO2- OSC Korea - Accelerating Digital Businesses with APIsWSO2- OSC Korea - Accelerating Digital Businesses with APIs
WSO2- OSC Korea - Accelerating Digital Businesses with APIsWSO2
 
API Gateways are going through an identity crisis
API Gateways are going through an identity crisisAPI Gateways are going through an identity crisis
API Gateways are going through an identity crisisChristian Posta
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital BusinessAkana
 
API Management within a Microservice Architecture
API Management within a Microservice ArchitectureAPI Management within a Microservice Architecture
API Management within a Microservice ArchitectureWSO2
 
API Management Within a Microservices Architecture
API Management Within a Microservices Architecture API Management Within a Microservices Architecture
API Management Within a Microservices Architecture Nadeesha Gamage
 
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellersCloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellersAmazon Web Services
 
Cloud DevSecOps Considerations Leveraging AWS Marketplace Software
Cloud DevSecOps Considerations Leveraging AWS Marketplace SoftwareCloud DevSecOps Considerations Leveraging AWS Marketplace Software
Cloud DevSecOps Considerations Leveraging AWS Marketplace SoftwareAmazon Web Services
 
Kube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor appsKube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor appsShikha Srivastava
 

Similaire à APIConnect Security Best Practice (20)

[Workshop] API-driven Integration
[Workshop] API-driven Integration[Workshop] API-driven Integration
[Workshop] API-driven Integration
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
 
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
 
Whats new in data power
Whats new in data powerWhats new in data power
Whats new in data power
 
Api management update for optus
Api management update for optusApi management update for optus
Api management update for optus
 
The Platform Big Picture
The Platform Big PictureThe Platform Big Picture
The Platform Big Picture
 
WSO2 Workshop Sydney 2016 - APIs
WSO2 Workshop Sydney 2016 - APIsWSO2 Workshop Sydney 2016 - APIs
WSO2 Workshop Sydney 2016 - APIs
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices Deployments
 
Day 1 axway apim-training
Day 1 axway apim-trainingDay 1 axway apim-training
Day 1 axway apim-training
 
Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and Roadmap
 
API Management Microservices beyond HIP
API Management Microservices beyond HIPAPI Management Microservices beyond HIP
API Management Microservices beyond HIP
 
WSO2- OSC Korea - Accelerating Digital Businesses with APIs
WSO2- OSC Korea - Accelerating Digital Businesses with APIsWSO2- OSC Korea - Accelerating Digital Businesses with APIs
WSO2- OSC Korea - Accelerating Digital Businesses with APIs
 
API Gateways are going through an identity crisis
API Gateways are going through an identity crisisAPI Gateways are going through an identity crisis
API Gateways are going through an identity crisis
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
 
API Management within a Microservice Architecture
API Management within a Microservice ArchitectureAPI Management within a Microservice Architecture
API Management within a Microservice Architecture
 
API Management Within a Microservices Architecture
API Management Within a Microservices Architecture API Management Within a Microservices Architecture
API Management Within a Microservices Architecture
 
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellersCloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
 
Cloud DevSecOps Considerations Leveraging AWS Marketplace Software
Cloud DevSecOps Considerations Leveraging AWS Marketplace SoftwareCloud DevSecOps Considerations Leveraging AWS Marketplace Software
Cloud DevSecOps Considerations Leveraging AWS Marketplace Software
 
Kube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor appsKube con china_2019_7 missing factors for your production-quality 12-factor apps
Kube con china_2019_7 missing factors for your production-quality 12-factor apps
 

Plus de Shiu-Fun Poon

IBM APIc API security protection mechanism
IBM APIc API security protection mechanismIBM APIc API security protection mechanism
IBM APIc API security protection mechanismShiu-Fun Poon
 
Cheatsheet to run DP docker
Cheatsheet to run DP dockerCheatsheet to run DP docker
Cheatsheet to run DP dockerShiu-Fun Poon
 
How to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credentialHow to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credentialShiu-Fun Poon
 
How to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIcHow to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIcShiu-Fun Poon
 
How to integration DataPower with Zos
How to integration DataPower with ZosHow to integration DataPower with Zos
How to integration DataPower with ZosShiu-Fun Poon
 
IBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheetIBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheetShiu-Fun Poon
 
Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)Shiu-Fun Poon
 
Open Banking via APIc 2018
Open Banking via APIc 2018Open Banking via APIc 2018
Open Banking via APIc 2018Shiu-Fun Poon
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDCShiu-Fun Poon
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerShiu-Fun Poon
 

Plus de Shiu-Fun Poon (14)

GraphQL Security
GraphQL SecurityGraphQL Security
GraphQL Security
 
IBM APIc API security protection mechanism
IBM APIc API security protection mechanismIBM APIc API security protection mechanism
IBM APIc API security protection mechanism
 
Cheatsheet to run DP docker
Cheatsheet to run DP dockerCheatsheet to run DP docker
Cheatsheet to run DP docker
 
How to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credentialHow to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credential
 
DataPower as PCI
DataPower as PCIDataPower as PCI
DataPower as PCI
 
How to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIcHow to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIc
 
How to integration DataPower with Zos
How to integration DataPower with ZosHow to integration DataPower with Zos
How to integration DataPower with Zos
 
IBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheetIBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheet
 
DataPower DoS/DDoS
DataPower DoS/DDoSDataPower DoS/DDoS
DataPower DoS/DDoS
 
Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)
 
White vs Black list
White vs Black listWhite vs Black list
White vs Black list
 
Open Banking via APIc 2018
Open Banking via APIc 2018Open Banking via APIc 2018
Open Banking via APIc 2018
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
 

Dernier

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 

Dernier (20)

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 

APIConnect Security Best Practice

  • 1. SECURITY BEST PRACTICE APICONNECT & GATEWAY @SHIUFUNPOON
  • 2. TRADEMARK ACKNOWLEDGEMENTS • IBM, IBM API Connect, IBM DataPower Gateway are trademarks of International Business Machines Corporation, registered in many jurisdictions • Other company, product and service names may be trademarks, registered marks or service marks of their respective owners. A current list of IBM trademarks is available on the web at "Copyright and trademark information" ibm.com/legal/copytrade.html
  • 3. SECURITY • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
  • 4. SECURITY – THIS IS ALWAYS A BALANCING ACT • Availability • Configurable • Standard • Ease of use • Monitoring • Resource consumption • …
  • 5. API SECURITY API Gateway: • Decoupling/routing • Traffic management • Security • Translation Developer portal: • API discovery • Self subscription/administration • Account usage analytics • Monetization • Security API Manager: • Plan/product design • Policy administration • API plan usage analytics • API Governance • Security https://www.ibm.com/docs/en/api-connect/2018.x?topic=installing- maintaining-your-api-connect-cloud
  • 7. APIC UNDER THE HOOK • Internal services communicating vs mTLS • Quorum, with 3 being the magic number • APIc is the match maker, it introduces each subsystem to each others • APIM, Portal, Analytics, Gateway • How does APIM <-> Portal • How does APIM <-> Analytics • How does APIM <-> Gateway • How does Portal <-> Analytics • How does Gateway <-> Analytics • Configurable, extensible
  • 9.
  • 10. Ç√
  • 11. API MANAGER • API are published • Publish in openapi v2 format • apim vs consumer • WebGUI/toolkits/portal/BYO • RateLimit Drinking Our Own Champagne Get an access_token access_token must contain the right scope Permission is checked Is token valid Token contains necessary scope ? Does User has the proper permission ?
  • 12. HARDENED PORTAL SECURITY Supports OpenID Connect for accelerated developer on-boarding and social login Enable PSD2/ Open Banking compliance to programmatically onboard consumers using REST Management APIs and OpenID Connect Enhanced spam protection against spam bots with CAPTCHA and honeypot Detect and prevent malicious attacks with perimeter and DNS check Detect and prevent flood attacks
  • 14. APIMANAGER WITH GATEWAY • Gateway must be 24 * 7 (without API manager) • API gateway introduce a gateway director manager • Using clustering technology to track configuration from APIM • Heartbeat from APIm to make sure Gateway will have the latest information • 911 protocol to handle catastrophic failure • Provides the status of how where the configuration with regard to the update from the APIm • Gateway director allows auto scaling of the additional gateway • Configuration/Key Materials • State of the processing
  • 15. • Istio Integration for improved performance & security by passing API header and tokens into Istio • Open API V3 support to meet security industry standards (i.e. PSD2) & improve reuse • OpenBanking & PSD2 Compliant including flexible JWT and OAuth features • 5X Improved Performance with cloud-native API-centric Gateway Service • Fast Time to Value through Out of the Box policies for API Gateway Service • Enterprise Specific Security Support through OAuth flow customization • Expanded Security with OIDC, CAPTCHA, Perimeter, DNS check on Portal, etc. Performant and Secure
  • 16. SECURE & MANAGE GRAPHQL ENDPOINTS Next-Gen evolution of Gateway technology beyond Web services and REST with GraphQL support Secure and Manage APIs with GraphQL backends, efficiently managing compute intensive services Threat Protection against cyberattacks using advance query complexity analysis to prevent API- based attacks Rate Limit GraphQL queries with consumer plans based on number of API calls & backend compute time https://www.ibm.com/blogs/research/2019/02/graphql-api-management/ https://developer.github.com/v4/guides/resource-limitations/
  • 17. 1. Access Control • Who can access the data and what data • APIc • Client credential (application) • User credential (who) 2. Load Control • How much effort for the server to fulfill the request • Complexity • Type (object type) • Resolve GraphQL Endpoints security breakdown
  • 18. Up to 5X+ increased performance with natively built API Gateway using purpose-built technology for native OpenAPI/Swagger REST and SOAP APIs Multi-cloud scalability and extensibility to help meet SLAs and improve client user experience Optimized drag & drop built-in policies for security, traffic control and mediation including flexible OAuth, enhanced JSON & XML threat protection Secure to the core with self-contained signed & encrypted image to minimize risk, plus proven security policies to quickly protect APIs Before: DP Multi protocol Gateway Service API call Backend New: Native API Gateway Service API call Backend CLOUD-NATIVE API GATEWAY SERVICE IN DATAPOWER API GW service
  • 19. POLICIES FOR ENFORCEMENT ON API GATEWAY SERVICE Gateway Script and XSLT policy support provides flexible message mediation & dynamic security enforcement Dynamic Routing support through Conditional Policy Enforce strong security through Parse, JSON and XML Schema Validation policy OpenID Connect support to enable banks to meet PSD2 / Open Banking regulations OAuth Token revocation to enable self-service token management Foundational Security Mediation Invoke API Key Map Activity Log JWT Validate JSON-XML Rate Limit JWT Generate Gateway Script Throw OAuth Policy XSLT Set Variable Parse (Threat Detection) Conditional Validate User Security OpenID Connect Built-in policies
  • 20. Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs MEETING SECURITY NEEDS THROUGH NEW FLEXIBLE OAUTH PROVIDER
  • 21. FEATURE LIST OF OAUTH IN APIC V5, V2018+V5GW, V2018+APIGW Features V4 V5 v2018 +V5 CompatGW v2018 + APIGW Basic OAuth Support ✅ ✅ ✅ ✅ Distinct Client ids and Secrets ⤫ ✅ ✅ ✅ Separate API ⤫ ✅ ✅ ✅ Access Control ⤫ ⤫ ✅ ✅ Seamless packaging within product ✅ ⤫ ✅ ✅ Tight coupling with Provider ⤫ ⤫ ✅* ✅ Metadata,Token introspection, Revocation/Token Management,Advanced scope handling ⤫ ✅ ✅ ✅ Customize OAuth Assembly ⤫ ⤫ ⤫ ✅ Dynamic configuration updates ⤫ ⤫ ** ⤫ ** ✅ Context variable driven ⤫ ⤫ ⤫ ✅ Independent Resource Owner Security ⤫ ⤫ ⤫ ✅ Out of the box OIDC support ⤫ ⤫ *** ⤫ *** ✅ Out of the box JWT Authorization Grant ⤫ ⤫ ** ⤫ ** ✅ * Tight coupling is only at the APIManager API level, not in the backendV5 Gateway ** Can be done with gateway extension *** Supported by a set of rule in the assembly
  • 22. Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs MEETING SECURITY NEEDS THROUGH NEW FLEXIBLE OAUTH PROVIDER
  • 23. Out of the box JWT Grant Type Support
  • 24. Out of the box OIDC Support
  • 25. CUSTOMIZABLE EASE OF USE • Crypto material on per OAuth native provider (vs gateway level) • End user credential gathering (context variable) * • Consent handling • Global Policy (and thus inject context variable for processing) * • Token handling (allow listing vs stateless) • Flexibility • ….
  • 26. WHAT SHOULD I DO • Monitoring IBM PSIRT for IBM APIC, IBM DataPower • https://www.ibm.com/security/secure-engineering/process.html • Timely upgrade/migration to a new version of firmware • Balance your security needs vs platform offered (hardware vs ova vs docker vs ..) • How about cloud ? ICP ? • APIC Connect White Paper: https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN& ( • Security vs ease of use vs compatibility • Performance/usage spike • HA (rule of 3) • Stateless (especially across Availability Zone)
  • 27. GATEWAY SPECIFIC • Is WebGUI needed for production • Automate deployment (which APIc solves) • Monitoring gateway (DataPower Operations Dashboard) • Backup administrator • ACL • mTLS with your backend services • Message validation • Payload redact • SLM • AllowList vs BlockList
  • 28. FROM YOU, OUR AUDIENCES • Your feedbacks ? • What would you like to see ? • What can you share with each others on your experience ? Good or Bad