SlideShare une entreprise Scribd logo

Best Practices for API Security

Télécharger en tant que PPTX, PDF
MuleSoft
MuleSoft

APIs have become a strategic necessity for your business. They facilitate agility and innovation. However, the financial incentive associated with this agility is often tempered with the fear of undue exposure of the valuable information that these APIs expose. With data breaches now costing $400m or more, senior IT decision makers are right to be concerned about API security. In this SlideShare, you'll learn: -The top API security concerns -How the IT industry is dealing with those concerns -How Anypoint Platform ensures the three qualifications needed to keep APIs secure

Technologie
1  sur  31
Nial Darbey, Senior Solutions Consultant, MuleSoft Aaron Landgraf, Senior Product Marketing Manager, MuleSoft January, 2016 Best Practices for API Security: Anypoint Platform Solutions
Why API security is so crucial “The estimated financial loss from 700 million compromised records was $400 million, which shows the real importance of managing data breach risks .” • -Verizon 2015 Data Breach Investigations Report
All contents © MuleSoft Inc. Introduction 3 • In this presentation we will show how MuleSoft’s Anypoint Platform can ensure that your API is highly available to respond to clients and can guarantee the integrity and confidentiality of the information it processes. • We will explore in depth the main security concerns around APIs and look at how the IT industry has responded to those concerns. • We will also present Anypoint Platform as fully capable of managing and hosting APIs that are secure according to the highest industry standards.
All contents © MuleSoft Inc. Table of Contents 4 1. Identity 2. Main Security Concerns 3. Mule Runtime Security Capabilities 4. Anypoint Platform Security Capabilities 5. Summary Scenario
Identity
All contents © MuleSoft Inc. Identity 6 • Identify Users, Apps and Servers • Record of Identities • LDAP Active Directory • Identity Provider Identity is core to the world of security. You must be able to recognize the Apps that consume your API, the Users of the same and the Servers that your API calls out to. Likewise, your API should be able to identify itself to both Apps and Servers. Likewise, your API should be able to identify itself to both Apps and Servers. You need an Identity Store to which you can refer to verify your recognition of Apps and Users. The Identity Store could be a database, but an LDAP server is the most popular solution. Active Directory is a popular LDAP implementation. An Identity Provider is software which is dedicated to managing the interaction with the Identity Store(s) for authentication and authorization purposes. Your API can function in this role though it is much more preferable to delegate this responsibility to the Identity Provider.
All contents © MuleSoft Inc. Identity > Authentication 7 • Client and Server • Username / Password Credentials • Multi-factor Authentication • Token Based Credentials When you are presented with an App ID or a User’s username (claim) in a call to your API, you must be able to verify the authenticity of the claim. This is done with some form of a shared secret. When your API acts as Identity Provider, it typically authenticates the claim by passing the same credentials to the LDAP server. The use of username / password pairs as credentials is a very common practice but it is not recommended from two perspectives: Passwords have a level of predictability whereas the ideal is to maximize on randomness or entropy. Also, the maintenance of passwords is difficult. If you need to change a password then you immediately affect all Apps that make use of that password. Recognizing the weakness of username and password credentials, an App using Multi-factor Authentication (MFA) demands from the User a one-time usage token she receives after authenticating with her credentials. Token based credentials are a better alternative to Username Password Credentials, which provide higher entropy and a more secure form of authentication and authorization.
All contents © MuleSoft Inc. Identity > Authorization 8 • Role Based Access Control • Attribute Based Access Control • Delegated Access Control with OAuth 2.0 Typically, every business, enterprise or organization is divided into groups of employees around related business functions. This group information can be used when software Users interact with an App and you need to restrict their access according to the authorization or access control rule in place for that software. You can use the group they belong to in order to identify their role when using the App. Going beyond the static assignment of roles to Users based on the organizational groups to which they belong, Attribute based Access Control (ABAC) aims to facilitate the dynamic determination of access control based on some sort of circumstantial information available at the time of the API call. The HTTP based OAuth 2.0 framework allows an App to obtain access to a resource exposed by your API either on its own behalf or on behalf of the User who owns the resource. Thus it allows Users to delegate access control to third party Apps.
All contents © MuleSoft Inc. Identity > Federated Identity 9 • Single Sign-on • SAML 2.0 • OpenID Connect The token based approach to authentication allows for the separation of the issuing of tokens from their validation and thus facilitates the centralization of Identity Management. The Security Assertion Markup Language (SAML) is an industry standard which has become a defacto standard for Enterprise level Identity Federation. It allows Identity Providers to communicate authentication and authorization information about Users to Service Providers in a standard way. OpenID Connect is built on top of OAuth 2.0 to provide a Federated Identity mechanism that allows you to secure your API in a way similar to what you would get were you to exploit WS- Security with SAML.
Main Security Concerns
All contents © MuleSoft Inc. Main Security Concerns 11 • Integrity • Confidentiality • Availability • Users, Apps • Clients and Servers
All contents © MuleSoft Inc. Main Security Concerns > Integrity 12 • Digital Signatures • Message Safety Message Integrity goes beyond the authentication of the App and the User and includes the verification that the Message was not compromised mid-flight by a malicious third party. In other words, the Message received by your API is verified as being exactly the one sent by the App. The same goes for when your API acts as Client to a Server.
All contents © MuleSoft Inc. Main Security Concerns > Confidentiality 13 • Public Key Cryptography • Digital Certificates • Mutual Authentication • HTTPS It is all very well to rest assured with the Integrity of a message sent by a known App, but the journey from App to API may have been witnessed by some unwelcome spies who got to see all of those potentially very private details inside the message! Thus, it is necessary to hide those details from the point of delivery by the App to the reception by the Server. An agreement is needed between the App and API in order to be able to hide the details of the message in a way that allows only the API to uncover them and vice versa.
All contents © MuleSoft Inc. Main Security Concerns > Availability 14 • Load balancing • Clustering • Reliability Your API must guarantee that it is always available to respond to calls and that once it begins execution on the call, that it can finish handling the received message right the way through to completion without losing data. This can be achieved by horizontally scaling the API across multiple servers and by handing off the processing of the message to a message broker which will hold the message till the API has completed its processing. The understanding in this latter scenario is that another process is subscribed to this message publication and thus continues the processing asynchronously.
Mule Runtime Security Capabilities
All contents © MuleSoft Inc. Mule Runtime > Confidentiality 16 • Mule HTTPS Connector • Mule Encryption Processor • Dynamic Data Filtering with DataWeave An HTTPS listener can be configured with reference to a keystore so that your API can authenticate itself to the App. When client authentication is demanded from the App, the listener can reference a truststore. The Mule Message Encryption Processor can change the content of a message so that it becomes unreadable by unauthorized entities. Mule can encrypt the entire payload of a message or specific parts of the payload, according to security requirements, using different encryption strategies. DataWeave is Mule’s data transformation engine which transforms between different mime-types using a simple expression language which is common across all data formats. The language can be used to remove and / or mask data fields in the payload, whatever the structure of the payload and the location of the field.
All contents © MuleSoft Inc. Mule Runtime > Integrity 17 • Mule Security Manager • Mule Secure Token Service OAuth 2.0 Provider • Mule Digital Signature Processor • Mule Credentials Vault Exposing your API over HTTPS guarantees that it has not been modified in transit. However, authentication and authorization of the request still need to take place. Central to authentication in Mule is Mule Security Manager. This is the bridge between a standard mule configuration and Spring Security beans. Mule can act as an OAuth2 Provider, issuing tokens to registered Apps, applying expiration periods to these tokens and associating them to User roles and fine-grained access control known in the OAuth world as scopes. Mule Digital Signature Processor adds a digital signature to a message payload, or part of the payload, to prove the identity of the Message’s sender. Mule Credentials Vault is for the encryption of properties that are referred to and decrypted by the Mule application at deployment time.
All contents © MuleSoft Inc. Mule Runtime > Availability 18 • Mule HA Clusters • Anypoint MQ A single Mule server hosting your API is not enough to facilitate high availability. To achieve this, you need to host the same API on more than one Mule runtime. With a load balancer in front of the API, you can guarantee that the API will always handle incoming requests as the load balancer chooses between those instances which are healthy. Reliability on Mule can be achieved by clustering two or more instances of Mule together which is easy using Anypoint Runtime Manager. For reliable processing of Messages between multiple APIs you can use Anypoint MQ.
Anypoint Platform Security Capabilities
All contents © MuleSoft Inc. Anypoint Platform > API solution 20 • API Adapability with Policies • Anypoint Gateway communication • Security Policies • Custom Policies Anypoint Platform API Solution is a fully multi-tenant application running on top of Amazon Web Services (AWS) and inside a VPC (cloud VPN). Although Anypoint Platform can manage and enforce the runtime security of your API, the API itself remains wherever you have it deployed. Using the Mule runtime as an API gateway you can host your API. The Mule runtime communicates constantly with Anypoint API Manager to retrieve policies and report back analytical information about the usage of your API. Anypoint Platform returns to issues of Identity when addressing its specific security policies. Policies on the Anypoint Platform are snippets of Mule Configuration. As such, custom policies are very easily configurable and can be surfaced on the API Manager portal as siblings to our out-of-the-box policies.
All contents © MuleSoft Inc. Anypoint Platform > MQ 21 • Cloud Messaging • Multi-tenant • Multi Datacenter persistent Storage • Encrypted Exchanges and Queues Anypoint MQ is a multi-tenant cloud messaging service offering persistent data storage across multiple data centers, ensuring that it can handle data center outages and have full disaster recovery.
All contents © MuleSoft Inc. Anypoint Platform > Virtual Private Cloud 22 • Your DataCenter + Anypoint iPaas • Single Private Secured Network • IPSec • OpenVPN • Amazon VPC peering Mule applications can be deployed either to your on-premises Mule runtime or to our fully hosted and fully managed iPaaS. In most scenarios, Mule applications deployed to the iPaaS will need to integrate with systems in your datacenter. In some cases a hybrid architecture is adopted where Mule applications deployed to the iPaaS must integrate with Mule applications deployed to Mule runtime on-premises. Virtual Private Cloud (VPC) enables you to connect your organization in Anypoint Platform to your corporate data centers – whether on-premises or in other clouds – as if they were all part of a single, private secured network. You can configure these networks at hardware or software levels. VPC can be configured to use IPSec, TLS (over OpenVPN) or Amazon VPC peering to connect to your on-premises data centers. IPsec connections can be configured at the hardware level in addition to a software client.
All contents © MuleSoft Inc. Anypoint Platform > User Roles and Permissions 23 • Organizations and Business Groups • Separate API Management • Separate Runtime Management • Roles and Permissions per Organization / BG • Federated with External Identity Providers In Anypoint Platform, users belong to an organization and have a set of roles and permissions. API versions and deployment environments are grouped under organizations. To access them you need to have an account that that owns the necessary permissions and that belongs to its corresponding organization – and to the Business Group if the resource exists in one. Roles and permissions can be granted for accessing resources that exist in the master organization, or for resources that exist within a Business Group. A user that owns any role of a business group is implicitly granted membership in the Business Group. Each role contains a list of permissions that define what a user that holds that role can do with the specific resources it scopes. Permissions can also be added at an individual user level. Keep in mind that API permissions are API version specific and iPaaS permissions are environment specific – they grant you the ability to do something within a particular API version / environment, not the entire organization.
All contents © MuleSoft Inc. Anypoint Platform > Security Compliance 24 • FIPS 140-2 • SSAE 16 SOC 2 • PCI DSS Level-1 • HiTrust When Anypoint API Manager manages APIs from the cloud, it stores only metadata about the APIs and the Apps which consume them. The APIs can be deployed on the Mule runtime either on-premises or in our fully hosted, fully managed iPaaS solution. The extent to which Anypoint Platform platform is compliant with external audits is detailed in the whitepaper “Anypoint Platform Cloud Security and Compliance”.
Summary Scenario
All contents © MuleSoft Inc. Scenario problem 26 Mythical Retail has a chain of stores and deliver an e-commerce solution to their customers. One of their business objectives is to increase ecommerce revenue by 20% in the next 18 months. Mythical wants… Mythical has… An omnichannel digital strategy Anypoint Platform for integration and API management A single view of the customer Clienteling software to help sales associates A loyalty program to understand their customers spending habits Uniformity across all customer touchpoints How can this be secured?
Scenario Solution
Scenario Solution
All contents © MuleSoft Inc. Scenario solution 29 1. Katie signs in to her iPhone App. 2. Part of the digital solution catering to Katie’s experience is the My Shopping API which delivers all the relevant capabilities to her iPhone App. This API is protected with the PingFederate access token enforcement policy. In order to consume the My Shopping API, the iPhone App must interact with the PingFederate Authorization Server to request an OpenID Connect token on her behalf. PingFederate authenticates her credentials against Active Directory. Upon successful authentication, it generates a token and signs it (see Digital Signatures 2.1.1) before responding to the iPhone App with the token. The App presents this token in a custom HTTP header on every subsequent call to My Shopping API. 3. All calls between experience, process and system APIs are protected with the client ID enforcement policy. Each API has an ID and secret stored in Mule Credentials Vault. 4. The calls to the Tokenization API are protected with client cert authentication and the payload passed to the API is encrypted and signed with Mule Encryption Processor and Mule Digital Signature Processor respectively before sending. 5. Publications to Anypoint MQ are protected with OAuth 2.0 and HTTPS. 6. Subscriptions to Anypoint MQ are protected with OAuth 2.0 and HTTPS. 7. There is a federated trust between the Identity Providers in both security contexts for Mythical Retail and its shipping partner. Both the sales associate’s App and Katie’s App can call the Order Tracking API with the access token that they received from PingFederate. The Order Tracking API validates the token with OpenAM, the Identity Provider of the shipping company. This is able to verify that the token was signed by the Identity Provider of Mythical Retail, which it trusts. The Order Tracking API accepts the invocation by the iPhone App and responds accordingly. 8. Sales associates use multi-factor authentication to sign in to their App. The App calls PingFederate OAuth 2.0 authorization server to get a token which it passes to the Shop Assistant API. 9. Interaction with the systems of record is secured in various forms according to the requirements of each Server. Tokens and username and password credentials are stored in Mule Credentials Vault.
All contents © MuleSoft Inc. In Conclusion 30 APIs are a strategic necessity to give your business the agility and speed needed to succeed in today’s business environment. But with the increasing cost of security breaches, senior IT decision makers quite rightly want assurances that exposing their data via APIs will not create undue risk. Anypoint Platform’s features provide the necessary assurances for the confidentiality, reliability and availability of APIs designed and managed on the platform. Anypoint Platform is trusted by industries needing the highest levels of security, including 5 of the top 12 global banks, 2 of the top 5 global insurance companies and top pharmaceutical and global healthcare companies. For more resources on API security, please take a look at our whitepaper and webinar on API security best practices.
Thank You

Recommandé

Mule Runtime: Performance Tuning
Mule Runtime: Performance Tuning Mule Runtime: Performance Tuning
Mule Runtime: Performance Tuning MuleSoft
 
MuleSoft Sizing Guidelines - VirtualMuleys
MuleSoft Sizing Guidelines - VirtualMuleysMuleSoft Sizing Guidelines - VirtualMuleys
MuleSoft Sizing Guidelines - VirtualMuleysAngel Alberici
 
Frequently asked MuleSoft Interview Questions and Answers from Techlightning
Frequently asked MuleSoft Interview Questions and Answers from TechlightningFrequently asked MuleSoft Interview Questions and Answers from Techlightning
Frequently asked MuleSoft Interview Questions and Answers from TechlightningArul ChristhuRaj Alphonse
 
Mule 4 migration + Common Integration Challenges : MuleSoft Virtual Muleys Me...
Mule 4 migration + Common Integration Challenges : MuleSoft Virtual Muleys Me...Mule 4 migration + Common Integration Challenges : MuleSoft Virtual Muleys Me...
Mule 4 migration + Common Integration Challenges : MuleSoft Virtual Muleys Me...Angel Alberici
 
Mulesoft ppt
Mulesoft pptMulesoft ppt
Mulesoft pptAchyuta Lakshmi
 
Cloudhub 2.0
Cloudhub 2.0Cloudhub 2.0
Cloudhub 2.0Christopher Co
 
MuleSoft Surat Meetup#41 - Universal API Management, Anypoint Flex Gateway an...
MuleSoft Surat Meetup#41 - Universal API Management, Anypoint Flex Gateway an...MuleSoft Surat Meetup#41 - Universal API Management, Anypoint Flex Gateway an...
MuleSoft Surat Meetup#41 - Universal API Management, Anypoint Flex Gateway an...Jitendra Bafna
 
Managing APIs with MuleSoft
Managing APIs with MuleSoftManaging APIs with MuleSoft
Managing APIs with MuleSoftGuilherme Pereira Silva
 

Recommandé

Mule Runtime: Performance Tuning
Mule Runtime: Performance Tuning Mule Runtime: Performance Tuning
Mule Runtime: Performance Tuning MuleSoft
 
MuleSoft Sizing Guidelines - VirtualMuleys
MuleSoft Sizing Guidelines - VirtualMuleysMuleSoft Sizing Guidelines - VirtualMuleys
MuleSoft Sizing Guidelines - VirtualMuleysAngel Alberici
 
Frequently asked MuleSoft Interview Questions and Answers from Techlightning
Frequently asked MuleSoft Interview Questions and Answers from TechlightningFrequently asked MuleSoft Interview Questions and Answers from Techlightning
Frequently asked MuleSoft Interview Questions and Answers from TechlightningArul ChristhuRaj Alphonse
 
Mule 4 migration + Common Integration Challenges : MuleSoft Virtual Muleys Me...
Mule 4 migration + Common Integration Challenges : MuleSoft Virtual Muleys Me...Mule 4 migration + Common Integration Challenges : MuleSoft Virtual Muleys Me...
Mule 4 migration + Common Integration Challenges : MuleSoft Virtual Muleys Me...Angel Alberici
 
Mulesoft ppt
Mulesoft pptMulesoft ppt
Mulesoft pptAchyuta Lakshmi
 
Cloudhub 2.0
Cloudhub 2.0Cloudhub 2.0
Cloudhub 2.0Christopher Co
 
MuleSoft Surat Meetup#41 - Universal API Management, Anypoint Flex Gateway an...
MuleSoft Surat Meetup#41 - Universal API Management, Anypoint Flex Gateway an...MuleSoft Surat Meetup#41 - Universal API Management, Anypoint Flex Gateway an...
MuleSoft Surat Meetup#41 - Universal API Management, Anypoint Flex Gateway an...Jitendra Bafna
 
Managing APIs with MuleSoft
Managing APIs with MuleSoftManaging APIs with MuleSoft
Managing APIs with MuleSoftGuilherme Pereira Silva
 
MuleSoft Architecture Presentation
MuleSoft Architecture PresentationMuleSoft Architecture Presentation
MuleSoft Architecture PresentationRupesh Sinha
 
Dataweave Libraries and ObjectStore
Dataweave Libraries and ObjectStoreDataweave Libraries and ObjectStore
Dataweave Libraries and ObjectStoreVikalp Bhalia
 
Object Store V2 Workshop
Object Store V2 WorkshopObject Store V2 Workshop
Object Store V2 WorkshopMuleSoft
 
MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...
MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...
MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...Jitendra Bafna
 
MuleSoft Anypoint Platform and Three Tier Architecture
MuleSoft Anypoint Platform and Three Tier ArchitectureMuleSoft Anypoint Platform and Three Tier Architecture
MuleSoft Anypoint Platform and Three Tier ArchitectureHarish Kumar
 
Running and Managing Mule Applications
Running and Managing Mule ApplicationsRunning and Managing Mule Applications
Running and Managing Mule ApplicationsMuleSoft
 
MuleSoft for Enterprises
MuleSoft for EnterprisesMuleSoft for Enterprises
MuleSoft for EnterprisesPrashantGolani1
 
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63Angel Alberici
 
Custom policies in mule 4 and a circuit breaker example
Custom policies in mule 4 and a circuit breaker exampleCustom policies in mule 4 and a circuit breaker example
Custom policies in mule 4 and a circuit breaker exampleRoyston Lobo
 
Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...
Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...
Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...MuleSoft
 
Migrating to mule 4 - Are you ready for This.
Migrating to mule 4 - Are you ready for This.Migrating to mule 4 - Are you ready for This.
Migrating to mule 4 - Are you ready for This.Harish Kumar
 
#6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule
#6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule #6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule
#6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule JohnMathewPhilip
 
MuleSoft Online Meetup a Guide to RTF application deployment - October 2020
MuleSoft Online Meetup a Guide to RTF application deployment - October 2020MuleSoft Online Meetup a Guide to RTF application deployment - October 2020
MuleSoft Online Meetup a Guide to RTF application deployment - October 2020Royston Lobo
 
Anypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best PracticesAnypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best PracticesMuleSoft Meetups
 
Creating MuleSoft API Template Project Using Maven Archetype
Creating MuleSoft API Template Project Using Maven ArchetypeCreating MuleSoft API Template Project Using Maven Archetype
Creating MuleSoft API Template Project Using Maven ArchetypeManish Kumar Yadav
 
Washington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOps
Washington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOpsWashington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOps
Washington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOpsBig Compass
 
A comprehensive guide to mule soft mule 4
A comprehensive guide to mule soft mule 4A comprehensive guide to mule soft mule 4
A comprehensive guide to mule soft mule 4pruthviraj krishnam
 
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020Royston Lobo
 
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...Manish Kumar Yadav
 
MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...
MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...
MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...Jitendra Bafna
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 

Contenu connexe

Tendances

MuleSoft Architecture Presentation
MuleSoft Architecture PresentationMuleSoft Architecture Presentation
MuleSoft Architecture PresentationRupesh Sinha
 
Dataweave Libraries and ObjectStore
Dataweave Libraries and ObjectStoreDataweave Libraries and ObjectStore
Dataweave Libraries and ObjectStoreVikalp Bhalia
 
Object Store V2 Workshop
Object Store V2 WorkshopObject Store V2 Workshop
Object Store V2 WorkshopMuleSoft
 
MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...
MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...
MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...Jitendra Bafna
 
MuleSoft Anypoint Platform and Three Tier Architecture
MuleSoft Anypoint Platform and Three Tier ArchitectureMuleSoft Anypoint Platform and Three Tier Architecture
MuleSoft Anypoint Platform and Three Tier ArchitectureHarish Kumar
 
Running and Managing Mule Applications
Running and Managing Mule ApplicationsRunning and Managing Mule Applications
Running and Managing Mule ApplicationsMuleSoft
 
MuleSoft for Enterprises
MuleSoft for EnterprisesMuleSoft for Enterprises
MuleSoft for EnterprisesPrashantGolani1
 
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63Angel Alberici
 
Custom policies in mule 4 and a circuit breaker example
Custom policies in mule 4 and a circuit breaker exampleCustom policies in mule 4 and a circuit breaker example
Custom policies in mule 4 and a circuit breaker exampleRoyston Lobo
 
Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...
Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...
Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...MuleSoft
 
Migrating to mule 4 - Are you ready for This.
Migrating to mule 4 - Are you ready for This.Migrating to mule 4 - Are you ready for This.
Migrating to mule 4 - Are you ready for This.Harish Kumar
 
#6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule
#6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule #6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule
#6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule JohnMathewPhilip
 
MuleSoft Online Meetup a Guide to RTF application deployment - October 2020
MuleSoft Online Meetup a Guide to RTF application deployment - October 2020MuleSoft Online Meetup a Guide to RTF application deployment - October 2020
MuleSoft Online Meetup a Guide to RTF application deployment - October 2020Royston Lobo
 
Anypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best PracticesAnypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best PracticesMuleSoft Meetups
 
Creating MuleSoft API Template Project Using Maven Archetype
Creating MuleSoft API Template Project Using Maven ArchetypeCreating MuleSoft API Template Project Using Maven Archetype
Creating MuleSoft API Template Project Using Maven ArchetypeManish Kumar Yadav
 
Washington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOps
Washington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOpsWashington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOps
Washington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOpsBig Compass
 
A comprehensive guide to mule soft mule 4
A comprehensive guide to mule soft mule 4A comprehensive guide to mule soft mule 4
A comprehensive guide to mule soft mule 4pruthviraj krishnam
 
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020Royston Lobo
 
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...Manish Kumar Yadav
 
MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...
MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...
MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...Jitendra Bafna
 

Tendances (20)

MuleSoft Architecture Presentation
MuleSoft Architecture PresentationMuleSoft Architecture Presentation
MuleSoft Architecture Presentation
 
Dataweave Libraries and ObjectStore
Dataweave Libraries and ObjectStoreDataweave Libraries and ObjectStore
Dataweave Libraries and ObjectStore
 
Object Store V2 Workshop
Object Store V2 WorkshopObject Store V2 Workshop
Object Store V2 Workshop
 
MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...
MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...
MuleSoft Surat Virtual Meetup#25 - Anypoint Platform Features and Capabilitie...
 
MuleSoft Anypoint Platform and Three Tier Architecture
MuleSoft Anypoint Platform and Three Tier ArchitectureMuleSoft Anypoint Platform and Three Tier Architecture
MuleSoft Anypoint Platform and Three Tier Architecture
 
Running and Managing Mule Applications
Running and Managing Mule ApplicationsRunning and Managing Mule Applications
Running and Managing Mule Applications
 
MuleSoft for Enterprises
MuleSoft for EnterprisesMuleSoft for Enterprises
MuleSoft for Enterprises
 
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63
 
Custom policies in mule 4 and a circuit breaker example
Custom policies in mule 4 and a circuit breaker exampleCustom policies in mule 4 and a circuit breaker example
Custom policies in mule 4 and a circuit breaker example
 
Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...
Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...
Best Practices in Implementing a Center for Enablement (C4E) within Your Orga...
 
Migrating to mule 4 - Are you ready for This.
Migrating to mule 4 - Are you ready for This.Migrating to mule 4 - Are you ready for This.
Migrating to mule 4 - Are you ready for This.
 
#6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule
#6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule #6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule
#6 Calicut MuleSoft Meetup : Demystyfying Custom Policies in Mule
 
MuleSoft Online Meetup a Guide to RTF application deployment - October 2020
MuleSoft Online Meetup a Guide to RTF application deployment - October 2020MuleSoft Online Meetup a Guide to RTF application deployment - October 2020
MuleSoft Online Meetup a Guide to RTF application deployment - October 2020
 
Anypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best PracticesAnypoint API Manager Custom Policies & Best Practices
Anypoint API Manager Custom Policies & Best Practices
 
Creating MuleSoft API Template Project Using Maven Archetype
Creating MuleSoft API Template Project Using Maven ArchetypeCreating MuleSoft API Template Project Using Maven Archetype
Creating MuleSoft API Template Project Using Maven Archetype
 
Washington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOps
Washington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOpsWashington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOps
Washington DC MuleSoft Meetup: CI/CD Pipeline with MuleSoft and Azure DevOps
 
A comprehensive guide to mule soft mule 4
A comprehensive guide to mule soft mule 4A comprehensive guide to mule soft mule 4
A comprehensive guide to mule soft mule 4
 
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
 
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
Clustering, Server setup and Hybrid deployment setup using Anypoint Runtime M...
 
MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...
MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...
MuleSoft Surat Meetup#48 - Anypoint API Governance (RAML, OAS and Async API) ...
 

Similaire à Best Practices for API Security

Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlAaronLieberman5
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfMohitRampal5
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringVMware Tanzu
 
Enterprise API deployment best practice
Enterprise API deployment best practiceEnterprise API deployment best practice
Enterprise API deployment best practiceSanjay Roy
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall42Crunch
 
Con8823 access management for the internet of things-final
Con8823 access management for the internet of things-finalCon8823 access management for the internet of things-final
Con8823 access management for the internet of things-finalOracleIDM
 
8 i internet_security
8 i internet_security8 i internet_security
8 i internet_securityAnil Pandey
 
Uncover the Flex Gateway with a Demonstration (1).pdf
Uncover the Flex Gateway with a Demonstration (1).pdfUncover the Flex Gateway with a Demonstration (1).pdf
Uncover the Flex Gateway with a Demonstration (1).pdfPankaj Goyal
 
Uncover the Flex Gateway with a Demonstration (1).pdf
Uncover the Flex Gateway with a Demonstration (1).pdfUncover the Flex Gateway with a Demonstration (1).pdf
Uncover the Flex Gateway with a Demonstration (1).pdfPankajGoyal164048
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
Adding layers of security to an API in real-time
Adding layers of security to an API in real-timeAdding layers of security to an API in real-time
Adding layers of security to an API in real-timeRogue Wave Software
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAkana
 
Raleigh MuleSoft Meetup - October
Raleigh MuleSoft Meetup - October Raleigh MuleSoft Meetup - October
Raleigh MuleSoft Meetup - October Savannah Cole
 
What is Advanced Web Servicels.pdf
What is Advanced Web Servicels.pdfWhat is Advanced Web Servicels.pdf
What is Advanced Web Servicels.pdfAngelicaPantaleon3
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIsApigee | Google Cloud
 
Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Mark Adcock
 

Similaire à Best Practices for API Security (20)

Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access control
 
attacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdfattacks-oauth-secure-oauth-implementation-33644.pdf
attacks-oauth-secure-oauth-implementation-33644.pdf
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with Spring
 
Enterprise API deployment best practice
Enterprise API deployment best practiceEnterprise API deployment best practice
Enterprise API deployment best practice
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
 
Con8823 access management for the internet of things-final
Con8823 access management for the internet of things-finalCon8823 access management for the internet of things-final
Con8823 access management for the internet of things-final
 
8 i internet_security
8 i internet_security8 i internet_security
8 i internet_security
 
WEB API Gateway
WEB API GatewayWEB API Gateway
WEB API Gateway
 
Uncover the Flex Gateway with a Demonstration (1).pdf
Uncover the Flex Gateway with a Demonstration (1).pdfUncover the Flex Gateway with a Demonstration (1).pdf
Uncover the Flex Gateway with a Demonstration (1).pdf
 
Uncover the Flex Gateway with a Demonstration (1).pdf
Uncover the Flex Gateway with a Demonstration (1).pdfUncover the Flex Gateway with a Demonstration (1).pdf
Uncover the Flex Gateway with a Demonstration (1).pdf
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Adding layers of security to an API in real-time
Adding layers of security to an API in real-timeAdding layers of security to an API in real-time
Adding layers of security to an API in real-time
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
OAuth
OAuthOAuth
OAuth
 
Raleigh MuleSoft Meetup - October
Raleigh MuleSoft Meetup - October Raleigh MuleSoft Meetup - October
Raleigh MuleSoft Meetup - October
 
What is Advanced Web Servicels.pdf
What is Advanced Web Servicels.pdfWhat is Advanced Web Servicels.pdf
What is Advanced Web Servicels.pdf
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
 
Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3
 

Plus de MuleSoft

The CIO's Guide to Digital Transformation
The CIO's Guide to Digital TransformationThe CIO's Guide to Digital Transformation
The CIO's Guide to Digital TransformationMuleSoft
 
Gluecon 2017: Metadata is the Glue
Gluecon 2017: Metadata is the GlueGluecon 2017: Metadata is the Glue
Gluecon 2017: Metadata is the GlueMuleSoft
 
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...MuleSoft
 
How to Get Unstuck
How to Get Unstuck How to Get Unstuck
How to Get Unstuck MuleSoft
 
Product Vision and Roadmap for Anypoint Platform
Product Vision and Roadmap for Anypoint PlatformProduct Vision and Roadmap for Anypoint Platform
Product Vision and Roadmap for Anypoint PlatformMuleSoft
 
How API Enablement Drives Legacy Modernization
How API Enablement Drives Legacy ModernizationHow API Enablement Drives Legacy Modernization
How API Enablement Drives Legacy ModernizationMuleSoft
 
Microservices on Anypoint Platform
Microservices on Anypoint PlatformMicroservices on Anypoint Platform
Microservices on Anypoint PlatformMuleSoft
 
Applying UX principles and methods to APIs
Applying UX principles and methods to APIs Applying UX principles and methods to APIs
Applying UX principles and methods to APIs MuleSoft
 
Secure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterpriseSecure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterpriseMuleSoft
 
Gathering Operational Intelligence in Complex Environments at Splunk
Gathering Operational Intelligence in Complex Environments at SplunkGathering Operational Intelligence in Complex Environments at Splunk
Gathering Operational Intelligence in Complex Environments at SplunkMuleSoft
 
CloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment OptionsCloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment OptionsMuleSoft
 
Governing and Sharing your Integration Assets
Governing and Sharing your Integration AssetsGoverning and Sharing your Integration Assets
Governing and Sharing your Integration AssetsMuleSoft
 
MuleSoft's Approach to Driving Customer Outcomes
MuleSoft's Approach to Driving Customer Outcomes MuleSoft's Approach to Driving Customer Outcomes
MuleSoft's Approach to Driving Customer Outcomes MuleSoft
 
Designing and building Mule applications
Designing and building Mule applicationsDesigning and building Mule applications
Designing and building Mule applicationsMuleSoft
 
Object Store
Object StoreObject Store
Object StoreMuleSoft
 
Introducing Anypoint Exchange 2.0
Introducing Anypoint Exchange 2.0Introducing Anypoint Exchange 2.0
Introducing Anypoint Exchange 2.0MuleSoft
 
Troubleshooting Anypoint Platform
Troubleshooting Anypoint PlatformTroubleshooting Anypoint Platform
Troubleshooting Anypoint PlatformMuleSoft
 
Relevancy in a Rapidly Changing World (Yvonne Wassenaar)
Relevancy in a Rapidly Changing World (Yvonne Wassenaar)Relevancy in a Rapidly Changing World (Yvonne Wassenaar)
Relevancy in a Rapidly Changing World (Yvonne Wassenaar)MuleSoft
 
Leveraging APIs and the Cloud to Transform Veteran Care (Steve Rushing)
Leveraging APIs and the Cloud to Transform Veteran Care (Steve Rushing)Leveraging APIs and the Cloud to Transform Veteran Care (Steve Rushing)
Leveraging APIs and the Cloud to Transform Veteran Care (Steve Rushing)MuleSoft
 
Role of Technology in the Evolution of P&C Insurance (Marcus Ryu)
Role of Technology in the Evolution of P&C Insurance (Marcus Ryu)Role of Technology in the Evolution of P&C Insurance (Marcus Ryu)
Role of Technology in the Evolution of P&C Insurance (Marcus Ryu)MuleSoft
 

Plus de MuleSoft (20)

The CIO's Guide to Digital Transformation
The CIO's Guide to Digital TransformationThe CIO's Guide to Digital Transformation
The CIO's Guide to Digital Transformation
 
Gluecon 2017: Metadata is the Glue
Gluecon 2017: Metadata is the GlueGluecon 2017: Metadata is the Glue
Gluecon 2017: Metadata is the Glue
 
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
 
How to Get Unstuck
How to Get Unstuck How to Get Unstuck
How to Get Unstuck
 
Product Vision and Roadmap for Anypoint Platform
Product Vision and Roadmap for Anypoint PlatformProduct Vision and Roadmap for Anypoint Platform
Product Vision and Roadmap for Anypoint Platform
 
How API Enablement Drives Legacy Modernization
How API Enablement Drives Legacy ModernizationHow API Enablement Drives Legacy Modernization
How API Enablement Drives Legacy Modernization
 
Microservices on Anypoint Platform
Microservices on Anypoint PlatformMicroservices on Anypoint Platform
Microservices on Anypoint Platform
 
Applying UX principles and methods to APIs
Applying UX principles and methods to APIs Applying UX principles and methods to APIs
Applying UX principles and methods to APIs
 
Secure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterpriseSecure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterprise
 
Gathering Operational Intelligence in Complex Environments at Splunk
Gathering Operational Intelligence in Complex Environments at SplunkGathering Operational Intelligence in Complex Environments at Splunk
Gathering Operational Intelligence in Complex Environments at Splunk
 
CloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment OptionsCloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment Options
 
Governing and Sharing your Integration Assets
Governing and Sharing your Integration AssetsGoverning and Sharing your Integration Assets
Governing and Sharing your Integration Assets
 
MuleSoft's Approach to Driving Customer Outcomes
MuleSoft's Approach to Driving Customer Outcomes MuleSoft's Approach to Driving Customer Outcomes
MuleSoft's Approach to Driving Customer Outcomes
 
Designing and building Mule applications
Designing and building Mule applicationsDesigning and building Mule applications
Designing and building Mule applications
 
Object Store
Object StoreObject Store
Object Store
 
Introducing Anypoint Exchange 2.0
Introducing Anypoint Exchange 2.0Introducing Anypoint Exchange 2.0
Introducing Anypoint Exchange 2.0
 
Troubleshooting Anypoint Platform
Troubleshooting Anypoint PlatformTroubleshooting Anypoint Platform
Troubleshooting Anypoint Platform
 
Relevancy in a Rapidly Changing World (Yvonne Wassenaar)
Relevancy in a Rapidly Changing World (Yvonne Wassenaar)Relevancy in a Rapidly Changing World (Yvonne Wassenaar)
Relevancy in a Rapidly Changing World (Yvonne Wassenaar)
 
Leveraging APIs and the Cloud to Transform Veteran Care (Steve Rushing)
Leveraging APIs and the Cloud to Transform Veteran Care (Steve Rushing)Leveraging APIs and the Cloud to Transform Veteran Care (Steve Rushing)
Leveraging APIs and the Cloud to Transform Veteran Care (Steve Rushing)
 
Role of Technology in the Evolution of P&C Insurance (Marcus Ryu)
Role of Technology in the Evolution of P&C Insurance (Marcus Ryu)Role of Technology in the Evolution of P&C Insurance (Marcus Ryu)
Role of Technology in the Evolution of P&C Insurance (Marcus Ryu)
 

Dernier

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Best Practices for API Security

  • 1. Nial Darbey, Senior Solutions Consultant, MuleSoft Aaron Landgraf, Senior Product Marketing Manager, MuleSoft January, 2016 Best Practices for API Security: Anypoint Platform Solutions
  • 2. Why API security is so crucial “The estimated financial loss from 700 million compromised records was $400 million, which shows the real importance of managing data breach risks .” • -Verizon 2015 Data Breach Investigations Report
  • 3. All contents © MuleSoft Inc. Introduction 3 • In this presentation we will show how MuleSoft’s Anypoint Platform can ensure that your API is highly available to respond to clients and can guarantee the integrity and confidentiality of the information it processes. • We will explore in depth the main security concerns around APIs and look at how the IT industry has responded to those concerns. • We will also present Anypoint Platform as fully capable of managing and hosting APIs that are secure according to the highest industry standards.
  • 4. All contents © MuleSoft Inc. Table of Contents 4 1. Identity 2. Main Security Concerns 3. Mule Runtime Security Capabilities 4. Anypoint Platform Security Capabilities 5. Summary Scenario
  • 6. All contents © MuleSoft Inc. Identity 6 • Identify Users, Apps and Servers • Record of Identities • LDAP Active Directory • Identity Provider Identity is core to the world of security. You must be able to recognize the Apps that consume your API, the Users of the same and the Servers that your API calls out to. Likewise, your API should be able to identify itself to both Apps and Servers. Likewise, your API should be able to identify itself to both Apps and Servers. You need an Identity Store to which you can refer to verify your recognition of Apps and Users. The Identity Store could be a database, but an LDAP server is the most popular solution. Active Directory is a popular LDAP implementation. An Identity Provider is software which is dedicated to managing the interaction with the Identity Store(s) for authentication and authorization purposes. Your API can function in this role though it is much more preferable to delegate this responsibility to the Identity Provider.
  • 7. All contents © MuleSoft Inc. Identity > Authentication 7 • Client and Server • Username / Password Credentials • Multi-factor Authentication • Token Based Credentials When you are presented with an App ID or a User’s username (claim) in a call to your API, you must be able to verify the authenticity of the claim. This is done with some form of a shared secret. When your API acts as Identity Provider, it typically authenticates the claim by passing the same credentials to the LDAP server. The use of username / password pairs as credentials is a very common practice but it is not recommended from two perspectives: Passwords have a level of predictability whereas the ideal is to maximize on randomness or entropy. Also, the maintenance of passwords is difficult. If you need to change a password then you immediately affect all Apps that make use of that password. Recognizing the weakness of username and password credentials, an App using Multi-factor Authentication (MFA) demands from the User a one-time usage token she receives after authenticating with her credentials. Token based credentials are a better alternative to Username Password Credentials, which provide higher entropy and a more secure form of authentication and authorization.
  • 8. All contents © MuleSoft Inc. Identity > Authorization 8 • Role Based Access Control • Attribute Based Access Control • Delegated Access Control with OAuth 2.0 Typically, every business, enterprise or organization is divided into groups of employees around related business functions. This group information can be used when software Users interact with an App and you need to restrict their access according to the authorization or access control rule in place for that software. You can use the group they belong to in order to identify their role when using the App. Going beyond the static assignment of roles to Users based on the organizational groups to which they belong, Attribute based Access Control (ABAC) aims to facilitate the dynamic determination of access control based on some sort of circumstantial information available at the time of the API call. The HTTP based OAuth 2.0 framework allows an App to obtain access to a resource exposed by your API either on its own behalf or on behalf of the User who owns the resource. Thus it allows Users to delegate access control to third party Apps.
  • 9. All contents © MuleSoft Inc. Identity > Federated Identity 9 • Single Sign-on • SAML 2.0 • OpenID Connect The token based approach to authentication allows for the separation of the issuing of tokens from their validation and thus facilitates the centralization of Identity Management. The Security Assertion Markup Language (SAML) is an industry standard which has become a defacto standard for Enterprise level Identity Federation. It allows Identity Providers to communicate authentication and authorization information about Users to Service Providers in a standard way. OpenID Connect is built on top of OAuth 2.0 to provide a Federated Identity mechanism that allows you to secure your API in a way similar to what you would get were you to exploit WS- Security with SAML.
  • 11. All contents © MuleSoft Inc. Main Security Concerns 11 • Integrity • Confidentiality • Availability • Users, Apps • Clients and Servers
  • 12. All contents © MuleSoft Inc. Main Security Concerns > Integrity 12 • Digital Signatures • Message Safety Message Integrity goes beyond the authentication of the App and the User and includes the verification that the Message was not compromised mid-flight by a malicious third party. In other words, the Message received by your API is verified as being exactly the one sent by the App. The same goes for when your API acts as Client to a Server.
  • 13. All contents © MuleSoft Inc. Main Security Concerns > Confidentiality 13 • Public Key Cryptography • Digital Certificates • Mutual Authentication • HTTPS It is all very well to rest assured with the Integrity of a message sent by a known App, but the journey from App to API may have been witnessed by some unwelcome spies who got to see all of those potentially very private details inside the message! Thus, it is necessary to hide those details from the point of delivery by the App to the reception by the Server. An agreement is needed between the App and API in order to be able to hide the details of the message in a way that allows only the API to uncover them and vice versa.
  • 14. All contents © MuleSoft Inc. Main Security Concerns > Availability 14 • Load balancing • Clustering • Reliability Your API must guarantee that it is always available to respond to calls and that once it begins execution on the call, that it can finish handling the received message right the way through to completion without losing data. This can be achieved by horizontally scaling the API across multiple servers and by handing off the processing of the message to a message broker which will hold the message till the API has completed its processing. The understanding in this latter scenario is that another process is subscribed to this message publication and thus continues the processing asynchronously.
  • 15. Mule Runtime Security Capabilities
  • 16. All contents © MuleSoft Inc. Mule Runtime > Confidentiality 16 • Mule HTTPS Connector • Mule Encryption Processor • Dynamic Data Filtering with DataWeave An HTTPS listener can be configured with reference to a keystore so that your API can authenticate itself to the App. When client authentication is demanded from the App, the listener can reference a truststore. The Mule Message Encryption Processor can change the content of a message so that it becomes unreadable by unauthorized entities. Mule can encrypt the entire payload of a message or specific parts of the payload, according to security requirements, using different encryption strategies. DataWeave is Mule’s data transformation engine which transforms between different mime-types using a simple expression language which is common across all data formats. The language can be used to remove and / or mask data fields in the payload, whatever the structure of the payload and the location of the field.
  • 17. All contents © MuleSoft Inc. Mule Runtime > Integrity 17 • Mule Security Manager • Mule Secure Token Service OAuth 2.0 Provider • Mule Digital Signature Processor • Mule Credentials Vault Exposing your API over HTTPS guarantees that it has not been modified in transit. However, authentication and authorization of the request still need to take place. Central to authentication in Mule is Mule Security Manager. This is the bridge between a standard mule configuration and Spring Security beans. Mule can act as an OAuth2 Provider, issuing tokens to registered Apps, applying expiration periods to these tokens and associating them to User roles and fine-grained access control known in the OAuth world as scopes. Mule Digital Signature Processor adds a digital signature to a message payload, or part of the payload, to prove the identity of the Message’s sender. Mule Credentials Vault is for the encryption of properties that are referred to and decrypted by the Mule application at deployment time.
  • 18. All contents © MuleSoft Inc. Mule Runtime > Availability 18 • Mule HA Clusters • Anypoint MQ A single Mule server hosting your API is not enough to facilitate high availability. To achieve this, you need to host the same API on more than one Mule runtime. With a load balancer in front of the API, you can guarantee that the API will always handle incoming requests as the load balancer chooses between those instances which are healthy. Reliability on Mule can be achieved by clustering two or more instances of Mule together which is easy using Anypoint Runtime Manager. For reliable processing of Messages between multiple APIs you can use Anypoint MQ.
  • 20. All contents © MuleSoft Inc. Anypoint Platform > API solution 20 • API Adapability with Policies • Anypoint Gateway communication • Security Policies • Custom Policies Anypoint Platform API Solution is a fully multi-tenant application running on top of Amazon Web Services (AWS) and inside a VPC (cloud VPN). Although Anypoint Platform can manage and enforce the runtime security of your API, the API itself remains wherever you have it deployed. Using the Mule runtime as an API gateway you can host your API. The Mule runtime communicates constantly with Anypoint API Manager to retrieve policies and report back analytical information about the usage of your API. Anypoint Platform returns to issues of Identity when addressing its specific security policies. Policies on the Anypoint Platform are snippets of Mule Configuration. As such, custom policies are very easily configurable and can be surfaced on the API Manager portal as siblings to our out-of-the-box policies.
  • 21. All contents © MuleSoft Inc. Anypoint Platform > MQ 21 • Cloud Messaging • Multi-tenant • Multi Datacenter persistent Storage • Encrypted Exchanges and Queues Anypoint MQ is a multi-tenant cloud messaging service offering persistent data storage across multiple data centers, ensuring that it can handle data center outages and have full disaster recovery.
  • 22. All contents © MuleSoft Inc. Anypoint Platform > Virtual Private Cloud 22 • Your DataCenter + Anypoint iPaas • Single Private Secured Network • IPSec • OpenVPN • Amazon VPC peering Mule applications can be deployed either to your on-premises Mule runtime or to our fully hosted and fully managed iPaaS. In most scenarios, Mule applications deployed to the iPaaS will need to integrate with systems in your datacenter. In some cases a hybrid architecture is adopted where Mule applications deployed to the iPaaS must integrate with Mule applications deployed to Mule runtime on-premises. Virtual Private Cloud (VPC) enables you to connect your organization in Anypoint Platform to your corporate data centers – whether on-premises or in other clouds – as if they were all part of a single, private secured network. You can configure these networks at hardware or software levels. VPC can be configured to use IPSec, TLS (over OpenVPN) or Amazon VPC peering to connect to your on-premises data centers. IPsec connections can be configured at the hardware level in addition to a software client.
  • 23. All contents © MuleSoft Inc. Anypoint Platform > User Roles and Permissions 23 • Organizations and Business Groups • Separate API Management • Separate Runtime Management • Roles and Permissions per Organization / BG • Federated with External Identity Providers In Anypoint Platform, users belong to an organization and have a set of roles and permissions. API versions and deployment environments are grouped under organizations. To access them you need to have an account that that owns the necessary permissions and that belongs to its corresponding organization – and to the Business Group if the resource exists in one. Roles and permissions can be granted for accessing resources that exist in the master organization, or for resources that exist within a Business Group. A user that owns any role of a business group is implicitly granted membership in the Business Group. Each role contains a list of permissions that define what a user that holds that role can do with the specific resources it scopes. Permissions can also be added at an individual user level. Keep in mind that API permissions are API version specific and iPaaS permissions are environment specific – they grant you the ability to do something within a particular API version / environment, not the entire organization.
  • 24. All contents © MuleSoft Inc. Anypoint Platform > Security Compliance 24 • FIPS 140-2 • SSAE 16 SOC 2 • PCI DSS Level-1 • HiTrust When Anypoint API Manager manages APIs from the cloud, it stores only metadata about the APIs and the Apps which consume them. The APIs can be deployed on the Mule runtime either on-premises or in our fully hosted, fully managed iPaaS solution. The extent to which Anypoint Platform platform is compliant with external audits is detailed in the whitepaper “Anypoint Platform Cloud Security and Compliance”.
  • 26. All contents © MuleSoft Inc. Scenario problem 26 Mythical Retail has a chain of stores and deliver an e-commerce solution to their customers. One of their business objectives is to increase ecommerce revenue by 20% in the next 18 months. Mythical wants… Mythical has… An omnichannel digital strategy Anypoint Platform for integration and API management A single view of the customer Clienteling software to help sales associates A loyalty program to understand their customers spending habits Uniformity across all customer touchpoints How can this be secured?
  • 29. All contents © MuleSoft Inc. Scenario solution 29 1. Katie signs in to her iPhone App. 2. Part of the digital solution catering to Katie’s experience is the My Shopping API which delivers all the relevant capabilities to her iPhone App. This API is protected with the PingFederate access token enforcement policy. In order to consume the My Shopping API, the iPhone App must interact with the PingFederate Authorization Server to request an OpenID Connect token on her behalf. PingFederate authenticates her credentials against Active Directory. Upon successful authentication, it generates a token and signs it (see Digital Signatures 2.1.1) before responding to the iPhone App with the token. The App presents this token in a custom HTTP header on every subsequent call to My Shopping API. 3. All calls between experience, process and system APIs are protected with the client ID enforcement policy. Each API has an ID and secret stored in Mule Credentials Vault. 4. The calls to the Tokenization API are protected with client cert authentication and the payload passed to the API is encrypted and signed with Mule Encryption Processor and Mule Digital Signature Processor respectively before sending. 5. Publications to Anypoint MQ are protected with OAuth 2.0 and HTTPS. 6. Subscriptions to Anypoint MQ are protected with OAuth 2.0 and HTTPS. 7. There is a federated trust between the Identity Providers in both security contexts for Mythical Retail and its shipping partner. Both the sales associate’s App and Katie’s App can call the Order Tracking API with the access token that they received from PingFederate. The Order Tracking API validates the token with OpenAM, the Identity Provider of the shipping company. This is able to verify that the token was signed by the Identity Provider of Mythical Retail, which it trusts. The Order Tracking API accepts the invocation by the iPhone App and responds accordingly. 8. Sales associates use multi-factor authentication to sign in to their App. The App calls PingFederate OAuth 2.0 authorization server to get a token which it passes to the Shop Assistant API. 9. Interaction with the systems of record is secured in various forms according to the requirements of each Server. Tokens and username and password credentials are stored in Mule Credentials Vault.
  • 30. All contents © MuleSoft Inc. In Conclusion 30 APIs are a strategic necessity to give your business the agility and speed needed to succeed in today’s business environment. But with the increasing cost of security breaches, senior IT decision makers quite rightly want assurances that exposing their data via APIs will not create undue risk. Anypoint Platform’s features provide the necessary assurances for the confidentiality, reliability and availability of APIs designed and managed on the platform. Anypoint Platform is trusted by industries needing the highest levels of security, including 5 of the top 12 global banks, 2 of the top 5 global insurance companies and top pharmaceutical and global healthcare companies. For more resources on API security, please take a look at our whitepaper and webinar on API security best practices.