Travis Broughton

Travis Broughton

Travis is an architect with Intel's Data Center Software Division. He has fifteen years of experience with Intel IT, working as an Enterprise Architect.

Gartner API Management report: Intel an MQ ‘Leader’

According to Gartner API Management + SOA Governance = Application Services Governance.  This year’s Magic Quadrant reflects that change, updating the title as well as some of the participants.  It has been nearly two years since Gartner’s final “SOA Governance” Magic … Read more >

The post Gartner API Management report: Intel an MQ ‘Leader’ appeared first on Application Security.

Read more >

HTML5 and API Management at IDF

The Intel Developer Forum (IDF) is coming up in a few weeks, and it’s shaping up to be a great event.  Mobile will be a key focus of this year’s IDF, and as you might imagine API management and HTML5 will be on display.

If you will be attending, make sure you stop by the Security and Software pavilions to see the latest patterns in API management.  We’ll have a few demos that showcase what is possible when using enterprise-class API management to surface and package internal capabilities for external consumption by HTML5-powered apps.

You should also consider attending our lab, SFTL004, on Thursday, September 13th at 1:00p.  We’ll be giving an overview of the Intel HTML5 development environment, walking you through the creation of a rich HTML5 app that consumes APIs exposed by Intel Expressway API Manager.

We’ll have other demos and experts on hands to answer your questions, and I’m told there may even be some free beer.  I hope to see you there!

The post HTML5 and API Management at IDF appeared first on Application Security.

Read more >

EC2 Security: Bridging Enterprise Cloud Apps to the Mobile Mainland

The cloud holds enormous promise for improving agility, availability, and cost for app deployments. Amazon’s EC2 is especially attractive given the investments they have made in building out capacity around the world, allowing apps to be deployed where they are being used, minimizing latency. However, some enterprises are unsure about cloud deployments because of security concerns. In this post I will talk about how to enhance EC2 security to allow APIs to be deployed in the AWS cloud in a way that delivers enterprise-grade policy enforcement while fully realizing many of the cloud’s benefits.  To learn more, join me on July 24th at 10:00a Pacific / 1:00p Eastern for a webinar with Amazon’s Ryan Holland.

Cloud App Deployment – Best Practices

As I noted in an earlier post, the Open Data Center Alliance has laid out some great ideas in constructing cloud-aware applications. One of their recommendations is to make the most of the cloud by decomposing apps into self-contained modules, which are implemented as RESTful APIs. These smaller building blocks are easier to replicate for resiliency and elasticity: additional performance and availability can be delivered when and where it is needed using the most economical instance types.

The ODCA also recommends implementing security at every layer. This is critical given the move to modular web services, as the increased number of web services greatly increases the application’s attack surface. Enterprises moving to the public cloud can no longer depend upon their trusted DMZ to shield these web services from attackers, so they must implement additional layers of security to compensate.

Beyond the ODCA recommendations, EC2 offers up an ideal platform for innovating with APIs.  A prototype can be quickly built and deployed using a smaller instance type, minimizing cost while delivering basic functionality.  Once the basic idea has been proven, production use can be supported by an appropriately-sized instance, scaling out as needed to meet demand.  New functionality can be tested out in other instances, which can be created on demand.  A dev sandbox can be created in minutes; the path to production can be arbitrarily deep but need not persist any longer than it is needed.  This self-service, fungible compute model allows developers access to as much capacity as is needed at any given time while only paying for what is actually required.  By elastically scaling the API management and security layer, seasonal demand spikes can be absorbed without upfront or ongoing capital investment.

Cloud Integration & API Mashups

Another benefit of EC2 hosting is the close proximity to SaaS APIs that can be used to implement the utility portions of an app. The API economy has resulted in incredible innovation, delivering functionality that is readily consumable by any developer and any app. By integrating with these APIs, a new app (or API) can be developed more quickly, as the developers can focus only on new functionality.  Or in the emerging Backend as a Service (BaaS) model generic mobile services such as location, user management, or other services that can be “mashed up” at runtime with custom enterprise apis.  A Cloud hosted API management and security layer can assemble this level of sophistication at a much lower cost and faster time to market than custom coding.  Scale is the key.

For some enterprises, however, the benefits of SaaS integration can come with a tradeoff in terms of enterprise integration.  When deploying to EC2, security mechanisms such as identity management and access controls may not be consistent with those deployed in the enterprise.  Cloud apps using social identity require integration with the corporate back end to ensure that entitlements are enforced correctly.  Other policies related to perimeter defense may also be difficult to replicate in the public cloud, owing to differences between corporate standards and EC2 security offerings.

The Facade Proxy

As Craig Burton described in his blog a few months ago, the facade proxy pattern can be used to integrate and secure back-end APIs.  This is particularly effective in the public cloud, as it greatly reduces the attack surface by routing API traffic through a cluster of specialized gateways.  As Burton’s blog illustrates, the facade proxy pattern also facilitates mashups and other integrations across APIs.

Deploying a facade layer in the cloud allows the enterprise to avoid round trips back to their own data center, improving performance.  It also simplifies network configuration, and allows for elastic scaling of this key portion of the API management layer.

An EC2 Security Appliance (and more)

Intel® Expressway API Manager (EAM) is the first self-service, Enterprise class API management product available in the AWS marketplace.  It can be used to integrate, mash up, and secure enterprise APIs as a bridge between internal islands of enterprise data and the new world of ubiquitous mobile connectivity.

Robust security policies including XSS and SQL injection prevention can neutralize external threats before they reach the underlying framework hosting the API.  This means that enterprises can evaluate their gateway policy and tune it as necessary rather than rushing through a quick-turn QA cycle to validate that a new dot release of Rails, node.js, PHP, etc didn’t break their app.  New framework releases can then be rolled in with the next code release, improving overall quality and reliability.

EAM also integrates with enterprise identity providers such as Active Directory or LDAP, and can provide a mapping to OAuth, API keys, or other mobile-friendly mechanisms.


Available now through Amazon’s AWS Marketplace, Expressway API Manager can simplify public cloud deployments and augment the standard EC2 security controls for APIs.  To learn more, check out my webinar with Ryan Holland of Amazon Web Services – July 24th at 10:00a Pacific / 1:00p Eastern.

The post EC2 Security: Bridging Enterprise Cloud Apps to the Mobile Mainland appeared first on Application Security.

Read more >

Join Us Tomorrow: SC eSymposium on Audit & Compliance

Tokenization.  It’s not just for PCI anymore.  As enterprises migrate to the cloud for improved cost and efficiency, data is being put at risk.  A recent scan of Amazon S3 buckets showed a treasure trove of sensitive information being stored without any access controls whatsoever.  We’ve seen identity theft, leaked social security numbers, leaked customer email addresses, and other PII inadvertently exposed to attackers.

Fortunately this is not completely new ground.  The Retail industry developed the PCI framework years ago to deal with many of the same complexities we’re seeing today in the cloud.  Migration to SaaS, PaaS, or even IaaS means relying on an external party for some portion of your data or workflow, just as the Retail industry did with payments, settlements, etc.  We can adopt best practices from the PCI framework to protect cloud-hosted data.  Tools such as tokenization or format-preserving encryption can help.

Join me tomorrow at the SC Congress eConference on Auditing and Compliance.  I’ll be joined by Principal Forrester Analyst John Kindervag to discuss best practices in data protection for the cloud.  We’ll look at Forrester’s proven “PCI Unleashed” framework and map that to cloud data protection use cases, and then we’ll discuss some applications of Intel® Expressway Tokenization Broker that can help to protect PCI, PII, and PHI data in the cloud.

The post Join Us Tomorrow: SC eSymposium on Audit & Compliance appeared first on Application Security.

Read more >

Cloud-Aware Tokenization: Helping to Build PCI-Compliant Applications in the Cloud

Last year the Open Data Center Alliance published an excellent whitepaper that defined the concept of “cloud-aware” applications.  The ODCA paper sets forth the following recommendations: Everything is a Service Use RESTful APIs Separate Compute and Persistence Design for Failure … Read more >

The post Cloud-Aware Tokenization: Helping to Build PCI-Compliant Applications in the Cloud appeared first on Application Security.

Read more >

Mobile Middleware for the Enterprise: API Security Considerations

A few weeks ago I blogged about different Mobile Middleware usage models for enterprise.  Continuing that thread, this post will drill down into API security considerations for enterprise mobile apps. Mobile applications are typically intended for use outside of the … Read more >

The post Mobile Middleware for the Enterprise: API Security Considerations appeared first on Application Security.

Read more >