Once More Into the Breach… Less than a month after the Target credit card breach another significant data theft is in the news. This week’s victim is Snapchat, the popular photo sharing social network. Gibson Security announced the weakness, with some solid …
News broke last week that a major retailer was the victim of a massive theft of customer credit card data, in what is becoming an all too common cadence of data breaches. Thieves made off with not just the credit …
The post The Grinch Who Stole Christmas for Target’s Brand and Customers appeared first on Application Security.
It has been several years since Gartner first made their prediction that Citizen Developers will create at least 25% of business applications by 2014. We have quite a few of these at Intel, and I recently shared one of my …
The post Mobile Access: Citizen Developers Empowered by APIs and HTML5 appeared first on Application Security.
Securosis has a new analyst report out called “API Gateways: Where Security Enables Innovation“. The paper describes how API gateways simultaneously enable security and software development. It shows how security can be enforced practically, without becoming an impediment to productivity …
De-identifying Data in APIs I was catching up on my RSS feeds over the weekend, reading all the things I missed while I was at IDF, when I saw this great post from Kin Lane calling for “A Masking, Scrubbing, …
My colleague Blake posted yesterday with a response to Daniel Jacobson’s thought-provoking post, “Why you probably don’t need an API strategy”. Blake spells out some pretty clear reasons why you do need an API strategy and outlines some of the different …
Last week I (along with many other Intel employees and customers) attended the Intel Developer Forum at the Moscone Center in San Francisco. I was impressed with the range of mobile application development tools showcased, along with the new devices …
According to Gartner, API Management + SOA Governance = Application Services Governance. This year’s Magic Quadrant reflects that change, updating the title as well as some of the participants. It has been nearly two years since Gartner’s final “SOA Governance” Magic …
The post Gartner API Management report: Intel an MQ ‘Leader’ appeared first on Application Security.
The Intel Developer Forum (IDF) is coming up in a few weeks, and it’s shaping up to be a great event. Mobile will be a key focus of this year’s IDF, and as you might imagine API management and HTML5 will be on display.
If you will be attending, make sure you stop by the Security and Software pavilions to see the latest patterns in API management. We’ll have a few demos that showcase what is possible when using enterprise-class API management to surface and package internal capabilities for external consumption by HTML5-powered apps.
You should also consider attending our lab, SFTL004, on Thursday, September 13th at 1:00p. We’ll be giving an overview of the Intel HTML5 development environment, walking you through the creation of a rich HTML5 app that consumes APIs exposed by Intel Expressway API Manager.
We’ll have other demos and experts on hand to answer your questions, and I’m told there may even be some free beer. I hope to see you there!
The cloud holds enormous promise for improving agility, availability, and cost for app deployments. Amazon’s EC2 is especially attractive given the investments they have made in building out capacity around the world, allowing apps to be deployed where they are being used, minimizing latency. However, some enterprises are unsure about cloud deployments because of security concerns. In this post I will talk about how to enhance EC2 security to allow APIs to be deployed in the AWS cloud in a way that delivers enterprise-grade policy enforcement while fully realizing many of the cloud’s benefits. To learn more, join me on July 24th at 10:00a Pacific / 1:00p Eastern for a webinar with Amazon’s Ryan Holland.
Cloud App Deployment – Best Practices
As I noted in an earlier post, the Open Data Center Alliance has laid out some great ideas in constructing cloud-aware applications. One of their recommendations is to make the most of the cloud by decomposing apps into self-contained modules, which are implemented as RESTful APIs. These smaller building blocks are easier to replicate for resiliency and elasticity: additional performance and availability can be delivered when and where it is needed using the most economical instance types.
The ODCA also recommends implementing security at every layer. This is critical given the move to modular web services, as the increased number of web services greatly increases the application’s attack surface. Enterprises moving to the public cloud can no longer depend upon their trusted DMZ to shield these web services from attackers, so they must implement additional layers of security to compensate.
Beyond the ODCA recommendations, EC2 offers up an ideal platform for innovating with APIs. A prototype can be quickly built and deployed using a smaller instance type, minimizing cost while delivering basic functionality. Once the basic idea has been proven, production use can be supported by an appropriately-sized instance, scaling out as needed to meet demand. New functionality can be tested out in other instances, which can be created on demand. A dev sandbox can be created in minutes; the path to production can be arbitrarily deep but need not persist any longer than it is needed. This self-service, fungible compute model allows developers access to as much capacity as is needed at any given time while only paying for what is actually required. By elastically scaling the API management and security layer, seasonal demand spikes can be absorbed without upfront or ongoing capital investment.
Cloud Integration & API Mashups
Another benefit of EC2 hosting is the close proximity to SaaS APIs that can be used to implement the utility portions of an app. The API economy has resulted in incredible innovation, delivering functionality that is readily consumable by any developer and any app. By integrating with these APIs, a new app (or API) can be developed more quickly, as the developers can focus only on new functionality. In the emerging Backend as a Service (BaaS) model, generic mobile services such as location or user management can be “mashed up” at runtime with custom enterprise APIs. A cloud-hosted API management and security layer can assemble this level of sophistication at a much lower cost and faster time to market than custom coding. Scale is the key.
For some enterprises, however, the benefits of SaaS integration can come with a tradeoff in terms of enterprise integration. When deploying to EC2, security mechanisms such as identity management and access controls may not be consistent with those deployed in the enterprise. Cloud apps using social identity require integration with the corporate back end to ensure that entitlements are enforced correctly. Other policies related to perimeter defense may also be difficult to replicate in the public cloud, owing to differences between corporate standards and EC2 security offerings.
The Facade Proxy
As Craig Burton described in his blog a few months ago, the facade proxy pattern can be used to integrate and secure back-end APIs. This is particularly effective in the public cloud, as it greatly reduces the attack surface: only the cluster of specialized gateways is reachable from the internet, and the back-end APIs accept traffic from the gateways alone, so authentication, authorization, and input validation are enforced in one place rather than reimplemented in every service. As Burton’s blog illustrates, the facade proxy pattern also facilitates mashups and other integrations across APIs.
Deploying a facade layer in the cloud allows the enterprise to avoid round trips back to their own data center, improving performance. It also simplifies network configuration, and allows for elastic scaling of this key portion of the API management layer.
An EC2 Security Appliance (and more)
Intel® Expressway API Manager (EAM) is the first self-service, enterprise-class API management product available in the AWS Marketplace. It can be used to integrate, mash up, and secure enterprise APIs as a bridge between internal islands of enterprise data and the new world of ubiquitous mobile connectivity.
Robust security policies including XSS and SQL injection prevention can neutralize external threats before they reach the underlying framework hosting the API. This means that when a vulnerability is disclosed in the framework, enterprises can block the exploit pattern at the gateway and tune that policy as necessary rather than rushing through a quick-turn QA cycle to validate that a new dot release of Rails, node.js, PHP, etc. didn’t break their app. New framework releases can then be rolled in with the next code release, improving overall quality and reliability. The gateway policy is a compensating control that buys time; it does not remove the need to apply the framework fix.
EAM also integrates with enterprise identity providers such as Active Directory or LDAP, and can provide a mapping to OAuth, API keys, or other mobile-friendly mechanisms, so the mobile client presents a token or key while the back end sees the enterprise identity and its entitlements.
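To make the facade proxy and identity mapping above concrete, here is an added example of the policy a gateway applies before forwarding a request. It is not EAM code or anything from Intel or Craig Burton; the directory entries, API keys, route table, and internal addresses are all constructed for the example. The gateway maps an API key to an enterprise user (standing in for the AD/LDAP lookup), checks the user's group against the route's entitlement, validates every query parameter against an allow-list, and only then returns the internal upstream, which clients never address directly.

```python
"""Facade proxy policy (added example, not vendor code).

Only the gateway is internet-facing. It maps a mobile-friendly credential
(an API key) to an enterprise identity, enforces entitlements, validates
input against an allow-list, and forwards to an internal upstream that
is never exposed to clients. Directory, keys and routes are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the enterprise directory (AD/LDAP lookup result).
DIRECTORY = {
    "alice": {"groups": {"sales", "staff"}},
    "bob": {"groups": {"staff"}},
}


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# Only hashes of API keys are stored; the plaintext lives on the device.
API_KEYS = {  # sha256(key) -> enterprise user (constructed)
    _digest("ak_alice_3f9c"): "alice",
    _digest("ak_bob_71d2"): "bob",
}


@dataclass
class Route:
    upstream: str            # internal address, known only to the gateway
    required_group: str      # entitlement needed to call this facade path
    params: dict = field(default_factory=dict)  # name -> (regex, max_len)


# External facade path -> internal service (addresses constructed).
ROUTES = {
    "/v1/orders": Route("http://10.0.3.12:8080/orders", "sales",
                        {"customer_id": (r"[0-9]{1,10}", 10),
                         "status": (r"open|shipped|closed", 7)}),
    "/v1/profile": Route("http://10.0.3.20:8080/me", "staff"),
}


@dataclass
class Decision:
    status: int
    reason: str = ""
    upstream: str = ""
    headers: dict = field(default_factory=dict)


def authenticate(api_key: str) -> Optional[str]:
    """Map an API key to an enterprise user; compare digests in constant time."""
    presented = _digest(api_key or "")
    for stored, user in API_KEYS.items():
        if hmac.compare_digest(stored, presented):
            return user
    return None


def validate_params(route: Route, query: dict) -> Optional[str]:
    """Allow-list validation: unknown names, overlong or malformed values fail.
    This rejects injection payloads without trying to enumerate them."""
    for name, value in query.items():
        if name not in route.params:
            return f"unexpected parameter {name!r}"
        pattern, max_len = route.params[name]
        if len(value) > max_len or not re.fullmatch(pattern, value):
            return f"malformed value for {name!r}"
    return None


def handle_request(path: str, api_key: str, query: dict) -> Decision:
    """Gateway decision for one request: 401/404/403/400, or 200 with the
    upstream to forward to and the identity headers the back end expects."""
    user = authenticate(api_key)
    if user is None:
        return Decision(401, "unknown API key")
    route = ROUTES.get(path)
    if route is None:
        return Decision(404, "no such facade route")
    groups = DIRECTORY[user]["groups"]
    if route.required_group not in groups:
        return Decision(403, f"{user} lacks group {route.required_group!r}")
    problem = validate_params(route, query)
    if problem:
        return Decision(400, problem)
    # The API key is stripped here; the upstream sees the enterprise identity.
    return Decision(200, upstream=route.upstream,
                    headers={"X-Enterprise-User": user,
                             "X-Enterprise-Groups": ",".join(sorted(groups))})
```

The ordering matters: authentication comes before route lookup so an unauthenticated caller cannot enumerate which facade paths exist, and validation uses allow-lists (type, length, exact vocabulary) rather than a blacklist of injection strings, which is the only form of gateway input policy that does not need constant updating.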
Available now through Amazon’s AWS Marketplace, Expressway API Manager can simplify public cloud deployments and augment the standard EC2 security controls for APIs. To learn more, check out my webinar with Ryan Holland of Amazon Web Services – July 24th at 10:00a Pacific / 1:00p Eastern.
The post EC2 Security: Bridging Enterprise Cloud Apps to the Mobile Mainland appeared first on Application Security.
Tokenization. It’s not just for PCI anymore. As enterprises migrate to the cloud for improved cost and efficiency, data is being put at risk. A recent scan of Amazon S3 buckets showed a treasure trove of sensitive information being stored without any access controls whatsoever. We’ve seen identity theft, leaked social security numbers, leaked customer email addresses, and other PII inadvertently exposed to attackers.
Fortunately this is not completely new ground. The payment card industry developed the PCI DSS years ago to deal with many of the same complexities we’re seeing today in the cloud. Migration to SaaS, PaaS, or even IaaS means relying on an external party for some portion of your data or workflow, just as retailers did with payments, settlements, etc. We can adopt best practices from the PCI framework to protect cloud-hosted data. Tools such as tokenization or format-preserving encryption can help: the sensitive value is replaced by a surrogate that keeps the format downstream systems expect, and only a tightly scoped vault can map it back.
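As an added illustration of the tokenization approach mentioned above (this is example code, not Intel’s Expressway Tokenization Broker or anything from Forrester), the vault below replaces a card number with a random token of the same length that keeps the last four digits, so receipts and customer-service lookups still work, while guaranteeing the token never passes the Luhn check and so can never be mistaken for a real card number. The PAN index uses an HMAC under a vault key so the lookup table does not hold plaintext card numbers; the key and the sample PANs are constructed for the example. Format-preserving encryption (the other tool named above) is not shown here.

```python
"""Vault-based tokenization for PANs (added example, not vendor code).

Everything outside the vault handles only tokens; the token-to-PAN map
exists solely inside it, which is what shrinks the PCI scope of the
rest of the cloud deployment. The vault key below is constructed.
"""
import hmac
import hashlib
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self, index_key: bytes):
        self._key = index_key    # keys the HMAC index, never leaves the vault
        self._pan_by_token = {}  # token -> PAN (encrypt at rest in production)
        self._token_by_idx = {}  # HMAC(PAN) -> token, so repeats map to one token

    def _index(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token: same length, same last four,
        random elsewhere, and deliberately NOT Luhn-valid."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_idx:
            return self._token_by_idx[idx]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that would itself look like a card.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_idx[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers inside the PCI scope should be able to reach this."""
        return self._pan_by_token[token]


def mask(token: str) -> str:
    """Display form for logs and UI: only the preserved last four are visible."""
    return "*" * (len(token) - 4) + token[-4:]
```

Because the token is never Luhn-valid, a log line, analytics export or misconfigured S3 bucket that leaks tokens leaks nothing a fraudster can charge, and because the last four digits survive, the applications outside the vault need no schema change. Detokenization is the one operation that must stay behind the vault's own access control.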
Join me tomorrow at the SC Congress eConference on Auditing and Compliance. I’ll be joined by Principal Forrester Analyst John Kindervag to discuss best practices in data protection for the cloud. We’ll look at Forrester’s proven “PCI Unleashed” framework and map that to cloud data protection use cases, and then we’ll discuss some applications of Intel® Expressway Tokenization Broker that can help to protect PCI, PII, and PHI data in the cloud.
The post Join Us Tomorrow: SC eSymposium on Audit & Compliance appeared first on Application Security.
API Evangelist Kin Lane has just released a new paper that provides an overview of the Backend as a Service space. Kin’s research does a great job covering the breadth of tools and services that get lumped in under the …
The post Cloud Service Brokerage: Enabling MBaaS for the Enterprise appeared first on Application Security.
Kin Lane has started tracking what he calls API Brokers over at API Evangelist. This quote illustrates the promise of API brokerage: I envision other new API brokers emerging, in niche areas like images, video or messaging. Imagine if you could …
The post Be Your Own Broker: An Enterprise Perspective using API Management appeared first on Application Security.
I saw a conversation today on Twitter that asked why we don’t just embed proper security into Hadoop instead of suggesting the API gateway approach to Hadoop security that my colleague Blake proposed. The same could be asked about any number …
The post Hadoop Security: Internal or External? Why not both! appeared first on Application Security.
Join us Wednesday, May 22 at 10:00a Pacific / 1:00p Eastern for our next webinar with Capital One and Mashery: APIs are a hot topic in all sectors of IT – they have gone from being niche solutions provided by …
The post Our Next Webinar: Five Practical Steps to Building an Enterprise Class API Program appeared first on Application Security.
Last year the Open Data Center Alliance published an excellent whitepaper that defined the concept of “cloud-aware” applications. The ODCA paper sets forth the following recommendations: Everything is a Service Use RESTful APIs Separate Compute and Persistence Design for Failure …
The post Cloud-Aware Tokenization: Helping to Build PCI-Compliant Applications in the Cloud appeared first on Application Security.
A few weeks ago I blogged about different Mobile Middleware usage models for enterprise. Continuing that thread, this post will drill down into API security considerations for enterprise mobile apps. Mobile applications are typically intended for use outside of the …
The post Mobile Middleware for the Enterprise: API Security Considerations appeared first on Application Security.
This Thursday, I will be presenting a webinar with Forrester covering 4 Building Blocks to Mobilize Your Enterprise App Strategy. As we prepared for this talk, Mike and I talked about a few trends that are emerging in response to …