Monday, February 28, 2011

Securing APIs

One of the key questions which comes up in API Management is which authentication scheme to use. Gunnar Peterson has written, in a different context, about the benefit to the security architect of providing a menu of authentication schemes to choose from. Some clients are limited in which authentication schemes they can handle, and providing a "menu" of authentication schemes at the API Gateway level accommodates them. Within a policy (expressed as a "circuit" in the Vordel Gateway) you can handle clients differently depending on how they authenticated.

So which API authentication schemes are on the "menu"? Of course there is HTTP Digest Auth and mutual SSL. But there are also specific API authentication schemes similar to Amazon's Query API authentication. If you want to learn more about this API authentication option, there is a video example on the Vordel website showing API authentication for iPhone apps and Facebook as clients. If you skip the video ahead to the 20-minute mark and listen for a few minutes, you can learn how the Vordel Gateway provides the API security, making use of HMAC digests with SHA1. If you're familiar with the Amazon Web Services Query authentication, you will recognize this:


So the options for API authentication balance flexibility (providing customers with a menu of authentication options) and security (policies which vary access depending on which scheme the client uses). A Gateway provides this balance, versus hardcoding the scheme into the API itself.
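As an added illustration of the HMAC-SHA1 scheme described above (example code written for this post, not Vordel's or Amazon's own implementation): a client-side signer and a gateway-side verifier modelled on Amazon's Query API Signature Version 2. The key id, secret, hostname and request parameters are constructed for illustration; the verifier shows the checks a gateway would apply before trusting the signature.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed key store: access-key id -> shared secret (illustration only;
# a gateway would hold these in its credential store, not in code).
KEYS = {"AKIAEXAMPLE": b"constructed-example-secret"}

def canonical_string(method, host, path, params):
    """String to sign, Amazon Query API (Signature Version 2) style: method, host,
    path and the sorted, URL-encoded parameters, each on its own line. The
    Signature parameter itself is excluded."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "Signature")
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in items)
    return "\n".join([method.upper(), host.lower(), path, query])

def sign_request(method, host, path, params, key_id, secret, timestamp=None):
    """Client side: add the signing parameters and a base64 HMAC-SHA1 signature."""
    signed = dict(params, AWSAccessKeyId=key_id, SignatureMethod="HmacSHA1",
                  SignatureVersion="2",
                  Timestamp=timestamp or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))
    mac = hmac.new(secret, canonical_string(method, host, path, signed).encode(), hashlib.sha1)
    signed["Signature"] = base64.b64encode(mac.digest()).decode()
    return signed

def verify_request(method, host, path, params, now=None, max_skew=300):
    """Gateway side: identify the client by key id, recompute the HMAC over the request
    as actually received, compare in constant time, and reject stale timestamps so a
    captured request cannot simply be replayed later. Returns (ok, reason)."""
    secret = KEYS.get(params.get("AWSAccessKeyId", ""))
    if secret is None:
        return False, "unknown key id"
    if params.get("SignatureMethod") != "HmacSHA1":
        return False, "unsupported signature method"
    try:
        ts = calendar.timegm(time.strptime(params["Timestamp"], "%Y-%m-%dT%H:%M:%SZ"))
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs((now if now is not None else time.time()) - ts) > max_skew:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, canonical_string(method, host, path, params).encode(), hashlib.sha1).digest()
    try:
        presented = base64.b64decode(params.get("Signature", ""), validate=True)
    except ValueError:
        return False, "malformed signature"
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"
```

The timestamp window bounds replay of a captured request; a gateway that also records seen (key id, timestamp, signature) tuples within the window closes the remaining gap.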

Wednesday, February 23, 2011

Replacing walls and PDFs with conversation and videos

James Governor from Redmonk wrote a piece yesterday about how companies often don't "get it" that people do not want to register for PDFs, or even deal with PDFs in the first place. He says that "Text is the language of the Net. It’s the language of blogs". I agree, but I would add that video is also a key language of the Net. Want to see how the Vordel Gateway works with Oracle Entitlements Server? Here's a video on YouTube showing it. And here is a blog post by my colleague Josh about the Vordel / Oracle Entitlements Server interop. Text and video. All Google searchable. And no registration wall.

To echo one of the comments on James' piece, that mobile is driving this, I'd add that it is mobile which is driving video as well as text. My Droid 2 plays YouTube videos just fine, enabling people to view a Vordel Gateway demo video right on their phone. You would be amazed how many people I talk to who say "Yeah I have watched the video" when I mention a particular Vordel feature (e.g. our Security Token Service support).

Take for example this video (no registration needed) of a Vordel customer (Blackhawk Network) explaining how they use the Vordel Gateway to manage a REST API consumed by Facebook Marketplace and iPhone apps. I'd argue that viewing the video, listening to an enterprise architect explaining exactly why they architected the solution the way they did, and why they chose Vordel, is certainly more valuable than a PDF, and in fact it complements text-based blogs well.

This is the Cluetrain idea: Markets as conversations. Get information out there, include customers and partners in the conversation, and don't hide information behind PDFs and registration walls. Engage with text in blogs, certainly, but also using video which is just as much a first-class citizen of the Internet.

Wednesday, February 16, 2011

Covering your *aaS - A security checklist for cloud models

If you ask three organizations how they are using the Cloud, you will get (at least) three answers. One may be considering using Google Apps for email, to avoid asking an admin to reboot mail servers at 4am to clear an email backlog. Another may be considering using Terremark or Amazon EC2 to spin up compute power to run processor-intensive work (like DNA sequencing, let's say). Another may be considering using Amazon's S3 as external storage. Here is where the *aaS model comes to the rescue. Cloud usage fits relatively neatly into the categories of SaaS, PaaS, and IaaS.

Using this categorization, I recently wrote a cloud security introduction for CSO Magazine which takes SaaS, PaaS, and IaaS in turn to show how security applies differently in each case. Check it out...

Friday, February 11, 2011

Cloud Security Alliance piece - Single Sign-On to Cloud services

I wrote this piece recently for the Cloud Security Alliance for Infosecurity Magazine on Single Sign-On to the Cloud. As a practitioner in this area, it is striking how service providers such as Google Apps enable access to their service (corporate Gmail inboxes, Google Docs) via API keys. In the case of Google Apps, the key is used to sign a SAML 2.0 assertion sent up to log the user into their email inbox.

I'm sometimes asked for Cloud security predictions. One prediction I have is that it is only a matter of time before API keys are stolen from an organization and used to access resources such as email inboxes and sales leads. CSOs are mostly not aware that these keys, often sitting on hard drives or baked into apps, are vital to protect. In the article I talk about the API key protection options. Check it out...