managing sensitive information in an api and microservices world
TRANSCRIPT
©2016 Apigee Corp. All Rights Reserved.
Managing Sensitive Information in an API and Microservices World
Peter Miron, Apcera
Joshua Norrid, Apigee
Presented by Joshua Norrid, Apigee and Peter Miron, Apcera
Innovation, Meet Trust.
• Customers want CONVENIENCE.
• All parties desire CONTROL of sensitive data.
• All parties demand CONSISTENCY of experience and process.
• Sensitive Data Providers must apply CONSTRAINTS to CONSUMPTION.
• Sensitive Data Providers must achieve and maintain COMPLIANCE.
A “Chain of Custody” is required for managing sensitive information with APIs in the digital world.
Why Are We Talking About This?
Help businesses compete digitally
Proven. More API management deployments – over 500 to date – run on Apigee than any other platform
$100M run rate. Signed definitive offer to be acquired by Google in September, 2016
API Management Platform: Apigee Edge
Experienced management team from BEA, Oracle, IBM, Yahoo
About Apigee
Any Application
• Cloud Native Applications
• Legacy x86 Applications
• Containerized Applications and more!
Any Infrastructure
Composition, Orchestration & Deployment
Networking + Nano-Segmentation
Application Service Management
Policy & Enforcement
etc.
Apcera: A Trusted Application Management Platform
Workload Composition
Workload Resource Management
Workload Scheduling and Placement
Workload Communication and Connectivity
Policy and Automated Enforcement
The Digital Value Chain
The Extended Digital Value Chain
The pipeline: inspiration from the past…
A useful pattern from Caesar at Alesia…
• Alesia was a hill-top fort surrounded by river valleys, with strong defensive features.
• Over 80,000 men were garrisoned inside.
• 3 Roman legions built dual fortification walls that surrounded the enemy.
• A moat and 4.5 meter ditches were also constructed on the inner wall. Water from nearby rivers was used to fill it.
• No traffic was permitted inside or out without first being “mediated” or “transformed” by Roman soldiers. A true physical proxy.
Mediate + Enrichment
Analytics
Developer Portal
Apps / Systems Developers + Partners
Users
API Security
Traffic Management
Callouts Extensibility (Node, Java, Python,
JavaScript)
Dashboards + Reports
Monetization
Global Scale BaaS
Existing and New Services (SOAP, REST, HTTP/HTTPS, JMS, etc.)
Apigee + Apcera: Capabilities Magnified
APIs
PUT
DELETE
POST
GET
Multi-Cloud
Additl. Code + Logic
Enhanced Security
Semantic Pipeline Rules + BPM
Enhanced Messaging
Container Mgt.
Trace Data Requests and Fulfillment at Each System / Application Handoff
• Who requested what data? When?
• Who else has access to that data?
• What services participated in the transaction to produce the report?
• What policies enabled that participation in the transaction?
• Are we certain no one and no other services have access to that data?
Service Consumers
A. Business Partners
B. Regulatory Agencies
C. Compliance
D. Legal Requests
Report Classification
A. Customer Privacy Related
B. Business Critical
C. Trade Secret
General Use Case
Reporting Service
Report
Trusted 3rd Party
Request Report
Service Consumers
A. Law Enforcement
B. Legal/Risk/Security
Telco Use Case
Telco offers call data reporting as a business service:
• Online and printed reports—who called whom, when, duration, etc.
• Policy governs the service—who has access to a given report, who saw a report, who granted access, who deploys software, who writes and tests software, etc.
• Composed of both software and operations (IT, legal, risk, etc.)
Report Classification
A. Sensitive / Privacy Related
B. Requires Warrant
CDR Service
Client Details Report
Trusted 3rd Party
Request Call Detail Records
KYC Service
Client Details Report
Finance Use Case
Client Onboarding Operations
Request KYC Details for Jane Doe
Client Onboarding Ops
A. Legal / Risk / Security (Internal)
B. Banking Systems
C. Audit (External and Internal)
Information Classification
A. Very sensitive / privacy-related
B. Requires a reason and entitlements to access
C. May result in fines, penalties, notification to entities impacted or other business operations if disclosed incorrectly (or thought to).
A Financial Firm Must:
• Capture and verify each account’s complete ownership, legal entities, for example, joint, LLC, individual.
• Capture all activities that create, update, delete or query client information.
• On a regular basis re-validate the above, retain all records in write-once form.
• Ensure that all information disclosure requirements are met for PCI and KYC related information (notification, credit insurance, etc.)
• In general the firm must provide all KYC supporting details as required by its policies and those of its regulator.
Requirements vary for each jurisdiction (country, state, etc.), product (stock, CD) and business (brokerage, banking, insurance, credit / loan).
EMR Service
Electronic Medical Records
Healthcare Use Case
Trusted EMR 3rd Parties
Request EMR Details for John Doe
Trusted 3rd Parties
A. Doctors
B. Patients
C. Payers
Information Classification
A. Very sensitive / privacy-related
B. Requires a reason and entitlements to access
C. Requires auditability of access
Policy Governs:
• Organizations and potentially Users that can access data through Apigee Edge
• Developers’ ability to modify software to update access to those records
• Operational control over where data can be sent to
Auditability:
• Access grant date
• Software modification
• Per request traceability
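The general, finance and healthcare use cases above all ask the same questions at each handoff: who requested what data and when, which services participated, which policy let them, and can the record be trusted afterwards (write-once retention, per-request traceability). As an added example that is not from the presentation or from either vendor's product, the Python below keeps a hash-chained custody log with exactly those fields and detects a record that was altered or removed; all requester, service, policy and report names are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record in a chain


def _digest(body):
    """Canonical SHA-256 over the record body (sorted keys, stable JSON)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_handoff(log, requester, service, data, classification, policy, ts):
    """Append one handoff record, chaining it to the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"requester": requester, "service": service, "data": data,
            "classification": classification, "policy": policy,
            "ts": ts, "prev": prev}
    log.append({**body, "hash": _digest(body)})
    return log[-1]["hash"]


def verify_chain(log):
    """Recompute every link; return the index of the first bad record, or -1."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        # A removed record breaks the prev pointer; an edited one breaks the hash.
        if body["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def participants(log, data):
    """Answer 'what services participated' for one data item, in handoff order."""
    return [r["service"] for r in log if r["data"] == data]


def build_sample_log():
    """Constructed sample: a trusted 3rd party requests a client details report."""
    log = []
    record_handoff(log, "partner-a", "api-gateway", "report-42",
                   "customer-privacy", "policy:partner-read", "2016-10-01T09:00:00Z")
    record_handoff(log, "api-gateway", "reporting-service", "report-42",
                   "customer-privacy", "policy:gateway-to-reporting", "2016-10-01T09:00:01Z")
    record_handoff(log, "reporting-service", "kyc-store", "report-42",
                   "customer-privacy", "policy:reporting-reads-kyc", "2016-10-01T09:00:02Z")
    return log
```

Only an append-only store makes this log "write-once"; the chain gives the auditor a way to prove, after the fact, that nothing in it was edited or dropped.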
Demonstration
Try Apcera Community Edition for Free: http://bit.ly/apcera-ce
Try Apigee for Free: Apigee.com
Learn More at
www.apcera.com
Thank You!
Joshua Norrid
Peter Miron (@PeteMiron)
Appendices
Apigee Edge Covers The Entire API Management Lifecycle
Threat Protection
Test
Monetize
Scale Traffic
Maintain Availability
Update / Iterate
Publish APIs
Analyze
Develop
Deploy
Model
Access Control
Data Access
Real Time Monitoring
Document
Use
Run
Build
Apigee Edge
Swagger
Node.js
Design
Package
Integration
Configuration
Coding
Transformation
Quota
Monitoring
Versions
Logging
Alerts
Debugging
Auditing
Load Testing
Staging
DDoS
Identity
Roles
Portal
Developers
App Registration
Rate Plans
Documentation
Mobile Data
Activity Metrics
Push Notification
Zero Downtime
Low Latency
Geo-Distribution
Traffic Spikes
Apigee Products
Experience APIs
Intelligent Security
Run-time
Data Warehouse
CRM, ERP, etc.
SOA
Database
Customer Application
Infrastructure
Internet of Things
Vertical-specific
api-x
Backend APIs