melbourne api management seminar
TRANSCRIPT
API Management Breakfast Seminar
Francois Lascelles Chief Architect
Devon Winkworth Solutions Architect, APAC
Mike Amundsen Principal API Architect
Agenda
API Management
Overview and Trends
Reaching out to Developers – B2D
Publishing and Consuming APIs
Engaging & Supporting Developers and Reporting the Results
Break
OAuth – the next step in Access Control
Solving Mobile Challenges
Customers Success Stories
Summary and Wrap up
Challenges for the Modern Enterprise
- Build a Developer Channel with Open APIs
- Cloud Access & Integration
- Connect Enterprise to Mobile Apps
Use cases shown on the slide: BYOD Employee Enablement; Field Enablement; API Developer Communities; Smart Grid; Login/Password SaaS Access; IaaS Integration & Governance; Hybrid Private / Public; Burst to the Cloud; Real-time Supply Chain; X-agency information sharing; Media Syndication; Trading Platforms; Publish Public APIs Reliably; Build Developer Ecosystems; Monetize Internal Information; Socialize Applications; X-Departments / X-Agency Connectivity
Why APIs? The Rebirth of Applications
Traditional “Closed” APIs: the Enterprise API reaches Customers & Partners, Divisions, Cloud, Partners and Mobile through separate closed interfaces.
The New “Open” API: a single Open API consumed from Divisions, Cloud, Partners and Mobile.
Third Parties are Key
API Management Scope
API Lifecycle:
- Discovery, documentation
- Developer onboarding
- Performance, scaling
- Integration
- Access control
- SLA enforcement
- Threat protection
- Analytics
- Monetization
API Management Infrastructure (diagram): a Developer Portal, used by the Developer, and an API Gateway, which sits between the App and the API.
Attending to the Hockey Sticks
More Devices
More Apps
More APIs
API Developers
Developers are your target audience
They need great tools to use your API
They know what works
And they tell others about it
Developers are your Target Audience
APIs -> Developers -> Apps -> Users
They need great tools to use your API
- Docs
- Getting started
- Sandbox
- Registration
- Samples
Developers know what works…
- 30 min to a quick win or else: “It was easy for me to get started with this API.”
- Make them look good to peers and superiors: “Hey, I know just the API we can use to solve this problem.”
- Make it easy for them to use/promote your API: “Company X has a great API, you should try it.”
- Make it hard for them to mis-use/break your API: “This API is very intuitive.”
…And they tell others about it.
Conferences
100+ developers, designers, project leaders
Code-a-thons
100- developers, API publishers, API hosts
Meetups
Local developers, designers, leadership
- User Groups (~50)
- Pub Nights (~25)
Online
Wide range of highly targeted communities
- Forums
- Chat rooms
- Social media
Reaching out means…
Know your target audience
Give them the tools they need…
To do their jobs well…
So they will spread the good word.
Example: Australia Sports API
Sample API: Professional sports information aggregation
- Teams
- News
- Results
Layer 7 Gateway (diagram). Two goals: Ensure Privacy & Security Compliance; Optimize API Traffic. Capabilities shown: Security Control, Authorization & Authentication, Data Leak Prevention, Attack Prevention, Browser Exploit Blocking, Transformations, Rate Limiting, API Key Management, Traffic Control, SOAP/REST, XML/JSON.
Demo: Exposing an API with the Layer 7 Gateway (diagram: REST Client -> Gateway -> API endpoint; the Gateway is configured through the Policy Manager)
Layer 7 Gateway Capabilities
Access Control
•Authentication: for different IAM, SAML, OAuth
•Authorization including OAuth, XACML
•Token translation / SAML STS
•Horizon call back into enterprise
•Identity federation across service zones
Security
•API threat protection
•XML / JSON schema validation
•Data filtering, redaction
•Data privacy: message- and field-level encryption
•Data integrity: digital signatures, hashing, validation
Metering/SLA
•Throttling, rate limiting, x-cluster message counter
•Prioritization, traffic shaping and QoS
•Content caching to reduce latency overhead
•Monitoring, reporting on API usage
•Activity reporting to IT management systems
Abstraction/Mediation
•Format conversion: SOAP/REST/JSON/XML
•Protocol mediation: HTTP(S), messaging, file-based, SSH
•Dynamic content- and context-based routing
•Composite services: in-line callouts, message enrichment
•Workflow: fan-in, fan-out, looping, synch/asynch
Layer 7 Gateway Form Factors
Hardware Appliance
- Rack mountable 1-U device
- Common Criteria EAL 4+ certification, FIPS 140-2 level 3
- Optional hardware accelerator modules for XML, crypto
VMware Virtual Appliance
- Packaged virtual image of hardware appliance
- “VMware-ready” certified
- Open Virtualization Format (OVF)
AWS Virtual Appliance
- Instantiate from your AMI catalog
- Integrate with EC2, RDS, Auto Scale, ELB
Software
- Software installation for Linux or Solaris based systems
Layer 7 API Portal Objectives
Drive Developer Adoption (Onboarding): Developer Enrollment, API Docs, Forums, API Explorer
Provide Insight for all Stakeholders (Reporting): Rankings, Analytics, Quotas, Task Tracking
Demo: API Portal
Developer portal
- Discover an API
- Try the API
- Register as a developer
- Register an application
- Get an API key
- Metrics
- Community
Demo
Layer 7 API Portal Capabilities
Developer Management
•Self-service registration and colleague enrollment
•Plans are provided to help you stratify developers into tiers
•Account managers assigned to help manage specific, high‐value partners
•Manage the generation of API keys/OAuth secrets for each developer application
Developer Support
•Discussion Forums, integrated messaging, FAQs, Announcements to foster community among developers
•API Documentation, sample code/applications
•API Explorer to allow you to submit queries and see API responses interactively
•Reports that measure API usage, application usage and API latency
Content Management
•Out‐of‐the‐box templates for API documents, landing pages, etc.
•Content can be versioned and rolled back
•Personalized default dashboard for all developer and publisher users
•Look and feel easily changed (e.g. logos, fonts, colors, etc.)
•Control access to documentation and forums based on API status (e.g. private vs. public)
Business Management
•Account tiers defined to allow for developer grouping and actions
•Define unique and/or standard plans for each API
•Define quotas, rate limits and other features for each API plan
•Applications tracked as they move from development to test to production
•Application usage measured, providing developer understanding and information for planning
Time for a Break!!
API access control
You got an API key, now what?
- An app is sometimes identified at runtime by including its API key in a query parameter (that doesn’t count as access control)
- Typically, the user of the mobile app needs to be authenticated
- Standard: OAuth 2.0
- Multiple grant types possible
- Opaque bearer tokens are the most common approach
OAuth Toolkit
- API Protection: OAuth 1, OAuth 2, OpenID Connect, 2- & 3-legged OAuth
- Better Integration – Leverage Existing Assets
- Faster Time to Market
- Scaling – Interpreted vs. Stateful Tokens; Caching
Anatomy of an OAuth handshake (one of many possible grant types illustrated)
Parties: Subscriber (resource owner); Mobile App (client); OAuth Authorization Server, with an authorization endpoint and a token endpoint.
Step 1: the client sends the subscriber to the authorization endpoint; the subscriber gives consent and the client receives an authorization code.
Step 2: the client presents the authorization code at the token endpoint and receives an access token. The access token is a shared secret.
Why exchange a secret with an OAuth authorization server in the first place?
A: In order to consume an API.
OAuth Provider = OAuth Authorization Server + OAuth Resource Server.
Consume the REST API with the access token from the handshake: at the API endpoint the access token is resolved to (app, user) and access control policies are enforced.
OAuth: Leverage existing identity, existing SSO
- Get SSO cookie, integrate with policy server (web agent)
- Associate SSO cookie with access token
Diagram: the subscriber (“Maintain my SSO experience!”) presents an SSO token during the <handshake>; API Management checks the SSO session against the SSO Policy Server.
Token Monitoring, Revocation
- Track usage of live tokens
- Integrate with portals, BI, provider tooling through open API
- Expose token revocation to the right parties
Diagram: a token compromise leads to an exploit (FAIL!); the API Provider’s Token Management and BI check for unusual usage patterns; revocation can be triggered from the Dev portal, the Subscriber portal, or by the API Provider.
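The access-control points on the last few slides can be put side by side in code: an API key in a query parameter only identifies the app, the resource server resolves an opaque bearer token to (app, user) and enforces policy, and live tokens are tracked, checked for unusual usage patterns, and revoked. The block below is an added example, not Layer 7 code or part of the original deck; the token store, the scope-per-path policy, the distinct-address threshold and the sample requests are all constructed for illustration.

```python
"""Added example (not Layer 7 code): resource-server checks for opaque OAuth
bearer tokens, plus the usage tracking and revocation the deck describes.
The token store, policy table, thresholds and requests are constructed here."""
from dataclasses import dataclass, field

NOW = 1_700_000_000.0          # fixed clock so the example is deterministic


@dataclass
class TokenRecord:
    app_id: str                 # the registered application (what an API key identifies)
    user_id: str                # the subscriber who consented in the handshake
    scopes: frozenset           # what the subscriber allowed the app to do
    expires_at: float
    revoked: bool = False
    uses: list = field(default_factory=list)   # (timestamp, client address) per call


# Constructed store: the authorization server fills this when it issues tokens;
# the gateway / resource server only looks tokens up. Opaque tokens carry no
# meaning themselves, which is why the lookup is the whole validation.
TOKENS = {
    "tok_alice": TokenRecord("sports-mobile", "alice", frozenset({"results:read"}), NOW + 3600),
    "tok_bob":   TokenRecord("sports-mobile", "bob",   frozenset({"results:read"}), NOW - 1),
}

# Constructed policy: scope required for each API path.
REQUIRED_SCOPE = {"/teams": "teams:read", "/results": "results:read"}

# Assumed monitoring rule: one subscriber's token seen from more than this many
# distinct client addresses inside the window counts as "unusual usage".
MAX_DISTINCT_ADDRS = 3
WINDOW_SECONDS = 300


def identify_app(query):
    """An api_key query parameter identifies the app; it never grants access."""
    return query.get("api_key")


def authorize(headers, query, path, client_addr, now):
    """Return (status, detail). 200 means app X acting for user Y may call path."""
    app_hint = identify_app(query)              # useful for logging/metrics only
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, f"bearer token required (api_key={app_hint})"
    rec = TOKENS.get(auth[len("Bearer "):])
    if rec is None or rec.revoked:
        return 401, "invalid or revoked token"
    if rec.expires_at <= now:
        return 401, "expired token"
    needed = REQUIRED_SCOPE.get(path)
    if needed is None or needed not in rec.scopes:
        return 403, "insufficient scope"
    rec.uses.append((now, client_addr))         # track usage of the live token
    return 200, f"app={rec.app_id} user={rec.user_id}"


def unusual_usage(token, now):
    """Monitoring step: too many distinct client addresses within the window."""
    rec = TOKENS[token]
    recent = {addr for ts, addr in rec.uses if now - ts <= WINDOW_SECONDS}
    return len(recent) > MAX_DISTINCT_ADDRS


def revoke(token):
    """Revocation step, exposed to the dev portal, subscriber portal or provider."""
    rec = TOKENS.get(token)
    if rec is None:
        return False
    rec.revoked = True
    return True


if __name__ == "__main__":
    bearer = {"Authorization": "Bearer tok_alice"}
    print(authorize({}, {"api_key": "sports-mobile"}, "/results", "10.0.0.1", NOW))
    print(authorize(bearer, {}, "/results", "10.0.0.1", NOW))
    for addr in ("10.0.0.2", "10.0.0.3", "10.0.0.4"):
        authorize(bearer, {}, "/results", addr, NOW + 10)
    if unusual_usage("tok_alice", NOW + 20):
        revoke("tok_alice")
    print(authorize(bearer, {}, "/results", "10.0.0.1", NOW + 30))
```

The order of the checks in `authorize` is the point: the token is looked up before anything else, expiry and revocation are tested before scope, and a request that fails any check never touches the usage log, so the monitoring view only reflects calls that actually reached the API.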
Layer 7 Mobile Access Gateway
A lightweight, low-latency mobile gateway for solving critical mobile challenges in the following areas:
Demo - Mobile Access Gateway
- http/websocket/xmpp/push
- Mobile notification hookup (APNS, Android)
- Targeted notifications
Demo
Layer 7 Mobile Access Gateway Capabilities
Identity
•Map Web SSO & SAML to mobile-friendly OAuth, OpenID Connect and JSON Web Tokens
•Create granular access policies at user, app and device levels
•Build composite access policies combining geolocation, message content etc.
•Simplify PKI-based certificate delivery and provisioning
Security
•Protect REST, SOAP and OData APIs against DoS and API attacks
•Proxy API streaming protocols like HTML5 Web Sockets and XMPP messaging
•Enforce FIPS 140-2 grade data privacy and integrity
•Validate data exchanges, including all JSON, XML, header and parameter content
Adoption
•Surface any legacy application or database as RESTful APIs
•Quickly map between data formats such as XML and JSON
•Recompose & virtualize APIs to specific mobile identities, apps and devices
•Orchestrate API mashups with configurable workflow
Optimisation
•Cache calls to backend applications
•Recompose small backend calls into efficiently aggregated mobile requests
•Compress traffic to minimize bandwidth costs and improve user experience
•Pre-fetch content for hypermedia-based API calls
Integration
•Proxy and manage app interactions with social networks
•Broker call-outs to cloud services like Salesforce.com
•Bridge connectivity to iPhone, Windows and Android notification services
•Integrate with legacy applications using ESB capabilities
Layer 7 API Management Implemented at 200+ Enterprise and Government Customers (customer logos grouped as Financial Services, Communications, Public Sector, Select Others)
Case Study: Publishing Telecom APIs
Problem: publicly exposing Telecom APIs presents some unique challenges around how they get packaged, secured and managed for easy consumption
Solution: SecureSpan Networking Gateway policy-based controls allowed Orange to define the message, identity and interface level security for their APIs; track usage; monitor interface health; and update APIs without breaking client applications
Results: Orange has created an agile IT platform on which to develop new offerings faster and at less cost by reusing/recomposing existing services
“Making Nursery [Telecom APIs] available to local, 3rd world partners has allowed Orange to overcome many of the barriers that had previously limited our growth in emerging markets.”
Benoît Herard, Orange Labs
Case Study: APIs Expanding Market Reach
Problem: wanted to securely expose existing services to third party developers in order to expand their market reach
Solution: Layer 7 API Proxy allows Alaska to securely expose and manage their APIs, while caching Sabre requests
Results: significantly grew market reach, while controlling costs associated with constantly pulling data from Sabre to service Developer requests
Case Study: APIs Enabling the Enterprise
Problem: reduce cost and delay in processing Medicaid member information by bringing the process online
Solution: SOA Gateway allows iPad application to securely connect to backend APIs; provides data routing & guards APIs against intrusion with strict authentication, authorization and comprehensive threat protection
Results: improves Amerigroup’s health care coverage and member services, while increasing the effectiveness and efficiency of its Medicaid program
Case Study: Publishing Information Service APIs
Problem: allow customers and partners to use Google Apps to access multiple, existing information services
Solution: CloudControl authorizes users and applies rate limiting; converts REST queries to SOAP, and provides API aggregation & orchestration
Results: implemented business logic in policy (not code), decreasing maintenance costs; customers and partners can now obtain richer results to their queries from their platform of choice, simplifying and speeding information gathering
“Layer 7 offered us the closest fit to our business requirements in a single product. No other vendor was even close.”
SOA Architect, World’s leading publisher of science and health information
Case Study: SaaS & Mobile Integration
Problem: securely integrate to SaaS services such as Salesforce.com and
Workday, as well as secure mobile payments for Mastercard’s MoneySend service
Solution: Layer 7 securely gates all interactions with cloud-based SaaS providers
and mobile applications, authenticating and authorizing all inbound/outbound
interactions
Results: users manage only a single login/password for all systems; administrators
manage a single LDAP, thereby enhancing security and lowering administration costs
Layer 7 – One Solution for 4 Hybrid Problem Spaces
Across Divisions & Partners: Simplify Information Sharing; Enable Centralized Shared Services; Improve B2B; Bridge ESB Domains
Cloud Access: Help Enterprises Connect To The Cloud; Help Service Providers Deliver New Services; Deploy Security-as-a-cloud Service
Outside Developer Communities: Build a developer channel; Monetize information assets; Improve customer reach; Improve customer retention
Across Mobile: Mobile Developer Onboarding; BYOD; Mobile application management; App security
Products: SOA Gateway, CloudConnect, Mobile Access Gateway, API Portal
Established Leader
“Layer 7 SecureSpan is strong across the board. SecureSpan SOA Gateway scored well in all of the major functional evaluation categories…It has the broadest array of form factors and one of the strongest strategies for virtualization and cloud-based deployment.”
“[Layer 7 has a] …. complete offering, with good coverage of general SOA governance (on-premises and in the cloud), B2B, ESB and API management functionality…[The Company is] fast-moving, well on its way to implementing its good vision for SOA governance and the related marketplaces.”
Gartner Magic Quadrant for SOA & API Governance Technologies, Oct 2011 (figure: quadrants niche players, visionaries, challengers, leaders; vertical axis “ability to execute”; vendors plotted: Software AG, Oracle, IBM, Progress Software, Layer 7, SOA Software, Tibco Software, HP, Vordel, Crosscheck Networks, Managed Methods, Intel, Mashery, WS02)
Additional Notable Recognition
The Forrester Wave: SOA & API Application Gateways, Nov 2011 (figure: categories Risky Bets, Contenders, Strong Performers, Leaders; axes “Current Offering” and “Strategy”, each from Weak to Strong, with Market Presence; vendors plotted: Vordel, Intel, Forum Systems, Progress Software, Software AG, Tibco Software, Bee Ware, IBM)