VP Innovation at Axway, Co-founder at Vordel

Mark O'Neill

Subscribe to Mark O'Neill: eMailAlertsEmail Alerts
Get Mark O'Neill via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Blog Feed Post

Funneling access to your API - The role of the API Gateway together with session management and IAM

Dragan Pendic is at Gartner IAM in London right now, and has shared this excellent slide from Gartner's Mary Ruddy:

The diagram shows the funnel-like progression of API Security from the edge through to the API itself, involving finer and finer levels of authorization as you get closer to the API.

The message to "Evaluate Sessions" at the edge echoes the advice of Gunnar Peterson in the Top Ten API Security Considerations paper to "Think of sessions, not just APIs". In that paper, Gunnar notes session management for APIs is not as simple as it might first appear:
There are substantial security engineering implications here: How will you coordinate
session timeouts? How will you synchronize identifiers? What if one times out?http://www.axway.com/en/gate/1390 
It's true that ADC (Application Delivery Controller) products are sometimes used to connect to WAM (Web Access Management) products like Oracle Access Manager, to validate sessions. But what is less well known is that API Gateways also can connect to WAM products for session validation. In the screenshot below, we see how the Axway API Gateway can connect to Oracle Access Manager to validate an SSO Token (in this case the "obsso" token):

One the session is validated, a common practice is to look up attributes of the client, and do "attribute stuffing" to place these into the API request, to be used for authorization. Traditionally this has been done with SAML, for more heavyweight SOAP APIs, but more recently it's common for OAuth JWTs (JSON Web Tokens) to be used for this purpose.

At the API Gateway, as Mary Ruddy notes, the API calls themselves are evaluated. In the screenshot below, you can see how the Axway API Manager allows API administrators to register APIs and define service calls. These can be done on a per-operation (method) level, and you define parameters which the API expects.

The final step, as you can see in Mary Ruddy's diagram, is that IAM is leveraged for fine-grained authorization. This can be done in policies at the API Gateway, or by leveraging the API Gateway's connections into identity management infrastructure such as CA SiteMinder, IBM Tivoli Access Manager, ForgeRock, or Oracle Access Manager. In addition, the API Gateway can connect to dedicated fine-grained authorization products such as Oracle Entitlements Server (OES) and Axiomatics Policy Server.

It is great to see this access control model for APIs being evangelized. For too long, securing APIs was something of a dark art. Models like this, and Gunnar's API Security white paper, go a long way to helping the state of API Security.

Read the original blog entry...

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.