|By Application Security||
|May 17, 2012 08:00 AM EDT||
Enterprises often frustrate developers. Why do Enterprises always seem so behind when it comes to the very latest technology? In particular, a trend we are seeing is the continued struggle to marry Enterprise authentication with the burgeoning world of REST APIs. Developers want to use REST, but Enterprises need enterprise grade API security.
We think this problem will only worsen as Enterprises continue their rapid adoption of APIs. It seems clear that SOAP, while capable of Enterprise grade authentication through X.509 and SAML, will be left behind as the “Skinny jeans Facebook generation” puts the final nail in SOAP’s coffin.
Among our own customers and the stories we’ve heard, Enterprises are left with a dilemma with four horns concerning the protection of REST APIs:
(a) Use mutual authentication with client-side SSL
(b) Use HTTP authentication (password or digest) with server-side SSL
(c) Use OAuth, either 3-legged or 2-legged
(d) Use a de-facto standard or “roll your own”
Each option has challenges and benefits. In particular, the challenges balance time to market and time to value (which I term developer friction), security, and manageability. The success of an API is directly related to it’s perceived ease of access and the amount of friction involved in using it. An Enterprise will get more value out of an API that is actually used versus one that lies dormant. At the same time, however, as APIs become a new tunnel into the Enterprise, security and manageability cannot be sacrificed for the sake of adoption.
Current Options and Challenges
Let’s consider the options and “score” each of them. In option (a), most developers would rather shoot themselves than deal with client-side X.509 certificates, especially after experiencing the apparent ease of use of OAuth as evidenced by SaaS providers such as Salesforce.com and social platforms such as Facebook and Twitter. To compound this, the issue of key rotation and certificate management is a weighty burden to deal with from an Enterprise perspective. Echoes are heard from the grave, “But this year, will be the year of PKI!” Now, the “Year of PKI” conjures up not a picture of a secure Enterprise, but an enterprise fraught with wasteland scenes of Armageddon.
SSL with Mutual Auth Score:
- Security: High
- Friction: Extremely High
- Management Burden: Extremely High
- Developer Attitude: I hate my life
- Result: A secure API that nobody uses has lowered value to the Enterprise
In option (b), HTTP Authentication with server-side SSL, we’ve overloaded an interactive web-authentication mechanism developed in 1996 and tried to marry it to the API economy of 2012.
Well, you say…. At least it is a standard – and we console ourselves by the fact that it is a protected channel. The issue here of course is the proliferation and management of passwords.
Security is reduced because we’ve coded in a username and password and we’re probably using the same username and password for multiple applications and not telling management about it. Security is low when the password is in the clear and somewhere around medium-low when digests are used, depending on your perspective on rainbow tables. Friction is high because eventually I’ll need to (or should) rotate that password if I have even a rudimentary password policy
HTTP Basic Auth with SSL Score:
- Security: Medium-Low
- Friction: High
- Management Burden: High
- Developer Attitude: Really? We’re doing this?
- Result: An API with a “hackish” authentication method and suspect security.
In option (c), OAuth, developers will cheer but problems remain. First and foremost, traditional 3-legged OAuth is an authorization protocol that puts permission control in the hands of a user, who ostensibly owns an asset they are expressing authorization for.
In the traditional Enterprise context, however, control should be given to administrators, not users. Most users don’t own Enterprise assets, the Enterprise owns their own assets. With X.509 certificate authentication models, administrators can revoke permissions easily by revoking a certification while OAuth delegates permissions to users. This is why OAuth works well for social websites – content is owned by users.
One solution to this is to use 2-legged OAuth or some organic variation such as xAuth, which is notionally similar to SAML in that it allows the exchange of a username/password for an access token. Note: If xAuth is still OAuth why is it called something different? Answer: It is different (?)
2-legged OAuth has advantages over the previous option in that it stops the proliferation of passwords, which is a good thing, but the failure of the OAuth 2.0 specification to carefully define what 2-legged OAuth entails is a bit worrisome for both security and interoperability.
Third, depending on the specific OAuth data flow, such as the authorization code flow, implicit grant flow, or client credential flow, these all have varying levels of security and friction associated with them. The most secure OAuth data flows involving a confidential client demand strong client authentication….. …with a public/private key pair (ssshhh!!).
Finally, as history has taught us, never place all your bets in the security of a protocol. Many of us were shocked at the late 2009 news of a critical man-in-the-middle attack on SSL. If we count the Netscape days to the time of the vulnerability, the protocol was battle tested in industry for 14 years before the vulnerability was found. Some would argue that OAuth just hasn’t been around the block long enough.
- Security: Medium (or Low, depending on your view of history)
- Friction: Medium-Low
- Management Burden: Medium
- Developer Attitude: I love my job, it’s like Facebook
- Result: An API that uses a rapidly emerging protocol and avoids the use of passwords with low developer friction
In option (d), roll your own, we’ve seen a number of solutions that involve API keys or shared secrets along with authenticators like HMAC-SHA1. Amazon web services (AWS) is a famous example of this approach, and many of our own customers have copied this approach as a best practice.
These solutions have the advantage over HTTP Basic Authentication in that they don’t shoe-horn themselves into an outdated standard designed for another purpose. The flip-side is that these aren’t official standards. The idea is to use an HTTP header to store the credentials in a bespoke way defined by the Enterprise. The security model here is essentially the same as username and password, except for the fact that we’re calling it an API key to make it sound like it’s not a password. Management burden is increased here because interoperability outside the organization is reduced.
“Roll Your Own” Score:
- Security: Medium-Low
- Friction: Medium
- Management Burden: Medium-High
- Developer Attitude: Eh, It’s not OAuth, but at least I don’t have to deal with X.509 certificates
- Result: A reasonable, albeit non-standard solution to API authentication. Friction is reduced but password or shared secret proliferation remains a problem
Appease your Developers
One approach to solving the API access mechanism dilemma is to reject the dilemma and have it all. This can be done with a front-end or security intermediary that, much like a diligent mediator can make both sides happy. In this model, a front-end proxy is used on top of existing APIs, essentially retrofitting them for OAuth without having to get into the ‘weeds’ of actually modifying enterprise APIs. Everything is done on the wire at network layer 4 and above.
To take one example, if you are an Enterprise with REST APIs that use mutual SSL authentication, you don’ t have to enforce this fact on your developers. Instead, have a gateway handle it for you. You can give your developers a choice – they can fall on the sword of X.509 if they’d like, or use OAuth.
Conceptually, it looks like this:
In the previous diagram the gateway handles the OAuth dance for incoming clients and maps the identity to a username from Active Directory. Then, the gateway initiates a mutual SSL connection to the Enterprise REST API and sends the username of the original requestor over this secure channel in an HTTP header. Simple.
Developers are happy because the Enterprise is now “living in the 21st century” and the enterprise application developers are happy because they don’t need to retrofit something that already works, and the security architects are happy because they can manage it all on a security gateway with a few clicks and drop downs. Party down!
A thumbnail screen shot is shown from the “AAA” Policy from Intel® Expressway Service Gateway:
While there are a few more settings required, particularly to enable the full OAuth dance, as well as exception handling, the screen shot shows that the main credential mapping can be done with selectors and not code. This helps bridge the gap between Enterprise Applications and new emerging standards. At Intel we think this gateway or proxy model is a superb answer for solving some of these real challenges. After all, Enterprises can’t wait for the standards to catch up with the new generation of developers.
Almost two-thirds of companies either have or soon will have IoT as the backbone of their business in 2016. However, IoT is far more complex than most firms expected. How can you not get trapped in the pitfalls? In his session at @ThingsExpo, Tony Shan, a renowned visionary and thought leader, will introduce a holistic method of IoTification, which is the process of IoTifying the existing technology and business models to adopt and leverage IoT. He will drill down to the components in this fra...
Sep. 25, 2016 03:00 AM EDT Reads: 1,383
There is growing need for data-driven applications and the need for digital platforms to build these apps. In his session at 19th Cloud Expo, Muddu Sudhakar, VP and GM of Security & IoT at Splunk, will cover different PaaS solutions and Big Data platforms that are available to build applications. In addition, AI and machine learning are creating new requirements that developers need in the building of next-gen apps. The next-generation digital platforms have some of the past platform needs a...
Sep. 25, 2016 02:45 AM EDT Reads: 1,677
Without a clear strategy for cost control and an architecture designed with cloud services in mind, costs and operational performance can quickly get out of control. To avoid multiple architectural redesigns requires extensive thought and planning. Boundary (now part of BMC) launched a new public-facing multi-tenant high resolution monitoring service on Amazon AWS two years ago, facing challenges and learning best practices in the early days of the new service. In his session at 19th Cloud Exp...
Sep. 25, 2016 02:45 AM EDT Reads: 841
I'm a lonely sensor. I spend all day telling the world how I'm feeling, but none of the other sensors seem to care. I want to be connected. I want to build relationships with other sensors to be more useful for my human. I want my human to understand that when my friends next door are too hot for a while, I'll soon be flaming. And when all my friends go outside without me, I may be left behind. Don't just log my data; use the relationship graph. In his session at @ThingsExpo, Ryan Boyd, Engi...
Sep. 25, 2016 02:15 AM EDT Reads: 1,201
SYS-CON Events announced today that Numerex Corp, a leading provider of managed enterprise solutions enabling the Internet of Things (IoT), will exhibit at the 19th International Cloud Expo | @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Numerex Corp. (NASDAQ:NMRX) is a leading provider of managed enterprise solutions enabling the Internet of Things (IoT). The Company's solutions produce new revenue streams or create operating...
Sep. 25, 2016 12:45 AM EDT Reads: 1,927
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
Sep. 25, 2016 12:45 AM EDT Reads: 1,030
While DevOps promises a better and tighter integration among an organization’s development and operation teams and transforms an application life cycle into a continual deployment, Chef and Azure together provides a speedy, cost-effective and highly scalable vehicle for realizing the business values of this transformation. In his session at @DevOpsSummit at 19th Cloud Expo, Yung Chou, a Technology Evangelist at Microsoft, will present a unique opportunity to witness how Chef and Azure work tog...
Sep. 25, 2016 12:30 AM EDT Reads: 1,584
Data is an unusual currency; it is not restricted by the same transactional limitations as money or people. In fact, the more that you leverage your data across multiple business use cases, the more valuable it becomes to the organization. And the same can be said about the organization’s analytics. In his session at 19th Cloud Expo, Bill Schmarzo, CTO for the Big Data Practice at EMC, will introduce a methodology for capturing, enriching and sharing data (and analytics) across the organizati...
Sep. 24, 2016 09:45 PM EDT Reads: 1,604
DevOps at Cloud Expo, taking place Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long dev...
Sep. 24, 2016 09:30 PM EDT Reads: 3,320
SYS-CON Events announced today that Secure Channels will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. The bedrock of Secure Channels Technology is a uniquely modified and enhanced process based on superencipherment. Superencipherment is the process of encrypting an already encrypted message one or more times, either using the same or a different algorithm.
Sep. 24, 2016 09:00 PM EDT Reads: 1,426
The vision of a connected smart home is becoming reality with the application of integrated wireless technologies in devices and appliances. The use of standardized and TCP/IP networked wireless technologies in line-powered and battery operated sensors and controls has led to the adoption of radios in the 2.4GHz band, including Wi-Fi, BT/BLE and 802.15.4 applied ZigBee and Thread. This is driving the need for robust wireless coexistence for multiple radios to ensure throughput performance and th...
Sep. 24, 2016 08:30 PM EDT Reads: 1,443
The Internet of Things can drive efficiency for airlines and airports. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Sudip Majumder, senior director of development at Oracle, will discuss the technical details of the connected airline baggage and related social media solutions. These IoT applications will enhance travelers' journey experience and drive efficiency for the airlines and the airports. The session will include a working demo and a technical d...
Sep. 24, 2016 08:00 PM EDT Reads: 1,651
SYS-CON Events announced today the Enterprise IoT Bootcamp, being held November 1-2, 2016, in conjunction with 19th Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA. Combined with real-world scenarios and use cases, the Enterprise IoT Bootcamp is not just based on presentations but with hands-on demos and detailed walkthroughs. We will introduce you to a variety of real world use cases prototyped using Arduino, Raspberry Pi, BeagleBone, Spark, and Intel Edison. Y...
Sep. 24, 2016 07:00 PM EDT Reads: 2,792
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
Sep. 24, 2016 06:45 PM EDT Reads: 1,483
If you’re responsible for an application that depends on the data or functionality of various IoT endpoints – either sensors or devices – your brand reputation depends on the security, reliability, and compliance of its many integrated parts. If your application fails to deliver the expected business results, your customers and partners won't care if that failure stems from the code you developed or from a component that you integrated. What can you do to ensure that the endpoints work as expect...
Sep. 24, 2016 04:30 PM EDT Reads: 1,512