|By Application Security||
|May 17, 2012 08:00 AM EDT||
Enterprises often frustrate developers. Why do Enterprises always seem so behind when it comes to the very latest technology? In particular, a trend we are seeing is the continued struggle to marry Enterprise authentication with the burgeoning world of REST APIs. Developers want to use REST, but Enterprises need enterprise grade API security.
We think this problem will only worsen as Enterprises continue their rapid adoption of APIs. It seems clear that SOAP, while capable of Enterprise grade authentication through X.509 and SAML, will be left behind as the “Skinny jeans Facebook generation” puts the final nail in SOAP’s coffin.
Among our own customers and the stories we’ve heard, Enterprises are left with a dilemma with four horns concerning the protection of REST APIs:
(a) Use mutual authentication with client-side SSL
(b) Use HTTP authentication (password or digest) with server-side SSL
(c) Use OAuth, either 3-legged or 2-legged
(d) Use a de-facto standard or “roll your own”
Each option has challenges and benefits. In particular, the challenges balance time to market and time to value (which I term developer friction), security, and manageability. The success of an API is directly related to it’s perceived ease of access and the amount of friction involved in using it. An Enterprise will get more value out of an API that is actually used versus one that lies dormant. At the same time, however, as APIs become a new tunnel into the Enterprise, security and manageability cannot be sacrificed for the sake of adoption.
Current Options and Challenges
Let’s consider the options and “score” each of them. In option (a), most developers would rather shoot themselves than deal with client-side X.509 certificates, especially after experiencing the apparent ease of use of OAuth as evidenced by SaaS providers such as Salesforce.com and social platforms such as Facebook and Twitter. To compound this, the issue of key rotation and certificate management is a weighty burden to deal with from an Enterprise perspective. Echoes are heard from the grave, “But this year, will be the year of PKI!” Now, the “Year of PKI” conjures up not a picture of a secure Enterprise, but an enterprise fraught with wasteland scenes of Armageddon.
SSL with Mutual Auth Score:
- Security: High
- Friction: Extremely High
- Management Burden: Extremely High
- Developer Attitude: I hate my life
- Result: A secure API that nobody uses has lowered value to the Enterprise
In option (b), HTTP Authentication with server-side SSL, we’ve overloaded an interactive web-authentication mechanism developed in 1996 and tried to marry it to the API economy of 2012.
Well, you say…. At least it is a standard – and we console ourselves by the fact that it is a protected channel. The issue here of course is the proliferation and management of passwords.
Security is reduced because we’ve coded in a username and password and we’re probably using the same username and password for multiple applications and not telling management about it. Security is low when the password is in the clear and somewhere around medium-low when digests are used, depending on your perspective on rainbow tables. Friction is high because eventually I’ll need to (or should) rotate that password if I have even a rudimentary password policy
HTTP Basic Auth with SSL Score:
- Security: Medium-Low
- Friction: High
- Management Burden: High
- Developer Attitude: Really? We’re doing this?
- Result: An API with a “hackish” authentication method and suspect security.
In option (c), OAuth, developers will cheer but problems remain. First and foremost, traditional 3-legged OAuth is an authorization protocol that puts permission control in the hands of a user, who ostensibly owns an asset they are expressing authorization for.
In the traditional Enterprise context, however, control should be given to administrators, not users. Most users don’t own Enterprise assets, the Enterprise owns their own assets. With X.509 certificate authentication models, administrators can revoke permissions easily by revoking a certification while OAuth delegates permissions to users. This is why OAuth works well for social websites – content is owned by users.
One solution to this is to use 2-legged OAuth or some organic variation such as xAuth, which is notionally similar to SAML in that it allows the exchange of a username/password for an access token. Note: If xAuth is still OAuth why is it called something different? Answer: It is different (?)
2-legged OAuth has advantages over the previous option in that it stops the proliferation of passwords, which is a good thing, but the failure of the OAuth 2.0 specification to carefully define what 2-legged OAuth entails is a bit worrisome for both security and interoperability.
Third, depending on the specific OAuth data flow, such as the authorization code flow, implicit grant flow, or client credential flow, these all have varying levels of security and friction associated with them. The most secure OAuth data flows involving a confidential client demand strong client authentication….. …with a public/private key pair (ssshhh!!).
Finally, as history has taught us, never place all your bets in the security of a protocol. Many of us were shocked at the late 2009 news of a critical man-in-the-middle attack on SSL. If we count the Netscape days to the time of the vulnerability, the protocol was battle tested in industry for 14 years before the vulnerability was found. Some would argue that OAuth just hasn’t been around the block long enough.
- Security: Medium (or Low, depending on your view of history)
- Friction: Medium-Low
- Management Burden: Medium
- Developer Attitude: I love my job, it’s like Facebook
- Result: An API that uses a rapidly emerging protocol and avoids the use of passwords with low developer friction
In option (d), roll your own, we’ve seen a number of solutions that involve API keys or shared secrets along with authenticators like HMAC-SHA1. Amazon web services (AWS) is a famous example of this approach, and many of our own customers have copied this approach as a best practice.
These solutions have the advantage over HTTP Basic Authentication in that they don’t shoe-horn themselves into an outdated standard designed for another purpose. The flip-side is that these aren’t official standards. The idea is to use an HTTP header to store the credentials in a bespoke way defined by the Enterprise. The security model here is essentially the same as username and password, except for the fact that we’re calling it an API key to make it sound like it’s not a password. Management burden is increased here because interoperability outside the organization is reduced.
“Roll Your Own” Score:
- Security: Medium-Low
- Friction: Medium
- Management Burden: Medium-High
- Developer Attitude: Eh, It’s not OAuth, but at least I don’t have to deal with X.509 certificates
- Result: A reasonable, albeit non-standard solution to API authentication. Friction is reduced but password or shared secret proliferation remains a problem
Appease your Developers
One approach to solving the API access mechanism dilemma is to reject the dilemma and have it all. This can be done with a front-end or security intermediary that, much like a diligent mediator can make both sides happy. In this model, a front-end proxy is used on top of existing APIs, essentially retrofitting them for OAuth without having to get into the ‘weeds’ of actually modifying enterprise APIs. Everything is done on the wire at network layer 4 and above.
To take one example, if you are an Enterprise with REST APIs that use mutual SSL authentication, you don’ t have to enforce this fact on your developers. Instead, have a gateway handle it for you. You can give your developers a choice – they can fall on the sword of X.509 if they’d like, or use OAuth.
Conceptually, it looks like this:
In the previous diagram the gateway handles the OAuth dance for incoming clients and maps the identity to a username from Active Directory. Then, the gateway initiates a mutual SSL connection to the Enterprise REST API and sends the username of the original requestor over this secure channel in an HTTP header. Simple.
Developers are happy because the Enterprise is now “living in the 21st century” and the enterprise application developers are happy because they don’t need to retrofit something that already works, and the security architects are happy because they can manage it all on a security gateway with a few clicks and drop downs. Party down!
A thumbnail screen shot is shown from the “AAA” Policy from Intel® Expressway Service Gateway:
While there are a few more settings required, particularly to enable the full OAuth dance, as well as exception handling, the screen shot shows that the main credential mapping can be done with selectors and not code. This helps bridge the gap between Enterprise Applications and new emerging standards. At Intel we think this gateway or proxy model is a superb answer for solving some of these real challenges. After all, Enterprises can’t wait for the standards to catch up with the new generation of developers.
Puppet Labs is pleased to share the findings from our 2015 State of DevOps Survey. We have deepened our understanding of how DevOps enables IT performance and organizational performance, based on responses from more than 20,000 technical professionals we’ve surveyed over the past four years. The 2015 State of DevOps Report reveals high-performing IT organizations deploy 30x more frequently with 200x shorter lead times. They have 60x fewer failures and recover 168x faster
Sep. 4, 2015 07:00 AM EDT Reads: 128
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Trel...
Sep. 4, 2015 07:00 AM EDT Reads: 296
Through WebRTC, audio and video communications are being embedded more easily than ever into applications, helping carriers, enterprises and independent software vendors deliver greater functionality to their end users. With today’s business world increasingly focused on outcomes, users’ growing calls for ease of use, and businesses craving smarter, tighter integration, what’s the next step in delivering a richer, more immersive experience? That richer, more fully integrated experience comes ab...
Sep. 4, 2015 06:00 AM EDT Reads: 750
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Sep. 4, 2015 06:00 AM EDT Reads: 504
WebRTC services have already permeated corporate communications in the form of videoconferencing solutions. However, WebRTC has the potential of going beyond and catalyzing a new class of services providing more than calls with capabilities such as mass-scale real-time media broadcasting, enriched and augmented video, person-to-machine and machine-to-machine communications. In his session at @ThingsExpo, Luis Lopez, CEO of Kurento, will introduce the technologies required for implementing thes...
Sep. 4, 2015 05:00 AM EDT Reads: 127
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the ...
Sep. 4, 2015 05:00 AM EDT Reads: 1,666
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding bu...
Sep. 4, 2015 04:30 AM EDT Reads: 1,705
ElasticBox, the agile application delivery manager, announced freely available public boxes for the DevOps community. ElasticBox works with enterprises to help them deploy any application to any cloud. Public boxes are curated reference boxes that represent some of the most popular applications and tools for orchestrating deployments at scale. Boxes are an adaptive way to represent reusable infrastructure as components of code. Boxes contain scripts, variables, and metadata to automate proces...
Sep. 4, 2015 02:15 AM EDT Reads: 130
In his session at @ThingsExpo, Lee Williams, a producer of the first smartphones and tablets, will talk about how he is now applying his experience in mobile technology to the design and development of the next generation of Environmental and Sustainability Services at ETwater. He will explain how M2M controllers work through wirelessly connected remote controls; and specifically delve into a retrofit option that reverse-engineers control codes of existing conventional controller systems so the...
Sep. 4, 2015 02:00 AM EDT Reads: 270
To support developers and operations professionals in their push to implement DevOps principles for their infrastructure environments, ProfitBricks, a provider of cloud infrastructure, is adding support for DevOps tools Ansible and Chef. Ansible is a platform for configuring and managing data center infrastructure that combines multi-node software deployment, ad hoc task execution, and configuration management, and is used by DevOps professionals as they use its playbooks functionality to autom...
Sep. 4, 2015 02:00 AM EDT Reads: 126
The 3rd International WebRTC Summit, to be held Nov. 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA, announces that its Call for Papers is now open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 15th International Cloud Expo, 6th International Big Data Expo, 3rd International DevOps Summit and 2nd Internet of @ThingsExpo. WebRTC (Web-based Real-Time Com...
Sep. 4, 2015 01:15 AM EDT Reads: 1,629
It’s been proven time and time again that in tech, diversity drives greater innovation, better team productivity and greater profits and market share. So what can we do in our DevOps teams to embrace diversity and help transform the culture of development and operations into a true “DevOps” team? In her session at DevOps Summit, Stefana Muller, Director, Product Management – Continuous Delivery at CA Technologies, answered that question citing examples, showing how to create opportunities for ...
Sep. 4, 2015 01:00 AM EDT Reads: 541
Puppet Labs has announced the next major update to its flagship product: Puppet Enterprise 2015.2. This release includes new features providing DevOps teams with clarity, simplicity and additional management capabilities, including an all-new user interface, an interactive graph for visualizing infrastructure code, a new unified agent and broader infrastructure support.
Sep. 4, 2015 12:45 AM EDT Reads: 587
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
Sep. 4, 2015 12:00 AM EDT Reads: 448
IBM’s Blue Box Cloud, powered by OpenStack, is now available in any of IBM’s globally integrated cloud data centers running SoftLayer infrastructure. Less than 90 days after its acquisition of Blue Box, IBM has integrated its Blue Box Cloud Dedicated private-cloud-as-a-service into its broader portfolio of OpenStack® based solutions. The announcement, made today at the OpenStack Silicon Valley event, further highlights IBM’s continued support to deliver OpenStack solutions across all cloud depl...
Sep. 4, 2015 12:00 AM EDT Reads: 315