wso2con eu 2015: securing, monitoring and monetizing apis
TRANSCRIPT
Securing, Monitoring and Monetizing APIs
Nuwan Dias Technical Lead
WSO2
What is a Managed API?
● Advertising APIs
● Controlled Subscriptions
● SLAs
● Securing
● Statistics and Monitoring
● Monetization
API Security
● Identity Delegation
API Security
OAuth 2.0
● Has become the de-facto standard for API Security
● Succeeds OAuth 1.0 and OAuth WRAP
● Primarily operates on an Access Token
● Introduces Grant Types and Token Types
● Common Terminology Used
○ User
○ Client
○ Resource Server
○ Authorization Server
Using Access Tokens
OAuth 2.0 Grant Types
● A grant type defines how a client obtains an access token
● The OAuth 2.0 specification defines 4 major grant types
○ Authorization Code
○ Implicit
○ Resource Owner Password Credentials
○ Client Credentials
● Other popular grant types
○ JWT-Bearer
○ SAML 2.0 Bearer Assertion
● The WSO2 API Management and Identity Platforms support almost all of these grant types out of the box and provide the ability to extend them and introduce custom grant types as well!
Fine Grained Authorization through OAuth Scopes
● A scope defines a particular action performed on a Resource.
● A scope can be restricted to a particular user role
Fine Grained Authorization through OAuth Scopes
● Protecting a Resource through a Scope
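The two slides above describe scopes as actions on a resource that can be tied to user roles. The following is an added example, not code from the talk or from WSO2's products, showing both halves of that model: the authorization server narrowing requested scopes by the user's roles when it issues a token, and the resource server checking the scope required by each resource before serving a request. Resource paths, scope names, roles and token values are all constructed for the illustration, and the in-memory TOKEN_STORE stands in for token introspection.

```python
# Added example (not from the WSO2 talk or its products): enforcing OAuth 2.0 scopes
# on a resource server. Resource paths, scope names, roles and tokens are constructed.
from dataclasses import dataclass

# Each (HTTP method, resource path) maps to the scope it requires.
RESOURCE_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("DELETE", "/orders"): "orders:admin",
}

# Scopes restricted to particular user roles; a scope absent here is open to any user.
SCOPE_ROLES = {
    "orders:write": {"clerk", "admin"},
    "orders:admin": {"admin"},
}


@dataclass
class TokenRequest:
    subject: str
    roles: set
    requested_scopes: set


def grant_scopes(request: TokenRequest) -> set:
    """Authorization-server side: keep only the requested scopes the user's roles permit."""
    granted = set()
    for scope in request.requested_scopes:
        allowed_roles = SCOPE_ROLES.get(scope)
        if allowed_roles is None or request.roles & allowed_roles:
            granted.add(scope)
    return granted


# Opaque token value -> (subject, granted scopes); stands in for token introspection.
TOKEN_STORE = {}


def issue_token(token_value: str, subject: str, roles, requested_scopes) -> set:
    """Issue an opaque token carrying only the scopes the user is entitled to."""
    granted = grant_scopes(TokenRequest(subject, set(roles), set(requested_scopes)))
    TOKEN_STORE[token_value] = (subject, granted)
    return granted


def authorize(token_value: str, method: str, path: str):
    """Resource-server side: returns (HTTP status, subject or error code)."""
    entry = TOKEN_STORE.get(token_value)
    if entry is None:
        return 401, "invalid_token"
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return 403, "no_scope_mapping"  # unmapped resources are denied, not exposed
    subject, scopes = entry
    if required not in scopes:
        return 403, "insufficient_scope"
    return 200, subject


if __name__ == "__main__":
    issue_token("tok-clerk", "alice", ["clerk"], ["orders:read", "orders:write", "orders:admin"])
    print(authorize("tok-clerk", "GET", "/orders"))     # (200, 'alice')
    print(authorize("tok-clerk", "DELETE", "/orders"))  # (403, 'insufficient_scope')
```

A clerk who asks for all three scopes receives only the two her role allows, so a later DELETE with that token fails with insufficient_scope regardless of what the client requested. Resources with no scope mapping are denied by default rather than served unprotected.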
Fine Grained Authorization through XACML
● XACML - eXtensible Access Control Markup Language
● WSO2 Identity Server’s support for XACML can be utilized as a means of protecting Resources at a finer grained level
Authorization through Identity Federation
● Perform Authentication through external IDPs
Integrating with an external OAuth Server
● The WSO2 API Management platform offers the capability of integrating with an external OAuth server and operating on access tokens/keys offered by the external server.
{JWT}
• JSON Web Token is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).
{
"alg": "RS256",
"typ": "JWT"
}
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), …
Advanced API Security by Prabath Siriwardena
Monitoring Your APIs
Monitoring and Statistics
Operational
• Scaling Up Systems
• Upgrading System Resources
Business
• For expanding your business and API Ecosystem
Operational Insights - Why they Matter
• Production Systems don’t just operate on a single VM
• Operational conditions change over time
• Performance Implications - How to find out Why?
• Avoid applying the wrong fix
Message Tracing using WSO2 DAS and CEP
• Find out what happened to your message
Using WSO2 CEP for Real Time Analytics
• Identify Access Patterns and propose new Business Models
• Threat Identification
• Trigger Alerts/Notifications on failures and risks.
• Performance monitoring of Servers
• Monitor Response Times
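The real-time analytics bullets above (alerts on failures and risks, server performance, response times) describe continuous evaluation over a stream of API events. The following is an added example, not from the talk and not WSO2 CEP code, of the kind of sliding-window rule such a system runs: per-API fault rate and average response time over a 60-second window, with an alert emitted once when a threshold is first crossed and re-armed when the window clears. The event tuples, thresholds and API names are constructed.

```python
# Added example (not from the talk, not WSO2 CEP): sliding-window alerting over
# API gateway events. Events are (timestamp_s, api, http_status, latency_ms).
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MIN_CALLS = 5              # do not alert on a handful of calls
FAULT_RATE_THRESHOLD = 0.4
LATENCY_THRESHOLD_MS = 800


class ApiMonitor:
    def __init__(self):
        self.windows = defaultdict(deque)  # api -> deque of (ts, status, latency_ms)
        self.active = defaultdict(set)     # api -> alert kinds currently raised

    def observe(self, ts, api, status, latency_ms):
        """Ingest one event and return any alerts that became active because of it."""
        window = self.windows[api]
        window.append((ts, status, latency_ms))
        while window and window[0][0] < ts - WINDOW_SECONDS:
            window.popleft()  # expire events older than the window
        return self._evaluate(api)

    def _evaluate(self, api):
        window = self.windows[api]
        current = {}
        if len(window) >= MIN_CALLS:
            faults = sum(1 for _, status, _ in window if status >= 500)
            fault_rate = faults / len(window)
            avg_latency = sum(lat for _, _, lat in window) / len(window)
            if fault_rate >= FAULT_RATE_THRESHOLD:
                current["fault_rate"] = round(fault_rate, 2)
            if avg_latency >= LATENCY_THRESHOLD_MS:
                current["slow_response"] = round(avg_latency)
        # Emit only on transition from "not alerting" to "alerting" for each kind.
        new_alerts = [(kind, api, value) for kind, value in current.items()
                      if kind not in self.active[api]]
        self.active[api] = set(current)
        return new_alerts


# Constructed sample stream: /orders starts faulting, /products is slow, then /orders recovers.
SAMPLE_EVENTS = [
    (0, "/orders", 200, 120), (1, "/orders", 200, 110), (2, "/orders", 500, 95),
    (3, "/orders", 500, 90), (4, "/orders", 500, 100), (5, "/orders", 200, 130),
    (0, "/products", 200, 950), (1, "/products", 200, 900), (2, "/products", 200, 870),
    (3, "/products", 200, 910), (4, "/products", 200, 920),
    (100, "/orders", 200, 100),  # outside the window: earlier faults have expired
]


def run(events):
    """Feed events through the monitor and collect (ts, kind, api, value) alerts."""
    monitor = ApiMonitor()
    fired = []
    for event in events:
        for alert in monitor.observe(*event):
            fired.append((event[0],) + alert)
    return fired


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

With the sample stream, the fault-rate alert for /orders fires at t=4 (3 of 5 calls failed) and is not repeated at t=5 while the condition persists; the slow-response alert for /products fires once the window holds five calls; the event at t=100 finds an empty window and clears the /orders alert state, so a later fault burst would alert again.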
Parties Involved in an API Eco System
Interests of Parties in the API Eco System
Business Owners
• Goals - Increase Sales, Retain Existing Customers, New Business Strategies
• Needs - Commonly Moving Items, Customer Trends, Possible Store Locations
API Creators
• Goals - Design Better APIs, Increase API Usage
• Needs - Call Frequency, Response Times, Access Patterns
Application Developers
• Goals - More App Downloads, Better User Experience, Higher Availability
• Needs - Call Count, Device Types, Access Locations
The Analytics platform should cater to needs of all interested parties!
Batch Analytics using WSO2 DAS
Some stats offered by default
General API/Resource Usage
API Response Times
API Usage by User
API Usage by Application(s)
Top Users per Application
Faults by API
Stats based on API endpoint
……
Integration with Google Analytics
Identify Geographical Usage
Integration with Google Analytics
Identify Usage by Device
Benefits of Stats offered by Google Analytics
• Application Developers
• Find out on which platforms APIs are used most - improve the UX on those platforms
• Identify languages to be supported based on geographical usage
• API Developers
• Prioritise development/testing for platforms on which the API is used most
• Determine languages to be supported by the API.
• Business Owners
• Determine where best to open up a new Store
• Introduce regional varieties.
API Monetization
• The relevance of APIs today is expanding beyond the IT department. Why?
• Consumer demand for seamless experience is driving the need for unprecedented integration.
• Only a few direct Monetization strategies actually work. Ex: Amazon.
• Enterprises today are “Data Rich”. APIs can help unleash the power of enterprise data in support of a digital strategy.
• The inability to monetize APIs directly is not necessarily a lack of revenue opportunity.
Exposing Data as APIs
• WSO2 offers the perfect platform for aggregating, organising and exposing your enterprise data for consumption by third parties.
Thank You