Secure what you put into the cloud, pt. 1

Multi-factor authentication is a popular option, especially with software tokens such as Verisign ID Protection (VIP). Many SaaS vendors also provide SAML-based integration with IAM platforms including CA SiteMinder, IBM Tivoli Access Manager, and Oracle Access Manager. And OAuth-based federation is quickly catching on for enterprise use.

At the very minimum, use your API micro-perimeter to protect the API keys used to authenticate applications calling SaaS APIs. Avoid the insecure and non-scalable practice of distributing keys that end up hard-coded into applications; instead, consider using a DMZ-based solution (commonly referred to as an API gateway or cloud service broker) to securely manage and store the API keys and to broker the authentication of on-premise applications to SaaS.

These technologies can also monitor data traffic going to the cloud in order to block, mask, or encrypt sensitive data.


Control access and implement SSO for cloud-based services

Today, organizations are leveraging the cloud in a number of ways: Business users are using applications in the cloud (Software-as-a-Service, or SaaS), IT departments are deploying applications hosted in the cloud (Infrastructure-as-a-Service, or IaaS), and developers are creating applications in the cloud (Platform-as-a-Service, or PaaS). In each scenario, the cloud-based application requires access to identity information. But where does, or should, that identity information come from?

Replicating identity and policy data (or worse, letting identity silos spiral out of control by manually creating separate user accounts or provisioning user identities into each service) doesn’t make sense. Instead, you should extend your existing enterprise identity and access management (IAM) platform — including authentication, authorization, create identity, lookup attribute, etc. — to cover cloud-based applications and services as well as your on-premise systems.

While all enterprise IAM platforms have some Web Services interfaces and Java APIs, few have REST APIs, and none have APIs that are accessible via the Internet. To get around these obstacles, look for a technology solution that can transform your legacy IAM interfaces into REST APIs on the wire, enabling “Identity-as-a-Service” using an API gateway. Then take it a step further by using a federation standard such as Security Assertion Markup Language (SAML) to enable SSO access to any combination of cloud-based services, traditional B2B services, and on-premise applications.

You will also need to construct a framework for identity management, including audit trails to ensure identities are not compromised, and monitoring that provides a real-time view of what’s going on. And don’t forget the regulations. Different jurisdictions have different rules governing data retention in the cloud, how and where information about your users can be stored, and the user notifications required regarding changes to personal information stored in the cloud. These regulations vary greatly from country to country and must be considered across the geographies in which your company is doing business.
