API World 2018

Due to the advent of mobile and cloud technologies, customers and remote workforce are accessing applications across the perimeter of the enterprise. This is stretching the conventional perimeter security with additional attack vectors. Once firewall is breached, the attacker may acquire unlimited access. To deal with the new paradigm, Google implemented a new enterprise security model called BeyondCorp. The central tenets of BeyondCorp are: 1) Entitlements of a service are granted based on the identity of the user and device. 2) Internet and intranet are equally untrusted networks. 3) Access to services must be encrypted. API gateways currently use OAuth2 to validate clients’ entitlement. Using BeyondCorp model, API security is extended to the tuple of user, device and roles. This talk covers how to implement high performance BeyondCorp model in API gateway. It will also discusses required backend components such as; authentication including single sign on (SSO), device inventory, RBAC/ ABAC service, audit and alert services. RBAC and ABAC matrix can be complicated when a large number of APIs, users and devices are considered. This talk provides guidance on how to make it easy for administrators to create this matrix. Finally, it discusses a plan for gradual migration to BeyondCorp