API – You Can’t Live Without It

The unprecedented explosion of modern technologies, combined with a burgeoning mobile space, has forced enterprises to rethink previously held beliefs about the static enterprise perimeter. Remember the olden days when you said your enterprise was completely self-contained in one data center, with your apps inside the firewall, and everyone was nearly as confident that it was as secure as Ft. Knox? With the explosion in mobile computing, the demand for cheap or “free” usage of resources, and the sharp reduction in cost with the cloud delivery model, it is expected (or rather demanded) that every enterprise expose its APIs not only from its own data center but from a cloud-based model as well. (NOTE: “The cloud” is used here in a loosely defined delivery-model sense, be it of the public, private, community or hybrid variety.)

Couple this inexorable progression toward a cloud-based model with the need for mobile enablement and Web 2.0 technologies, and you are forced to expose not only your SOAP APIs but also JSON, REST and other fast, quick-TTM (time to market) APIs that can be easily manipulated and consumed.

This brings an interesting issue to the forefront: you are forced to rethink your corporate security strategy. Many organizations (and the C-level executives I speak with on a regular basis) are scared to move their sensitive applications (and processes and data) to the cloud, mainly because of security. But that doesn’t stop them from exploring and moving some of their non-sensitive applications to the cloud to “test the waters”, so to speak. Once they see how easy and cheap it can be, they begin losing sleep thinking about all of the money they could save by moving everything to the “cloud”, given the constant pressure to plan and come in under budget.

It’s no wonder that API traffic has exploded over the past few years. According to a recent survey, about 60% of enterprise traffic is API based. According to Programmable Web, 75% of Twitter traffic is API based. Programmable Web also reports that there are at least 5000+ APIs (http://blog.programmableweb.com/2012/02/06/5000-apis-facebook-google-and-twitter-are-changing-the-web/) and the pace is growing. Programmable Web has a neat tool where you can search all the publicly available APIs (http://www.programmableweb.com/apis/directory). If you check it out you will immediately notice that most of the social APIs are REST/JSON based. There is obviously a good reason for that.

When it comes to APIs there are two distinct, broad categories: Social APIs and Enterprise APIs. The Social APIs are created by, and for, a society that is hungry for instant data updates. (Remember the AT&T 4G commercial “so 42 seconds ago”: http://www.youtube.com/watch?feature=player_embedded&v=bvVVQGgbKk0.) I miss the good old days when we found out what happened in the world by checking the CNN website once an hour or so.

In general, the social APIs tend to be fast, easy to implement and REST only, without any enterprise-class security, not monetized, and focused on publishing content.

You can’t afford to have your enterprise APIs published and consumed the same way. Your enterprise-class security needs to move with your application’s API wherever it goes and however it is accessed. And it is not a question of if, it is a question of when. The success of companies with APIs at the core of their business models has transformed the industry: look at Google, Twitter, Facebook, and other smaller players. According to Programmable Web, “The most popular API category from the last 1,000 APIs is government. In total, we list 231 government APIs and nearly half of them have been added in the last four months.” When the government adopts a technology standard, you know that there is no going back; it is here to stay forever.


Cloud Identity Buyer’s Guide

If you are adopting a cloud strategy and wondering, or confused, about how to manage your user/partner identities in the cloud, you might want to check out our recently published Cloud Identity Buyer’s Guide at http://lnkd.in/TQ_k3H

It covers cloud identity management architecture, standards, SSO, and related topics.


Federal Security Standards – Alphabet Soup Explored

I always feel that when a new Federal security standard is formed, they look at the leftover alphabet letters and include some of them out of pity. Otherwise it is hard to explain the reasoning behind so many Federal security standards and their long abbreviations. Mapping the alphabet soup of federal cloud security initiatives is a daunting task.

In this webinar, Tim Grance from NIST, Federal security expert Gunnar Peterson, and I join forces to decompose the funded programs and standards initiatives and recommend an adoption path for cloud security.

Tim begins with a grounding in NIST’s baseline cloud security architectures and guidelines. Our group discussion centers around timelines, real-world use cases, and applicable COTS (commercial off-the-shelf) technologies. Gunnar follows with insight into how these practices are incorporated into programs such as NSTIC, FedRAMP, FICAM, CyberScope, and DoD PKI. I then follow with the supplemental guidance covered by Intel’s solutions. Attendees of this webinar also received a copy of Gunnar Peterson’s Federal Cloud Security white paper.

If you are interested in getting a copy of that free report, or would like more details, either reach out to me or go to the Intel Government Solutions Resource Center.

Social SOA with API Gateway

In a recent conversation with a large customer of ours, some interesting facts came to light. This blog is a recapitulation of the insights I took from that discussion. I’ll not only tell you how this customer is using our solution, but also how it is helping them take their online presence to the proverbial next level.

Our customer, an online university, is using our solution as middleware, providing both security and data mediation functions, to push SOAP and REST API transactions through to the backend. They are processing about 18 million messages per day. Now think about that for a second; the number in itself is staggering. While most educational institutions use freeware middleware solutions, being part of an ultra cost-conscious milieu, this university decided to use our solution to bring its presence to a whole new level, while still doing so in a completely cost-effective fashion.

We also helped the university integrate with a home-grown single sign-on solution fairly easily, so they would not be forced to “rip and replace” all of their technology, unlike some of the implementation plans that would be thrust upon them by some of our competitors. We integrate with identity management systems, as well as solutions that address governance, various registries, and an array of monitoring solutions. For us, it’s never about pushing an entire stack onto a customer. Instead, we feel customers should have the latitude to choose a technology from a range of available options, consistent with a “best of breed” approach.

Though it initially started off as more of an academic security experiment for the university, our solution has been embraced much more widely there and has grown into a deployment that encompasses SSL offloading, XSLT transformation, service aggregation, and service mediation. In addition, our solution is being used to abstract the authentication layer and communicate with a custom authentication service. We provide the backbone of their social SOA.


Our SaaS CloudSSO – Sassy

Essentially, that is what it is: Sassy! Recently we announced our Force.com-based Cloud SSO solution. What is unique about it is that we are the first (and as of now the ONLY) solution that allows Force.com user identities to be federated not only across Force.com applications, but across other cloud providers as well.

We provide identity for the cloud, in the cloud. Now that is different, isn’t it?

I know, I know… there are about half a dozen vendors that claim to provide a Cloud SSO solution. So why are we different from, or better than, the others?

We provide a fusion that brings together the best of McAfee and Intel: years of advanced security research and the multi-tenant cloud security suite from McAfee, coupled with Intel’s identity offering, which includes SSO, hardened provisioning/de-provisioning and an escalated (OTP) authentication solution. Even more important, and a big cost saver, is the provisioning and de-provisioning of accounts across many applications, automated seamlessly behind the scenes. This gives you the comfort and confidence that accounts are consistently and securely managed during the build-up and teardown tasks for each user.

Everyone knows that salesforce.com is all about the cloud and SaaS, right? But once you set up your users and identities in the Force.com platform, they can only be used there. If you need to set up another SaaS application, your administrator needs to set up the user base all over again. Even though there are tools available to make this process easier, it is still a chore. Imagine if you had the power to set up the identities and policies once and run them forever. If your users have to remember only ONE password, then you can enforce very strong passwords. This would not only reduce the security risk (imagine a SaaS application protected by a weak password… what could be more dangerous than that?) but could also eliminate a lot of help desk password reset calls from frustrated users.

One pivotal and often unspoken benefit is the increase in productivity when a user can seamlessly navigate between applications.


Are you API Shy?

Check out my API webinar with Chenxi Wang of Forrester Research on best practices for protecting your Cloud API:

Meet the Cloud API – The New Enterprise Control Point

RSA 2012 Interview with Andy Thurai, Chief Architect of Intel’s Application Security Identity Products Group

Watch this interview between Tom Field and me about API management and its attendant issues, including security, management, auditing, metering, monitoring and monetization.

We talked about Social APIs vs. Enterprise APIs, as well as how Intel is providing mobile enablement. It was a good conversation about a platform that is technology-, security- and identity-agnostic, so that when messages are sent to a hosted app or a partner’s app, one has the appropriate mechanism to consume those messages coming in from mobile devices. Also hear about Intel’s latest announcement made at RSA, about Cloud SSO; visit http://www.intelcloudsso.com for more information.