I have been working in the Application Programming Interface (API) management space for over twenty years. At the start of my journey we talked about services and then web services. These services were either XML-based or SOAP-based, and in the beginning were mainly for B2B interactions, or for internal applications calling other internal applications. As these services became more important and more open to third parties, security became key.
It’s All About the User
Things like XML encryption and signing morphed into WS-Security and all the standards that came with it. But these interactions were rarely about the user; it was the application being approved to call the service. With the mobile explosion, services became more user-based, and REST overtook web services as the de facto standard for phone-based applications making calls to our resources. With this change, the application was no longer the only thing that needed to be authenticated: the user needed to be identified as well. Standards such as OAuth and OpenID Connect came to our rescue.
This was great: a user (or resource owner) could grant the application permission to make REST calls on their behalf. But not all API calls are the same. Some require the user to be authenticated with stronger techniques, and the risk associated with each API call needs to be interpreted. Do we really want the same security level for an API call that gets our bank balance as for the API call that transfers funds to a third-party account?
One of the projects we are working on right now at Broadcom, is to integrate our Symantec VIP Authentication Services into Layer7 Management, including the OAuth Toolkit. This enables us to authenticate users using standards such as FIDO (Fast ID Online) and passwordless authentication. Think about the apps you use - Multi-Factor Authentication (MFA) should be a minimum for applications that share or use customer information.
By using the combined products, our solution can now authenticate a user using standard passwords along with more secure methods of authentication, such as a one-time password (OTP) or a device-based system like YubiKeys. This achieves the goal of authenticating users based on something they know and something they have, which should be part of any strong Identity and Access Management policy.
The other great advantage of a system that supports so many different authentication methods is that we can use advanced methods to re-authenticate users based on the risk associated with individual API calls. To go back to the banking example, a transfer of $50 may not need any authentication on top of the standard login. But for larger transactions we may wish to ask the user to re-authenticate using an OTP or FIDO-based method. Both the application's users and the service provider see the value and protection of making these calls with this so-called step-up authentication. These benefits are further enhanced when you combine this level of security with the session management capabilities of a web single sign-on solution, which can provide seamless access to multiple applications and services while also leveraging these risk services and step-up authentication when the user engages with more sensitive services or data.
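To make the risk-based step-up decision concrete, here is an added illustration in Python; it is not code from this post, from Layer7 or from Symantec VIP. It assumes an API gateway that can see, for each call, the endpoint and transfer amount plus the authentication methods recorded in the user's OpenID Connect session (the standard `amr` claim, with values such as "pwd", "otp" and "hwk"). The endpoint names, the $50 and $1000 thresholds and the assurance-level ordering are this example's own assumptions; the challenge it returns uses the `insufficient_user_authentication` error defined by RFC 9470 (OAuth 2.0 Step-up Authentication Challenge Protocol).

```python
"""Risk-based step-up authentication policy (added example, not product code)."""
from dataclasses import dataclass, field
from typing import List

# Assurance levels, lowest to highest. The ordering is an assumption
# chosen for this example: password only, password + OTP, password + FIDO key.
LEVEL_PASSWORD = 1   # something you know
LEVEL_OTP = 2        # plus a one-time password
LEVEL_FIDO = 3       # plus a FIDO / hardware key (something you have)

# OIDC 'amr' values mapped to the assurance level they contribute.
# "pwd", "otp" and "hwk" are standard amr values; "fido" is an assumed alias.
AMR_LEVELS = {"pwd": LEVEL_PASSWORD, "otp": LEVEL_OTP,
              "hwk": LEVEL_FIDO, "fido": LEVEL_FIDO}


@dataclass
class Session:
    """What the gateway knows about the caller's current login."""
    user: str
    amr: List[str] = field(default_factory=list)   # e.g. ["pwd", "otp"]

    def assurance_level(self) -> int:
        # Only methods actually present in the session count; an unknown
        # amr value contributes nothing rather than granting a level.
        return max((AMR_LEVELS.get(m, 0) for m in self.amr), default=0)


@dataclass
class Decision:
    allowed: bool
    required_level: int
    reason: str


def required_level(endpoint: str, amount: float = 0.0) -> int:
    """Assurance level an API call needs, based on the risk of the call.

    Thresholds are constructed for the example: a $50 transfer rides on the
    normal login, a larger one needs an OTP, a large one needs a FIDO key."""
    if endpoint == "/accounts/balance":
        return LEVEL_PASSWORD          # read-only, low risk
    if endpoint == "/transfers":
        if amount <= 50:
            return LEVEL_PASSWORD      # small transfer: standard login is enough
        if amount <= 1000:
            return LEVEL_OTP           # mid-size: ask for a one-time password
        return LEVEL_FIDO              # large: require a FIDO / hardware key
    return LEVEL_FIDO                  # unknown endpoint: fail closed


def evaluate(session: Session, endpoint: str, amount: float = 0.0) -> Decision:
    """Allow the call, or report that the user must step up first."""
    need = required_level(endpoint, amount)
    have = session.assurance_level()
    if have >= need:
        return Decision(True, need, "session assurance sufficient")
    return Decision(False, need, f"step-up required: level {have} < {need}")


def step_up_challenge(decision: Decision) -> dict:
    """Challenge the gateway returns instead of the resource when step-up is needed.

    The error code is the one RFC 9470 defines for this situation; the
    acr_values names ("otp", "fido") are this example's own labels."""
    acr = {LEVEL_OTP: "otp", LEVEL_FIDO: "fido"}.get(decision.required_level, "pwd")
    return {"status": 401,
            "error": "insufficient_user_authentication",
            "acr_values": acr,
            "error_description": decision.reason}


if __name__ == "__main__":
    # Constructed sessions: one password-only login, one that already did an OTP.
    pwd_only = Session("alice", ["pwd"])
    with_otp = Session("alice", ["pwd", "otp"])
    for sess, amount in [(pwd_only, 50), (pwd_only, 500), (with_otp, 500), (with_otp, 5000)]:
        d = evaluate(sess, "/transfers", amount)
        print(sess.amr, amount, "->", "allow" if d.allowed else step_up_challenge(d))
```

The key design point is that the decision is made per call, not per login: the same session can read a balance and make a $50 transfer freely, is challenged for an OTP on a $500 transfer, and is challenged again for a FIDO key on a $5000 one even after the OTP step-up. Failing closed on unknown endpoints and ignoring unrecognised `amr` values keeps a misconfiguration from silently lowering the bar.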
A Zero Trust Approach
The integration of Layer7 API Management and Symantec VIP Authentication Services provides a Zero Trust approach to protecting mobile-based applications and services, by positively identifying every user and device requesting access. The contextual risk services also minimize the friction to the end user by only prompting them for stronger authentication when it is really needed. And the API security ensures that all communications between the user’s device and the backend applications are protected.
In the future, Symantec, as a division of Broadcom, sees more and more applications and services enforcing security in this way. Today we expect banks and medical applications to enforce it this way, but as privacy laws and consent management become more prevalent in the industry, this will expand dramatically. In the following video you can see how the user flows look and how we have raised the security level of our API calls.