
apidays
September 21, 2023

apidays London 2023 - API Programs - Security by Design, Privacy by Default, Frederick Purcell, eXate

apidays London 2023 - APIs for Smarter Platforms and Business Processes
September 13 & 14, 2023

API Programs - Security by Design, Privacy by Default
Frederick Purcell, Software solution owner at eXate

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/


Transcript

  1. API PROGRAMS - SECURITY BY DEFAULT, PRIVACY BY DESIGN
     www.exate.com | info@exate.com
  2. THE EVOLUTION OF ACCESS MANAGEMENT: Privacy by default and security by design
     Stages: Username and Password → Single Sign On (SSO) + RBAC → Central IAM + RBAC → Central IAM + RBAC + Security (MFA) → The Opportunity (Central IAM + RBAC + Security + …) → Nirvana
     Weaknesses: • Operationally challenging • Fragmented • Single username and password • Limited to a single identity provider • Security concerns become apparent • Privacy concerns become apparent
     Nirvana: • Automation of privacy by default and security by design
     Where we are today → Where we are going
  3. THE GROWING COMPLEXITY
     The Great Digital Shift: 80% of large organisations estimate they have up to 25,000 distributed applications, databases, and services that ingest or distribute data in their portfolio.
     Manually Unachievable: 1 developer, 1 day per service, 25k services = 113 years, $100m+
     CHALLENGES IMPLEMENTING PRIVACY: In 2023, API abuse became the most-frequent attack vector (Gartner); 91% of organisations had a security incident involving APIs.
  4. SOLUTION: THE EXATE DATA PROTECTION PLATFORM
     Inputs: Internal Policies, Third Parties, Data Regulation, Audit, Test Data
     Environments: DEV, TEST, UAT, PROD
     1 Capture the Policies
     2 Automatically classify data: Semi-structured Data { "JSON", "XML" }, Database Schemas
     3 Automatically protect the data: Data in Motion and Data at Rest, each through an aggregation of Privacy Enhancing Techniques to optimise Data Privacy
     Target common data distribution and data ingestion points for a faster and low-cost implementation to centralise entitlements.
  5. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN
     Inputs: Database Schemas, Regulatory Policies, Semi-structured Data { "JSON", "XML" }
     Central entitlement: Data protection and Dynamic ABAC enforcement at common data distribution and data ingestion points
     Enforce (Data in Motion): Gateways / Service Mesh, Event streaming, IPaaS
     Enforce (Data at Rest): Databases, Data Virtualisation, Data Science
     LEARN AND ADAPT: Monitoring + operational
  6. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN (build of slide 5, Data in Motion only)
     Central entitlement: Data protection and Dynamic ABAC enforcement at common data distribution and data ingestion points
     Enforce (Data in Motion): Event streaming, Gateways / Service Mesh, IPaaS
     Enforce (Data at Rest)
     LEARN AND ADAPT
  7. YOUR GATEWAY BECOMES POPULAR
     Consumers: US Partners, SaaS Products, UK Customers, Cloud Services
     API Gateway
     Producers: EU Accounts, Accounts, Customer, US Customer, Order, Balance, EU Customer, LUX Accounts
  8. WHAT IF YOUR PATTERN CAN SOLVE THIS IN YOUR GATEWAY?
     API Consumer → API Gateway (Data Governance & Compliance) → API Producer
  9. SET THE PATTERN, SIMPLIFY, RE-USE
     Consumers: US Partners, SaaS Products, UK Customers, Cloud Services
     API Gateway (Data Governance & Compliance)
     Producers: Accounts, Customer, Order, Balance
  10. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN (repeat of slide 5)
  11. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN (build of slide 5)
     Inputs: Database Schemas, Regulatory Policies
     Central entitlement: Data protection and Dynamic ABAC enforcement at common data distribution and data ingestion points
     Enforce (Data at Rest)
     Enforce (Data in Motion): Gateways / Service Mesh, Event streaming, IPaaS
     LEARN AND ADAPT: Monitoring + operational
  12. HOW TO ENFORCE?
     We need different information to be protected in different ways. This helps us to keep our data safe while making the best use of it.
     Techniques: Dynamic masking, Static masking, Anonymisation, Purpose of Use, Pseudonymisation, Consent driven access
  13. HOW TO ENFORCE? Privacy vs. Utility
     ▪ Can we gain insight without breaking privacy?
     Original: [email protected]; Frederick Purcell; 37; £13.69
     Protected: **********@exate.com; No Access; 23rcqcgwaf3wtfxa3wr; 30-40; £14.82
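The classify-then-protect flow the deck describes (slide 4's capture policies / classify data / protect data steps, and slides 12-13's masking, pseudonymisation, bucketing, purpose of use and consent-driven access), written out as an added Python example. This is constructed illustration, not eXate's code or the speaker's; the field names, the policy table, the data classes, the HMAC key and the "support"/"analytics" purposes are all assumptions for the demo, and the sample record is constructed rather than taken from the slide.

```python
"""Classify-then-protect at an API gateway: constructed example, not eXate's code."""
import base64
import hashlib
import hmac
import json
import re

# Constructed demo key. A real deployment keeps this in a KMS/HSM and rotates it.
PSEUDONYM_KEY = b"demo-only-key-not-for-production"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Step 1: captured policy. Technique per (data class, purpose of use);
# anything not listed falls back to deny. Assumed table for the demo.
POLICY = {
    "email":      {"support": "clear", "analytics": "mask"},
    "person":     {"support": "clear", "analytics": "deny"},
    "age":        {"support": "clear", "analytics": "bucket"},
    "money":      {"support": "clear", "analytics": "perturb"},
    "identifier": {"support": "clear", "analytics": "pseudonymise"},
    "public":     {"support": "clear", "analytics": "clear"},
}


def classify_field(name, value):
    """Step 2: assign a data class from the value shape first, then the field name."""
    lname = name.lower()
    if isinstance(value, str) and EMAIL_RE.match(value):
        return "email"
    if lname.endswith("_id"):
        return "identifier"
    if "name" in lname:
        return "person"
    if lname == "age" or lname.endswith("_age"):
        return "age"
    if lname in ("balance", "amount", "salary") or lname.endswith("_amount"):
        return "money"
    return "public"


def mask_email(value):
    """Dynamic masking: hide the local part, keep the domain (slide: **********@exate.com)."""
    local, _, domain = value.partition("@")
    return "*" * len(local) + "@" + domain


def pseudonymise(value):
    """Keyed, deterministic token: joins still work, reversal needs the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:19]


def bucket_age(age):
    """Generalisation: 37 -> '30-40', as on the slide."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 10}"


def perturb_amount(amount, field):
    """Keyed multiplicative noise within +/-10%; the same input always maps the same way."""
    seed = f"{field}:{amount}".encode()
    digest = hmac.new(PSEUDONYM_KEY, seed, hashlib.sha256).digest()
    factor = 0.9 + 0.2 * (digest[0] / 255)  # 0.90 .. 1.10
    return round(amount * factor, 2)


def protect_record(record, purpose, consented_purposes, requester):
    """Step 3: consent gates the whole record; the policy then protects field by field.

    Returns (protected_record_or_None, audit_event). The audit event records
    who asked, for what purpose, and which technique each field received.
    """
    audit = {"requester": requester, "purpose": purpose, "fields": {}}
    if purpose not in consented_purposes:
        audit["decision"] = "denied_no_consent"
        return None, audit
    protected = {}
    for field, value in record.items():
        data_class = classify_field(field, value)
        technique = POLICY.get(data_class, {}).get(purpose, "deny")
        if technique == "clear":
            protected[field] = value
        elif technique == "mask":
            protected[field] = mask_email(value)
        elif technique == "bucket":
            protected[field] = bucket_age(value)
        elif technique == "perturb":
            protected[field] = perturb_amount(value, field)
        elif technique == "pseudonymise":
            protected[field] = pseudonymise(str(value))
        else:
            protected[field] = "No Access"
        audit["fields"][field] = {"class": data_class, "technique": technique}
    audit["decision"] = "allowed"
    return protected, audit


# Constructed sample response body, modelled on the slide's Original column.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "frederick@example.com",
    "name": "Frederick Purcell",
    "age": 37,
    "balance": 13.69,
}

if __name__ == "__main__":
    for purpose in ("support", "analytics", "marketing"):
        body, event = protect_record(SAMPLE_RECORD, purpose, {"support", "analytics"}, "bi-service")
        print(json.dumps({"purpose": purpose, "body": body, "audit": event}, indent=2))
```

Two design points worth noticing. Consent is checked before any field is touched, so a purpose the data subject never agreed to returns nothing at all rather than a partially masked body; and the policy lookup defaults to deny, so a new data class or purpose that nobody has captured yet fails closed instead of leaking in the clear. The keyed perturbation and pseudonym functions are deterministic so that repeated calls and joins stay consistent; that is a utility choice, and it means a given input always yields the same output, so it is not a substitute for a formal anonymisation model where one is required.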
  14. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN (repeat of slide 5)
  15. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN (build of slide 5)
     Inputs: Database Schemas, Regulatory Policies, Semi-structured Data { "JSON", "XML" }
     Central entitlement
     Enforce (Data in Motion): IPaaS
     Enforce (Data at Rest): Data Science
     LEARN AND ADAPT: Monitoring + operational
  16. MONITOR AND OPERATION / LEARN
     The unknown:
     • Risks and policies associated with each data attribute
     • Jurisdiction and the context in which it is being used
     How to solve it:
     • Real-time data from enforcement stages needs to work alongside the core service to do the following:
       ▪ Find and classify your data traffic
       ▪ Analyse and learn about your data risks
       ▪ Solve data risks automatically
       ▪ Test continually for risks during the life cycle
  17. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN (repeat of slide 5)
  18. WHAT PROBLEMS DOES THIS PATTERN SOLVE?
     • Audit of how data is being used, by whom, where, and why
     • Autodetect and protect sensitive data
     • Segregation of duties when accessing data
     • Consistent security and data protection by jurisdiction
     • Enforcement of data protection regulation (such as client consent, sharing with 3rd parties, right to be forgotten, etc.)
     • eXate aggregates multiple protection techniques to provide maximum flexibility
     • Chain testing
     • Production data in non-production environments
  19. DON'T BECOME A STATISTIC: EXATE YOUR DATA
     www.exate.com | info@exate.com