Who's on first for API security – User identity, Application Identity Or Device Identity? And how are they related?
What role do standards such as OAUTH/OIDC play today/should play in the future for API security? Could properly implemented API security have prevented some of the recent breaches? With the explosive number of applications (especially mobile) we use everyday, many such apps access services using APIs. Therefore, streamlining API security protection is a critical matter. Standards such as OAUTH/OIDC are a key component of an interesting new paradigm in API security.
In earlier implementations of API security, the "application's identity" was verified by the back-end service and used by that service to determine whether to process a request. The application would establish the identity of the user and device, using separate methods, and information about the user and devices they used typically stayed in the application tier. Now, taking advantage of the latest open protocols and security standards, organizations are leveraging application architectures that allow for the flow of "user, device & application identity" information to flow to back-end systems as part of the API requests that move up and down various layers of an organization's services.
It's important to make sure that the "user identity" assurance and verification services leveraged by API calls are the same identity and access management services and infrastructure that is used for verifying the user's identity when they access services using non-API based solutions, such as web-based apps. In other words, It makes sense to avoid creating yet another silo, specific to API-based identity verification. The importance of combining user and application identity became evident in light of recent breaches, where hackers took advantage of inadequate API security. In many cases, the machine to machine protection was in place, the underlying transport was secure, and the applications used unique identities for identity verification. However, lack of adequate user identity assurance on top of the machine identity/application layer, knowing the API URL and impersonating a registered application, enabled hackers to take control of the solutions. The talk will delve deeper into the role OIDC/OAUTH play in improving API security.
Currently, Lead Technologist @ RSA; Identity assurance strategy; co-founder & CEO of PassBan (acquired by RSA), a company focused on mobile identity assurance. Earlier, Kayvan led strategy @ LiteScape (as CTO and later as CEO), creating security & mobile identity solutions for VOIP based networks. He was co-founder & CTO at BeNotified, a cloud mobile communication service provider.
Prior to that, Kayvan co-founded AVIRNEX, a cloud-based enhanced fixed & mobile communication service provider. Earlier, he was a software developer at Microsoft and Siemens. With 25 years of experience, Kayvan serves as a board advisor to multiple technology companies. Kayvan holds a BS degree in EE.