Security to Connect Back-end APIs with HTML5 Cross Platform Apps
Andy Thurai, CTO, Intel Big Data & Application Security Software
Twitter: @AndyThurai
Intel does software (or API) ????
• Intel is a top 10 largest software company in the world. (Forbes)
• Software represents nearly 15% (and growing) of Intel revenue.
• Intel software SVP Renee James is now President of the company.
• Intel acquisition strategy has been software focused:
  – McAfee (Security)
  – Mashery (API management, SaaS platform)
  – Sarvega (API Gateway)
  – Aepona (Telco / API monetization engine)
  – Wind River (embedded software for devices - IoT)
  – AppMobi (HTML5 dev tools company)
Converging Trends Driving the Mobile App Economy
“HTML5 usage and stability will appear first in mobile environments, and then on the desktop.” - Evolution of HTML5 Is Key to Adoption of Mobile BI Applications, Analyst
“HTML5 offers platform and cost advantages for both Enterprise and third-party developers.” - VisionMobile
“BaaS market is estimated to grow from $216.5 million in 2012 to $7.7 billion in 2017.” - MarketsandMarkets
“An API strategy is becoming a must… in terms of speed to market with new products, maximizing business development, and product development opportunities.” - USA Today
Intel Enabling the API Economy
• In APIs—we’re investing in an arsenal of API related assets to be a key player in the new API app economy.
  – 10 yr old mature Expressway gateway (Security, deep integration)
  – Mashery for API Mgt SaaS portal, part of Expressway API Manager SKU, & 300k dev community
  – Aepona for telco API integration & monetization
  – AppMobi cross platform push messaging, app promotion, in-app purchasing, integrated analytics
  – Intel Cloud Services platform is a cloud hosted BaaS API play
  – Intel Capital investment in FeedHenry, a BaaS player
  – Intel Intelligent Systems Framework for embedded APIs
Ultimate driver for Data Center, Enterprise Apps, Cloud & Client side platforms
Apps & APIs Turn the Enterprise Into a Platform
• Creates a virtuous spiral for the developers that build compelling apps and APIs
  – APIs extend the reach of apps as they become part of a distributed data network.
  – As more people & devices use the APIs, the app developer generates more data.
  – APIs can expose analytics which create feedback loops to optimize platform performance & user experience
• APIs & Mobile connections are the new client/servers
Figure: virtuous spiral across Devices, Cloud, and Services, APIs & Analytics (… and so on)
Intel is uniquely positioned with hardware,
Enterprises Have Unique Requirements for Mobile Enablement
Trying to get a mobile project going at your Enterprise? Does this look familiar?
• Disparate middleware and database technologies
• Disparate identity management silos
• Disparate programming languages
• Current architecture optimized for web browsers
• Vertical integration prohibits cloud outsourcing
• Inconsistent security model across domains
• PII/PCI compliance requirements?
On top of this you want:
• BYOD – Any device
• Native application features
• Low development & maintenance costs
• Fast time to market
• Robust security for Enterprise data
• Enable real-time BI streaming to device
Our mobile reality is fragmented – iPhone, Android, Windows, Blackberry.
How can Enterprises reduce cost drivers & speed revenue generating innovation from APIs to mobile?
Key Drivers
• Cost Reduction – Drives the demand for low cost solutions; cross-platform flexibility; new ways to get more from existing resources
• Time To Market – Launch new apps faster on more platforms compared to alternatives
• Operational Efficiency – Requires efficient practices; fungible resources; effort saving tools
• Security – Require compliance; desire customer trust and confidence; need to protect IP/Brand
• Reliability – Seeking trusted partners and advisors; reduced risk
• Incremental Revenue
Why Developers Favor HTML5 Clients for Development
HTML5 is advanced
• Proven web technologies with advanced features
• Intel takes HTML5 further with new APIs and Parallel JavaScript
HTML5 is open
• Built on open web technologies and W3C standards
• More than two million HTML5 developers worldwide
• Intel advances HTML5 via open source projects and the W3C
HTML5 is everywhere
• More than one billion mobile devices with HTML5 browsers in 2013
• 40% app developers use HTML5 today, another 40% plan to in the future
Closed, Stack Centric Solutions
• Custom Solutions / Vertical Integration
  – Vertical Integration – custom app suite on a single device like iPad
  – Server solutions may be custom proprietary appliances tuned to their own extensive software stack
  – High professional service & integration overhead + expense
Figure: Device → Native App → Back-End API → Custom Backend (IBM, SAP, etc.); Single Platform Deployment
Free Readily Available Client Tooling Tied to Enterprise Grade Middleware Lacking
Open End to End Approach
• HTML5 based Apps / Cross Platform
  – BYOD demands cross platform client solutions
  – Heterogeneous data connectors
  – Expressway securely exposes Enterprise data to mobile devices at scale, connected to Identity Mgt Systems
  – Efficient SaaS or Local API Sharing Portals to promote & manage APIs
  – HTML5 provides Enterprise with the most efficient, low-cost cross-platform solutions.
Figure: Multi-Device Cross-Platform App (Intel XDK) → Intel® Expressway → Existing Back-End API; API Portals
Traditional 3-Tier Server Side Architecture
Image borrowed from Software engineering for Software as a Service; Coursera course by Armando Fox, Dave Patterson
Figure: Load Balancers → Web servers (Presentation Tier) → App servers (Logic / application Tier) → Database Master and Database slaves 1..N (Persistence Tier)
3-Tier Shared Nothing Architecture
• Most common architecture, widely deployed
• Gold standard, developed as a result of the web revolution
• Problem: Designed primarily for HTML web browsers, not mobile apps
2-Tier, App-Optimized Architecture
Image borrowed from Software engineering for Software as a Service; Coursera course by Armando Fox, Dave Patterson
Figure: Browser → Web Application Firewall → Load Balancers → Web servers and Asset server (Delivery & Governance Tier) → App servers (Logic / application Tier) → Database Master and Database slaves 1..N (Persistence Tier); API Gateway / Mobile Middleware serving HTML5 & Native Apps
2-Tier API-optimized architecture using API Gateway design pattern
• Emerging standard for app enablement
• Pushes view/presentation to client side
• Delivery tier focuses on integration, mediation, and security instead
Retrofitting BaaS for Enterprise
Generic “Commodity” Mobile App Services from Cloud
• User Mgt (federation), commerce, social messaging, GEO location
• CMS & Data Storage
• Custom APIs, Data Query, REST façade
• Device SDKs, frameworks - e.g. PhoneGap
Enterprise BaaS Requirements
• API Management, Security & Integration
• Mash-up 3rd party BaaS or Provider APIs
• From single use APIs to packaged turn key enterprise delivery platforms designed around the business
Figure (Runtime & Design Time View): App Developer → Development Cycle → HTML5/Hybrid Apps and Native Apps; Request side / Execution side via Local or SaaS API Portal (API Promotion & Management), IT as a service (CSB), Private Cloud APIs, Public or BaaS APIs, Legacy & Identity; Hybrid Apps “Mash-ups”
Intel in HTML5 Apps
• App Dev Center
• App Framework (jqmobi)
• App Porter – iOS to HTML5
• AppMobi – SDK & 150K Community
• Intel XDK w/ Source Editing, Emulation/PhoneGap, Best-in-class Testing
• App Game Interface – Augment canvas obj
• Optimized libraries
• HTML5 and JavaScript code are wrapped in a container to run as a native app
• Ability to leverage Expressway’s WebSockets streaming, protocol translation, & Security that reduces MDM dependencies
Figure: Intel® XDK Client; SaaS Control Panel
“It's a very good tool” - Stephen Campbell, lead developer at Second Fiction Game Studio
Develop HTML5 Apps – App Dev Center
Intel® XDK on software.intel.com/html5
*Other brands and names are the property of their respective owners
Figure: Developer Apps deployed to Facebook*, Appup*, Chrome* WebApp, iOS*, Amazon*, Android*, Windows* 8, Nook*; Intel® API Manager Portal
HTML5 Client Development Workflow
Write once run everywhere – Make security architecture part of design
• CORS best practices, API key management security design decisions
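The CORS design decision named above, as an added example that is not from the original deck: the origin check a service gateway or back-end applies before it emits any CORS headers to an HTML5 client. The origin values, the function names corsHeadersFor and preflightAllowed, and the allowed method and header sets are this example's own constructed assumptions.

```javascript
// Added example: CORS policy helper for a back-end API called from an HTML5 app.
// Not from the original slides; origins, names and header set are constructed here.

// Exact-match allowlist of front-end origins (scheme + host + port),
// never a wildcard, pattern or substring check.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://m.example.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['Authorization', 'Content-Type'];

// Compute the CORS response headers for one request.
// Returns null when the origin is not allowlisted, so the caller sends no
// Access-Control-Allow-Origin header at all and the browser withholds the response.
function corsHeadersFor(origin, { withCredentials = true } = {}) {
  if (typeof origin !== 'string') return null;   // no Origin header: same-origin or non-browser client
  if (!ALLOWED_ORIGINS.has(origin)) return null;  // rejects near-misses such as https://app.example.com.evil.test

  const headers = {
    'Access-Control-Allow-Origin': origin,        // echo only a value that passed the allowlist, never '*'
    'Vary': 'Origin',                             // shared caches must key the response on the Origin header
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
    'Access-Control-Max-Age': '600',
  };
  if (withCredentials) {
    // Browsers reject '*' combined with credentials; an explicit allowlisted origin is required.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Decide whether a preflight (OPTIONS) request may proceed: origin, method and
// requested headers must all be on the allowlists.
function preflightAllowed(origin, requestedMethod, requestedHeaders = []) {
  if (corsHeadersFor(origin) === null) return false;
  if (typeof requestedMethod !== 'string' ||
      !ALLOWED_METHODS.includes(requestedMethod.toUpperCase())) return false;
  const allowed = ALLOWED_HEADERS.map((h) => h.toLowerCase());
  return requestedHeaders.every((h) => allowed.includes(String(h).toLowerCase()));
}
```

The two points worth carrying into a real gateway configuration are the exact-match allowlist (a reflected or prefix-matched Origin defeats the purpose of CORS) and the Vary: Origin header, without which a shared cache can serve one origin's permissive response to another.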
Security Usages - HTML5 API Key Security
Figure (HTML5 Application Deployment Model): HTML5/JavaScript app served from Web servers and Asset server (Delivery Tier); HTTP Request to Server
API Key Security Concern
• HTML5 apps are pushed to the client, including all API keys
• API Keys for cross-platform requests will be distributed to all clients
• Clients can view source to obtain API keys
• Solution #1: Obfuscate API key – may work for low value APIs
• Solution #2: Replace API key with function call to
Security Usages - HTML5 Security Architecture with a Service Gateway
Dynamic API Key – Increases Security
• API Key returned at runtime – JavaScript function makes HTTP(S) API call to service gateway
• User forced to strong authentication: Browser mutual SSL or challenge with username/password or OTP (One-time-password)
• Supports Enterprise authentication and authorization systems, such as Oracle, CA, IBM, LDAP/AD
• Minimal impact to existing API key lifecycle
Figure: HTML5 Application → Gateway_auth() → Service Gateway → Challenge → Enterprise Identity Management
Intel IT Use Case
• Real-time conference room availability
• Mashup of reservation system API and sensor information
• Upgrade to WebSocket to give real-time updates as rooms are occupied
• Streaming pattern applicable to real-time Big Data BI
Biotech Client to Mobile Middleware Use Case
Challenge: Translation of legacy data to APIs, securely exposing sensitive data never designed to leave the datacenter, infrastructure scalability and performance
Solution: Middle tier API proxy & portal for threat defense, IaaS cloud authentication/authorization, data translation and high performance RESTful APIs
Benefits:
• Scaled BYOD mobile app delivery to 10K users
• Ability to create new app mash-ups from multiple legacy systems
• Optimized server tier for dynamic content requests
• Connected client App Dev to server side API runtime
• Safely protect PII data in transit to/from mobile
Figure: 10K+ BYOD Client Access (Geo Distributed mobile Base) → Middle tier & API Management (Local API Portal, Client app Dev Tools, PII Compliance, Secure Delivery of Analytical Data) → Heterogeneous Back end Driven by M&A (Legacy Systems & Protocols)
Emerging Uses: Touchless API Security for Hadoop & PCI & PII Data Controls
Intel Compliance Platform
PCI, PII Data Anonymization
Intel® Expressway API Manager & Intel® XDK
Enterprise On-prem or Cloud
API Sharing with Integrated Run-time Enforcement & Mediation
Engaged Dev Communities - 130K HTML5 “AppMobi”