API Days - API Security & the Audit Paradox by Chris Swan

Upload: cohesive-networks

Posted on 23-Jan-2017

TRANSCRIPT

Chris Swan, CTO, @cpswan

API Security

© 2015

Setting the scene

A little over a decade ago

But it all went horribly wrong

Mostly because of XML asymmetry of effort

[Diagram labels: XOR, Easy, Hard]

The audit paradox

Building in

CC photo by WorldSkills

What building in looks like

Bolting on

CC photo by arbyreed

What bolting on looks like

The shifting sands

Unified Threat Management

Firewall

NIDS/NIPS

AV

Anti Spam

VPN

DLP

Load Balancer

UTM

Application Delivery Controllers

Cache

TLS offload

Compression

WAF

Multiplexing

Load Balancer

ADC

Traffic Shaping

PaaS gives us the chance to ‘bolt in’

But Docker adoption shows a movement against opinionated platforms

If a security event happens and it isn’t monitored

SDN and NFV

Networks made from and configured by software

We can put a bunch of ‘network’ onto a VM

Firewall

VPN

Switch

Router

And add more functions into containers

Firewall

VPN

Switch

Router

Cache

TLS offload

WAF

Load Balancer

NIDS/NIPS

This could be thought of as an app centric perimeter

But it refactors very readily into microservices

Some challenges remain

ToDo: SecDevOps

APIs (to the network) are necessary but not sufficient: they need to be integrated into the overall system

Control metadata (and its mutability): must be visible and understandable

Security events need to be captured: then turned into something humans can action

Questions?