api security: does my business need oauth?

Copyright © 2001-2012 SOA Software, Inc. All Rights Reserved. All content subject to confidentiality agreement between SOA Software and Customer.


API Security

Does My Business Need OAuth?

A Look Ahead

Two significant forces are changing the face of business:

The Effect of Cloud

• Cloud has lowered the barrier for App developers and startups

• The number of mobile devices now exceeds the number of PCs

• The number of connected devices (Internet of Things) will exceed the number of mobile devices by 2020

Mobile Apps

• Apple Store has over 775,000 apps

• Google Play Store currently offers over 800,000 and is predicted to be the first store to reach the 1 million apps mark by June 2012

• BlackBerry 10 has 100,000 apps

• Windows Phone Store has 130,000 apps

• According to ABI Research, 56 billion apps will be downloaded in 2013

Why do I need an API?

• Accelerate adoption through new channels/devices to reach:
– Partners
– App Developers
– Employees (BYOD)

• Extend/embed your brand
• Create stickiness

Why do I need an API?

Platforms Support Innovation

Apps are Intermediaries

Platform Success

• Speed of App Development
– More Apps
– More iteration
– More collaboration

• Speed of App Adoption
– Simple Trust

Speedy App Development

• Decouple your business processes from the App development process.

• Do not bog things down with traditional security models
– Imagine just the legal agreements
– Storing user credentials is too daunting, both for App developers and App users

Speedy App Adoption

• Businesses contain sensitive information and enable sensitive transactions

• For high speed App adoption, Customers need to trust them

Platform Security

• You need a way to remove the friction that security introduces into the equation

• You need to allow Apps to participate in a secure relationship:
– Opt in ‘Just in Time’
– Without storing credentials
– With only the required permissions
– With the ability to Opt out

The Result

• App developers can build without friction
• Businesses don’t need to limit their ecosystem

It’s up to the customer

An OAuth Example

• A manufacturer, Trux, produces very advanced, highly automated equipment for trucking companies

An OAuth Example

• Trux collects a great deal of confidential information about each semi and its driver’s loads:
– Personal data
– Equipment data
– Satellite tracking data
– Service, mechanical information
– Load types, delivery info

An OAuth Example

• Trux would like to create an open platform for App development:
– Apps to be deployed on the semis
– Apps to be sold to the trucking companies
– Apps to be sold to the drivers

An OAuth Example

• For example, an App developer wants to build an App called SafeTrucking that helps the driver determine the risk of a route based on his:
– Load
– Crime stats
– Equipment
– Route

An OAuth Example

1. Driver downloads the SafeTrucking App and opens it

2. Driver is directed to Trux, which they trust, to log in with their credentials

3. They are presented with a screen asking if the SafeTrucking App can retrieve the required data from Trux

4. If confirmed, Trux issues a token to SafeTrucking that they can use to retrieve the data securely

5. The driver can view the permissions granted, opt-out, or increase the permission scope
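The five steps above, and the “Platform Security” requirements (opt in just in time, no stored credentials, only the required permissions, ability to opt out), as an added example that is not part of the SOA Software deck: a toy in-memory model of the Trux authorization server. The scope names, the app id/secret and the absence of real HTTP or persistent storage are assumptions for illustration only.

```python
import secrets, hashlib, hmac

class TruxAuthServer:
    """Toy OAuth 2.0-style authorization server for the SafeTrucking example (assumed names)."""
    RESOURCES = {"load", "equipment", "route"}   # constructed scope names the App may ask for

    def __init__(self):
        self.apps = {}     # client_id -> sha256(client_secret); the App's own credential
        self.codes = {}    # one-time authorization code -> (client_id, driver, scopes)
        self.tokens = {}   # opaque access token -> (client_id, driver, scopes)

    def register_app(self, client_id, client_secret):
        self.apps[client_id] = hashlib.sha256(client_secret.encode()).digest()

    def authorize(self, client_id, driver, requested, approved):
        # Steps 2-3: the driver logs in at Trux (never at the App) and confirms the request.
        if client_id not in self.apps or not approved:
            raise PermissionError("driver declined or unknown app")
        scopes = set(requested) & self.RESOURCES      # unknown scopes are silently dropped
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, driver, scopes)
        return code

    def exchange(self, client_id, client_secret, code):
        # Step 4: the App swaps the one-time code plus its own secret for a scoped token.
        entry = self.codes.pop(code, None)            # single use
        digest = hashlib.sha256(client_secret.encode()).digest()
        if (entry is None or entry[0] != client_id
                or not hmac.compare_digest(digest, self.apps.get(client_id, b""))):
            raise PermissionError("bad code or client credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = entry
        return token

    def fetch(self, token, resource):
        # Resource endpoint: only data inside the granted scope is released.
        entry = self.tokens.get(token)
        if entry is None or resource not in entry[2]:
            raise PermissionError(f"token not valid for {resource}")
        return {"driver": entry[1], "resource": resource}

    def grants(self, driver):
        # Step 5: the driver can see what each App is allowed to retrieve.
        return {cid: sorted(s) for cid, d, s in self.tokens.values() if d == driver}

    def revoke(self, driver, client_id):
        # Opt out: every token the App holds for this driver stops working at once.
        self.tokens = {t: e for t, e in self.tokens.items()
                       if not (e[0] == client_id and e[1] == driver)}

    def extend(self, driver, client_id, extra):
        # Increase the permission scope on the existing grant; the App gets no new secret.
        for t, (cid, d, s) in list(self.tokens.items()):
            if cid == client_id and d == driver:
                self.tokens[t] = (cid, d, s | (set(extra) & self.RESOURCES))
```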

Do you need an OAuth Server?

• Are you trying to create an open platform for App development?

If so, you need one

SOA Software’s OAuth Server

• Integration with most common enterprise identity systems including LDAP, AD, CA SiteMinder, Oracle Access Manager, IBM TAM, RSA ClearTrust and more

• Comprehensive support for the OpenID, OAuth 1.0a and OAuth 2.0 specifications along with a wide array of other authentication and authorization specifications

• Fully brandable
• Built-in grant management
• Integrated with our Developer Community and API Gateway for rapid deployment

Thanks…

Alistair Farquharson, CTO, SOA Software
[email protected]
@afarqu
@SOASoftwareInc