![Page 1: WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b39dc8bb61ebee6a8b45c6/html5/thumbnails/1.jpg)
Securing, Monitoring and Monetizing APIs
Nuwan Dias, Technical Lead
WSO2
What is a Managed API?
● Advertising APIs
● Controlled Subscriptions
● SLAs
● Securing
● Statistics and Monitoring
● Monetization
API Security
● Identity Delegation
API Security
OAuth 2.0
● Has become the de-facto standard for API Security
● Evolved from OAuth 1.0 and OAuth WRAP
● Primarily operates on an Access Token
● Introduces Grant Types and Token Types
● Common Terminology Used
  ○ User
  ○ Client
  ○ Resource Server
  ○ Authorization Server
Using Access Tokens
OAuth 2.0 Grant Types
● A grant type defines how a client obtains an access token
● The OAuth 2.0 specification defines 4 major grant types
  ○ Authorization Code
  ○ Implicit
  ○ Resource Owner Password Credentials
  ○ Client Credentials
● Other popular grant types
  ○ JWT-Bearer
  ○ SAML 2.0 Bearer Assertion
● The WSO2 API Management and Identity Platforms support almost all of these grant types out of the box and provide the ability to extend and introduce custom grant types as well!
Fine Grained Authorization through OAuth Scopes
● A scope defines a particular action performed on a Resource.
● A scope can be restricted to a particular user role
Fine Grained Authorization through OAuth Scopes
● Protecting a Resource through a Scope
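A gateway-side enforcement of the two rules above (the token must carry the scope that protects the resource, and the scope is restricted to a user role), written as an added Go example rather than WSO2's own code; the resource paths, scope names and the scope-to-role policy are constructed for illustration.

```go
package main

import "strings"

// Resource is an API resource (verb + path) and the OAuth scope protecting it;
// an empty RequiredScope means any active token may call it.
type Resource struct{ Verb, Path, RequiredScope string }

// TokenInfo is what the gateway learns about an access token (e.g. from an
// introspection response): liveness, the scope string, and the user's roles.
type TokenInfo struct {
	Active bool
	Scope  string // space-separated, as OAuth 2.0 returns it
	Roles  []string
}

// scopeRoles binds each scope to the user roles allowed to hold it
// (constructed sample policy, not WSO2's own configuration format).
var scopeRoles = map[string][]string{
	"order:read":  {"customer", "admin"},
	"order:write": {"admin"},
}

func hasItem(items []string, want string) bool {
	for _, it := range items {
		if it == want {
			return true
		}
	}
	return false
}

// Authorize applies the two rules from the slides: the token must carry the
// resource's scope, and the caller must hold a role that scope is bound to.
func Authorize(r Resource, t TokenInfo) (bool, string) {
	if !t.Active {
		return false, "token inactive or expired"
	}
	if r.RequiredScope == "" {
		return true, "no scope required"
	}
	if !hasItem(strings.Fields(t.Scope), r.RequiredScope) {
		return false, "token lacks scope " + r.RequiredScope
	}
	for _, role := range t.Roles {
		if hasItem(scopeRoles[r.RequiredScope], role) {
			return true, "allowed"
		}
	}
	return false, "role not bound to scope " + r.RequiredScope
}
```

Checking the role binding again at enforcement time is defence in depth: a token that somehow carries a scope its user's role should never have been granted is still refused at the resource.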
Fine Grained Authorization through XACML
● XACML - eXtensible Access Control Markup Language
● WSO2 Identity Server’s support for XACML can be utilized as a means of protecting Resources at a finer-grained level
Authorization through Identity Federation
● Perform Authentication through external IDPs
Integrating with an external OAuth Server
● The WSO2 API Management platform offers the capability of integrating with an external OAuth server and operating on access tokens/keys offered by the external server.
{JWT}
• JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).
{
"alg": "RS256",
"typ": "JWT"
}
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), …
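The signing step shown above, carried through end to end as an added Go example (not code from the slides or from WSO2): it mints an RS256 JWT with the slide's header and claims, then performs the verification a resource server must do before trusting the claims. The key pair is generated in the caller; no real keys or tokens are assumed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
// SignRS256 builds header.payload.signature exactly as the slide shows:
// RSASHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), privateKey).
func SignRS256(claims map[string]interface{}, key *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims) // claims are plain JSON-safe values
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyRS256 is the resource server's side: it pins alg to RS256 (a forged
// header must not switch verification to "none" or an HMAC), checks the
// signature over the first two segments with the issuer's public key, then
// decodes the claims only after the signature has been accepted.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var claims map[string]interface{}
	hdrJSON, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("bad base64url segment")
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	return claims, json.Unmarshal(payload, &claims)
}
```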
Advanced API Security by Prabath Siriwardena
Monitoring Your APIs
Monitoring and Statistics
Operational
• Scaling Up Systems
• Upgrading System Resources
Business
• For expanding your business and API Ecosystem
Operational Insights - Why they Matter
• Production Systems don’t just operate on a single VM
• Operational conditions change over time
• Performance Implications - How to find out Why?
• Avoid applying the wrong fix
Message Tracing using WSO2 DAS and CEP
• Find out what happened to your message
Using WSO2 CEP for Real Time Analytics
• Identify Access Patterns and propose new Business Models
• Threat Identification
• Trigger Alerts/Notifications on failures and risks.
• Performance monitoring of Servers
• Monitor Response Times
Parties Involved in an API Ecosystem
Interests of Parties in the API Ecosystem
Business Owners
• Goals - Increase Sales, Retain Existing Customers, New Business Strategies
• Needs - Commonly Moving Items, Customer Trends, Possible Store Locations
API Creators
• Goals - Design Better APIs, Increase API Usage
• Needs - Call Frequency, Response Times, Access Patterns
Application Developers
• Goals - More App Downloads, Better User Experience, Higher Availability
• Needs - Call Count, Device Types, Access Locations
The Analytics platform should cater to needs of all interested parties!
Batch Analytics using WSO2 DAS
Some stats offered by default
General API/Resource Usage
API Response Times
API Usage by User
API Usage by Application(s)
Top Users per Application
Faults by API
Stats based on API endpoint
……
Integration with Google Analytics
Identify Geographical Usage
Integration with Google Analytics
Identify Usage by Device
Benefits of Stats offered by Google Analytics
• Application Developers
  ○ Find out on which platforms APIs are used most, and improve the UX on those platforms
  ○ Identify languages to be supported based on geographical usage
• API Developers
  ○ Prioritise development/testing for platforms on which the API is used most
  ○ Determine languages to be supported by the API
• Business Owners
  ○ Determine where best to open up a new store
  ○ Introduce regional varieties
API Monetization
• The relevance of APIs today is expanding beyond the IT department. Why?
• Consumer demand for seamless experience is driving the need for unprecedented integration.
• Only a few direct monetization strategies actually work (e.g. Amazon).
• Enterprises today are “Data Rich”. APIs can help unleash the power of enterprise data in support of a digital strategy.
• The inability to monetize APIs directly is not necessarily a lack of revenue opportunity.
Exposing Data as APIs
• WSO2 offers the perfect platform for aggregating, organising and exposing your enterprise data for consumption by third parties.
Thank You