FCW : January 2015
SUBRA KUMARASWAMY is chief security architect at Apigee.

Commentary | SUBRA KUMARASWAMY

Many successful application programming interface initiatives start with the goal of unlocking data that is protected by traditional Web or perimeter-based access controls. Although those back-end applications were designed to address a business problem, over the years they have become monolithic, complex and unmanageable. The majority were designed in two- or three-tier models for the Web.

A typical three-tier application uses a tightly coupled component architecture that involves the database, back-end application, user agent and users, and it relies heavily on business logic to protect the data delivered to end users. In that pre-API world, any change to the business logic necessitated rigorous and laborious quality and change control. Hence, delivery of applications and services took months or years.

Furthermore, data security in the pre-API world was enforced by coarse and siloed access controls that used an application facade to manage identities and permissions, and in some cases, they were isolated by network-level access controls such as virtual private networks.

One of the major shortcomings of tightly coupled architecture is that it doesn’t easily support emerging channels such as mobile platforms or the Internet of Things — not to mention the cost of security changes and threat models that must be vetted before being released to customers.

An API-first strategy, in contrast, allows data and application owners to provide consistent, secure access to data, independent of the digital channels through which the users’ interactions take place. A successful API strategy for government organizations would allow developers to be more agile within their trust boundaries and collaborate with partners.

So how can federal IT professionals help their agencies deliver APIs that are secure and flexible?
A successful API strategy should:

• Protect data delivered via API from end to end, starting with the user and ending at the application.

• Enforce consistent security policies irrespective of the channel by which the user interacts with the back-end application.

• Not make any assumptions about data protection controls that might or might not be incorporated in the digital supply chain. For example, instead of relying on app developers’ security features, API services must secure the data using appropriate authentication and authorization mechanisms.

• Incorporate a security model that supports fine granular access control and allows apps to create, read, update and delete at the data-cell level with appropriate authorization privileges. That enables developers to innovate based on user experience without being constrained by rigid data access scopes.

• Use version management to oversee the life cycle of security models. For example, a new authentication scheme could be associated with a new version of an API while maintaining compatibility with the existing API.

• Log every API interaction with user identities to facilitate robust auditing and investigations.

• Use industry-standard authentication and authorization protocols such as OpenID, OpenID Connect and OAuth to deliver consistent access control.

• Create consistency and hide complexity of security by embedding policies into every API interaction. An API gateway will provide this capability out of the box.

In short, a successful API strategy demands that IT professionals understand user interactions across digital channels. A secure API strategy will provide seamless protection without adding security controls that might interfere with the user experience and service availability.
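As an added example (not from the column, and not Apigee code), the following sketches the policy layer an API gateway applies to every call in line with the points above: an authentication scheme bound to the API version (an API key for v1, an OAuth-style bearer token introduced with v2, with both versions still served), authorization per CRUD operation at the data-cell level, and an audit entry carrying the user identity for every interaction. The credential store, grants and paths are constructed placeholders.

```python
# Constructed gateway policy layer: version-bound authentication, data-cell
# authorization and per-interaction audit logging. Placeholder data throughout.
from typing import Optional

# Constructed credential store: credential -> (user, grants). A grant maps a
# data cell (resource, field) to the CRUD operations the user may perform on it.
CREDENTIALS = {
    "key-alice":  ("alice", {("records", "salary"): {"read"}}),
    "bearer-bob": ("bob",   {("records", "salary"): {"read", "update"},
                             ("records", "ssn"):    {"read"}}),
}

METHOD_TO_OP = {"POST": "create", "GET": "read", "PUT": "update", "DELETE": "delete"}

AUDIT_LOG = []  # one record per API interaction, always with an identity field


def authenticate(version: str, headers: dict) -> Optional[tuple]:
    """Authentication scheme chosen by API version: v1 keeps its API-key
    header, v2 uses a bearer token. Unknown versions authenticate nobody."""
    if version == "v1":
        cred = headers.get("X-API-Key")
    elif version == "v2":
        auth = headers.get("Authorization", "")
        cred = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    else:
        cred = None
    return CREDENTIALS.get(cred) if cred else None


def gateway(method: str, path: str, headers: dict) -> int:
    """Apply the policy to one request and return the HTTP status it receives.
    path has the form /<version>/<resource>/<field>, naming one data cell."""
    version, resource, field = path.strip("/").split("/")
    op = METHOD_TO_OP[method]
    identity = authenticate(version, headers)
    if identity is None:
        status = 401  # no valid credential for this version's scheme
    elif op in identity[1].get((resource, field), set()):
        status = 200  # grant covers this cell and this operation
    else:
        status = 403  # authenticated, but not authorized for the cell/operation
    AUDIT_LOG.append({"user": identity[0] if identity else "anonymous",
                      "version": version, "op": op,
                      "cell": f"{resource}.{field}", "status": status})
    return status
```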
How to launch a successful API initiative

IT professionals can create security and access models that transform APIs from unwieldy legacy apps to self-defending services