Authentication and Authorization: Reducing The Risk While Still Enabling Collaboration

At the World Economic Forum held in Davos, Switzerland last January, Cisco CEO John Chambers warned, “The number of security incidents this year will be exponentially greater than last year.” If Mr. Chambers’ words did not raise a big red flag with all developers, then the events of the past few months should. Not only are such incidents more common, they are becoming more disruptive.

Attackers are more sophisticated and insidious, able to bypass traditional security measures and systems through the risk companies create for themselves by enabling employees, customers and partners to access applications and systems via an ever-growing ecosystem of powerful smartphones and other connected mobile devices. One of the most likely sources of such security breaches? Enabling mobile apps to access internal business APIs that may have been originally built only for legacy B2B applications.

So how can you walk the line between reducing risk in the face of an ever-present threat and still enabling open, simple collaboration between you, your partners and your customers?

The answer: an API gateway, which ties identities together with the context of the data being accessed.

For many companies, the API gateway works as a portal that enables integration of existing enterprise services with external infrastructures. In essence, the API becomes the primary channel for business transactions, and in most cases becomes the single device handling an enormous amount of communications and data exchange. Let's face it, though: you have to know with whom you do business, and the extent of information that you are willing to provide to your partners and customers. As you grow, so does the number of partners that transact with you, making your API gateway the most critical part of your enterprise infrastructure.

Effectiveness in doing business should not come at the cost of sacrificing simplicity. A flexible identity platform lets your corporation rapidly utilize a variety of identity tokens. It can also contain an embedded antivirus engine for scanning message payloads, and it can replace various specialized security tools such as Web and XML firewalls, intrusion detection systems or antimalware products.

Forum Sentry’s Authentication and Authorization technology, for example, supports a wide variety of standards, data formats and transport protocols, including current and legacy messaging protocols to support non-HTTP services.

Authorization capabilities include role-based, attribute-based, and content-based (payload):

  • Multi-Factor Authentication
  • Single Sign-On (SSO)
  • Role Based, Attribute Based, and Content Based Access Control

In today's world, it is becoming critical that you implement a hardened, integrated solution as part of your long-term API strategy.
