apidays London 2023 - APIs for Smarter Platforms and Business Processes
September 13 & 14, 2023
API Programs - Security by Design, Privacy by Default
Frederick Purcell, Software solution owner at eXate
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
apidays London 2023 - API Programs - Security by Design, Privacy by Default, Frederick Purcell, eXate
1. API PROGRAMS -
SECURITY BY DEFAULT,
PRIVACY BY DESIGN
w w w . e x a t e . c o m | i n f o @ e x a t e . c o m
2. API Programs –
Security by Design,
Privacy by Default DR. FRED PURCELL
LEAD SOLUTION
ACHITECT
3. THE EVOLUTION OF ACCESS MANAGEMENT
Privacy by default and security by design
Username and
Password
Single Sign On
(SSO)
+
RBA
C
Central IAM
+
RBAC
Central IAM
+
RBA
C
+
Security
(MFA)
The Opportunity
Central IAM
+
RBA
C
+
Security
+
Weaknesses Nirvana
• Operationally challenging
• Fragmented
• Single username and password
• Limited to a single identity provider
• Security concerns become
apparent
• Privacy concerns become apparent • Automation of privacy by default and
security by design
Where we are today
Where we are going
4. The Growing Complexity
80% of large organisations estimate
they have up to 25,000 distributed
applications, databases, and
services that ingest or distribute
data in their portfolio
The Great Digital Shift Manually Unachievable
CHALLENGES IMPLEMENTING PRIVACY
In 2023, API abuse became the
most-frequent attack vector
(Gartner)
of organisations
had a security
incident involving
APIs
91%
1 Developer
1 Day
25k services
113 Years
$100m+
5. Internal Policies Third Parties Data Regulation Audit Test Data
DEV
TEST
UAT
PROD
1
Capture the
Policies
2
Automatically
classify data
SOLUTION: THE EXATE DATA PROTECTION PLATFORM
Semi-structured Data
{ “JSON”, “XML” }
Target common data distribution and data ingestion points for a faster and low-cost implementation to centralise entitlements
3
Automatically
protect the
data
Data in Motion Data at Rest
Aggregation of Privacy Enhancing
Techniques to optimise Data Privacy
Aggregation of Privacy Enhancing
Techniques to optimise Data Privacy
Database
Schemas
6. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN
Database
Schemas
Regulatory
Policies
Semi-structured Data
{ “JSON”, “XML” }
Gateways / Service Mesh
Event streaming
IPaaS
Databases
Data Virtualisation
Data Science
Data protection and Dynamic ABAC enforcement at common
data distribution and data ingestion points
Data in Motion
Data at Rest
Enforce
Enforce
LEARN
AND
ADAPT
Central
entitlement
Monitoring +
operational
7. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN
Event streaming
Gateways / Service Mesh
IPaaS
Data protection and Dynamic ABAC enforcement at common
data distribution and data ingestion points
Data in Motion
Data at Rest
Enforce
Enforce
LEARN
AND
ADAPT
Central
entitlement
11. API Consumer
API Producer
API Gateway
Data Governance & Compliance
Data Governance & Compliance
WHAT IF YOUR PATTERN CAN SOLVE THIS IN YOUR
GATEWAY?
12. US Partners SaaS Products
UK Customers Cloud Services
Accounts Customer Order Balance
API Gateway
Data Governance & Compliance
Data Governance & Compliance
SET THE PATTERN, SIMPLIFY, RE-USE
13. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN
Database
Schemas
Regulatory
Policies
Semi-structured Data
{ “JSON”, “XML” }
Gateways / Service Mesh
Event streaming
IPaaS
Databases
Data Virtualisation
Data Science
Data protection and Dynamic ABAC enforcement at common
data distribution and data ingestion points
Data in Motion
Data at Rest
Enforce
Enforce
LEARN
AND
ADAPT
Central
entitlement
Monitoring +
operational
14. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN
Database
Schemas
Regulatory
Policies
Data protection and Dynamic ABAC enforcement at common
data distribution and data ingestion points
Data at Rest
Enforce
LEARN
AND
ADAPT
Central
entitlement
Gateways / Service Mesh
Event streaming
IPaaS
Data in Motion
Enforce
Monitoring +
operational
15. HOW TO ENFORCE?
We need different information to be
protected in different ways. This helps us to
keep our data safe while making the best
use of it.
Dynamic
masking
Static
masking
Anonymisation
Purpose of
Use
Pseudonymisation
Consent
driven
access
16. HOW TO ENFORCE?
Privacy vs. Utility
▪ Can we gain insight without breaking privacy?
Original Protected
fred.purcell@exate.com
Frederick
Purcell
37
£13.69
**********@exate.com
No Access
23rcqcgwaf3wtfxa3wr
30-40
£14.82
17. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN
Database
Schemas
Regulatory
Policies
Semi-structured Data
{ “JSON”, “XML” }
Gateways / Service Mesh
Event streaming
IPaaS
Databases
Data Virtualisation
Data Science
Data protection and Dynamic ABAC enforcement at common
data distribution and data ingestion points
Data in Motion
Data at Rest
Enforce
Enforce
LEARN
AND
ADAPT
Central
entitlement
Monitoring +
operational
18. IPaaS
Data Science
Data in Motion
Data at Rest
Enforce
Enforce Central
entitlement
Database Schemas Regulatory Policies
Semi-structured Data
{ “JSON”, “XML” }
LEARN
AND
ADAPT
Monitoring +
operational
19. MONITOR AND OPERATION
LEARN
The unknown:
• Risks and policies associated with each data attribute
• Jurisdiction and the context in which it is being used
How to solve it:
• Real-time data from enforcement stages need to work
alongside the core service to do the following:
Find and classify your data traffic
Analyse and learn about your data risks
Solve data risks automatically
Test continually for risks during the life cycle
20. AN EXTENSIBLE ACCESS CONTROL AND SECURITY PATTERN
Database
Schemas
Regulatory
Policies
Semi-structured Data
{ “JSON”, “XML” }
Gateways / Service Mesh
Event streaming
IPaaS
Databases
Data Virtualisation
Data Science
Data protection and Dynamic ABAC enforcement at common
data distribution and data ingestion points
Data in Motion
Data at Rest
Enforce
Enforce
LEARN
AND
ADAPT
Central
entitlement
Monitoring +
operational
21. WHAT PROBLEMS DOES THIS PATTERN SOLVE?
Audit of how data is
being used, by whom,
where, and why
Autodetect and protect sensitive data
Segregation of duties
when accessing data
Consistent security
and data protection
by jurisdiction
Enforcement of data
protection regulation
(such as client
consent, sharing with
3rd parties, right to
be forgotten, etc)
eXate aggregates multiple protection techniques to provide maximum flexibility
Chain testing
Production data in
non-production environments
22. DON’T BECOME A STATISTIC
EXATE YOUR DATA
w w w . e x a t e . c o m | i n f o @ e x a t e . c o m