API Security in Action With the ForgeRock Identity Platform
To celebrate the launch of my book, API Security in Action, which was just published by Manning Publications, I’ve teamed up with my employer, ForgeRock, to demonstrate how some of the techniques in the book can be accomplished with less effort using the ForgeRock Identity Platform.
API Security in Action discusses five primary security mechanisms you can use to strengthen your application programming interfaces (APIs) against common threats:
- Encryption of data in transit and at rest ensures confidentiality and integrity.
- Rate-limiting reduces the damage of denial-of-service (DoS) attacks.
- Authentication checks users are who they say they are.
- Authorization ensures that users can’t do anything they aren’t allowed to do.
- Audit logging allows users to be held accountable for their actions.
In the book, you’ll learn in detail how to build these features into your APIs and really understand how they work and why you need them. ForgeRock’s comprehensive Identity Platform can get you up and running with all of these security controls in no time. Let’s take a closer look at a few examples.
API Protection at the Edge With Identity Gateway
One of the core security controls in API Security in Action is the use of rate-limiting to protect against distributed denial-of-service (DDoS) attacks. To get the most from this protection, you really want to push rate-limiting as far out to the edge of your network as possible to reject requests early before they consume significant resources. ForgeRock Identity Gateway (IG) provides a suite of functionality for protecting your APIs at the edge, including sophisticated rate-limiting and throttling filters.
However, IG can do much more than just rate-limiting, and is a veritable Swiss Army Knife of API security. The Cross-site request forgery (CSRF) protection discussed in Chapter 4 is built right into IG as a general-purpose filter. It can also handle sophisticated authentication and single-sign on flows, protecting APIs with JSON Web Tokens, OAuth2, and OpenID Connect. If that’s not enough, you can extend IG with scripts and Java plugins to implement almost any API security pattern described in the book.
Powerful Authorization Options
Perhaps the most important topic in the book is authorization: working out who is allowed to do what. You’ll learn about three important topics in depth in authorization:
- Identity-based authorization, including role-based access control (RBAC) and attribute-based access control (ABAC).
- Capability-based access control, which uses fine-grained tokens that act a bit like keys in the real world.
- Delegated authorization, using OAuth2, allowing a user to delegate some of their authority to a third-party application or service.
One of the strengths of the ForgeRock Identity Platform is its comprehensive support for authorization technologies, through the ForgeRock Access Management product (AM) and policy enforcement points, such as IG or our dedicated policy agents. AM’s powerful policy engine can be used to implement sophisticated access control decisions, fully integrated with it’s mind-blowing intelligent authentication.
As you might expect, AM also provides one of the most advanced OAuth2 authorization server implementations available today, with excellent support for the latest best practices. IG’s Resource Server Filter makes accepting access tokens at your APIs easy and secure, including support for advanced features like OAuth mutual TLS discussed in Chapter 11. The latest release of AM also supports issuing access tokens as Macaroons, a powerful new token format described in Chapter 9, which brings many of the benefits of capability-based security within the framework of existing OAuth2 standards.
Kubernetes-Ready and Rocking the IoT
The final third of the book looks at protecting APIs in two increasingly important deployment scenarios:
- Microservice architectures running in a Kubernetes container orchestration environment.
- Constrained devices operating in the industrial or consumer Internet of Things (IoT).
ForgeRock has invested heavily in recent years in ensuring that our Identity Platform works well in a Kubernetes (k8s) environment, and provides recipes for deploying our products to k8s. Our ForgeRock Identity Cloud runs on Kubernetes, so we’ve got deep knowledge on how to scale and secure deployments in this platform, some of which is distilled into Part 4 of the book.
IoT environments are very different from the comfortable world of servers running in data centers, both due to the constrained nature of the devices involved and how exposed they can be to external threats. ForgeRock has spent several years investigating the challenges of these environments and developing our ForgeRock Things offerings that can help secure IoT applications and integrate devices with our identity platform.
Get 40% off your copy of API Security in Action here using this code: forgerock40. I hope you enjoy it!
*** This is a Security Bloggers Network syndicated blog from Forgerock Blog authored by Neil Madden. Read the original post at: https://www.forgerock.com/blog/api-security-action-forgerock-identity-platform
