Who says Elephant Can't Dance?
- 1. Who says Elephant Can’t Dance?
Securely Externalizing APIs @ Cisco
Anand Sharma
IT Architect
July 2012
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
- 2. Follow my (re)tweets at @indrayam
- 3. Annual Revenue (Overall): 45 Billion Dollars
Annual Revenue (Cisco Services): 9.5 Billion Dollars
Cisco Services’ Share of Total Revenue: 21%
Note: Approximate Numbers with a dash of extrapolation. 45 looks better than 43 on a slide..;-)
- 4. March 2010
"Cisco’s Partner Program is one
of the most formidable in the
industry."
- 5. Route(s) to Market
Chain: Manufacturer → Distributor → Reseller / Partner → Customer
Direct
1 Tier (DVAR)
2 Tier
- 6. Partners drive a large percentage of Cisco’s Business
- 7. Serving the middle of the Long Tail in the Partner/Customer Experience
Make it easy to do business with Cisco! Extend our Reach. Enable Disruptive Innovation.
Three tiers, ordered by reach (number of partners):
Traditional B2B: Hundreds of partners; High Cost, High Touch, Tight integration; “Have it your way, if you can afford it”
Externalized Business Services (Enabled Partner Defined Experience): Thousands of Partners and Customers; Low Cost, Self Service, Loose integration; “Have it your way. Period.”
Cisco UI / Portals: Tens of Thousands of Partners and Customers; No Integration; “Have it our way”
- 8. Typical Cisco SMARTNet Service
24x7 Phone Support
Web 1.0 Apps (Forums)
Web 2.0 Apps (Wikis)
Social Media Apps (Facebook, Twitter)
What’s missing?
Hint: “Have it your way”
- 9. (image-only slide)
- 10. Got API?
Mobile Apps, Cisco Support Community, Sales/Partner Deal Mgmt, Quote-to-Order, Marketing, Quoting, Product Data, Configuration, Pricing, Campaigns, Order Status
Services: Inventory Service, Contract Service, EoX Service, Field Notice Service, Intelleshield Service, PSIRT Service
Go to Market: Rebates, Certifications & Specializations, Incentives & Promos
- 11. API Externalization @ Cisco circa 2010
XML Firewall XML Gateway SOA Gateway
Source: “Expanding Role of XML Gateways” Webinar Hosted by Layer 7 and Forrester
- 12. Basic Auth Over HTTP(S)
o Application ID is a pseudo Human ID: no difference between Human and App ID
o Manually Created Generic IDs; Self-Service capabilities minimal
o HTTPS Basic Auth based authentication
o Hard to Manage (Add/Edit/Disable)
o Group-based Authorization Logic
- 13. (-) Web Services (nomenclature), SOA Gateway, Basic Authentication, Group-based Access Control
(+) APIs, API Management Platform, OAuth 2.0, XACML (ABAC/PBAC)
Note: We stopped calling it Web Services. This was around mid-2010. Everyone else was doing it..;-)
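Slides 12 and 13 replace group-based access control with XACML-style attribute/policy-based entitlement. As an added example (not code from the deck or from Cisco's Entitlement Framework), the Python below puts the two side by side: a flat group-membership check, and a small deny-overrides policy evaluator whose rules reference subject, resource and action attributes and can therefore express "only for your own party's contracts", which a group check cannot. The group names, party identifiers, API names and rules are constructed for illustration.

```python
"""Group-based access control beside an XACML-style attribute policy.

Added example, not from the deck or from Cisco's Entitlement Framework.
Group names, party identifiers, API names and rules are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# --- Before: group-based authorization, as on slide 12 -------------------------
# Constructed sample data: application ID -> groups it belongs to.
GROUPS: Dict[str, set] = {
    "svc-partner-acme": {"eox-readers"},
    "svc-partner-globex": {"eox-readers", "contract-readers"},
}


def group_allows(app_id: str, required_group: str) -> bool:
    """The only question a group check can ask: is the caller in the group?
    It cannot express 'only for your own party's contracts'."""
    return required_group in GROUPS.get(app_id, set())


# --- After: XACML-style rules over subject, resource and action attributes -----
@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny"
    target: Dict[str, str]                        # attribute -> required value
    condition: Optional[Callable[[dict], bool]] = None

    def applies(self, request: dict) -> bool:
        """A rule applies when every target attribute matches and the
        optional condition holds; a missing attribute never matches."""
        for key, value in self.target.items():
            if request.get(key) != value:
                return False
        return self.condition(request) if self.condition else True


def evaluate(rules: List[Rule], request: dict) -> str:
    """Deny-overrides combining: any applicable Deny wins, then any
    applicable Permit, otherwise NotApplicable."""
    effects = {r.effect for r in rules if r.applies(request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def pep_allows(rules: List[Rule], request: dict) -> bool:
    """Enforcement point: only an explicit Permit lets the call through;
    NotApplicable is treated as a denial (fail closed)."""
    return evaluate(rules, request) == "Permit"


# Constructed policy: a partner app may read EoX data only for contracts its
# own party owns, and a suspended party is denied regardless of other rules.
POLICY: List[Rule] = [
    Rule("Permit",
         {"subject.role": "partner-app", "resource.api": "eox", "action": "read"},
         condition=lambda r: r.get("subject.party_id") is not None
         and r.get("subject.party_id") == r.get("resource.owner_party_id")),
    Rule("Deny", {"subject.party_status": "suspended"}),
]


def request_ctx(app_id: str, party_id: str, owner_party_id: str,
                status: str = "active", api: str = "eox", action: str = "read") -> dict:
    """Builds the flat attribute bag a PEP would assemble from the token
    context and the resource being addressed (constructed attribute names)."""
    return {
        "subject.app_id": app_id,
        "subject.role": "partner-app",
        "subject.party_id": party_id,
        "subject.party_status": status,
        "resource.api": api,
        "resource.owner_party_id": owner_party_id,
        "action": action,
    }
```

The evaluator fails closed: a request no rule covers (another party's contract, or a write where only reads are permitted) comes back NotApplicable and the PEP rejects it, while the Deny rule for a suspended party wins over any Permit.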
- 14. Cisco APIx Platform: Addressing Key Cross-Cutting Concerns
Key Cross-Cutting Concerns of every API: App Authentication, API Entitlement, API Analytics, API Rate Limiting/Throttling, API Console, Developer Console/On-Boarding, API Community
“No Gateway/Proxy Approach”: API/WS Client calls API #1 and API #2 directly; cross-cutting concerns handled by every API
“Proxy Flow through Approach”: API/WS Client calls the API Proxy, which fronts API #1 and API #2; cross-cutting concerns handled by the Gateway/Proxy for every API; API Console alongside the proxy
“Proxy Connector Approach”: API/WS Client calls API #1 and API #2 directly; cross-cutting concerns handled by an in-memory API Interceptor in each API, which in turn communicates with the API Proxy; API Console alongside the proxy
- 15. Cisco APIx Platform: Our API Management Platform Journey…
Dec 2009: Home Grown Web Services Management Console (WSMC) launches
Nov 2010 / Nov 2011: Cisco PingFederate 6.5 (OAuth2 AS) goes LIVE
Jan 2012: APIx Platform v1.0 launches
- 16. Cisco APIx Platform
…that led to our current version
Mar 2012
APIx Platform v2.0 launches
http://apiconsole.cisco.com
o Mashery powered Public Cloud Based API Console and Cisco On-Prem OSGi-based (Equinox) API Proxy Node Cluster
o Human and Application Entitlement powered by Entitlement Framework APIs using Cisco Entitlement Policy Manager
o API Authentication using OAuth 2.0 IETF Draft (soon to be a standard), powered by Cisco OAuth 2.0 Cluster using PingFederate 6.5
o Business Policy & OAuth 2.0 Access Token Enforcement Point (PEP/TEP) implemented as Adapters on OSGi-based (Equinox) API Proxy
o Implemented Access Token Cache Object (ATCO) capability to efficiently provide Human and/or Application Context to backend APIs
o Deployment Flexibility allowing Cisco to securely expose APIs on Cisco DC Footprint and/or Mashery’s API Distribution Network
o Developer On-Boarding (with proper Business Entitlement) handled by Cisco Entitlement Framework UI Tools
o Ready for Multiple API Providers (read, Tenants) within Cisco
- 18. Cisco APIx Platform: APIx Platform Application Registration Architecture
Highlights
1. Human (Party Developer) Authentication using PingFederate SAML Based SSO
2. Human (Party Developer) Authorization using XACML based policies stored in Cisco Entitlement Policy Manager. Exposed by Entitlement Framework as RESTful APIs
3. Application Registration integrated with PingFederate APIs which acts as SSOT of Application Credentials
4. Party Centric Identity of the Application captured during App Registration
- 19. Cisco APIx Platform: APIx Platform Application Runtime Architecture
Highlights
1. OAuth 2.0 Grant Type dance to get “Access Token” is driven independent of APIx Platform
2. An adapter on the OSGi-based API Proxy acts as the Access Token Enforcement Point (TEP) as well as the Business Policy Enforcement Point (PEP)
3. Access Token Cache Object (ATCO) improves performance significantly by reducing load on PF OAuth 2 AS and Entitlement Framework APIs
4. ATCO provides Human and/or Application Context in Base-64 Encoded JSON Object to the Backend API.
5. All 3 integration touch points with PF, EF and Backend API Handshake are configurable per API Endpoint
- 20. Cisco APIx Platform
Access Token Cache Object (ATCO)
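Slides 19 and 20 describe the proxy adapter that acts as Token Enforcement Point (TEP) and Policy Enforcement Point (PEP), and the Access Token Cache Object (ATCO) that spares the OAuth 2.0 AS and the Entitlement Framework repeat calls and hands the backend its context as base-64 JSON. As an added example, not the deck's OSGi adapter, the Python below simulates that runtime flow end to end. The AS and EF are in-memory stand-ins with constructed tokens and entitlements; the cache key (the bearer token itself), the proxy-side TTL bound and the X-Api-Context header name are assumptions made for this example.

```python
"""Token Enforcement Point (TEP) with an Access Token Cache Object (ATCO).

Added example, not the deck's OSGi proxy adapter. The OAuth 2.0 AS and the
Entitlement Framework (EF) are in-memory stand-ins with constructed data; the
cache key (the bearer token), the TTL bound and the X-Api-Context header name
are assumptions made for this example.
"""
import base64
import json
from typing import Dict, Optional, Tuple

# Stand-in for the OAuth 2.0 authorization server: token -> introspection data.
AS_TOKENS: Dict[str, dict] = {  # constructed sample tokens
    "tok-alice-acme": {"active": True, "sub": "alice@partner.example",
                       "client_id": "app-acme", "scope": "eox:read",
                       "exp": 1_000_000_300},
    "tok-revoked": {"active": False},
}

# Stand-in for the EF: (human, application) -> party context and entitlements.
EF_ENTITLEMENTS: Dict[Tuple[str, str], dict] = {  # constructed
    ("alice@partner.example", "app-acme"): {"party_id": "P-100",
                                            "entitlements": ["eox"]},
}


class Calls:
    """Counts round trips to the AS and EF so the cache effect is visible."""
    to_as = 0
    to_ef = 0


def as_introspect(token: str) -> dict:
    Calls.to_as += 1
    return AS_TOKENS.get(token, {"active": False})


def ef_lookup(sub: str, client_id: str) -> Optional[dict]:
    Calls.to_ef += 1
    return EF_ENTITLEMENTS.get((sub, client_id))


class ATCO:
    """Caches a validated token's context, bounded by both the token's own
    expiry and a proxy-side TTL (the assumed bound on how long a revoked
    token can keep being accepted from cache)."""

    def __init__(self, max_ttl: int = 300) -> None:
        self.max_ttl = max_ttl
        self._entries: Dict[str, dict] = {}

    def get(self, token: str, now: int) -> Optional[dict]:
        entry = self._entries.get(token)
        if entry and entry["until"] > now:
            return entry["ctx"]
        self._entries.pop(token, None)  # expired or absent
        return None

    def put(self, token: str, ctx: dict, exp: int, now: int) -> None:
        self._entries[token] = {"ctx": ctx, "until": min(exp, now + self.max_ttl)}


def enforce(token: str, api: str, now: int, atco: ATCO) -> Tuple[int, Dict[str, str]]:
    """TEP + PEP adapter: returns (status, headers for the backend call).
    401 = token not valid, 403 = no entitlement, 200 = forward with context."""
    ctx = atco.get(token, now)
    if ctx is None:
        grant = as_introspect(token)
        if not grant.get("active") or grant["exp"] <= now:
            return 401, {}
        ent = ef_lookup(grant["sub"], grant["client_id"])
        if ent is None:
            return 403, {}
        ctx = {"sub": grant["sub"], "client_id": grant["client_id"],
               "scope": grant["scope"].split(), **ent}
        atco.put(token, ctx, grant["exp"], now)
    if api not in ctx["entitlements"]:
        return 403, {}
    # Human/application context travels to the backend as base-64 JSON.
    encoded = base64.b64encode(json.dumps(ctx, sort_keys=True).encode()).decode()
    return 200, {"X-Api-Context": encoded}


def decode_context(header: str) -> dict:
    """What the backend API does with the header it receives."""
    return json.loads(base64.b64decode(header))
```

The entitlement check runs on every request even on a cache hit; only the AS introspection and EF lookup are skipped. The max_ttl bound is what connects this to the "Revoking Token" capability on slide 26: a cached context keeps a token usable at the proxy until the entry ages out, so that bound, not the token's own expiry, is the upper limit on how long a revoked token is still accepted.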
- 21. Securely Externalizing APIs @ Cisco: the intersection of three overlapping areas
API Management
Human/API Authentication (OAuth)
Entitlement (XACML) Engine
- 22. What did we observe?
#1. Open APIs are not a typical use case for Cisco
Source: Hey Devs, APIs are good for you (Gigaom.com)
- 23. What did we observe?
#2. “Dark” or Enterprise APIs (Private/Pseudo-Private/Public) are extremely critical
- 24. What did we observe?
#3. Cisco APIs will have to be device and hosting agnostic. No surprises here.
- 25. What did we observe?
#4. “OAuth Everywhere” for all APIs seems like a daunting task
Preserving App Context
OAuth implementation is non-trivial
OAuth SDKs are maturing
- 26. What did we observe?
#5. More OAuth-centric tactical issues
Life of a Refresh Token (RT) per App (not per Instance)
Token Translation (between ObSSO Cookie and Access Token)
OAuth Grant Types shown to Users during registration
API Console + OAuth Authorization Server Admin capabilities: Deleting App, Revoking Token
- 27. APIs are important for Cisco. We’re just getting warmed up!
Proof-point from our initial Pilot Partners using End-of-Life (EoX) API
“This is huge for us. It allows us to have very intelligent conversations with our customers that might have been the domain of a hard core CCIE or networking guru.”
“…breaking new ground”
“It just worked … It helped close a $1.3 million renewal … EOX API was the shining star of our MSCP audit. Even Cisco people were impressed.”
“… don’t care about metrics/reports. Give me more APIs”
- 28. Backup Slides
Q&A