Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays Paris 2023 - IAM for API security strategy, Danielle Kayumbi, Deezer

apidays
PRO
December 15, 2023
Programming
0
18

Apidays Paris 2023 - IAM for API security strategy, Danielle Kayumbi, Deezer

Apidays Paris 2023 - Software and APIs for Smart, Sustainable and Sovereign Societies
December 6, 7 & 8, 2023

IAM for API security strategy
Danielle Kayumbi, IAM for API security strategy, Deezer

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

December 15, 2023
Tweet

More Decks by apidays

See All by apidays
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, Graylog
apidays
PRO
0
7
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by Paolo Malinverno, The Business of Technology
apidays
PRO
0
10
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, APIContext
apidays
PRO
0
11
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, Culture Builder
apidays
PRO
0
10
Apidays New York 2024 - The value of a flexible API Management solution for Open Banking by Steve Melan, State's and Saving's Bank of Luxembourg
apidays
PRO
0
8
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, FinResults
apidays
PRO
0
8
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
apidays
PRO
0
9
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the environment by Joanna Reijgersberg-Siew, Avanade
apidays
PRO
0
10
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong, GovTech Singapore
apidays
PRO
0
12

Other Decks in Programming

See All in Programming
Let's learn code review
riofujimon
2
640
AmperとFleetを使ったAndroidアプリ
yoppie
0
300
Exploring the Implementation of “t.Run”, “t.Parallel”, and “t.Cleanup”
akarin
1
160
PHPコードの実行モデルを理解する / Understanding-the-PHP-Execution-Model
shin1x1
0
1.1k
Docker_OSS_ホスティング入門
satokoki645
0
140
RaaP
ksss
0
160
RubyGems on ruby.wasm
kateinoigakukun
0
120
初心者のためのRubyKaigi入門/RubyKaigi Introduction
a_matsuda
10
1.9k
RailsConf 2024: Riffing on Rails: sketch your way to better designed code
kaspth
1
220
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
1
130
CQRS meets modern Java
simas
PRO
2
470
GitHub Actionsの痒いところを埋めるサードパーティーランナー
dora1998
2
260

Featured

See All Featured
Debugging Ruby Performance
tmm1
70
11k
The Illustrated Children's Guide to Kubernetes
chrisshort
32
47k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.7k
Rails Girls Zürich Keynote
gr2m
91
13k
Building an army of robots
kneath
300
41k
A Tale of Four Properties
chriscoyier
153
22k
Building Adaptive Systems
keathley
32
1.9k
The Cult of Friendly URLs
andyhume
74
5.7k
Into the Great Unknown - MozCon
thekraken
15
1.1k
Teambox: Starting and Learning
jrom
128
8.4k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
83
45k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
12
1.1k

Transcript

  1. IAM For API Security Strategy

  2. Danielle HODIEB KAYUMBI Software Engineer danielleKayumbi

  3. None

  4. APIs are everywhere Powering our lives from behind the scenes

  5. None
  6. None

  7. ww.nbcnews.com/mach/science/these-tiny-robots-could-be-disease-fighting-machines-inside-body-ncna861451

  8. More than 83% of web traffic is now processed througth

    APIs 83% Akaimai report

  9. Rapid growth leads to larger attacks

  10. 90% of breaches targeted Applications and APIs 2022 APIs become

    “Most frequent attack vector” https://lab.wallarm.com/evolution-of-api-security-in-2023-a-practical-guide/

  11. Breaches

  12. None

  13. API 01 Broken Access control

  14. Missing Access control PUT, GET, DELETE https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update Privilege escalation

  15. API attacks will jump nearly 1 000 % by 2030

    https://siliconangle.com/2023/07/27/api-cyberattacks-projected-jump-nearly-tenfold-2030/

  16. In 2016, Nissan Leaf Allowed to control remotely the climate,

    the charge of the battery and get the driving range

  17. Only required a Vehicle Identification Number

  18. https://siliconangle.com/2023/07/27/api-cyberattacks-projected-jump-nearly-tenfold-2030/

  19. Get battery status Get climate status Turn climate on/off Get

    details about journeys & distances
  20. None
  21. None
  22. None

  23. https://www.youtube.com/watch?v=Nt33m7G_42Q&t=321s

  24. Security is important Beyond features & functionalities

  25. A simple denial-of-service attack has the potential to kill. Pacemaker

    https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

  26. API Security is lacking

  27. What do we need to expose ? Who are your

    users now ? In the future ? What’s the worst thing someone can do with your API ?

  28. Strong authentication and authorization solution Least privileges Limit data exposure

  29. Identity & Access Management

  30. I A M

  31. Who ? Can do what ? On which resources ?

  32. https://www.tuv.com/usa/en/identity-und-access-management-%28iam%29.html

  33. Authentication Authorization User Management Central User repository IAM

  34. Users Groups Identity

  35. Principle of least privileges

  36. Role-based access control Access control lists Discretionary access control

  37. None

  38. Resource types Identities sources Client types (public, confidential)

  39. None
  40. None
  41. None
  42. None
  43. None

  44. GraphQL Client Resource owner Authorization server Resource server

  45. GraphQL Client Resource owner Authorization server Resource server

  46. GraphQL Client Resource owner Authorization server Resource server

  47. GraphQL Client Resource owner Authorization server Resource server

  48. GraphQL Authorization request Client Authorization server Resource server Resource owner

  49. GraphQL Authorization request Client Authorization server Resource server Authorization grant

    Resource owner

  50. GraphQL Authorization request Client Authorization server Resource server Authorization grant

    Authorization grant Resource owner

  51. GraphQL Authorization request Client Authorization server Resource server Authorization grant

    Authorization grant Access token (role, scope) Resource owner

  52. GraphQL Authorization request Client Resource owner Authorization server Resource server

    Authorization grant Access token (role, scope) Resources Authorization grant Access token (role, scope) ACL

  53. GraphQL Keycloak Cart microservice Role Product-reader Client credential flow

  54. GraphQL public/private key

  55. None
  56. None
  57. None

  58. https://www.keycloak.org/docs/latest/server_admin/#assembly-managing-clients_server_administration_guide

  59. None
  60. None

  61. Centralize authentication & authorization Protocol & standards Principle of limited

    privileges
  62. None

  63. https://logrhythm.com/solutions/security/zero-trust-security-model/

  64. Verify identity and context Control risk Enforce policy

  65. Protect your data at all costs

  66. Thank you danielleKayumbi