Securely API Enable Your IBM i Applications
Take advantage of the new business opportunities and cost savings offered by API enabling your IBM i applications without compromising on security.
The business opportunities available through API enablement are growing every day. Companies are creating new revenue channels by connecting to ecommerce sites like Amazon and Shopify. They are realizing significant cost savings by automating functions like PO processing, shipment scheduling and invoice generation through direct API connections with their customers. They are rapidly expanding application features by using readily available Open Source modules. However, all that capability comes with security risks. According to the Gartner Group, by 2022 APIs will become the number one target of hackers attempting to attack IT networks. In this session, we will cover the basics of how to set your company up to take advantage of the value of APIs safely and securely.
What You’ll Learn
During this complimentary webinar, we will cover topics including:
Implementing advanced authentication with OAuth
Safely using Open Source modules
Protecting your systems from DDoS (Distributed Denial of Service) attacks
Keeping your web code safe from injection attacks
Using API provider SDKs (software development kits) to implement security so your developers don’t have to do the coding
We will also leave time at the end for our experts to answer your questions on securely API enabling your IBM i applications.
Reserve your seat today!
Dan Magid, Chief Executive Officer & IBM Champion, Eradani
Dan has spent over thirty years leading companies that help customers implement new technologies in legacy environments. Previously, Dan led worldwide software development groups that built highly successful modernization and DevOps tools and was the CEO of Aldon, the leading provider of DevOps tools to the IBM i marketplace.
Sean is a rising star having particular experience using modern technologies to help customers integrate IBM i applications with other modern apps. He is passionate about the opportunities customers have when they combine the investment made in their IBM apps with the amazing world of Open Source.
All right. Let’s kick this off. Good morning, good afternoon, good evening and good night, everybody. Hello and welcome to the webinar, Secure API Enablement for Your IBM i Applications. We hope that your imagination will be opened up to a whole new world of integrating modern technologies to connect your IBM i environment today. Our speakers are Dan Magid, known in the IBM i world because of his long history in the ISP community. He’s presented at literally hundreds of webinars and dozens of conferences, and is a regular publisher and author of articles around bridging the gap between your i and everything new coming from the open source world. Sean Calaveri is a rising star at Eradani. He has particular experience using modern technologies to help customers securely integrate their IBM i applications with other modern apps. He is passionate about the opportunities customers have when they combine the investment made in their IBM i with the amazing world of open source. Now, before I hand this over to our speakers, as you can see from the big green light in the corner, this webinar is being recorded. So we will email a link to the webinar replay at the end of today’s session to everybody who is registered. Please feel free to share it with your peers. Questions, keep them coming in. You can use the chat or you can use the Q&A to submit questions. There’s lots of different bells and whistles here to get those questions to us, and we will address as many as we can. With that, Dan, I hand it over to you to kick things off.

Great. Thanks, Mitch. And I just want to add to Sean’s introduction: Sean is a great example of how, when you start using open source technology around your IBM i to extend your IBM i, you can hire lots and lots of people, young kids out of college, who can start working on your IBM i application. So, Sean is a great example of that. All right, so let me go ahead and share my screen here. You can also now see the PowerPoint presentation.
And so I’m going to talk a little bit about API security.
So, as you can see from this chart, people are doing this. I mean, many, many, many, many companies are adding APIs to their applications. So according to this chart, for 85% of companies it’s a strategic part of their digital transformation efforts. So that’s a little bit about why you want to do APIs. Now let’s talk a little bit about some of the threats. So the problem is that as we make these connections available, the potential is that malicious actors can use those connections to try to get at our back end system. So you see from Gartner that by 2022, APIs will be the most frequent attack vector on systems. And over here from Salt Security, their annual API security trends report, you can see that the number of malicious attacks is growing faster than the number of actual API calls. So the fact is that there are lots and lots of people, including state actors, that are trying to get at those APIs as a way to get into your system. 91% of enterprise professionals have said they’ve had an API security incident in 2020. And this is one that’s particularly concerning: 70% of organizations say that they’ve experienced an attack like that from the inside, from the inside of their network. And I talk to a lot of IBM i users who feel safe because they don’t allow their IBM i to talk outside the network. But now we’re seeing that actually a lot of these attacks are coming from the inside. In fact, according to Gartner, the majority of attacks in the coming years will be coming from inside IT. And it’s not that you have a malicious person inside your organization, necessarily. It’s that you have a machine that’s been compromised in your network. So somebody has compromised a machine and now there’s somebody using that person’s credentials to get into your machine. So what we want to talk about is how do you take advantage of all the value, all the things that APIs can do for you, but do it safely.
And that’s one of the things that Eradani Connect is designed to do. We’re designed to help you create that layer around your IBM i that not only makes it easy to connect either into your IBM i from the outside or out to the open source world from your IBM i, but to also do that in a secure way. So let’s go through some of the basics of the technology. These are some of the basic terms to understand about what’s happening under the covers in a security environment. And I’m going to go through those.
So, there are a couple of different kinds of encryption. This is private key encryption, which is sort of what we’ve been talking about; that is, there’s a secret. So the sender has the plain text data, they use the secret to encrypt the data, they send the cipher data, and then the recipient uses the secret to decrypt it. Now the important thing is they both have to know the secret. So they have the shared secret that they both know, so that they can send something and then they can receive it, so they can encrypt it and they can decrypt it. So that’s private key encryption that allows me to send information encrypted, where each of us has the secret key that only we know. So there’s a problem there though, and that is, how do we share the key? So when you start getting into these environments where we’re sending out lots and lots of communication with lots and lots of different people, and we need to create an encrypted environment, how do I send out the key in a way that won’t be discovered? I can’t encrypt the key because you can’t read it, so I have to be able to send it to you in some way that allows you to get that key and then we can start to have this encrypted conversation. So I’ve solved the problem of encrypting the data, but I haven’t figured out how do I get you the key so you can read it? And that’s where public key or asymmetrical encryption comes into play. So this is a real world example to maybe give you a sense of what asymmetrical public key encryption is. What it means is that everybody has the public key. Everybody knows the public key, but only the person who’s going to read the message has what’s called the private key. So everybody can encrypt with the public key, but only the person who’s going to read the message is going to have the ability to unlock it. And so in this situation, we’ve used mailboxes like this forever, which is that everybody can put letters into the mailbox.
We can all put letters into the mailbox and they have this mechanism that won’t let you reach in and pull that message out. But the only person who can get the messages out of the mailbox is somebody who has the key. So a USPS employee is the only one who has the private key that says, okay, I can get the data out of here. And that’s really how public private key communication works. You can think of it as a situation where you have two different keys for a lock, and one of the keys can only turn from right to left, and the other one can only turn from left to right. So I’m going to encrypt some information to send to you. I want to communicate with you. So you’ve given me a public key that allows me to encrypt information. So I encrypt that information and lock it, and then you use your private key, which only can go the other direction, to unlock it. So everybody can lock it, but only you with the private key can unlock it. And this would be an example of doing that with an actual electronic communication.
So let’s look at this key. This is what a private key looks like; it’s a massive mess. This stays on the server perpetually; it is not accessible from outside. So when a token is signed with this key, it can again be verified by that key, but that cannot be spoofed by anyone outside, so it is guaranteed that the token that is being verified came from this IBM server. So up there is the verify function that does the symmetry for this; it takes a token and a key and confirms. So when I got the token from the server, I was assigned a token. When I went to verify it, the server verified the token, saw that it was correct, signed by its key, and everything worked out, so it determined that this token was valid. And I can then use that token to make calls out to any other APIs; the server knows that I am authenticated. That’s demonstrating the JWTs, and I’ll pass this back to Dan.

Thanks, Sean. Let me share again. Okay, great. And so the last thing we’re going to talk about, so we’ve looked at getting TLS support in, we’ve looked at using JWTs, the last thing we’re looking at is multi factor authentication. Multi factor authentication is simply an additional security layer to make sure that you can verify that the person is who they say they are. Multi factor authentication basically means you have to have more than one of these factors, and the factors are something that only the user knows, something that only the user has, and something that is the user. So something the user knows might be like a password or, you know, answers to secret questions; something the user has might be their mobile device; and something that is the user might be their fingerprint or their retinal scan.
So you have multiple factors that you use to identify the person, and multi factor authentication, according to a Microsoft study, can reduce identity based security breaches by almost 100%, by 99.9%, dramatically reducing the number of security breaches that happen because somebody was spoofing who they were. So we have a lot of MFA suppliers, people who provide the code to do this thing. And one of the objectives for Eradani is to make it really, really easy to plug into whatever your company standard is for doing multi factor authentication and allow your IBM i to participate, just like everything else, so you can do multi factor authentication on your IBM i just as you would do for any other platform. So, Sean is going to go ahead and give you a quick demo of adding multi factor authentication to support an API call.

Yeah, so back on the screen here, this looks very similar to the last demo. If you look on the left side of the screen you’ll notice there’s just one difference, which is this requires MFA auth. And that’ll just be when you go, this is the authentication route again, when you go to authenticate and get your token, there is an extra step where you have to verify using MFA. And in this case that is using Duo, which will send a ping to my phone, which in a second I will have to confirm on my phone, and then verify who I am by a second method, the fact that I have my phone, before getting the token back to me that I can use later. So on the right side I’m making the exact same call as I made last time to this auth route. And when I start this server, I can make a call over here on the right. I hit send. And notice that it’s still waiting; it hasn’t had a response come back yet. So if I hit approve on my phone here, I don’t know how easy it is to see. My virtual background is kind of hiding it.

You may want to turn off your background.

Yeah, I think I tricked it a little bit there, but you can see a green and red.
And if I hit approve on my phone, then the token comes through. I got a notification. I clicked on it and opened the Duo app. I clicked a checkmark. And I got this token back, and this token works the same way as the token last time; it holds my information, but it just required that extra layer of security to get to it. Now I’m going to test out this token, but this time I’m actually going to use it in a route that can get some data. So again I’m making a call, not to auth; I’m making a call to the APIs and an SQL call to get a list of customers. So if I put in this new token that I just got right there, so I have a token, I’m making a call to customers, I’m verified. Now, let’s make that call. You’ll see, I get through here, but even though I’m authenticated, I’ve shown my username and password, I verified with my phone two factor, this server knows who I am, I still haven’t actually reached the IBM i, because I didn’t send the correct data. Even though I know who I am, that server still does not trust me, nor should it, to send the correct data. And it even tells me: I didn’t provide a min balance due for the customers nor a max balance due. So if I go and add these parameters, I’m just going to URL encode them, so I add a question mark and set min balance due equal to five. And I’ll also set max balance due equal to, let’s try hello, see what happens if I give it a little bit of interesting data. From the back, oh, it still won’t let me through; that’s still an invalid value. So try one more time. Give this the actual correct data: it wants two integers, or actually it can take floats, but it takes a min balance due and a max balance due. I send that call. And boom, I get back customers where the balance is between five and eight. So, that was authenticating me with the token and validating the data that I sent.
So if you look back on the left side of the screen, you’ll see how that data that I sent was validated. It looked in the query, it checked that there was a min balance due parameter, it checked that it exists (this is what failed the first time), it checked if it’s numeric (which is what failed the second time, when I sent hello), and, I didn’t test it, but it also verifies the numbers are of a correct length, between one and 10. And if all that goes wrong, the log message you’ll get in the server will tell you exactly what went wrong. So this app verifies that you log in with the username and password securely, you’re verified with something you have on your phone so even if those passwords were stolen, you still need the phone to get in, and the app verifies the data you send correctly to make sure this is a completely secure API call.
And there’s a lot more to it, but I just wanted to give you a quick demo of that.

Oh, gotta cut you off, Dan, our full hour is up. I want to thank everybody. We had dozens and dozens and dozens of people at today’s presentation. We will send out the recording afterwards. I wish you all a great afternoon and a very happy week. Thanks for participating today.