API Management for Content Providers
Securely Deliver More Content to More Home Entertainment Systems

A single, all-in-one solution allows for managing APIs, vendors, reporting and OAuth.

Delivery of Protected Content:
1. Developer obtains an API key from the Content Provider
2. Developer creates an application for the target console using the Content Provider’s APIs
3. User logs into the console, launches the application and is prompted to log into the Content Provider’s system
4. User enters credentials, which the L7 Gateway validates against the local IAM
5. Application obtains a signed/encrypted OAuth request token from the L7 Gateway
6. Application sends the OAuth token to the Content Provider’s APIs
7. Gateway validates the token and grants access to the content

The Problem

Home entertainment devices (such as the Xbox, PS3, Wii, TiVo, Smart TVs, etc.) are introducing novel ways for content providers and distributors (such as Telcos, Cable companies or other media providers) to reach consumers outside traditional broadcast and cable TV, providing new opportunities to deliver content and promote loyalty. APIs are the most cost-effective way to deliver content via these new channels, but controlling what gets shared with whom when it comes to account data and media content requires strong security, such as an OAuth-based authentication model, as well as comprehensive API management controls.

The Solution: Layer 7 API Management Suite

Layer 7 lets enterprises and service providers securely expose their APIs to device manufacturers, while providing them with everything they need – from documentation to code samples to API reporting and technical support – in order to create an application that presents content to joint customers.
Layer 7’s comprehensive suite for API Management comprises:
• API Proxy – provides enterprise-grade API security and traffic control
• API Portal – streamlines developer on-boarding and management, as well as API reporting
• Enterprise Service Manager – enables API migration and lifecycle management

The solution also provides support for secure OAuth, simplifying the implementation of 2- and 3-legged OAuth use cases based on the OAuth 1.0a and 2.0 specifications. Customers can:
• Implement policy and identity STS controls to handle a wide range of OAuth token operations and credential types, including HMAC-SHA1/SHA2 or RSA-SHA1/SHA2 signature methods, SAML and the OAuth WRAP specification
• Mix and match how they implement OAuth with SAML in order to address typical use cases such as user-delegated authorization for accessing APIs, or cross-domain federated SSO for website users
• Drop in new signature and credential methods without changing their APIs

In this way, customers logging into the content provider from one of their console devices can be authenticated via OAuth, and then tracked and reported on to determine which home entertainment platforms are the most valuable to your business.
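To make steps 5 to 7 of the protected-content flow concrete, the following is an added example, not Layer 7 code or its token format: a gateway issues an HMAC-SHA256-signed token to the application (step 5), the application signs each API call with a per-token secret using an OAuth 1.0a-style timestamp and nonce (step 6), and the gateway validates token signature, expiry, API key status, request signature, timestamp window and nonce before granting access (step 7). The function names, the token layout, the derivation of the per-token secret from the gateway key, and the sample secret and API key values are all assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample key for the example; a real gateway keeps this in its key store.
GATEWAY_SECRET = b"constructed-example-gateway-secret"
TOKEN_LIFETIME = 3600   # seconds a token stays valid
REQUEST_WINDOW = 300    # seconds a request timestamp may drift before it is rejected


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hmac(key, msg):
    # HMAC-SHA256 (one of the HMAC-SHA2 methods the page lists as supported)
    return _b64(hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest())


def _token_secret(payload_b64):
    # Per-token secret derived from the gateway key, so the validator needs no per-token state.
    return hmac.new(GATEWAY_SECRET, b"token-secret:" + payload_b64.encode("ascii"),
                    hashlib.sha256).digest()


def issue_token(user, api_key, now=None):
    """Step 5: after IAM has validated the user's credentials, the gateway issues a signed
    token and the secret the application will use to sign its requests."""
    iat = int(time.time() if now is None else now)
    payload = {"sub": user, "api_key": api_key, "iat": iat,
               "exp": iat + TOKEN_LIFETIME, "jti": secrets.token_hex(8)}
    payload_b64 = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    token = payload_b64 + "." + _hmac(GATEWAY_SECRET, payload_b64)
    return token, _token_secret(payload_b64)


def _request_base(method, path, token, ts, nonce):
    # Canonical string covered by the request signature; binding the method and path
    # stops a captured signature from being reused against a different resource.
    return "\n".join([method.upper(), path, token, str(ts), nonce])


def sign_request(token, token_secret, method, path, nonce=None, now=None):
    """Step 6: the application signs each API call with the token secret."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(8)
    return {"token": token, "ts": ts, "nonce": nonce,
            "sig": _hmac(token_secret, _request_base(method, path, token, ts, nonce))}


class Gateway:
    """Step 7: validate the token and the request before granting access to content."""

    def __init__(self, active_api_keys):
        self.active_api_keys = set(active_api_keys)   # keys created and not suspended/revoked
        self.seen_nonces = {}                          # (token id, nonce) -> request timestamp

    def authorize(self, req, method, path, now=None):
        now = int(time.time() if now is None else now)
        try:
            payload_b64, sig = req["token"].split(".", 1)
        except (KeyError, ValueError, AttributeError):
            return False, "malformed token"
        # Constant-time comparison of the gateway's own signature over the payload
        if not hmac.compare_digest(sig, _hmac(GATEWAY_SECRET, payload_b64)):
            return False, "bad token signature"
        payload = json.loads(_unb64(payload_b64))
        if payload["exp"] <= now:
            return False, "token expired"
        if payload["api_key"] not in self.active_api_keys:
            return False, "api key suspended or unknown"
        if abs(now - req["ts"]) > REQUEST_WINDOW:
            return False, "request timestamp outside window"
        base = _request_base(method, path, req["token"], req["ts"], req["nonce"])
        if not hmac.compare_digest(req["sig"], _hmac(_token_secret(payload_b64), base)):
            return False, "bad request signature"
        # Replay protection: forget nonces older than the window, reject any nonce seen again.
        self.seen_nonces = {k: t for k, t in self.seen_nonces.items() if now - t <= REQUEST_WINDOW}
        key = (payload["jti"], req["nonce"])
        if key in self.seen_nonces:
            return False, "replayed request"
        self.seen_nonces[key] = req["ts"]
        return True, payload["sub"]
```

Because the per-token secret is derived from the gateway key rather than stored, a cluster of gateway instances can validate tokens issued by any of its peers with no shared session state; only the recently seen nonces need to be shared (or pinned to one instance) for the replay check to hold cluster-wide.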
Key Features

Enable Device Manufacturers

Documentation & Resources
• Provide device manufacturers with versioned documentation to help developers quickly understand how to use APIs
• Provide resources such as sample applications, code widgets/examples, sample request/response pairs, etc.

API Key Management
• Assign an API key to each manufacturer’s application
• Create, suspend and revoke API keys

Registration
• Register, approve and manage organizations and developers
• Manage users with built-in Role Based Access Control (RBAC)

API Analytics
• Out-of-the-box summary reports, including API usage, developer usage, utilization rates, etc.
• Out-of-the-box detailed reports, including API latency, error rates, throughput, availability, etc.

Implement Secure OAuth

Encryption
• Support for TLS/SSL encryption over the wire
• Support for a variety of cryptographic algorithms, including HMAC, RSA and SHA
• Support for asymmetric signatures using RSA

Threat Protection
• OAuth access token verification
• Ability to limit message size
• Protection from common Web-based attacks, including Cross-Site Request Forgery (CSRF), man-in-the-middle and message replay

Security Token Service
• Integrated SAML STS issuer featuring support for SAML 1.1/2.0 authentication, authorization and attribute-based policies and Security Context Tokens
• STS support for WS-Trust and WS-Federation

Manage & Secure APIs

API Lifecycle
• APIs can be smoothly migrated between environments (e.g., from Dev to Test, East to West, etc.) with full dependency resolution and re-mapping
• Supports automatic API versioning, including rollback to any previous version
• Global security settings, threat detection profiles, etc. can be reused across multiple APIs to save time and ensure consistency

SLA/Performance Control
• Enforce availability through throttling and/or rate limiting to ensure SLAs and QoS priorities
• Prioritize traffic to specific APIs based on SLAs
• Limit API access based on user, time of day, IP address, etc.
• Route traffic based on geography, IP address, back-end response times, etc. for optimum performance
• Integrated clustering for scalability and automatic failover between multiple instances of APIs/services
• Define custom data and identity caching parameters for optimal performance tuning

Security and Compliance
• Powerful message content filtering and transformation tools help identify and suppress leakage of sensitive information (e.g. SSNs, credit card numbers, etc.)
• Layer 7’s PCI-DSS installation and configuration guide allows customers to configure and deploy the API Proxy as part of a PCI-compliant process
• Support for multiple types of element- or message-level XML signing and encryption

Threat Protection
• Protect against Cross-Site Scripting (XSS), SQL Injection, XML content/structural threats and viruses
• Create custom threat profiles to extend built-in filters for message structure and XML-specific threats
• Track failed authentications and/or policy violations to identify patterns and potential threats
• Validate HTTP parameters, REST query/POST parameters, JSON data structures, XML schemas, etc.

Supported Standards

XML, SOAP, REST, PCI-DSS, AJAX, XPath, XSLT, WSDL, XML Schema, LDAP, SAML, XACML, OAuth, PKCS, FIPS 140-2, Kerberos, X.509 Certificates, XML Signature, XML Encryption, SSL/TLS, SNMP, SMTP, POP3, IMAP4, HTTP/HTTPS, FTP/FTPS, MQ Series, JMS, Raw TCP, Tibco EMS, WS-Security, WS-Trust, WS-Federation, WS-Addressing, WS-SecureConversation, WS-I BSP, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WS-I, WSIL, UDDI, WSRR, MTOM, IPv6, WCF

To learn more about Layer 7, call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377. You can also email us at firstname.lastname@example.org; friend us on facebook.com/layer7; visit us at layer7.com; or follow us on Twitter @layer7.

Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.