API Management for Content Providers by Layer7Tech


More Info
									                                       API Management for Content Providers
Securely Deliver More Content to More Home Entertainment Systems
A single, all-in-one solution allows for managing APIs, vendors, reporting and OAuth

    Delivery of Protected Content:

    1.    Developer obtains an API key from the Content
    2.    Developer creates an application for the target
          console using Content Provider’s APIs
    3.    User logs into console, launches application and
          is prompted to log into Content Provider’s system
    4.    User enters credentials which L7 Gateway
          validates against local IAM
    5.    Application obtains signed/ encrypted OAuth
          request token from L7 Gateway
    6.    Application sends OAuth token to Content
          Provider’s APIs
    7.    Gateway validates token and grants access to

The Problem
Home entertainment devices (such as the XBox, PS3, Wii, TiVo, Smart TVs, etc) are introducing novel ways for content
providers and distributors (such as Telcos, Cable companies or other media providers) to reach consumers outside traditional
broadcast and cable TV, providing new opportunities to deliver content and promote loyalty.
APIs are the most cost-effective way to deliver content via these new channels, but controlling what gets shared to whom
when it comes to account data and media content requires strong security, such as an OAuth-based authentication model, as
well as comprehensive API management controls.

The Solution: Layer 7 API Management Suite
Layer 7 lets enterprises and service providers securely expose their APIs to device manufacturers, while providing them with
everything they need – from documentation to code samples to API reporting and technical support – in order to create an
application that presents content to joint customers. Layer 7’s comprehensive suite for API Management comprises:
•        API Proxy – provides enterprise-grade API security and traffic control
•        API Portal – streamlines developer on-boarding and management, as well as API reporting
•        Enterprise Service Manager – enables API migration and lifecycle management
The solution also provides support for secure OAuth, simplifying the implementation of 2- and 3-legged OAuth use cases
based on the OAuth 1a and 2.0 specifications:
•        Implement policy and identity STS controls to handle a wide range of OAuth token operations and credential types,
         including HMAC-SHA1/SHA2 or RSA-SHA1/SHA2 signature methods, SAML and the OAuth WRAP specification
•        Mix and match how they implement OAuth with SAML in order to address typical use cases such as user-delegated
         authorization for accessing APIs, or cross-domain federated SSO for website users
•        Drop in new signature and credential methods without changing their APIs
In this way, customers logging into the content provider from one of their console devices can be authenticated via OAuth,
and then tracked and reported on to determine which home entertainment platforms are the most valuable to your business.
 Key Features
 Enable Device Manufacturers
 Documentation &             •    Provide device manufacturers with versioned documentation to help developers quickly
 Resources                        understand how to use APIs
                             •    Provide resources such as sample applications, code widgets/examples, sample
                                  requests/response pairs, etc
 API Key Management          •    Assign an API key to each manufacturer’s application
                             •    Create, suspend and revoke API keys
 Registration                •    Register, approve and manage organizations and developers
                             •    Manage users with built in Role Based Access Control (RBAC)
 API Analytics               •    Out-of-the-box summary reports, including API usage, developer usage, and utilization rates, etc
                             •    Out-of-the-box detailed reports, including API latency, error rates, throughput, availability, etc
 Implement Secure OAuth
 Encryption                  •    Support for TLS / SSL encryption over the wire
                             •    Support for a variety of cryptographic algorithms, including HMAC, RSA and SHA
                             •    Support for asymmetric signatures using RSA
 Threat Protection           •    OAuth access token verification
                             •    Ability to limit message size
                             •    Protection from common Web-based attacks, including Cross-site request forgery (CSRF), man-in-the-
                                  middle and message replay
 Security Token Service      •    Integrated SAML STS issuer featuring support for SAML 1.1/2.0 authentication, authorization and
                                  attribute based policies and Security Context Tokens
                             •    STS support for WS-Trust and WS-Federation
 Manage & Secure APIs
 API Lifecycle               •    APIs can be smoothly migrated between environments (i.e., from Dev to Test, East to West, etc) with
                                  full dependency resolution and re-mapping
                             •    Supports automatic API versioning including rollback to any previous version
                             •    Global security settings, threat detection profiles, etc. can be reused across multiple APIs to save time
                                  and ensure consistency
 SLA/Performance             •    Enforce availability through throttling and/or rate limiting to ensure SLAs and QoS priorities
 Control                     •    Prioritize traffic to specific APIs based on SLAs
                             •    Limit API access based on user, time of day, IP address etc.
                             •    Route traffic based on geography, IP address, back-end response times, etc for optimum performance
                             •    Integrated clustering for scalability & automatic failover between multiple instances of APIs/services
                             •    Define custom data and identity caching parameters for optimal performance tuning
 Security and                •    Powerful message content filtering and transformation tools help identify and suppress leakage of
 Compliance                       sensitive information (i.e. SSNs, credit card numbers, etc.)
                             •    Layer 7’s PCI-DSS installation and configuration guide allows customers to configure and deploy
                                  the API Proxy as part of a PCI-compliant process
                             •    Support for multiple types of element or message level XML signing and encryption
 Threat Protection           •    Protect against Cross-Site Scripting (XSS), SQL Injection, XML content/structural threats & viruses
                             •    Create custom threat profiles to extend built-in filters for message structure and XML-specific threats
                             •    Track failed authentications and/or policy violations to identify patterns and potential threats
                             •    Validate HTTP parameters, REST query/POST parameters, JSON data structures, XML schemas, etc
 Supported Standards
 X.509 Certificates, XML Signature, XML Encryption, SSL/TLS, SNMP, SMTP, POP3, IMAP4, HTTP/HTTPS, FTP/FTPS, MQ Series,
 JMS, Raw TCP, Tibco EMS, WS-Security, WS-Trust, WS-Federation, WS-Addressing, WSSecureConversation, WS-I BSP, WS-
 MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WS-I, WSIL, UDDI, WSRR,
To learn more about Layer 7 call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377. You can also
email us at info@layer7.com; friend us on facebook.com/layer7; visit us at layer7.com, or follow-us on twitter @layer7.
                 Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
                 trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.

To top