Andy Thurai on, “the API – You Can’t Live Without It”

The unprecedented explosion of modern technologies combined with a burgeoning mobile space has forced enterprises to rethink previously held beliefs about the static enterprise perimeter. Remember the olden days when you said your enterprise was completely self-contained in one data center, with your apps inside the firewall and with everyone nearly as confident about it as being as secure as Ft. Knox?  With an explosion in mobile computing, demand for cheap or “free” usage of resources, and a sharp reduction in cost with the cloud delivery model,  it is expected (or rather demanded) that every enterprise expose their APIs not only from their enterprise but from a cloud based model. (NOTE:  The cloud is referred to in a  loosely defined delivery model be it —  public, private, community or hybrid variety).

Couple this inexorable progression for having a cloud based model with the need for mobile enablement and web 2.0 technologies,  and you are forced to expose not only your SOAP APIs,  but also JSON, REST and other fast, quick TTM (time to market) APIs that can be easily manipulated and consumed.

This brings an interesting issue to the fore-front. You are forced to rethink your corporate security strategy. Many organizations (and the C levels that I speak with on a regular basis) are scared to move their sensitive applications (and processes, data) to the cloud, mainly, because of security. But that doesn’t stop them from exploring and moving some of the non-sensitive applications to the cloud and “testing the waters”, so to speak. Once they see how easy and cheap it can be, they begin losing sleep thinking about all of the money they can save by moving everything to the “cloud” due to the constant pressure to plan and come in under budget.

It’s no wonder that API traffic has exploded over the past few years. According to a recent survey, about 60% of the enterprise traffic is API based. According to Programmable Web,  75% twitter traffic is API based. According to Programmable Web there are at least 5000+ APIs ( and the pace is growing. Programmable Web has a neat tool where you can search all the publicly available APIs ( If you check this out you will immediately notice that most of the social APIs are mostly REST/ JSON based. There is obviously a good reason for that.

When it comes to APIs there are two distinct, broad categories – Social APIs and Enterprise APIs. The Social APIs are created by, and for, our society which is hungry for instant data updates. (Remember the AT&T 4G commercial “so 42 seconds ago”  ( . I miss the good old days where we found out what happened in the world by checking CNN website once an hour or so.

In general, the social APIs tend to be fast,  easy to implement, REST only — without any enterprise class security, not monetized,  and focused on publishing  content etc.

You can’t afford to have the enterprise APIs published and consumed the same way. Your Enterprise class security needs to move with your applications API wherever it is going or however it is accessed.  And it is not a question of if, it is a question of when. The success of companies with API as the core of their business models transformed the industry – look at Google, Twitter, Facebook, and other smaller players. According to Programmable Web “The most popular API category from the last 1,000 APIs is government. In total, we list 231 government APIs and nearly half of them have been added in the last four months.”  When the government adopts a technology standard, you know that there is no going back, it is here to stay forever .

As applications migrate out of your own “Ft. Knox”,  the issue will become more pronounced. You’ll still need the same quality of security, management, SLAs,  centralization of usage based information – predicated on policy & identity information.

Most cloud providers just give you the base platform and leave most of this to you.  However, your enterprise class APIs need to provide enterprise class security, governance, lifecycle management , API Key and credential management, throttling and quota management, security, protocol translation and versioning, API performance optimization, key management, discovery. The need to expose your APIs in  multiple formats (as talked above such as REST, JSON, SOAP, etc), can multiply the complexity of an implementation exponentially.

Having set the stage (without wanting to scare you about the inherent risks of exposing your APIs to the cloud), let’s talk about how Intel can help you effortlessly achieve all of these things regardless of your usage model –  without the need to be concerned about whether  APIs are REST based, or full SOAP APIs or even JSON based mobile APIs.

Intel has been in the Web Services, XML, SOAP security space since the acquisition of Sarvega (circa 2005).  Our expansion into the API security space has been a natural progression. We brought out an API security gateway last year which caught the attention of many of our customers. Especially given that it can help enterprises move enterprise grade security policies without having to rewrite the policies (and allow for subsequent enforcement of them in the cloud) makes it even more interesting.

With the addition of OAuth 2.0 to the API gateway in our latest release, it seems like a timely opportunity to talk about the capabilities of our API gateway. When you move your enterprise applications to the cloud and expose APIs from there,you can either retool your application to fit that platform/ delivery model . Or, you have a second option. Use our API gateway as the API middleware which can help you solve a lot of those issues. APIs have become strategic control points for the cloud.

So essentially you want to abstract the following functionality to API middleware:

  1. Keep your implementation technology agnostic. Provide a mechanism to support REST, JSON, SOAP, etc and mediate to the backend supported format in a non-intrusive manner. Most times this end result can be achieved by configuring the API gateway solution to act as a facade to the existing application. This is really important in the ever changing API world.  JSON, REST APIs have evolved in the past few years.  By being agnostic, you’ll be prepared for the next “flavor” in whatever way that instantiates itself.
  2. Keep your security and API management closer to your APIs and be transparent about it with your  customers.
  3. Remove security, scalability, management and audit functionality and issues away from the an actual API implementation.
  4. Ensure that you have strong API monitoring, metering, logging, auditing, & versioning features.

Check out our API Gateway details to see how we can help you make this migration easy and painless.

For more information about Intel Expressway Service Gateway, case studies, testimonials and tech tutorials, please visit

Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel. Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role he is responsible for helping Intel/McAfee field  and technical teams and customer executives. Prior to this role he has held technology and architecture leadership and executive positions with L-1 Identity Solutions, IBM Datapower, BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20+ years of IT experience.

Andy Thurai on “Social SOA with API Gateway”

In a recent conversation with a large customer of ours, some interesting facts came to light. This blog is a recapitulation of the insights I got from that discussion. I’ll not only tell you how this customer is using our solution, but also, how it is helping them to take their online presence to the proverbial next level.

Our customer, an online university, is using our solution, as middleware – providing both security and data mediation functions, to push through SOAP &  REST API transactions to the backend. They are processing about 18 million messages per day. Now think about that for a second. The number in itself is mind staggering. While most educational institutions use freeware middleware solutions due to being part of an ultra cost-conscious milieu, this University decided to use our solution to bring their presence to a whole new level  – while still doing so in a completely cost effective fashion.

We also helped the University  integrate with a home grown single sign-on solution fairly easily so they would not be forced to “rip and replace” all of their technology,  unlike some of the implementation plans that would be thrust upon them by some of our competitors.  We integrate with identity management systems,  as well solutions that address governance, various registries ,and an array of monitoring solutions.  For us, it’s never about pushing an entire stack to a customer. Instead we feel customers should have the latitude to choose a technology from a range of available options, consistent with a “best of breed approach.”

Though it initially started off as more of an academic security experiment for a University, our solution has been embraced much more widely and has grown into a solution that encompasses SSL offloading, XSLT transformation, service aggregation, and service mediation. In addition, our solution is being used to abstract the authentication layer to communicate with a custom authentication service. We provide the backbone of their social SOA.

The initial services were mostly SOAP based, however, when the REST services were ready — we were ready too,  to help them out with a product that similarly could address all of the same relevant security concerns.

The true reason everyone is excited, though, is  because the University is looking to move their service offerings to the cloud.  At first glance, moving all your services (or even just a service abstraction layer) to the cloud and exposing that 24×7 to hackers can be quite the daunting task!  Another concern revolves around their customers’ resource utilization.  Especially when you are offering your  services for free (at least most of the time,) if you expose those services without throttling  them,  can be asking for a lot of trouble. Rest assured —  Intel has a feature built in our solution set that will help them with both their security concerns and their ability to implement throttling .

Our Quality of Service (QOS) functionality allows service providers to limit the usage of services, a classic need in a cloud delivery model which is often overlooked due to the perception about the elasticity of the cloud. In my mind, just because you can throw resources without any limit – ignoring fundamental architecture design principles such as TOGAF, DoDAF, Zachman – should be a huge concern, and “top of mind” for everyone. While you can implement some of these functions at the application/services level,  , a lot of overhead will be added to the application itself.  Moreover, here will be no uniformity across applications on how this feature is implemented.

If, on the other hand, you  were to use our QOS functionality -   you can monitor API usage, meter the usage based on the identity of the user (technically,  not only based on the identity, but you can even go lower than that. Think more along the lines of something location + identity + invocation based).

You not only can limit the service usage based on predefined policies,  but you can enforce those policies globally.  Our solution provides for the ability for a backend application to recover in case of overload. This built-in “self healing” feature should allow many services to recover without a need to bounce / reboot often. And the built-in auditing, reporting, logging tool keeps extensive details so it can be used not only for a forensic analysis, should the need arise,  but also when implementing a charge back system if so desired.

For more information about Intel Expressway Service Gateway, case studies, testimonials and tech tutorials, please visit

Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel. Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role he is responsible for helping Intel/McAfee field  and technical teams and customer executives. Prior to this role he has held technology and architecture leadership and executive positions with L-1 Identity Solutions, IBM Datapower, BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20+ years of IT experience.

Our SaaS CloudSSO – par excellence

Essentially that is what it is. Recently we announced our based Cloud SSO solution. What is unique about this is that we are the first (and as of now the ONLY) solution that will allow user identities to be federated not only across applications, but also across other cloud providers as well.

We provide Identity for the cloud in the cloud – now that is different, isn’t it?

I know, I know… there are about half of a dozen vendors that claim to provide a Cloud SSO solution. So why are we different or better than the others?

We provide a fusion, bringing together the best of McAfee and Intel.   We bring years of advanced security research ,  our multi-tenant offering cloud security suite from McAfee, coupled with Intel’s Identity offering that includes SSO, hardened provisioning/de-provisioning and an escalated authentication (OTP) solution.

Everyone knows that is all about the cloud and SaaS, right? But once you set up your users/ identities in the platform it can be only used there. If you need to setup another SaaS application then your administrator needs to setup the user base all over again. Even though there are tools available to make this process easier it is still a chore. Imagine if you could have the power to set up the identities and policies once and run forever. If your users have to remember only ONE password then you could enforce the passwords to be very strong. This would not only reduce the security risk (imagine a SaaS application having a weak password… what can be more dangerous than that) but it could also help with eliminating a lot of help desk password reset calls from frustrated users.

One pivotal and unspoken benefit is the  increase in productivity where a user can seamlessly navigate between applications.

Our solution also includes a hardened, proven provisioning/ de-provisioning which takes care of syncing identities across applications and across multiple cloud providers. And there is also a built-in escalated authentication of identity using a second form factor which comes in handy when someone tries to use sensitive applications. Our OTP (One Time Password) solution allows the users to provide the second factor (of what you have in addition to what you know).

If you missed our recent announcement about the beta release at RSA check it out here.

For more details check us out

Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel. Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role he is responsible for helping Intel/McAfee field  and technical teams and customer executives. Prior to this role he has held technology and architecture leadership and executive positions with L-1 Identity Solutions, IBM Datapower, BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20+ years of IT experience.




Intel Expressway Service Gateway deployed at DoD for Cross Domain Sharing

Have you read the latest case study involving a top defense contractor that deployed Intel* Expressway Service Gateway at the DoD?

The top contractor deployed Intel Expressway Service Gateway to secure data sharing and achieve wire-speed content attack prevention, provide support for multiple message formats without the need for custom programming and lower their cost and time to implementation.

You can learn more about Intel Expressway Service Gateway and the other Intel Expressway products by visiting



March 29th Analyst Webinar – Identity and Access Management in the Cloud: Real or Mirage?





Traditional IAM solutions have not kept pace with cloud innovation and new approaches to identity and access management are gaining ground. Should you move your IAM infrastructure to the cloud? What is the role of related standards? These and more questions will be addressed in a free webinar “Identity & Access Management in the Cloud: Real or Mirage?”, hosted by Intel and industry analyst firm KuppingerCole on March 29, 2012 at 10:00 AM Pacific (1:00 PM Eastern, 7:00 PM CEST).

In this webinar KuppingerCole Sr. Analyst Dave Kearns will discuss the benefits and challenges of moving use identities to the cloud. Vikas Jain, Director of Product Management at Intel, will follow with an overview of Intel Cloud SSO, Intel’s newest identity and security solution for the cloud. Click here to register for this informative event.

RSA 2012 Interview with Andy Thurai, Chief Architect of Intel’s Application Security & Identity Products Group

Watch this interview between Tom Field and Intel Application Security & Identity Products Group, Chief Architect Andy Thurai.  Andy talks about API management and the attendant issues including security, management, auditing, metering, monitoring and monetization.

You’ll hear Andy talk about Social APIs vs other APIs, as well as how Intel is providing mobile enablement. Andy talks about a platform that is technology, security, and identity agnostic, so that when messages are sent to a hosted app or a partners app, one has the appropriate mechanism to consume those messages coming in from mobile devices. Listen to Andy talk about Intel’s latest announcement made at RSA, about Cloud SSO  — visit for more information.

RSA 2012 Andy Thurai Interview

RSA 2012 Interview with Andy Thurai

Visit Intel at HIMSS 2012

As HIMSS 2012 approaches  (Feb 20-24 at the Venetian Sands Expo Center in Las Vegas), we’d like to give you the opportunity to sign up for complimentary Intel workshops.

You’ll have a chance to discuss critical healthcare IT challenges and opportunities with industry experts, and to encounter leading-edge solutions and practice models from security to mobile to cloud.
Simply go to the link below, where you can review abstracts and use our easy tool to select the free workshops you’d like to attend.

If you can’t make all of the sessions, make sure not to miss a review of the standardized reference architecture proposed by VisionWare* and Intel for secure, scalable master data management, using the Intel® Expressway Service Gateway and the VisionWare MultiVue* products.

The Need for Secure, Scalable State Healthcare Registries

Tuesday, February 21
9:00am – 10:00am

Read Abstract & Register

At the next session, following an overview of  Healthcare Cloud Service Brokers, the service broker enabling technologies will be demonstrated for a hands-on look at security, API management, and integration workflows.

Simplify Member-Provider Information Exchange through Healthcare Cloud Service Brokers
Tuesday, February 21
10:00am – 11:00am

Read AbstractRegister

Lastly, here’s another session that you should not miss:

The Creation of a Healthcare Insurance Exchange Using Your State Medicaid Management Information System (MMIS) As a Foundation

Wednesday, Feb. 22
5:00pm – 6:00pm

Read Abstract & Register

You can register for any of the sessions  here.

If you would like more information about Intel Expressway Service Gateway for Healthcare, please visit our site:

We look forward to seeing you there!

Case study: Embedding cloud SSO portal into Sharepoint

A Registered Investment Advisor (RIA) firm designed to provide financial services to high net worth individuals is using IAM technology to remain competitive and provide attractive services to both clients and Wealth Advisors. The firm also needed to establish business relationships with strategic partners delivering a variety of services, including fixed income inventory and strategies, retirement planning, a private trust and banking division, insurance & annuities, and more.


  1. Embedding cloud SSO portal into Sharepoint – The firm was already using Sharepoint as their company portal. The cloud IAM SSO portal needed to be integrated into Sharepoint as a webpart.
  2. Non-SAML applications – The firm was using more than a dozen on-demand applications that didn’t support federation standards such as SAML. The solution had to support single sign-on (SSO) into such applications as well.
  3. Branding and customization – The solution should be re-brandable and customizable to company’s look-n-feel as it gets rolled out to the firm’s clients.

On top of it, being part of regulated industry where they are responsible for handling their client’s financial assets, they needed a solution that was secure from end-to-end. The firm chose Intel Expressway Cloud Access 360 (ECA360), and rolled out the solution for its Wealth Advisors initially with a plan to roll it out to its clients in the future.

How did Intel Cloud Access 360 fill their requirements?

  1. Embedding cloud SSO portal into Sharepoint – Cloud Access 360 SSO portal publishing all the applications that can be single signed on, can be fully embedded into Sharepoint as a webpart without requiring any additional authentication.
  2. Non-SAML applications –  Cloud Access 360 supported all the desired applications through either native connectors using custom APIs or form based authentication.
  3. Branding and customization – The logo and look-n-feel of the end-user facing SSO portal page of Cloud Access 360 can be completely branded and customized using CSS style sheets.

According to the firm’s CIO, “The flexibility, security and other capabilities provided by Intel Expressway Cloud Access 360 will enable it’s firm to leapfrog legacy RIA environments and offer an architecture to harness  the entire financial services Rolodex* in a seamless, connected experience.”

Looking for more of such customer case studies – find them here

Gunnar Peterson on Understanding Cloud Security Standards, part 3

Moving applications to the Cloud puts many enterprises in an accustomed position, the technology and processes that their business depends on aren’t under their sole control, but rather a mix of responsibilities. The move to the Cloud is not a simple “forklift” migration where bits are copied to a Cloud Provider, instead the architecture and assumptions must be reviewed and refreshed to meet the needs and constraints of Cloud systems.

Implementing authorization services with standards like XACML empowers the security architect to enforce policy via a Gateway and answer the authorization queries from the source with the freshest and most specific data. Often the information needed to resolve authorization requests is stored beyond the directory and only available in a database or other repository.

The Cloud presents real integration challenges to the enterprise, what Gartner calls Cloudstreams and Cloud Service Brokerages focus on “integration, governance, and security impact points.”

In Part 1, we examined four Anti-Patterns that enterprises should avoid as they move the Cloud. These four Anti-Patterns are at the heart of dealing with the “Complexity Kills” problem that Gartner’s research shows as a recurring theme in Cloud migrations.

Anti-Pattern Description Mitigations
Low/No Access Control “we’ll see if it works and then turn on security later” Strong access control protocols for authentication and authorization
Replicating User Accounts copying in full or an extract your Enterprise directory to the Cloud Provider Retain enterprise provisioning on Cloud Consumer side
Copying Credentials Copying Enterprise Access Credentials to Cloud based services Implement Federated Identity
“Trusted” Proxy Gateway lacks support security services and standards Implement improved access control, audit logging and monitoring on the Gateway

In Part 2, we looked at how open standards like SAML, Oauth, and OpenID can be used to mitigate the Anti-Patterns, when it comes to fine grained authorization and Attribute based Access Control that many Cloud applications require, standards like these are necessary but not sufficient for the overall identity architecture.

The old enterprise perimeter was based on network firewalls, but today applications are integrated, distributed via Cloud and consumed via Mobile apps. The network firewall is severely limited in this context. Fine grained authorization and Attribute Based Access Control help close out the gaps in Cloud Security by providing a Dynamic Perimeter that manages access control across these contexts.

Today’s reality is that users, systems and data are distributed. The genie is not going to be put back in the box, but access control policy enforcement can and should be centralized.

Centralizing access control policy enforcement is essential for:

  • For Security architects to understand the boundaries in the system,
  • For developers to know what and where to code for authorization operations
  • For auditors to be able to review
  • For testers to be able to identify vulnerabilities

Gateways are ideal for providing the Policy Enforcement Point function, to intercept requests before they reach the resource and ensure the request is authorized.

The trend line  in access control points to more fine grained access control and to have authorization decisions be policy based (rather than hard coded).



The four Anti-Patterns that we discussed show why trends continue in the direction of increased granularity and policy based access control.

Low/no access control“we’ll see if it works and then turn on security later”

Access control is too important to be left up to developer discretion. Authorization and access control should be configured in policy, not hard coded. Externalizing the application’s authorization gives the enterprise several important advantages, including flexibility to route authorization requests to the system that has the most specific and freshest information.

Replicating user accounts – copying in full or an extract your Enterprise directory to the Cloud provider

XACML separates the Policy Enforcement Point (PEP: which protects the app) from the Policy Decision Point (PDP: which has the information to grant or deny the authorization request). This logical separation enables the enterprise to deploy its PEP on the Cloud Provider side to implement authorization enforcement while routing requests to PDP’s with the freshest and most specific attributes to answer the authorization request.

Separating the PEP and PDP means that the Gateway can intercept the request to the resource, route the request to the system with the freshest and most specific information, and enforce the policy. This pattern allows for a flexible, best of breed authorization architecture with the PEP and PDP tuned to control the authorization workflow. The PEP is responsible to enforce the chain of responsibilities in authorization and the PDP carries out the responsibility via querying data sources to grant or deny access.  Note, the information needed to make the grant or deny access may cross from Cloud Provider to enterprise Cloud.

Copying credentials – sometimes Enterprise copy credentials to Cloud based services; and thereby create a new pool of identity risk to manage.

Separating the PEP and PDP eliminates the need to hard code individual credentials to resolve access control challenges. This is because the PEP queries the PDP on behalf of the user to verify user’s attributes against the authorization target including the Resource and Action requested.

“Trusted” proxy – where trust is in name only

Trust, but verify means auditability. When authorization logic is strewn across millions of lines of code, auditing is impossible. Auditable systems must have authorization rules and logic that are clear and straightforward to review. Pulling key authorization policies out of the code and into XACML policies allows the Auditor to assess the target and ensure it meets the system owners’ goals.

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and federal/Gov systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He blogs at

What the Analysts are Saying…

Read what the analysts are saying about Intel & McAfee’s cloud access broker strategy.

Here’s a “birds-eye-view” on our new Analyst Consensus page



Get every new post delivered to your Inbox.

Join 139 other followers