Posts

What is an API Product?

This is a concept I have been trying to define in full for a while now, and I haven't found any great write-ups on it. With that in mind, and as always, this is a learning and discovery blog, and that is the aim here. I encourage discussion on the topic: consider this a working definition, share your thoughts and opinions, and hopefully find what I have collected here somewhat useful.

To those of you that have read my blogs, attended my webinars, or seen any of my presentations, you know I like to relate things to analogies. So to answer this question, let's start with a scenario...

Say you are a man shopping for a few dress shirts for work (feel free to swap pronouns and clothing articles as desired). You hop onto the home page of your favorite generic shopping site and start to look for what you need. What is the first thing you click on to start to narrow your search? Often you will see several departments (e.g. beauty, kids, jewelry, watches) to n…

API Security - The Next Generation with Elastic Beam

The Prime Directive - Open more technology doors without increasing risk.

I can distinctly recall being fresh in the Federally focused aspect of my career and having a conversation with a customer where he said to me "We don't measure failure in dollars, but in the loss of lives." It was a powerful statement that has stuck with me ever since, and it speaks to the sensitivity of the data and the critical nature of US Federal systems. The challenge is that this creates a situation where disruption can be far from ideal, and risk-averse strategies with a strong focus on security are often paramount. And yet, recent times have brought an explosion of new technologies and capabilities with tactical and practical value that cannot be ignored. Servicemen and women look to use their own devices to access PII-focused data and services, or basic applications such as time sheets, without all the hassle of going through CAC-secured desktop systems. Officers in command wan…

You See, Mobile Enablement is Like Living In a Trailer Park...

"Mobile is not a device, it is a digital strategy and supporting enterprise architecture."

This has been a favorite statement of mine for a while now when discussing mobile initiatives. As a mobile application consumer, what you generally see is the end-user application only, and not the underlying components that enable the delivery of the functionality and data to your mobile device. Capabilities similar to a desktop app or desktop web experience often lead to the misconception that what you see is the same solution, simply ported to a mobile device, when the truth is that a successful mobile experience encompasses far more. Too often we see tough lessons learned as traditional desktop development teams without mobile development experience are tasked to 'make a mobile app and support omnichannel', and IT teams are told to support these requirements with no new investment in architecture to support mobile channels. Unfortunately, when digitizing services and cr…

Firewall, IDS, IDP, WAF, API Gateway: Choose Your Shield

Too long a read? Feel free to jump to the bottom for the exciting conclusion!

Often in US Federal we see different requirements and use cases arise than our commercial counterparts do. Quite often I get asked to provide insight into security, identity, and compliance queries, in the same way I might ask for insight on team development or CI/CD requirements from my commercially focused brethren. It just so happens that this week I have provided some insights on three of four discussions around the role of our API Gateway in enterprise security. The role of an API Gateway in enterprise architecture in general always seems to bring up interesting discussion points (can it replace my load balancer?), but none more so than enterprise security. I have often heard API Gateways jokingly referred to as a 'Swiss army knife' because you can really do so much with them. Often I find myself saying to both customers and colleagues that 'It's not what you can do with it, it is what …

Cassandra and Consistency - A Simplified Explanation

Cassandra is architected for read-write (RW) anywhere, enabling any client to connect to any node in any datacenter (DC). The concept of a primary or single master node does not exist in Cassandra. This allows for drastically improved RW performance, as no single master node is taking all the traffic. The flip side is that there is not a single source of truth (SSOT) as you would see in an RDBMS such as MySQL, where you assume the master or primary is always correct. Cassandra has mechanisms to manage this, though.
REPLICATION FACTOR (RF): This determines how many copies of the data exist.
CONSISTENCY LEVEL (CL): This determines how many nodes must acknowledge a read or write before a write is acknowledged as committed or read data is returned. Examples would be ALL, ONE, QUORUM, etc. Effectively, it is a level of assurance that a write occurred or that your read is against the freshest data.
Let’s look at two nodes for example.
WRITES: If the data is simply being split between the two nodes evenly and goes down, you…

US Federal PKI: Part I - Getting Started and the Value of Validation

Understanding the Basics: Bare Necessities
In order to understand Federal PKI systems, it is first imperative to understand the concepts, components, and challenges around it. The following are high-level overviews of these topics.
What is PKE?
Public Key Encryption is a type of asymmetric encryption, used to ensure confidentiality, integrity, and non-repudiation of a message. In Public Key Cryptography, the user has a private key, which only they will ever have, and a public certificate that is published for external use. The private key and public key work as opposites to encrypt and decrypt data. Anything encrypted by the public key can only be decrypted by the private key, and vice versa. The benefit here is that anything a user signs with their private key proves that they did in fact sign it, as only they have that key. Anything encrypted with the user's public key can then only be decrypted by them.
What is PKI?
Public Key Infrastructure is the underlying process, policies, an…