Like many companies, Cisco found that BYOD was the one acronym that forced it to re-evaluate its security and application development.
“We needed to think differently about how we deployed web applications,” said Ranjan Jain, domain architect for enterprise identity and access services at Cisco. Cisco is big on promoting BYOD, and Jain explained the transformation as the featured speaker on the recent How to Secure APIs like Cisco webinar sponsored by Ping Identity (a replay is available; sign-in/registration required).
Jain said the challenge was to figure out how to simplify the myriad of layers (services, gateways, proxies and authentication) that mobile devices had to navigate to access applications.
From an IT, information security and business process angle, “we thought OAuth was the best way to resolve all these issues we were trying to solve,” he said.
And it turns out, Cisco was right. After about five months of work, the company achieved a significant milestone in March by going live with its first OAuth-enabled API platform.
But to understand the importance, Jain laid out where Cisco began.
A year ago, a member of the business team came looking for a security solution for a new API platform. It needed to be robust, scalable and without the multiple layers of complexity that currently existed.
It needed to eliminate the ongoing practices of password sharing and storing and, in some cases, passwords hard-coded into apps.
“We also needed a platform that followed industry standards,” said Jain. “Standards” were in use, but an interconnect between them was not easy to obtain.
“What we were looking for was simplicity,” he said.
The company built its API platform in a Red Hat Enterprise Linux 5.5 environment and virtualized its components (sans the database layer) using the Cisco Unified Computing System (UCS). For resiliency and scalability, Jain said, they also used Cisco GSS and ACE to support load balancing, as well as proximity- and round-robin-based routing.
As part of the architecture, Cisco deployed Ping Federate 6.5 into its virtualized environment, which was split between two data centers in an active-active deployment. This was a change from Cisco’s Ping Federate 6.0 deployment, which was done in a single data center.
Cisco supports all the major identity federation protocols, and while they mostly act as an identity provider, they also have the capability to act as a relying party.
The new OAuth-enabled platform basically works like this: a mobile client gets a token from the Cisco Ping Federate cluster and uses the token with Cisco’s API platform, powered by Mashery. The OAuth resource server validates the token by passing it back to the Ping Federate authentication server, and the client then uses the token to access specific APIs via Mashery. The environment also uses a Cisco Entitlement Policy Manager.
“There is a lot more happening there,” said Jain, “but this is the high-level flow.”
Jain said challenges arose because the OAuth standard was still in the draft stage and enterprise use cases exposed nuances the spec did not address.
One OAuth challenge involved automatic client creation, which forced Cisco to write some custom code and develop some Web services. He said the next version of Ping Federate will smooth those challenges.
Another issue was the spec’s lack of a method to define a timeout for an OAuth refresh token, which led to more custom development at the database level. “From a security perspective we wanted a specific time,” said Jain. He again said the next version of Ping Federate will help fix the development issues.
Cisco also had token refresh issues when multiple mobile clients were used to access the same app, and token translation issues when integrating with APIs not enabled for OAuth.
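The flow above (client obtains a token, presents it as a bearer token to the API platform, and the resource server checks it against the token issuer before granting access) and the missing refresh-token timeout that Cisco had to build itself can be shown in a few dozen lines. The following is an added example, not Cisco's, Ping Federate's or Mashery's code: an in-memory authorization server that issues short-lived access tokens and refresh tokens with an absolute lifetime, plus a resource server that introspects each bearer token. Class names, lifetimes, scopes and the fake clock are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    client_id: str
    scope: str
    expires_at: float  # absolute deadline after which the token is dead


class AuthorizationServer:
    """Assumed stand-in for the token issuer (Ping Federate in the article)."""

    def __init__(self, access_ttl=600, refresh_ttl=86400, clock=time.time):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl  # the refresh-token timeout the draft spec lacked
        self.clock = clock
        self._access = {}   # opaque access token -> Grant
        self._refresh = {}  # opaque refresh token -> Grant

    def issue(self, client_id, scope):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = Grant(client_id, scope, now + self.access_ttl)
        self._refresh[refresh] = Grant(client_id, scope, now + self.refresh_ttl)
        return access, refresh

    def refresh(self, refresh_token):
        # Single use: the presented refresh token is consumed whether or not it is valid.
        grant = self._refresh.pop(refresh_token, None)
        if grant is None or self.clock() >= grant.expires_at:
            return None
        access, new_refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = Grant(grant.client_id, grant.scope,
                                     self.clock() + self.access_ttl)
        # Rotate the refresh token but keep the ORIGINAL absolute deadline,
        # so refreshing cannot extend a session forever.
        self._refresh[new_refresh] = Grant(grant.client_id, grant.scope, grant.expires_at)
        return access, new_refresh

    def introspect(self, access_token):
        """Answer the resource server's question: is this token live, for whom, for what?"""
        grant = self._access.get(access_token)
        if grant is None or self.clock() >= grant.expires_at:
            return {"active": False}
        return {"active": True, "client_id": grant.client_id, "scope": grant.scope}


class ResourceServer:
    """Assumed stand-in for the API platform (Mashery in the article)."""

    def __init__(self, auth_server, required_scope):
        self.auth_server = auth_server
        self.required_scope = required_scope

    def handle(self, authorization_header):
        """Return (status, message) for a request carrying an Authorization header."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, "missing bearer token"
        info = self.auth_server.introspect(token)  # validate against the issuer
        if not info["active"]:
            return 401, "invalid or expired token"
        if self.required_scope not in info["scope"].split():
            return 403, "insufficient scope"
        return 200, f"ok for {info['client_id']}"


class FakeClock:
    """Controllable clock so expiry behaviour is deterministic in the demo."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk one client through issue, expiry, refresh and the absolute refresh deadline."""
    clock = FakeClock()
    auth = AuthorizationServer(access_ttl=600, refresh_ttl=3600, clock=clock)
    api = ResourceServer(auth, required_scope="contacts.read")
    results = []
    access, refresh = auth.issue("mobile-app", "contacts.read")  # constructed client
    results.append(api.handle(f"Bearer {access}")[0])  # 200: fresh token
    clock.advance(601)
    results.append(api.handle(f"Bearer {access}")[0])  # 401: access token expired
    access, refresh = auth.refresh(refresh)
    results.append(api.handle(f"Bearer {access}")[0])  # 200: new access token
    clock.advance(3600)
    results.append(auth.refresh(refresh) is None)      # True: absolute lifetime reached
    return results


if __name__ == "__main__":
    print(demo())
```

Because `refresh` is single use, a second device that shares the same refresh token is rejected as soon as the first device rotates it; that is the shape of the multi-client refresh problem mentioned above, and the usual answer is a separate grant per device rather than a shared one. The absolute `expires_at` carried across rotations is what gives the operator the fixed refresh-token lifetime the text describes Cisco wanting.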
Overall, Jain called the rollout an “interesting journey,” and he said OAuth is something Cisco will roll out enterprise-wide on new platforms, for APIs and Web services, and for mobile and non-mobile platforms.
“We all understand this is new, it has a lot of catch-up especially for the enterprise world,” he said. “I am pretty confident that with our partnership with Ping Identity we will be able to convey more OAuth to the story.”