Open APIs

  • 1.  Security of Open APIs

    TM Forum Member
    Posted Feb 09, 2017 10:07
    The dominant question which is on everyone's mind, including mine, is the security aspect of the Open APIs. How secure would a network or a software system be if an Open API is exposed to customers and third-party members accessing it? In addition, my particular concern would be for organizations like TM Forum: with so many Open APIs in place, will there be a possibility of having standardization among the different Open API platforms?

    ------------------------------
    Majid Farhan
    Netcracker Technology
    ------------------------------


  • 2.  RE: Security of Open APIs

    TM Forum Member
    Posted Dec 07, 2017 00:28
    Hi Majid
    I think I am able to think on standardisation of Open APIs to a great extent.
    If data is modelled in accordance with SID, you have a set of business entities and aggregated business entities, which are the base for Open APIs. If you expose the entities via OData then you can expect a pretty standard user interface. But all depends on adaptation to SID, Open APIs and OData. If these fail to survive as standards, you have many different standards all over, and that is how it is today.

    Regards
    Neeraj

    ------------------------------
    Neeraj Kumar
    Swisscom AG
    ------------------------------



  • 3.  RE: Security of Open APIs

    TM Forum Member
    Posted Dec 08, 2017 05:43
    In the context of management platform and Hybris infrastructure platforms using Open APIs, we publish an initial view on how to address security using the concepts of software-defined perimeters, domains and policy management in TR263D Platform Security and Policy Management R17.0.1. In Release 17.5 a number of security APIs have been released, and the next step would be to get a number of members to cross-validate the TR263D work from Release 17 against the published APIs in Release 17.5, notably UserRoles & Permissions.

    ------------------------------
    Dave Milham
    TM Forum Chief Architect
    ------------------------------



  • 4.  RE: Security of Open APIs

    TM Forum Member
    Posted Jan 23, 2018 08:50
    Hi,

    "How secure would a network be or a software system be if an Open API is exposed to customers and third party members accessing it?"

    Remember the TM Forum Open APIs are only the "specifications"; it is down to the API Gateway and the implementation behind it to decide on things like:
    - Security termination: e.g. SSL/TLS transport, certificates, handshakes etc.
    - Authentication: Who are you/Am I sure you are who you say you are?
    - Authorization: Now I know who you are, am I going to let you do the thing that you want to ...and who you do it to?
    etc. (non-repudiation, denial-of-service, spoofing...)

    So just because an organisation offers up a (say) ProductOrder API, it does not necessarily follow that they will respond to your request without checking you out and ensuring that you have a billing relationship etc :-)

    ------------------------------
    Stephen Harrop
    Principal Integration Architect
    Vodafone Group
    ------------------------------



  • 5.  RE: Security of Open APIs

    TM Forum Member
    Posted Jan 24, 2018 04:08
    In the ZOOM team we looked at a related challenge, which is defining software-defined perimeters to establish and enforce security policy (Policy Decision Point) across a set of systems forming a platform/domain. The policy enforcement is assumed to be at the exposed APIs, e.g. Open APIs, which aligns with Steve's contribution. These notions of software-defined perimeters, policy domains for security, threat analysis, an assessment template/checklist and an example implementation approach based on CSA SDP were documented in TR263D Platform Security and Policy Management R17.0.1.
    The part we did not address comprehensively was the specific APIs needed to control this policy-based approach. With the recent API work on Federated Identity, now would be a good time to start some work pulling together the Open APIs, some of these security domain concepts in TR263D and the role of API gateways into a comprehensive exemplar solution. Might be a good subject for a Catalyst project.

    ------------------------------
    Dave Milham
    TM Forum Chief Architect
    ------------------------------
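To make concrete the layering Stephen describes in post 4 (security termination, then authentication, then authorization including "who you do it to") and the Policy Enforcement Point / Policy Decision Point split Dave describes in post 5, here is an added example of a minimal gateway in Python. It is not code from this thread, from TM Forum, or from TR263D: the HMAC-signed bearer token, the role-permission table, the billing-relationship table and the `productOrder` resource name are all constructed for illustration, standing in for an identity provider, a policy store and a billing system that a real gateway would consult.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this example only; a real gateway would load it from a secret store.
GATEWAY_SECRET = b"example-only-gateway-secret"

# Constructed policy data standing in for an identity provider and a billing system.
ROLE_PERMISSIONS = {
    "order-agent": {("GET", "productOrder"), ("POST", "productOrder")},
    "order-viewer": {("GET", "productOrder")},
}
BILLING_RELATIONSHIPS = {  # partner -> customers it is allowed to act for
    "partner-acme": {"cust-100", "cust-101"},
    "partner-bolt": {"cust-200"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: list, now: float, ttl: int = 3600) -> str:
    """Mint an HMAC-signed bearer token (hypothetical stand-in for what an IdP would issue)."""
    payload = _b64url(json.dumps({"sub": subject, "roles": roles, "exp": now + ttl}).encode())
    sig = hmac.new(GATEWAY_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def authenticate(token: str, now: float):
    """Authentication: return the verified claims, or None if the token is forged or expired."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(GATEWAY_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison of signatures
        return None
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def decide(claims: dict, method: str, resource: str, target_customer: str):
    """Policy Decision Point: may this principal do this operation, and to this customer?"""
    allowed = set()
    for role in claims.get("roles", []):
        allowed |= ROLE_PERMISSIONS.get(role, set())
    if (method, resource) not in allowed:
        return False, "role lacks permission for this operation"
    if target_customer not in BILLING_RELATIONSHIPS.get(claims.get("sub"), set()):
        return False, "no billing relationship with target customer"
    return True, "permit"


def handle_request(request: dict, now: float):
    """Policy Enforcement Point at the gateway. Returns (HTTP status, body)."""
    # 1. Security termination: only accept traffic that arrived over TLS.
    if request.get("scheme") != "https":
        return 403, {"error": "TLS required"}
    # 2. Authentication: who are you, and am I sure of it?
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = authenticate(auth[len("Bearer "):], now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    # 3. Authorization: may you do this, and to whom?
    ok, reason = decide(claims, request["method"], request["resource"], request["target_customer"])
    if not ok:
        return 403, {"error": reason}
    # 4. Only now is the request forwarded to the ProductOrder implementation (stubbed here).
    return 200, {"result": "forwarded to productOrder backend", "principal": claims["sub"]}


if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed clock value so the run is reproducible
    token = issue_token("partner-acme", ["order-agent"], now)
    request = {"scheme": "https", "method": "POST", "resource": "productOrder",
               "target_customer": "cust-100", "headers": {"Authorization": "Bearer " + token}}
    print(handle_request(request, now))                                  # 200, forwarded
    print(handle_request(dict(request, target_customer="cust-200"), now))  # 403, no billing relationship
```

The order of the checks is the point: a plaintext request is refused before any token is parsed, an unauthenticated request is refused before any policy is evaluated, and the backend only sees requests that passed all three. Keeping `decide` separate from `handle_request` is the PEP/PDP split, so the same decision logic can sit behind several exposed APIs.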