API’s Everywhere! CETPA 2018.


1 API’s Everywhere! CETPA 2018

2 API security breaches
NEWS: RIP Google Plus: Shutdown announced after API bug exposes 500,000 users' details
NEWS: API security breaches: Facebook restricts its Open API (April 7, 2018)
Salesforce.com generates 50% of its revenues through APIs. Expedia.com generates 90%. eBay generates 60%.
Source: The Strategic Value of APIs, HBR, Jan. 2015

3 Background “Stuff”
Ten years ago enterprises built monolithic enterprise software applications with few interfaces to secure. Now, however, developers break applications down into separate services and publish key functionality of their applications to the cloud as Web APIs (application program interfaces); usually this includes sensitive data. APIs have redefined the way the education vertical delivers value to customers by creating “doorways” that allow a multitude of applications to access data and provide a specialized user interface for every occasion.

4 Opportunities/Risks
APIs allow developers to create many architectures for sharing functionality and data between applications. API security is often mentioned as a critical concern by users, yet it is often left out of development and operational discussions. CIOs need to understand the risks and take the proper precautions when introducing mechanisms that can grab, change, and potentially destroy data from anywhere in the world. A new approach is needed to integrate security and privacy fully into the API lifecycle!

5 Building Access
[Diagram labels: BIZ PROCESSES; DATA; ENCRYPTED PAYLOAD / PRIVACY CALLS; AUTHENTICATION (SSO, ETC.); SECURE SOCKET FOR EXCHANGE. Each layer is annotated “Standardize?”]

6 API Options
[Diagram: Easy Case, “Single API”: App 1 connects to a REST API. Real World Case, “Many APIs”: apps connect through Middleware.]

7 SDPC Value Add 1
[Diagram labels: Districts; Vetting & Contracting Framework; Integrators; Marketplace Products]
The SDPC project work has helped streamline the vetting and contract aspects of connections, but not the connections themselves.

8 APIs Are Not The Web
Securing APIs with the same methods and technology we used to secure the conventional, browser-centric web does not always work. While it is true that APIs share many of the same threats that plague the web, they are fundamentally different and have an entirely unique risk profile that you need to manage.

9 API “Issues”
- Allows for targeted hacking, and less focus on security by providers
- Has given rise to API security programs
- Made “swiss cheese” out of some firewall set-ups
- Locales must “bend” to vendor-specific APIs:
  The locale must change processes, sometimes without any clear new value.
  The locale often must do DBA work or even programming to connect their data to the expected API.
  The locale usually winds up with some slick apps that have stale data due to a lack of timely synchronization between back office systems.

10 Standardizing APIs
Organizations need to consider this in their journey to make their APIs easy to maintain, adopt and consume. Most organizations don’t invest enough time in standardizing the way APIs are designed, partly because they don’t realize the value of doing so. Standardization:
- Can provide a great developer experience, leading to more powerful and useful API connections
- Can save time and money on implementation, and on change!
- Dictates and allows for planned upgrades for both developers and customers
- Can provide consistent access through a single authentication
- Can bolster privacy through a consistent view of data

11 Why Use Openly Developed Technical Standards?
- Access to all data
- Scalability dependent upon funding cycles
- Easier comparison and quality
- Allows for best of breed solutions
- Enables clearer migration paths
- Easy discovery, access and use of learning resources and tools
- Integrated instruction, assessment and reporting

12 How We Got Here…

13 Target: Successful Student Learning Progression
[Diagram labels: External Entity; School / School System; Student Enrolls; Identity; Administrative and Operational; Analytics, Dashboards, Portals; Curriculum, Instruction and Assessment; Student Roster; Record Exchange; Accountability; Timeliness; Identity Strategies; Ability to Manage Risks via Privacy and Security; “Simple to Enterprise” Data Integration and Scalability; Policy and Technology Underpins the Work]
Data Needs / Challenges:
- IT choices in schools adding overheads and risk: privacy, data integrity
- Minimise effort to integrate with multiple systems > data hubs
- Key to successful integration: careful selection of management of identifiers > local & national use

14 SIF Over 20 Years…. And Counting

15 Around Since 1997! SIF Specifications
SIF 3 Infrastructure: Permits simple direct access to data. Empowers efficient batched process. Scales to real-time events when needed.
SIF 2 Data Model: Use-case-based data objects create clear separation of roles. Removes ambiguity when talking about securing fields of data.

16 SIF Implementation Specification 2.4: 158 Objects & Elements
… and most recently, the SIF Implementation Specification 2.5 introduced important extensions to the model in the area of Teaching and Learning functionality, including:
- Extending Assessment to incorporate the individual measures associated with a particular assessment item, providing a more flexible way to include established as well as new types of measures.
- Providing a more robust structure for Assessment psychometric measures that allows for a wide range of both innovative Measurements and different Test designs.
- Generalizing Student Participation to encompass multiple Programs.

17 xPress API Line
- Is a new line of modern, open, standard APIs for education
- Provides schools/developers a way to simply and securely exchange data among apps: locally, cloud or mobile
- Developed from real-world use cases focusing on practical, easy to implement solutions
- Uses contemporary technologies like REST and OAuth, enabling direct communication among systems (the “broker” is optional)
- Built on SIF 3x Infrastructure and Data Model
- RESTful with both JSON and XML support
- No M.O.M. (i.e. ZIS) required
- Represents commonly used CEDS data in a straightforward manner

18 xPress Line - Roster
Make it easy for consumers to get the most commonly used data: ROSTER, DEMOGRAPHIC, CONTACT.
Guiding principle: Simplify and Flatten.
- Utilize SIF 3 element naming conventions to provide a logical link to the full enterprise model
- Providers maintain a single set of refIds
- Minimize reliance on XML-specific features (ease transition to JSON)

19 SIF NA 3.2 “roster” objects = 16 Objects
student, staff, contactPerson, school, lea, section, course, address, schoolCalendar, schoolCalendar-Item, term, contactPerson-Association, staffPerson-Assignment, staffSection-Association, studentSchool-Association, studentSection-Association


21 SIF xPress Roster API = 7 Objects
xStudent, xStaff, xContact, xSchool, xLea, xCalendar, xRoster
Simple object model using logical names based on the SIF 3 entity model.

22 xPress Line - SRE Wrapper object to contains all needed SRE “pieces”
Student Record Exchange Wrapper object to contains all needed SRE “pieces” Student Demographic Record Identifies the student Student Academic Record Identifies the schools or institutions student attended Student Special Education Record Provides special education placement and participation data Student Record Content Container object for non-SIF data

23 Puget Sound SRE – Across Standards!
- 7 school districts around Seattle, WA
- 153,000 students
- 16,000 transfers per year
- Universal translator
- Hub & Spoke model
- Real-time
- Dedicated to open standards

24 IEP Eligibility

25 IEP Program

26 xPress Line – Grade Pass-Back

27 End Game? Start with some basics:
- Push suppliers to utilize established and openly developed standardized APIs.
- Develop API security policies, including authentication and authorization of API users, traffic management and content threat detection.
- Evaluate API management gateway technologies.
- Evaluate existing platform vendors to determine how they can contribute.
- Remove or tokenize sensitive data in the API URL path.
- Maintain an inventory of your APIs, starting with externally exposed APIs. Student Data Privacy SDPC App?
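As an added illustration of the “remove or tokenize sensitive data in the API URL path” item (example code written for this page, not from the presentation or from A4L/SIF): a small tokenization vault, a URL builder for an assumed /xStudents/{token} resource shaped after the slides' xStudent object, and a check that flags paths still carrying an SSN or e-mail address. The base URL and SSN are constructed sample values.

```python
# Added example, not from the slides: keep a sensitive student identifier out of
# the API URL path by replacing it with an opaque token, and detect paths that
# still leak one. Paths land in gateway/proxy logs and browser history, so they
# are exposed even when the payload itself is encrypted.
# The /xStudents/{id} URL shape is assumed from the slides' xStudent object.
import re
import secrets
from typing import Optional
from urllib.parse import urlsplit


class TokenVault:
    """In-memory stand-in for a tokenization vault (constructed for this example).

    Tokens are random, not hashes: the SSN space is only 10^9 values, so an
    unkeyed hash of an SSN could be reversed by brute force; a random token cannot.
    """

    def __init__(self) -> None:
        self._by_token: dict = {}
        self._by_value: dict = {}

    def tokenize(self, value: str) -> str:
        """Return the existing token for value, or mint a new random one."""
        token = self._by_value.get(value)
        if token is None:
            token = secrets.token_urlsafe(16)
            self._by_token[token] = value
            self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Resolve a token back to the sensitive value; only the vault can do this."""
        return self._by_token.get(token)


# Kinds of sensitive values that must never appear as URL path segments.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[^/@\s]+@[^/@\s]+\.[A-Za-z]{2,}")


def student_url(vault: TokenVault, base: str, ssn: str) -> str:
    """Build the xStudents resource URL with an opaque token in place of the SSN."""
    return f"{base.rstrip('/')}/xStudents/{vault.tokenize(ssn)}"


def path_leaks_sensitive_data(url: str) -> bool:
    """True if the URL path (the part that gets logged) contains an SSN or e-mail."""
    path = urlsplit(url).path
    return bool(SSN_RE.search(path) or EMAIL_RE.search(path))
```

Running path_leaks_sensitive_data over an API gateway's access log paths is a cheap way to build the inventory the last bullet asks for, since every path that trips it is an endpoint that still needs tokenizing.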

28 SDPC Value Add 2: Connected Privacy
[Diagram labels: Districts; Vetting & Contracting Framework; “Secure/Quick Connections”; Privacy Standards Certification; Integrators; Marketplace Products]
The next project of the SDPC, Connect, is going to enable those connections to take place in a standardized manner, streamlining the work of schools, integrators and marketplace providers. Added here are the multiple integrator-to-integrator interactions districts sometimes use.

29 Student Data Privacy Consortium
A4L Web: Student Data Privacy Consortium. Larry L Fruth II, Ph.D. Assessment Areas for Consideration.
