In Cloud-Friendly Web Services Security, “There Is No Enterprise.” Wait. What?
“There is no enterprise — the work we do is a collection of people that dynamically changes through a mix of organization control.” That’s what I heard from one venerable old construction company while working on my new research report, Protecting Enterprise APIs With A Light Touch. I wanted to investigate how enterprises are using and securing lightweight RESTful web services, and in particular to figure out the problems for which OAuth is well suited. (You might recall my request for feedback in a prior post.)
What I found was that forward-thinking enterprises of many types – not just hip-happenin’ Web 2.0 companies – are pushing service security and access management to the limit in environments that can truly be called “Zero Trust,” to use John Kindervag’s excellent formulation. This particular firm dynamically manipulates authorizations to control access to a variety of innovative lightweight APIs on which the whole company is being run, not actually distinguishing between “internal” and “external” users. They’ve kind of turned themselves inside-out.
No more chewy centers, indeed. And OAuth is playing an increasing role in a variety of business scenarios, from B2B to identity federation to variants on classic SOA security, wherever light weight and agility are prized. I hope you’ll get a chance to check out the report to see my recommendations for using OAuth effectively in whisper-light app environments, and weigh in here with your thoughts.
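To make the "no chewy center" point concrete, here is an added example (not code from the post or from the report it describes) of the access check a lightweight REST API makes when it treats every caller as external: the only thing that authorizes a request is a signed, time-limited bearer token carrying scopes, and the client's network location is never an input. The token format (an HMAC-SHA256-signed JSON payload) is a stand-in for a real OAuth access token such as a JWT; the key, the scope names and the endpoint names are assumptions for illustration.

```python
"""
Added example: a "zero trust" bearer-token check for a lightweight REST API.
Every request, from the corporate LAN or the public internet alike, is
authorized the same way: signature, expiry and scope of the token it carries.
The token format is a stand-in for a real OAuth access token (e.g. a JWT).
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret between the authorization server and the API.
# A real deployment would use a rotated key or an asymmetric key pair.
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Assumed mapping from API endpoint to the OAuth scope it requires.
REQUIRED_SCOPE = {
    "GET /orders": "orders:read",
    "POST /orders": "orders:write",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, scopes, ttl_seconds=300, now=None):
    """Authorization-server side: mint a signed, short-lived token."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "scope": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Resource-server side: return the payload if signature and expiry hold, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def authorize(method, path, headers, now=None):
    """
    Decide whether a request may proceed; returns (HTTP status, reason).
    Note what is deliberately NOT an input: the caller's IP address or
    whether the request came from "inside" the network.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    payload = verify_token(auth[len("Bearer "):], now=now)
    if payload is None:
        return 401, "invalid or expired token"
    needed = REQUIRED_SCOPE.get(f"{method} {path}")
    if needed is None:
        return 404, "unknown endpoint"
    if needed not in payload.get("scope", []):
        return 403, f"token lacks scope {needed}"
    return 200, f"ok for {payload['sub']}"


if __name__ == "__main__":
    # Constructed demo: a read-only token used against both endpoints.
    tok = issue_token("alice", ["orders:read"])
    hdrs = {"Authorization": "Bearer " + tok}
    print(authorize("GET", "/orders", hdrs))   # (200, 'ok for alice')
    print(authorize("POST", "/orders", hdrs))  # (403, 'token lacks scope orders:write')
```

The check is the same whoever calls, which is what lets an organization stop caring whether a caller is an employee, a partner or a customer: the token says what the caller may do, and a token that is forged, expired or under-scoped is rejected regardless of where the request came from.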
p.s. Alex Crumb and I experimented a bit in putting this report together, reaching out through a variety of social-media vectors to gather data. Special thanks to those folks on Twitter who gave me great tips!