Tuesday, October 26, 2021

PRO WORKSHOP (API): Posture-Based API Access Control
Mourad Cherfaoui
Intel, Cloud Solutions Architect

Access to APIs is usually controlled through authentication and authorization. Authentication establishes the identity of the API client, and authorization verifies whether that identity can invoke an API and perform the requested actions on the desired resources. API keys, session cookies, signed tokens and client certificates are some of the mechanisms used for authentication and authorization. In this talk, we explore how the posture of the API client can also be used to determine whether the API can be accessed. The geo-location of the client and the trust level of its host machine are examples of postures. Some API implementations have used the client posture as a decision point, but they have been either unreliable (e.g. using the source IP address to infer the geo-location) or ad hoc solutions for specific postures that cannot be generalized to other cases. This talk examines how a posture can be part of a generic API invocation flow. We define a framework that can support any type of posture or a combination of types. The framework uses signed claims that can be challenged by the API owner. We focus on hardware-backed claims, which are much harder to spoof than software claims. We also look at how posture verification can be integrated into existing authorization frameworks like OAuth. The talk uses 3 examples of postures: geo-location, host trust level and clients running in a Trusted Execution Environment (TEE).
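The abstract describes the general shape of the mechanism: the API owner issues a challenge, the client returns posture claims signed by a key it cannot freely tamper with, and the owner verifies the signature and the challenge before letting the claims influence the access decision. The following is an added illustration of that flow, not code from the talk or from Intel. It assumes an HMAC over a per-device secret as a stand-in for a hardware-backed signing key, a constructed enrollment table, and a constructed policy (allowed regions, minimum host trust level); the claim names `region`, `trust_level` and `tee` are assumptions as well.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed enrollment table: device id -> signing key. In a real deployment the
# key would be held by a TPM/TEE and never leave the host; a software secret stands
# in for it here so the example runs offline.
ENROLLED_DEVICE_KEYS = {
    "laptop-0001": bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
    ),
}

# Assumed policy for the protected API (constructed values).
ALLOWED_REGIONS = {"EU", "US"}
MIN_TRUST_LEVEL = 2        # e.g. 0 = unknown, 1 = managed, 2 = measured boot verified
MAX_CHALLENGE_AGE_S = 60   # a challenge must be answered within this window


def canonical_message(device_id, nonce, claims):
    """Deterministic byte encoding of what the client signs: device, challenge, claims."""
    return json.dumps(
        {"device_id": device_id, "nonce": nonce, "claims": claims},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def sign_posture(device_key, device_id, nonce, claims):
    """Client side: bind the posture claims to the owner's challenge and sign them."""
    msg = canonical_message(device_id, nonce, claims)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class PostureVerifier:
    """API-owner side: issue challenges, verify signed claims, then apply policy."""

    def __init__(self, enrolled_keys, now=time.time):
        self._keys = enrolled_keys
        self._now = now              # injectable clock so expiry can be tested
        self._pending = {}           # nonce -> time issued; removed on first use

    def issue_challenge(self):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = self._now()
        return nonce

    def verify(self, device_id, nonce, claims, signature):
        """Return (allowed, reason). Cryptographic checks run before any policy check."""
        key = self._keys.get(device_id)
        if key is None:
            return False, "unknown device"
        issued = self._pending.pop(nonce, None)   # one-shot: a replayed nonce fails here
        if issued is None:
            return False, "unknown or reused challenge"
        if self._now() - issued > MAX_CHALLENGE_AGE_S:
            return False, "challenge expired"
        expected = sign_posture(key, device_id, nonce, claims)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # Only now are the claims trusted enough to drive an access decision.
        if claims.get("region") not in ALLOWED_REGIONS:
            return False, "region not allowed"
        level = claims.get("trust_level", 0)
        if not isinstance(level, int) or level < MIN_TRUST_LEVEL:
            return False, "host trust level too low"
        return True, "ok"


if __name__ == "__main__":
    verifier = PostureVerifier(ENROLLED_DEVICE_KEYS)
    nonce = verifier.issue_challenge()
    claims = {"region": "EU", "trust_level": 3, "tee": True}   # constructed posture
    sig = sign_posture(ENROLLED_DEVICE_KEYS["laptop-0001"], "laptop-0001", nonce, claims)
    print(verifier.verify("laptop-0001", nonce, claims, sig))
    print(verifier.verify("laptop-0001", nonce, claims, sig))   # replay of the same nonce
```

The order of checks matters: the signature and challenge are validated before any claim value is read, so an unsigned or replayed claim never reaches the policy layer, and the nonce is consumed on first use so a captured response cannot be presented again. Swapping the HMAC for an asymmetric signature from a TPM or TEE-held key changes `sign_posture` and the key store, not the verification order.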