
API Management for Content Providers

Securely Deliver More Content to More Home Entertainment Systems


A single, all-in-one solution allows for managing APIs, vendors, reporting and OAuth
Delivery of Protected Content:
1. Developer obtains an API key from the Content Provider
2. Developer creates an application for the target console using Content Provider's APIs
3. User logs into console, launches application and is prompted to log into Content Provider's system
4. User enters credentials which L7 Gateway validates against local IAM
5. Application obtains signed/encrypted OAuth request token from L7 Gateway
6. Application sends OAuth token to Content Provider's APIs
7. Gateway validates token and grants access to content

The Problem
Home entertainment devices (such as the Xbox, PS3, Wii, TiVo, Smart TVs, etc.) are introducing novel ways for content providers and distributors (such as Telcos, Cable companies or other media providers) to reach consumers outside traditional broadcast and cable TV, providing new opportunities to deliver content and promote loyalty. APIs are the most cost-effective way to deliver content via these new channels. However, controlling which account data and media content is shared, and with whom, requires strong security, such as an OAuth-based authentication model, as well as comprehensive API management controls.

The Solution: Layer 7 API Management Suite


Layer 7 lets enterprises and service providers securely expose their APIs to device manufacturers, while providing them with everything they need, from documentation to code samples to API reporting and technical support, in order to create an application that presents content to joint customers. Layer 7's comprehensive suite for API Management comprises:
- API Proxy: provides enterprise-grade API security and traffic control
- API Portal: streamlines developer on-boarding and management, as well as API reporting
- Enterprise Service Manager: enables API migration and lifecycle management

The solution also provides support for secure OAuth, simplifying the implementation of 2- and 3-legged OAuth use cases based on the OAuth 1a and 2.0 specifications:
- Implement policy and identity STS controls to handle a wide range of OAuth token operations and credential types, including HMAC-SHA1/SHA2 or RSA-SHA1/SHA2 signature methods, SAML and the OAuth WRAP specification
- Mix and match how they implement OAuth with SAML in order to address typical use cases such as user-delegated authorization for accessing APIs, or cross-domain federated SSO for website users
- Drop in new signature and credential methods without changing their APIs

In this way, customers logging into the content provider from one of their console devices can be authenticated via OAuth, and then tracked and reported on to determine which home entertainment platforms are the most valuable to your business.

Key Features
Enable Device Manufacturers

Documentation & Resources
- Provide device manufacturers with versioned documentation to help developers quickly understand how to use APIs
- Provide resources such as sample applications, code widgets/examples, sample requests/response pairs, etc.

API Key Management
- Assign an API key to each manufacturer's application
- Create, suspend and revoke API keys

Registration
- Register, approve and manage organizations and developers
- Manage users with built-in Role Based Access Control (RBAC)

API Analytics
- Out-of-the-box summary reports, including API usage, developer usage, and utilization rates, etc.
- Out-of-the-box detailed reports, including API latency, error rates, throughput, availability, etc.

Implement Secure OAuth

Encryption
- Support for TLS / SSL encryption over the wire
- Support for a variety of cryptographic algorithms, including HMAC, RSA and SHA
- Support for asymmetric signatures using RSA

Threat Protection
- OAuth access token verification
- Ability to limit message size
- Protection from common Web-based attacks, including Cross-site request forgery (CSRF), man-in-the-middle and message replay

Security Token Service
- Integrated SAML STS issuer featuring support for SAML 1.1/2.0 authentication, authorization and attribute based policies and Security Context Tokens
- STS support for WS-Trust and WS-Federation

Manage & Secure APIs

API Lifecycle
- APIs can be smoothly migrated between environments (i.e., from Dev to Test, East to West, etc.) with full dependency resolution and re-mapping
- Supports automatic API versioning including rollback to any previous version
- Global security settings, threat detection profiles, etc. can be reused across multiple APIs to save time and ensure consistency

SLA/Performance Control
- Enforce availability through throttling and/or rate limiting to ensure SLAs and QoS priorities
- Prioritize traffic to specific APIs based on SLAs
- Limit API access based on user, time of day, IP address, etc.
- Route traffic based on geography, IP address, back-end response times, etc. for optimum performance
- Integrated clustering for scalability & automatic failover between multiple instances of APIs/services
- Define custom data and identity caching parameters for optimal performance tuning

Threat Protection
- Powerful message content filtering and transformation tools help identify and suppress leakage of sensitive information (i.e. SSNs, credit card numbers, etc.)

Security and Compliance
- Layer 7's PCI-DSS installation and configuration guide allows customers to configure and deploy the API Proxy as part of a PCI-compliant process
- Support for multiple types of element or message level XML signing and encryption
- Protect against Cross-Site Scripting (XSS), SQL Injection, XML content/structural threats & viruses
- Create custom threat profiles to extend built-in filters for message structure and XML-specific threats
- Track failed authentications and/or policy violations to identify patterns and potential threats
- Validate HTTP parameters, REST query/POST parameters, JSON data structures, XML schemas, etc.

Supported Standards
XML, SOAP, REST, PCI-DSS, AJAX, XPath, XSLT, WSDL, XML Schema, LDAP, SAML, XACML, OAuth, PKCS, FIPS 140-2, Kerberos, X.509 Certificates, XML Signature, XML Encryption, SSL/TLS, SNMP, SMTP, POP3, IMAP4, HTTP/HTTPS, FTP/FTPS, MQ Series, JMS, Raw TCP, Tibco EMS, WS-Security, WS-Trust, WS-Federation, WS-Addressing, WS-SecureConversation, WS-I BSP, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WS-I, WSIL, UDDI, WSRR, MTOM, IPv6, WCF

To learn more about Layer 7 call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377. You can also email us at info@layer7.com; friend us on facebook.com/layer7; visit us at layer7.com, or follow us on twitter @layer7.
Copyright 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
