
Security & Anypoint platform

April 26th, 2019


Aaron Murphy – NA Alliance Director - Capgemini
Venkat Sharma – Principal Solutions Consultant

Today’s Agenda

6. Security & Anypoint Platform

• API security – OAuth 2.0, SAML, client id/secret, Single sign-on, Mutual authentication, etc. – Demo
• Perimeter security
• Edge Security – policy firewall, DoS, content attacks
• Tokenization – Data protection, Vaults, format preserving
• Encryption, Masking

All contents © MuleSoft Inc.


APIs Enable Businesses

Connect With Customers and Streamline Operations

An effective API can give existing and potential customers new reasons to interact with a business and connect with it on a personal level — and to share their experiences with others. *

* https://www.mulesoft.com/resources/api/connected-business-strategy


APIs Enable Businesses

Connect With Customers and Streamline Operations

• APIs expose sensitive data
• The attack surface is expanding
• APIs are the attack vector of choice for hackers to disrupt your service or gain access to private information
Modern Security Posture

• Security has changed from keeping the bad guys out and the good guys in, to TRUST NOBODY (zero-trust model). Insider threats are more prevalent than previously understood.
• Security by obscurity is unacceptable. Protection is about applying industry standards across layers of security and defense in depth (OWASP, SANS, NIST, PCI, ISACA, ISO27k).
• The strategy is no longer security by “no”, it is now security by “know”.

https://www.business.com/articles/cybersecurity-inside-outside-threats/


Applying Layers of Security

Categories
• @ the Platform – Datacenter security, penetration testing, static code review, response plans, etc.
• @ the Perimeter – Threats – Denial of Service, injection protection, etc.
• @ the Implementation – Secure By Design – Authorization & Identity (PKI, Federation, OpenID Connect), Contract Based protections
• @ the Data – integrity (cryptography), obfuscation (tokenization)



The social graph

[Figure: a social graph. Nodes: Anna, David, Jessica, movies, books, posting. Edge labels: friend, likes, commented on, created.]


The application network graph

[Figure: an application network graph. Nodes: customer onboarding, customer API, customer API spec, customer, OAuth policy, customer flow. Edge labels: calls, described by, offers, protected by, implemented by.]


Applying Layers of Security

[Figure: the four categories listed above (Platform, Perimeter, Implementation, Data), annotated with the label “Feedback Loops”.]




Anypoint Security: Layered Solution Overview

Anypoint Platform
• Operations
• Data Security
• Passwords and Credentials
• Facilities access and Network
• Secure Connectivity
• Data Sovereignty
• Third Party

Anypoint Edge Security (@Perimeter)
Construct multiple layers of defense with rapidly configured, policy-driven perimeter gateways. Easily isolate compromised nodes behind hardened, dedicated chokepoints.

Anypoint API Management and API Design Center (@Implementation)
Create new APIs and integrations from prebuilt API security fragments, patterns, and policies vetted by security experts.

Anypoint Tokenization (@Data)
Secure data in motion across the enterprise with automatic tokenization and encryption and reduce the risk of data breaches.
Ways to protect API

What is OAuth?

• “An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications”.
• A form of HTTP-based Single Sign On (SSO)
– Similar to SAML, OpenID, Kerberos.
• Primarily focused on Authorization, although it is commonly used for Authentication as well.


Before OAuth2

• Before OAuth
– You would have to provide your username and password to a third-party app.
– Apps store user’s passwords
– Apps get complete access to user’s account
– The only way users would be able to revoke access to the app is by changing the password
– Compromised apps expose user’s password
• Then came OAuth1
– OAuth1 standardized how different services implemented authorization
– But there were some limitations


OAuth2 Introduction

• Open standard for authorization
• Specifies how resource owners authorize third-party access to their server resources.
• Terminologies:
– Resource Owner: the API administrator
– Resource Server: the API
– Client: the third-party application
– Authorization Server: the server authorizing the client app to access the resources of the resource owner.


OAuth2 Architecture with Mule as provider

[Diagram: components are the client(s), API Portal, API Gateway proxy, API, OAuth Provider, API administrator, and a DB holding the Client Object (Key, Client id, Client Secret, Client Name, Description). Flow labels: Client(s) request access to API; API admin receives access request; Creates Client object in OAuth store; Provides client id and client secret; Requests token by passing client id/secret; Makes API call using token; Validates client token; If token is still valid, invokes API.]
OAuth2 – Client Authentication

1. The client application receives the client id and client secret from the BAC API administrator.
2. The client application sends an access token request, carrying its client id and client secret, to the OAuth provider application. If the credentials are valid, the OAuth provider returns an access token.

Sample Request:
  http://171.135.20.188:22107/bac/api/token?grant_type=client_credentials&client_id=5ab9af1544604f8da18f826401e760f6&client_secret=D9a6179Da5c64192Bc02963cdD69275f&scope=POST_RESOURCE

Sample response:
  {
    "access_token": "V60RAUK4KNzk_kjlAJNN50P1RNENgooxZLGZDXffWQDEaSWCqzL_avXga-dVrsyLqi13noFcuFacZdXBap0JZw",
    "scope": "POST_RESOURCE",
    "token_type": "bearer",
    "expires_in": 86400
  }

3. The client app sends a request to the API, appending the access token to the request.

Sample Request:
  http://171.135.20.188:22106/accounts?access_token=9LUukoZIjwucSBLTB6YoHyvY_JfjSBtIhNNbeVnFA3xD7fdmdZMDbKZQ8yz_Xnc7GVhnWYZhh5K0KshNOjyCfA

[Diagram: Client Application (www); DMZ with the Mule Gateway proxy and its OAuth token enforcement policy; Implementation tier with the OAuth Provider and the API; endpoints /access_token, /validate and /oauth; API administrator; DB holding the Client Object (Key, Client id, Client Secret, Client Name, Description). Steps are numbered 1 to 5.]
OAuth2 – Client Authentication (cont.)

4. The OAuth 2.0 token enforcement policy in the DMZ Mule Gateway intercepts the request and validates the token by making a validate token call to the OAuth provider.

Sample request the proxy makes:
  http://171.135.20.188:22108/validate?access_token=9LUukoZIjwucSBLTB6YoHyvY_JfjSBtIhNNbeVnFA3xD7fdmdZMDbKZQ8yz_Xnc7GVhnWYZhh5K0KshNOjyCfA

Sample response the proxy receives:
  {"expires_in":19239,"scope":"POST_RESOURCE","client_id":"5ab9af1544604f8da18f826401e760f6"}

If the token is invalid, the proxy receives a 401 Unauthorized response code.

5. If the access token is valid, the Mule proxy forwards the request to the API.

The API returns the response to the client app.
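The token issue, validate and enforcement steps above, modelled in memory as an added example (not code from the slides or from MuleSoft). The host names, client id and secret are constructed; the 403 scope check and the `redact_url` logging helper are assumptions added because the sample requests carry the secret and the token in the query string.

```python
"""Constructed, in-memory model of the slides' client-credentials flow (steps 2 to 5)."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_PARAMS = {"client_secret", "access_token"}


class OAuthProvider:
    """Stands in for the OAuth provider: issues tokens and answers validate calls."""

    def __init__(self, clock=time.time):
        self._clients = {}  # client_id -> (client_secret, set of allowed scopes)
        self._tokens = {}   # access_token -> (client_id, scope, expiry timestamp)
        self._clock = clock

    def register_client(self, client_id, client_secret, scopes):
        # The administrator's "Creates Client object in OAuth store" step.
        self._clients[client_id] = (client_secret, set(scopes))

    def issue_token(self, grant_type, client_id, client_secret, scope, ttl=86400):
        """Return the token response dict, or None when the request is rejected."""
        if grant_type != "client_credentials" or client_id not in self._clients:
            return None
        stored_secret, scopes = self._clients[client_id]
        # Constant-time comparison: response timing must not reveal a partial match.
        if not hmac.compare_digest(stored_secret.encode(), client_secret.encode()):
            return None
        if scope not in scopes:
            return None
        token = secrets.token_urlsafe(64)  # unguessable bearer token
        self._tokens[token] = (client_id, scope, self._clock() + ttl)
        return {"access_token": token, "scope": scope,
                "token_type": "bearer", "expires_in": ttl}

    def validate(self, access_token):
        """Return expires_in/scope/client_id, or None (the proxy's 401 case)."""
        entry = self._tokens.get(access_token)
        if entry is None:
            return None
        client_id, scope, expiry = entry
        remaining = int(expiry - self._clock())
        if remaining <= 0:
            del self._tokens[access_token]  # expired tokens are dropped
            return None
        return {"expires_in": remaining, "scope": scope, "client_id": client_id}


def enforce_token(provider, url, required_scope):
    """Gateway policy: validate the token on an incoming URL before forwarding.

    Returns (status, validation): 200 means "forward to the API", 401 is the
    slides' invalid-token case, 403 is an added scope check (assumption).
    """
    token = parse_qs(urlsplit(url).query).get("access_token", [""])[0]
    info = provider.validate(token) if token else None
    if info is None:
        return 401, None
    if info["scope"] != required_scope:
        return 403, None
    return 200, info


def redact_url(url):
    """Blank secrets and tokens carried in a query string before the URL is logged."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    provider = OAuthProvider()
    provider.register_client("demo-client", "demo-secret", ["POST_RESOURCE"])  # constructed
    resp = provider.issue_token("client_credentials", "demo-client",
                                "demo-secret", "POST_RESOURCE")
    call = "http://api.example.test/accounts?access_token=" + resp["access_token"]
    print(enforce_token(provider, call, "POST_RESOURCE")[0], redact_url(call))
```

URLs are routinely written to proxy, gateway and server access logs, which is why the redaction step sits next to the enforcement logic here.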


Anypoint Platform – External Identity Management

• Use an external Identity Store for Developers and Admin login
• Support SAML & OpenID Connect identity exchange protocol


SAML 2.0 Support as External Identity

Full Support
• Salesforce
• PingFederate (versions: 6, 7, 8)
• OpenAM (versions: 11, 12, 14)
• Okta

Work, but aren’t actively tested:
• Active Directory Federation Services (AD FS)
• Shibboleth
• OneLogin
• CA Single Sign-On
• SecureAuth


OpenID Connect Support as External Identity

Full Support
• Salesforce
• PingFederate (versions: 6, 7, 8)
• OpenAM (versions : 11, 12, 14)
• Okta



Anypoint Platform Provided Policies (1/2)

● Basic Authentication: LDAP: Establishes the configuration details for an Open LDAP or Active Directory LDAP that you set up for your enterprise.

● Basic Authentication: Simple: Protects the API by requiring username and password when calling apps make a request.

● Client ID Enforcement: Enforces the requirement that calls to the API include a valid client ID and client secret. See footnote.

● Cross-Origin Resource Sharing: Allows JavaScript XMLHttpRequest (XHR) calls executed in a web page to interact with resources from non-origin domains. CORS is a commonly implemented solution to the "same-origin policy" that is enforced by all browsers.

● Header Injection and Removal: Adds headers to the request/response of the message or removes headers.

● HTTP Caching: Provides a way to store HTTP responses from an API implementation or an API proxy for later reuse.

● IP Blacklist: Denies API calls from a defined set of IP addresses.

● IP Whitelist: Limits API calls to a defined set of IP addresses.

● JSON Threat Protection: Protects the target API against malicious JSON that could cause problems.

● Message Logging Policy: Logs a custom message with the information available between policies, proxy, or backend at any point of the execution.

● OAuth 2.0 Access Token Enforcement Using External Provider Policy: Configures the API so that its endpoints require a mandatory and valid OAuth 2.0 token.

● OpenAM Access Token Enforcement: Configures the API so that its endpoints require a mandatory and valid OpenAM token. This policy is only available to organizations using an OpenAM Federated Identity Management system.


Anypoint Platform Provided Policies (2/2)

● OpenID Connect Access Token Enforcement: Configures the API so that its endpoints require a mandatory and valid token. This policy is only available to organizations using an OpenID Connect Management system.

● PingFederate Access Token Enforcement: Configures the API so that its endpoints require a mandatory and valid PingFederate token. This policy is only available to organizations using a PingFederate Federated Identity Management system.

● Rate Limiting – SLA-Based: Limits the number of messages per time period processed by an API at a maximum value specified in the SLA tier. Any messages beyond the maximum are rejected. Enforcement is based on the client ID passed in the request. See footnote.

● Rate Limiting: Limits the number of messages processed by an API per time period at a maximum value specified in the policy. The rate limiting is applied to all API calls, regardless of the source. Any messages beyond the maximum are rejected.

● Simple Security Manager: Supports a placeholder security manager that can be configured with a hard-coded username and password for testing purposes.

● Spike Control Policy Reference: Smooths traffic by ensuring that within any given period of time, no more than the maximum configured requests are processed.

● Throttling – SLA-Based: Throttles the number of messages per time period processed by an API at a maximum value specified in the SLA tier. Any messages beyond the maximum are queued for later processing. Enforcement is based on the client ID passed in the request. See footnote.

● Throttling: Throttles the number of messages processed by an API per time period at a maximum value specified in the policy. The throttling is applied to all API calls, regardless of the source. Any messages beyond the maximum are queued for later processing.

● XML Threat Protection: Protects the target API against malicious XML that could cause problems.
Authentication and Authorization

Sample Client ID (API Key) enforcement policy

Out of the box API Policies for authentication and authorization
OAuth 2.0 Demo

1. API Design – Security Best Practices
2. Data In Movement – Security and Approach
3. Anypoint Platform Security & Compliance Model


Anypoint Security blueprint

API-Led single sign-on


Anypoint Platform - Data Traffic across the components

[Diagram: Customers / External Applications send Runtime Traffic to the Runtime Plane (CloudHub; AWS US, EU, SA, APAC) and, over IPSEC through firewalls, to the Runtime Plane (OnPrem). Both runtime planes send Metadata Traffic to the Control Plane (API Management; AWS US & EU).]
1 - How to design the APIs to maximize the agility, including security testing?
Anypoint Platform Runtime Traffic

• All external requests access the APIs directly without going through the Control Plane
• Multiple layers of APIs (API-Led Connectivity) to expose data and functions securely
• Certified against industry standard that sensitive data are not stored or manipulated by the runtime itself

[Diagram: Customer / External Application, Runtime Plane (CloudHub), Control Plane, and Runtime Plane (OnPrem) reached over IPSEC through firewalls.]
The API-led connectivity reminder

[Diagram: three API layers. Experience APIs: Mobile API, Web app API. Process APIs: Order status, Shipment status, Order history. System APIs: Toll shipments, UPS shipments, SAP customers, Salesforce customers. Also shown: Customers, Orders.]


Different Layer with different security concerns

- Layer used to create additional cross domains functions and to mesh up domains data
- Requires high level of security to avoid access for non authorized API Consumer, and only expose the data required by the authorized API consumer/end-user.
- In addition it must be protected with perimeter security such as SQL/JSON/XML injection protection and throttling/rate limit control.

- Layer used to create additional cross domains functions and to mesh up domains data
- Requires high level of security to avoid unauthorized access to enrich functions and data based on the authenticated user profile
- Requires testing to ensure the functions and data are exposed to the right Id profile from a functional perspective, aligned with the data in the system of records

- First line of defense to protect the system of records, throttling/rate limits are needed
- Requires high level of security to avoid unauthorized access to core data and functions (mainly CRUD) based on the authenticated user profile
- Requires testing to ensure the functions access are only allowed to authorized APIs, and the exposed data are returned based on Id profile and encrypted or tokenized
Security Considerations per each API layer

By Configuration
- Throttling/Rate Limit (for fair-usage or SLA)
- SQL/XML/JSON Injection protection
- Identify User (for role extraction)
By Design
- Control Logged Data & Level
- Data “ownership” per role
- Encrypt Data if needed

By Configuration
- IP Whitelist / 2-way SSL
- Identify User (for role extraction)
By Design
- Control Logged Data & Level
- Data “ownership” per role
- Encrypt Data if needed

By Configuration
- Throttling/Rate Limit (to protect backend systems)
- IP Whitelist / 2-way SSL
- Identify User (for role extraction)
- SQL/XML/JSON Injection protection
By Design
- Use Connector as much as possible (with built in security control)
- Control Logged Data & Level
- Data “ownership” per role
- Encrypt or Tokenize Data if needed
Testing Considerations per each API layer

By Configuration
- Throttling/Rate Limit (for fair-usage or SLA)
- SQL/XML/JSON Injection protection
- Identify User (for role extraction)
By Design
- Control Logged Data & Level
- Data “ownership” per role
- Encrypt Data if needed
Tests
- Security Test to ensure that the APIs only serve under the allowed throughput per API Consumer
- Security Test to ensure that the APIs are protected against SQL/XML/JSON injections
- Functional Test to ensure that the process operations only return the correct data set per API Consumer and per id profile
- Technical Test to ensure that the Logs are not too verbose and do not contain sensitive data
- Technical Test to ensure that the encrypted data are properly handled with the right key
- Technical Test to ensure the tokenized data integrity during mashup

By Configuration
- IP Whitelist / 2-way SSL
- Identify User (for role extraction)
By Design
- Control Logged Data & Level
- Data “ownership” per role
- Encrypt Data if needed
Tests
- Security Test to ensure that the APIs only serve requests from the allowed APIs
- Functional Test to ensure that the process operations are aligned with the system of records and only return the correct data set per id profile
- Technical Test to ensure that the Logs are not too verbose and do not contain sensitive data
- Technical Test to ensure that the encrypted data are properly handled with the right key
- Technical Test to ensure the tokenized data integrity during mashup

By Configuration
- Throttling/Rate Limit (to protect backend systems)
- IP Whitelist / 2-way SSL
- Identify User (for role extraction)
- SQL/XML/JSON Injection protection
By Design
- Use Connector as much as possible (with built in security control)
- Control Logged Data & Level
- Data “ownership” per role
- Encrypt or Tokenize Data if needed
Tests
- Security Test to ensure that the APIs only serve requests from the allowed APIs & under the allowed throughput
- Security Test to ensure that the APIs are protected against SQL/XML/JSON injections
- Functional Test to ensure that the CUD operations are aligned with the system of records
- Functional Test to ensure that the R operation only returns the correct data set per id profile
- Technical Test to ensure that the Logs are not too verbose and do not contain sensitive data
- Technical Test to ensure that the encrypted or tokenized data are properly handled
Top Ten OWASP Implementation Recommendation

A1. Injection
• Use Database Connector “Parameterized” Mode if the API implementation is MuleSoft based
• Use SQL Injection Policy to protect non-secure API implementation

A2. Broken Authentication and Session Management
• Use any 3rd party or MuleSoft provided OAuth provider to manage sessions
• Use the out-of-the-box OAuth Access Token enforcement policies to protect the API Access
• Implement stateless API

A3. Sensitive Data Exposure
• Enforce SSL for data in flight
• Tokenize in flight and to be stored data using an external Tokenization Server
• In case of open API, adopt the 2-layers API approach to allow internal API (datacenter with sensitive data) to call out external API (public) using caching, in order to avoid direct inbound network requests to the private data center

A4. XML External Entity (XXE)
• Disable XXE in XML Parser (disabled by default in MuleSoft)
• Use out-of-the-box XML Threat Protection Policy

A5. Broken Access Control
• Use LDAP Authorization Policy to restrict access at the User level
• Use IP Whitelist/Blacklist Policies to restrict access at the System level

A6. Security Misconfiguration
• Use MuleSoft Credential Vault to encrypt all servers/credentials information

A7. Cross Site Scripting (XSS)
• Use IP Whitelist to restrict API access at the System Level
• Use Cross Site Scripting policy for GET requests
• Use CORS, JSON Threat and/or XML Threat policies

A8. Insecure Deserialization
• MuleSoft is largely Spring-based and Spring has hardened its susceptible classes
• Enable SSL
• Use IP Whitelist to restrict API access at the System Level

A9. Using Components with Known Vulnerabilities
• Use only approved enterprise libraries
• Subscribe to MuleSoft monthly newsletter
• Use a static code scanning tool to scan the code

A10. Insufficient Logging and Monitoring
• Use MuleSoft Runtime Manager for System Level Logging, API Analytics for Usage Level Logging and Insight for Functional Level Logging
• Use Splunk or ELK to aggregate MuleSoft or external systems logs for further in depth analysis


2 – How to maximize the Data Security in Movement?

Transport Level Security

Public facing APIs that serve external customers and applications via HTTPS or S/FTP.

Mainly HTTPS driven, via VPC Peering that allows the isolation of the Process APIs, which can only be accessed via the specific Experience APIs. It acts as a firewall between the public facing zone

Mainly HTTPS driven, via a secure VPC IPSec Tunnel connection to call internal System APIs that expose the core domain data and functions.

By unifying the access through HTTPS, an organization can better control the access with a modern, lightweight, and non-persistent protocol that allows throttling and a fine-grained ACL model, compared to other protocols such as JMS.

Native protocol to access the internal systems from the System APIs.

[Diagram: Customers / External Applications send Runtime Traffic to the Runtime Plane (CloudHub; AWS US, EU, SA, APAC), which reaches the Runtime Plane (OnPrem) over IPSEC through a firewall.]
Virtual Private Cloud (VPC)

• The Virtual Private Cloud (VPC) offering allows you to virtually create a private and isolated network in the cloud to host workers
• Choose to use this isolated network as it best suits your needs
– Host your applications in a VPC and take advantage of its load balancer
  • Defining a custom load balancer is possible
– Configure your own firewall rules for your VPC
– Connect your VPC to your corporate intranet
  • whether on-premises or in other clouds
  • via a VPN connection as if they were all part of a single, private network
– Set a private DNS server so the workers hosted in a VPC communicate with your internal network using your private host names


VPC connectivity methods

• Public internet
– Default connectivity to CloudHub VPC
• VPN tunnel with network-to-network configuration
– Connects a (sub)network to a CH VPC with an IPSec VPN connection
• VPC Peering
– Connect an Amazon VPC directly to a CloudHub VPC
• CloudHub Direct Connect
– Create a hosted virtual interface to a CloudHub VPC in case of an existing Amazon VPC using Amazon Direct Connect


Data Movement Patterns
Transport Level Only (TLS)

• “https” all the way between the APIs
• All data are encrypted during the movement, but the API implementation still gets the data in clear

[Diagram: two columns, Synchronous API Call and Asynchronous Batch Execution. Every hop between APIs uses https with an api key and carries the value "abc" in clear; the final hop to the data store uses jdbc and also carries "abc".]


Data Movement Patterns
Transport Level + Message Level Encryption/Signature

• “https” all the way between the APIs
• The messages are further encrypted at the API implementation level to provide more advanced security
• The messages can also be signed to prove the request authenticity
• API might need to be able to decrypt and re-encrypt the data in case further transformation/mash-up is required

[Diagram: two columns, Synchronous API Call and Asynchronous Batch Execution. The value "abc" enters over https; between APIs (https with an api key) it travels as ciphertext such as "#y2!f", "l*94", "ats1%" and "y1$x"; the final jdbc hop carries "abc".]


Anypoint Enterprise Security

• Collection of security features that enforce secure access to information in Mule applications
• Provides various methods for applying security to Mule applications
• Requires an Enterprise license
• Add-on module that needs to be installed in Anypoint Studio
• Consists of 6 modules
• Suitable for both customer-hosted and CloudHub applications


Enterprise Security modules

• Mule Filter Processor
– Compares messages with filter criteria before processing
– Filter by IP/timestamp features are available
• Mule Credentials Vault
– Encrypts the property file
– Flow can access the data from property files
• Mule Message Encryption Processor
– Encrypt or Decrypt part of messages or entire payload
– JCE Encrypter, XML Encrypter, PGP Encrypter
• Mule Secure Token Service (STS) OAuth 2.0a Provider
– Security for REST service provider/consumer
• Mule Digital Signature Processor
– Ensure the integrity and authenticity of the message source
• Mule CRC32 processor
– Cyclic redundancy check (CRC) to messages to ensure message integrity


Data Movement Patterns
Transport Level + Message Tokenization in transit

• “https” all the way between the APIs
• The messages are tokenized by the System APIs, and will transit to other APIs as a token
• Other APIs can use the token for data mapping or master/detail mapping without any extra detokenization step

[Diagram: two columns, Synchronous API Call and Asynchronous Batch Execution. The value "abc" appears at the outer https hop; between APIs (https with an api key) it travels as the token "a57"; Anypoint Security Tokenization sits before the final jdbc hop, which carries "abc".]


Data Movement Patterns
Transport Level + Message Tokenization at Rest

• “https” all the way between the APIs
• The data at rest will go through a bootstrapping phase, to turn all the as a token
• Other APIs can use the token for data mapping or master/detail mapping without any extra detokenization step

[Diagram: two columns, Synchronous API Call and Asynchronous Batch Execution. The value "abc" appears at the outer https hop; between APIs (https with an api key) it travels as the token "a57"; Anypoint Security Tokenization sits before the final jdbc hop, which also carries "a57".]


Anypoint Security - Tokenization Overview

Format Preserving Tokenization (Edge tokenization policy)
• Application data validation logic work “as is”
• No downstream application changes needed
• Compliance scope reduction (PCI, HIPAA, GDPR)
Example (Preserve – Last 4 of CC #):
  Credit Card #: 4111-1111-1111-1111
  Token Value: 3594-6249-5432-1111

Format Preserving Encryption (Edge encryption / decryption policy)
• Information anonymization
• Analytics without exposing sensitive data
Example (Encrypt / Decrypt Email and Phone #):
  Before: {"Name":"MuleSoft Encryption Demo", "Email":"encryptiondemo@mulesoft.com", "Company":"MuleSoft", "PhoneNumber":"1234567890"}
  After: {"Name":"MuleSoft Encryption Demo", "Email":"4-f6vTf-IITLh1@L7Pw9-g6RfPa", "Company":"MuleSoft", "PhoneNumber":"0878087072"}

Data Masking (Edge data masking policy)
• Sensitive data obfuscation
• One way process: Cannot get original value back
Example (Mask Account and Phone #’s):
  Before: {"Account #":"12345678900987", "Email":"maskingdemo@mulesoft.com", "Company":"MuleSoft", "PhoneNumber":"1234567890"}
  After: {"Account #":"1234567890####", "Email":"maskingdemo@mulesoft.com", "Company":"MuleSoft", "PhoneNumber":"*******456"}
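The difference between reversible format-preserving tokenization and one-way masking, as an added example (not MuleSoft's implementation; the slides do not describe the product's algorithm). The vault-based design, the class and function names and the "Card" field are assumptions; the card and account numbers are the slide's sample values.

```python
"""Constructed sketch: vault-style tokenization next to one-way masking."""
import secrets


class TokenVault:
    """Vault-style tokenizer (assumption): random digits, same layout, last N kept."""

    def __init__(self, keep_last=4):
        self.keep_last = keep_last
        self._token_for = {}  # original value -> token
        self._value_for = {}  # token -> original value

    def tokenize(self, value):
        # Same input always yields the same token, so downstream APIs can join
        # or map on the token without detokenizing.
        if value in self._token_for:
            return self._token_for[value]
        digits = [c for c in value if c.isdigit()]
        n_random = len(digits) - self.keep_last
        if n_random < 1:
            raise ValueError("value has too few digits to tokenize")
        while True:
            fresh = [str(secrets.randbelow(10)) for _ in range(n_random)]
            stream = iter(fresh + digits[n_random:])
            # Only digits are replaced; separators stay put so format checks still pass.
            token = "".join(next(stream) if c.isdigit() else c for c in value)
            # Retry on the rare clash with the input, another token, or a stored value.
            if token != value and token not in self._value_for \
                    and token not in self._token_for:
                break
        self._token_for[value] = token
        self._value_for[token] = value
        return token

    def detokenize(self, token):
        """Only the vault can reverse a token; unknown tokens raise KeyError."""
        return self._value_for[token]


def mask_tail(value, count, fill="#"):
    """One-way masking: overwrite the last `count` characters; nothing is stored."""
    if count <= 0:
        return value
    return value[:-count] + fill * min(count, len(value))


def protect_record(record, vault, tokenize_fields=(), mask_fields=None):
    """Apply a field-level policy to a flat record and return a protected copy."""
    mask_fields = mask_fields or {}
    out = dict(record)
    for name in tokenize_fields:
        if name in out:
            out[name] = vault.tokenize(out[name])
    for name, count in mask_fields.items():
        if name in out:
            out[name] = mask_tail(out[name], count)
    return out


if __name__ == "__main__":
    vault = TokenVault()
    record = {"Account #": "12345678900987", "Card": "4111-1111-1111-1111"}
    print(protect_record(record, vault, ["Card"], {"Account #": 4}))
```

The vault's mapping table is the sensitive asset in this design: whoever can read it can reverse every token, whereas a masked value cannot be recovered from any store.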


3 – What level of native security/compliance Anypoint Platform provides for the Runtime & Control Planes?
Compliance Level – By MuleSoft
Regarding the handling of Sensitive Data at Rest & Penetration Test

• Control Plane compliance
– FIPS 140-2
– ISO27001
– SSAE 16 SOC 2
– PCI-DSS Level 1
– HiTrust (HIPAA/HiTECH)
– GDPR Ready
• Runtime Plane (CloudHub)
– FIPS 140-2
– SSAE 16 SOC 2
– PCI-DSS Level 1
– HiTrust (HIPAA/HiTECH)
• Runtime Plane (OnPrem)
– FIPS 140-2
– PCI-DSS Level 1
– HiTrust (HIPAA/HiTECH)


Compliance Level – By AWS as IaaS Provider
Regarding Sensitive Data at Rest, Penetration Test and Physical Data Center Protection

• ISO 27001
• PCI-DSS Level 1
• DIACAP Level 2 for DoD systems
• SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
• SOC 2
• ITAR


Communication between Runtime and Control Planes

• 2-way TLS between each Runtime and the Control Plane
– OnPrem: using “amc_setup” to register the runtime into the Control Plane automatically establishes the handshaking process
– CloudHub/RTF: the deployment of APIs as a container automatically establishes the handshaking process
• Only Metadata are uploaded:
– System logs
– CPU usage
– Memory usage
– Performance metrics…
• Application Logs:
– Log setting in CloudHub is overwritten by MuleSoft to avoid logging of sensitive data. Customer can request to disable the default logging, but then the Customer will be responsible for the compliance check

[Diagram: Metadata Traffic passing through a firewall between the runtimes and the Control Plane.]