#6security AnypointPlatform PDF

Security & Anypoint platform
April 26th, 2019

Aaron Murphy– NA Alliance Director - Capgemini
Venkat Sharma– Principal Solutions Consultant
Today’s Agenda
6. Security & Anypoint Platform
API security – OAuth 2.0, SAML, clientid/secret, Single sign-on, Mutual authentication etc-Demo ·
Perimeter security
Edge Security – policy firewall, Dos, content attacks
Tokenization – Data protection, Vaults, format preserving
Encryption, Masking
All contents © MuleSoft Inc.

APIs Enable Businesses
Connect With Customers and Streamline Operations
An effective API can give existing and potential customers

new reasons to interact with a business and connect with it
on a personal level — and to share their experiences with
others. *
* https://www.mulesoft.com/resources/api/connected-business-strategy
All contents © MuleSoft Inc. 3

APIs Enable Businesses
Connect With Customers and Streamline Operations

§ APIs expose sensitive data
§ The attack surface is expanding
§ APIs are the attack vector of choice

for hackers to disrupt your service or
gain access to private information

Modern Security Posture
§ Security has changed from keeping the

bad guys out and the good guys in, to
TRUST NOBODY (zero-trust model).
Insider Threats are more prevalent than
previously understood
§ Security by Obscurity is unacceptable.

Protection is about applying industry
standards across layers of security and
defense in depth (OWASP, SANS, NIST,
PCI, ISACA ISO27k)
https://www.business.com/articl
§ The strategy is no longer security by “no”, es/cybersecurity-inside-outside-
it is now security by ”know” threats/

Applying Layers of Security
Categories
• @ the Platform – Datacenter security,
penetration testing, static code review,
response plans, etc
• @ the Perimeter – Threats – Denial of
Service, injection protection, etc
• @ the Implementation – Secure By
Design – Authorization & Identity (PKI,
Federation, openid connect), Contract
Based protections
• @ the Data- integrity (cryptography),
obfuscation (tokenization)

Categories
response plans, etc
Based protections

Categories
response plans, etc
Based protections

The social graph
Anna David
frie nd
nd
frie
es
like
lik
comm
Jessica
s
likes
ented
d
movies
a te
books
cre
on
posting

The application network graph
customer API spec

onboarding d by
d escribe
ls
cal
customer API
offers protec
ted by
customer implemen
ted by OAuth policy
customer flow

Categories
response plans, etc
• @ the Perimeter – Threats –s Denial of
o p etc
Service, injection protection,
L o
• @ the Implementation
c k – Secure By
ba
d
Federation,ee
openid connect), Contract
F
Based protections

Categories
response plans, etc
Based protections

Anypoint Security: Layered Solution Overview
Anypoint Edge Anypoint API Anypoint

Anypoint Security Management and Tokenization
Platform @Perimeter API Design Center @Data
@Implementation
• Operations Construct Create new Secure

• Data multiple APIs and data in
Security layers of
defense with integrations motion
• Passwords rapidly from prebuilt across the
and configured, API security enterprise
Credentials policy-driven fragments, with
• Facilities perimeter
access automatic
gateways. E tokenizatio
and Network asily isolate patterns, and n and
• Secure compromise policies vetted encryption
Connectivity d nodes by security and reduce
• Data behind
hardened, experts. the risk of
Sovereignty dedicated data
• AllThird
contents ©Party
MuleSoft Inc.
chokepoints. breaches. 14
Ways to protect API
What is OAuth ?
• “An open protocol to allow secure authorization in

simple and standard method from web, mobile and
desktop applications”.
• A form of HTTP-based Single Sign On (SSO)

– Similar to SAML , OpenID, Kerberos.
• Primarily focused on Authorization , although it is

commonly used for Authentication as well.

Before OAuth2
• Before OAuth
– You would have to provide your username and
password to third-party app.
– Apps store user’s passwords
– Apps get complete access to user’s account
– Only way users would be able to revoke access to the
app is by changing password
– Compromised apps expose user’s password
• Then cames OAuth1
– OAuth1 standardized how different services
implemented authorization
– But there were some limitations

OAuth2 Introduction
• Open standard to authorization

• Specifies how resource owners authorizes third-party
access to their server resources.
• Terminologies:
• Resource Owner : the API administrator
• Resource Server : the API
• Client: The third party application
• Authorization Server: The server authorizing the client app to
access the resources of the resource owner.

Oauth2 Architecture with Mule as provider
API
Portal API
1
o API AP
I
cess t es
u est ac o k
t(s) req i nv
Clien lid,
ti l l va
8 s
o ken
If t
6
API proxy
Makes API call using token Gateway
Va
lida
tes
clie
n t to
ken
Requ 7
es
Provides client id and client secret
ts tok
en by
t
es
passin
u
g clie
eq
ntid/
sr
4 secre
s
t
ce
ac
PI
sA
ive
ce
re
Oauth
2
in
Provider
dm
Ia
AP
3
Creates Client object in OAuth store
API administrator
Client Object
Key
Client id
Client Secret
Client Name
DB
Description
OAuth2 -Client Authentication
Client
1. The client application, receives client id and client secret from BAC API Aplication
administrator.
2. Client application sends a access token request to the OAuth provider www
1
application to retrieve client id, client secret. If valid credentials , then Oauth
provider returns access token. 2
3
Sample Request:
http://171.135.20.188:22107/bac/api/
token?grant_type=client_credentials&client_id=5ab9af1544604f8da18f82640 DMZ
1e760f6&client_secret=D9a6179Da5c64192Bc02963cdD69275f&scope=POST Mule Gateway
_RESOURCE proxy
OAuth token enforcement policy
/access_token
Sample response:
{
"access_token":
"V60RAUK4KNzk_kjlAJNN50P1RNENgooxZLGZDXffWQDEaSWCqzL_avXga- Implementation tier 4 5
dVrsyLqi13noFcuFacZdXBap0JZw", /validate
"scope": "POST_RESOURCE",
"token_type": "bearer",
"expires_in": 86400 Oauth
API
Provider
} /oauth
3.Client app sends a request to the API, appending the access token to the API administrator
request API
Sample Request:
http://171.135.20.188:22106/
accounts?access_token=9LUukoZIjwucSBLTB6YoHyvY_JfjSBtIhNNbeVnFA3xD7
fdmdZMDbKZQ8yz_Xnc7GVhnWYZhh5K0KshNOjyCfA Client Object
Key
Client id
Client Secret
Client Name
DB
Description
OAuth2– Client Authentication(cont)
Client
Aplication
www
4. The OAuth 2.0 token enforcement policy in DMZ Mule Gateway, 1
intercepts the request and validates the token by making validate
2
token call to OAuth provider. 3
Sample request the proxy makes :

http://171.135.20.188:22108/ DMZ
validate?access_token=9LUukoZIjwucSBLTB6YoHyvY_JfjSBtIhNNbe Mule Gateway
proxy
OAuth token enforcement policy
VnFA3xD7fdmdZMDbKZQ8yz_Xnc7GVhnWYZhh5K0KshNOjyCfA /access_token
Sample response the proxy receives:

{"expires_in":19239,"scope":"POST_RESOURCE",
4
"client_id":"5ab9af1544604f8da18f826401e760f6"} Implementation tier 5
/validate
If invalid token proxy receives 401 unauthorized response code
Oauth
API
5. If the access token is valid, the mule proxy forwards the request /oauth
Provider
to the API.
API administrator
The API returns the response to the client app.
Client Object
Key
Client id
Client Secret
Client Name
DB
Description

Anypoint Platform – External Identity Management
• Use an external Identity Store for Developers and Admin login

• Support SAML & OpenID Connect identity exchange protocol

SAML 2.0 Support as External Identity
Full Support
• Salesforce
• PingFederate (versions: 6, 7, 8)
• OpenAM (versions : 11, 12, 14)
• Okta
Work, but aren’t actively tested:

• Active Directory Federation Services (AD FS)
• Shibboleth
• onelogin
• CA Single Sign-On
• SecureAuth

OpenID Connect Support as External Identity
Full Support
• Salesforce
• PingFederate (versions: 6, 7, 8)
• OpenAM (versions : 11, 12, 14)
• Okta

Anypoint Platform Provided Policies (1/2)
● Basic Authentication: LDAP: Establishes the configuration details for an Open LDAP or Active Directory LDAP that you set up for your
enterprise.
● Basic Authentication: Simple: Protects the API by requiring username and password when calling apps make a request.
● Client ID Enforcement: Enforces the requirement for calls to the API must include a valid client ID and client secret. See footnote.
● Cross-Origin Resource Sharing: Allows JavaScript XMLHttpRequest (XHR) calls executed in a web page to interact with resources from
non-origin domains. CORS is a commonly implemented solution to the "same-origin policy" that is enforced by all browsers.
● Header Injection and Removal: Adds headers to the request/response of the message or removes headers.
● HTTP Caching: Provides a way to store HTTP responses from an API implementation or an API proxy for later reuse.
● IP Blacklist: Denies API calls from a defined set of IP addresses.
● IP Whitelist: Limits API calls to a defined set of IP addresses.
● JSON Threat Protection: Protects the target API against malicious JSON that could cause problems.
● Message Logging Policy: Logs a custom message with the information available between policies, proxy, or backend in any point of the
execution.
● OAuth 2.0 Access Token Enforcement Using External Provider Policy: Configures the API so that its endpoints require a mandatory
and valid OAuth 2.0 token.
● OpenAM Access Token Enforcement: Configures the API so that its endpoints require a mandatory and valid OpenAM token. This policy is
only available to organizations using an OpenAM Federated Identity Management system.

Anypoint Platform Provided Policies (2/2)
● OpenID Connect Access Token Enforcement: Configures the API so that its endpoints require a mandatory and valid token.
This policy is only available to organizations using an OpenID Connect Management system.
● PingFederate Access Token Enforcement: Configures the API so that its endpoints require a mandatory and valid PingFederate
token. This policy is only available to organizations using a PingFederate Federated Identity Management system.
● Rate Limiting – SLA-Based: Limits the number of messages per time period processed by an API at a maximum value specified
in the SLA tier. Any messages beyond the maximum are rejected. Enforcement is based on the client ID passed in the request.
See footnote.
● Rate Limiting: Limits the number of messages processed by an API per time period at a maximum value specified in the policy.
The rate limiting is applied to all API calls, regardless of the source. Any messages beyond the maximum are rejected.
● Simple Security Manager: Supports a placeholder security manager that can be configured with a hard-coded username and
password for testing purposes.
● Spike Control Policy Reference: Smooths traffic by ensuring that within any given period of time, no more than the maximum
configured requests are processed.
● Throttling -SLA-Based: Throttles the number of messages per time period processed by an API at a maximum value specified in
the SLA tier. Any messages beyond the maximum are queued for later processing. Enforcement is based on the client ID passed in
the request. See footnote.
● Throttling: Throttles the number of messages processed by an API per time period at a maximum value specified in the policy.
The throttling is applied to all API calls, regardless of the source. Any messages beyond the maximum are queued for later
processing.
●All contents © MuleSoft Inc.

XML Threat Protection: Protects the target API against malicious XML that could cause problems. 26
Authentication and Authorization
Sample Client ID (API Key)

enforcement policy
Out of the box API Policies for

authentication and authorization
Oauth 2.0 Demo
1. API Design – Security Best Practices
2. Data In Movement – Security and Approach
3. Anypoint Platform Security & Compliance Model

Anypoint Security blueprint

API-Led single sign-on

Anypoint Platform - Data Traffic across the components
Customers /External Applications Runtime Plane (CloudHub) Control Plane (API Management)
Runtime Traffic Metadata Traffic
AWS (US & EU)
AWS (US, EU, SA, APAC)
IPSEC
Firewall Firewall
Metadata Traffic
Runtime Plane (OnPrem)

1 - How to design the APIs to maximize the agility, including security
testing?
AWS (US & EU)
IPSEC
Firewall Firewall
Metadata Traffic

Anypoint Platform Runtime Traffic
Customer /External Application Runtime Plane (CloudHub) Control Plane
• All external requests access

directly the APIs without going
through the Control Plane
IPSEC
Firewall
• Multiple
Firewall
layer of APIs (API-Led
Connectivity) to expose data
and functions securely
• Certified against industry

standard that sensitive data
are not stored or manipulated
by the runtime itself

The API-led connectivity reminder
Mobile API Web app API Experience

APIs
Order
status
Shipment Order Process
status history APIs
Customers
Orders
System
Toll UPS SAP Salesforce
shipments shipments customers customers APIs

Different Layer with different security concerns
- Layer used to create additional cross domains
functions and to mesh up domains data
- Requires high level of security to avoid

access for non authorized API Consumer,
and only expose the data required by the
authorized API consumer/end-user.
- In addition it must be protected with

perimeter security such as SQL/JSON/XML
injections and throttling/rate limit control.
- Layer used to create additional cross domains

functions and to mesh up domains data

unauthorized access to enrich functions
and data based on the authenticated user
profile
- Required testing to ensure the functions

and data are exposed to the right Id profile
from a functional perspective, aligned with
the data in the system of records
- First line of defense to protect the system of

records, throttling/rate limit are need

unauthorized access to core data and
functions (mainly CRUD) based on the
authenticated user profile
- Requires testing to ensure the functions

access are only allowed to authorized
APIs, and the exposed data are returned
by on Id profile and encrypted or tokenized
Security Considerations per each API layer
By Configuration
- Throttling/Rate Limit (for fair-usage or SLA)
- SQL/XML/Json Injection protection
- Identify User (for role extraction)
By Design
- Control Logged Data & Level
- Data ”ownership” per role
- Encrypt Data if needed
By Configuration
- IP Whiltelist / 2-way SSL
By Design
By Configuration
- Throttling/Rate Limit (to protect backend
systems)
- SQL/XML/Json Injection protection
By Design
- Use Connector as much as possible (with
built in security control)
- Encrypt or Tokenize Data if needed
Testing Considerations per each API layer
By Configuration
- Throttling/Rate Limit (for fair-usage or SLA) - Security Test to ensure that the APIs only serve under the allowed throughput per API
- SQL/XML/Json Injection protection Consumer
- Security Test to ensure that the APIs are protected against SQL/XML/JSON injections
By Design - Functional Test to ensure that the process operations only return the correct data set per API
- Control Logged Data & Level Consumer and per id profile
- Encrypt Data if needed - Technical Test to ensure that the Logs are not too verbose and with sensitive data
- Technical Test to ensure that the encrypted data are properly handled with the right key
- Technical Test to ensure that the tokenized data integrity during mashup
By Configuration
- Security Test to ensure that the APIs only serve requests from the allowed APIs
By Design - Functional Test to ensure that the process operations are aligned with the system of records
- Control Logged Data & Level and only return the correct data set per id profile
- Technical Test to ensure that the Logs are not too verbose and with sensitive data
- Technical Test to ensure that the encrypted data are properly handled with the right key
Technical Test to ensure that the tokenized data integrity during mashup
By Configuration
- Throttling/Rate Limit (to protect backend - Security Test to ensure that the APIs only serve requests from the allowed APIs & under the
systems) allowed throughput
- Identify User (for role extraction) - Security Test to ensure that the APIs are protected against SQL/XML/JSON injections
- SQL/XML/Json Injection protection - Functional Test to ensure that the CUD operations are aligned with the system of records
By Design
- Functional Test to ensure that the R operation only return correct data set per id profile
- Use Connector as much as possible (with
built in security control) - Technical Test to ensure that the Logs are not too verbose and with sensitive data
- Control Logged Data & Level - Technical Test to ensure that the encrypted or tokenized data are properly handled
- Encrypt or Tokenize Data if needed
Top Ten OWASP Implementation Recommendation
A1. Injection • Use Database Connector “Parameterized” Mode id the API implementation is MuleSoft based
• Use SQL Injection Policy to protect non-secure API implementation
A2. Broken Authentication • Use any 3rd party or MuleSoft provided OAuth provider to manage sessions
and Session Management • Use the out-of-the box OAuth Access Token enforcement policies to protect the API Access
• Implement stateless API
A3. Sensitive Data • Enforce SSL for data in flight

Exposure • Tokenize in flight and to be stored data using an external Tokenization Server
• In case of open API, adopt the 2-layers API approach to allow internal API (datacenter with sensitive
data) to callout external API (public) using caching, in order to avoid directly inbound network request
to the private data center
A4. XML External Entity • Disable XXE in XML Parser (disabled by default in MuleSoft)
(XXE) • Use out-of-the-box XML Threat Protection Policy
A5. Broken Access Control • Use LDAP Authorization Policy to restrict access at the User level
• Use IP Whitelist/Blacklist Policies to restrict access at the System level

Top Ten OWASP Implementation Recommendation
A6. Security • Use MuleSoft Credential Vault to encrypt all servers/credentials information
Misconfiguration
A7. Cross Site Scripting • Use IP Whitelist to restrict API access at the System Level
(XSS) • Use Cross Site Scripting policy for GET requests
• Use CORS, JSON Threat and/or XML Threat policies
A8. Insecure • MuleSoft is largely Spring-based and Spring has hardened its susceptible classes
Deserialization • Enable SSL
• Use IP Whitelist to restrict API access at the System Level
A9. Using Components • Use only approved enterprise libraries

with Known • Subscribe to MuleSoft monthly newsletter
Vulnerabilities • Using static code scanning tool to scan the code
A10. Insufficient Logging • Use MuleSoft Runtime Manager for System Level Logging, API Analytics for Usage Level Logging and
and Monitoring Insight for Functional Level Logging
• Use Splunk or ELK to aggregate MuleSoft or external systems logs for further in depth analysis

Agenda

AWS (US & EU)
IPSEC
Firewall Firewall
Metadata Traffic

2 – How to maximize the Data Security in Movement?
AWS (US & EU)
IPSEC
Firewall Firewall
Metadata Traffic

Transport Level Security
Customers /External Applications Runtime Plane (CloudHub) Mainly HTTPS driven, via VPC Peering that
allows the isolation of the Process APIs and can
only be access via the specific Experience APIs
It acts as a firewall between the public facing

zone
Runtime Traffic
Mainly HTTPS driven, via a secure VPC IPSec

Tunnel connection to call internal System
APIs that expose the core domain data and
AWS (US, EU, SA, APAC) functions.
By unified the access through HTTPS,

organization can better control the access with a
modern, lightweight, and non-persistent
protocol, that allows throttling, fine-grained ACL
model, compared to other protocol such as JMS
IPSEC
Public facing APIs that serves external
customer and applications via HTTPS Firewall or S/FTP.
Native protocol to access the internal systems

from the System APIs.
Virtual Private Cloud (VPC)
•The Virtual Private Cloud (VPC) offering allows you to virtually create a private and
isolated network in the cloud to host workers
•Choose to use this isolated network as it best suites your needs

– Host your applications in a VPC and take advantage of its load balancer
• Defining a custom load balancer is possible
– Configure your own firewall rules for your VPC
– Connect your VPC to your corporate intranet
• whether on-premises or in other clouds
• via a VPN connection as if they were all part of a single, private network
– Set a private DNS server so the workers hosted in a VPC communicate with your internal network
using your private host names

VPC connectivity methods
•Public internet
– Default connectivity to CloudHub VPC
•VPN tunnel with network-to-network configuration

– Connects a (sub)network to a CH VPC with an IPSec VPN connection
•VPC Peering
– Connect an Amazon VPC directly to a CloudHub VPC
•CloudHub Direct Connect

– Create a hosted virtual interface to a CloudHub VPC in case of an existing Amazon VPC using Amazon Direct Connect

Data Movement Patterns
Transport Level Only (TLS)
Synchronous Asynchronous
API Call Batch Execution • “https” all the way between the APIs
• All data are encrypted during the movement,

https ”abc” https ”abc” but the API implementation still get the data in
clear
https ”abc” https

api key ”abc”
api key
https ”abc” https ”abc”

api key api key
jdbc jdbc
”abc” ”abc”

Transport Level + Message Level Encryption/Signature
• The messages are further encrypted at the API

https ”abc” https ”abc” implementation level to provide more
advanced security
https ”#y2!f” https

api key ”l*94”
api key
• The messages can also be signed to prove the
request authenticity
https ”ats1%” https ”y1$x”
api key api key
• API might need to be able to decrypt and re-

jdbc jdbc encrypt the data in case further
transformation/mash-up is required
”abc” ”abc”

Anypoint Enterprise Security
•Collection of security features that enforce secure access to

information in Mule applications
•Provides various methods for applying security to Mule applications
•Requires an Enterprise license
•Add-on module that needs to be installed in Anypoint Studio
•Consists of 6 modules
•Suitable for both customer-hosted and CloudHub applications

Enterprise Security modules
•Mule Filter Processor

– Compares messages with filter criteria before processing
– Filter by IP/timestamp features are available
•Mule Credentials Vault

– Encrypts the property file
– Flow can access the data from property files
•Mule Message Encryption Processor

– Encrypt or Decrypt part of messages or entire payload
– JCE Encrypter, XML Encrypter, PGP Encrypter

Enterprise Security modules
•Mule Secure Token Service (STS) OAuth 2.0a Provider

– Security for REST service provider/consumer
•Mule Digital Signature Processor

– Ensure the integrity and authenticity of the message source
•Mule CRC32 processor

– Cyclic redundancy check (CRC) to messages to ensure message integrity

Transport Level + Message Tokenization in transit
• The messages are tokenized by the

System APIs, and will transit to
other APIs as a token
https https
api key
”a57”
api key
”a57” • Other APIs can use the token for
data mapping or master/detail
mapping without any extra
https ”a57” https ”a57”
detokenization step
api key api key
Anypoint Security
Tokenization
jdbc jdbc
”abc” ”abc”

Transport Level + Message Tokenization at Rest
• The data at rest will go through a

bootstrapping phase, to turn all the
as a token
https https
api key
”a57”
api key
”a57” • Other APIs can use the token for
data mapping or master/detail
mapping without any extra
https ”a57” https ”a57”
detokenization step
api key api key
Anypoint Security
Tokenization
jdbc jdbc
”a57” ”a57”

Anypoint Security - Tokenization Overview
Format Preserving Tokenization Edge tokenization policy

Credit Card # Token Value
Application data validation logic work “as is” 4111-1111-1111-1111 3594-6249-5432-1111
No downstream application changes needed
Compliance scope reduction (PCI, HIPAA, GDPR)
Preserve – Last 4 of CC #
Edge encryption / decryption

Format Preserving Encryption { policy
{
"Name":"MuleSoft Encryption
Demo", "Name":"MuleSoft Encryption
"Email":"encryptiondemo@mulesoft. Demo",
Information anonymization com", "Email":"4-f6vTf-IITLh1@L7Pw9-
”Company":"MuleSoft", g6RfPa",
Analytics without exposing sensitive data "PhoneNumber":"1234567890" "Company":"MuleSoft",
} Encrypt / Decrypt Email and Phone"PhoneNumber":"0878087072”
#
}
Edge data masking policy

Data Masking {
”Account #":”12345678900987", {
”Account #":”1234567890####",
"Email":”maskingdemo@mulesoft.
"Email":"maskingdemo@mulesoft.co
Sensitive data obfuscation com",
m",
”Company":"MuleSoft",
"Company":"MuleSoft",
One way process: Cannot get original value back "PhoneNumber":"1234567890"
} "PhoneNumber":”*******456”
}
Mask Account and Phone #’s


AWS (US & EU)
IPSEC
Firewall Firewall
Metadata Traffic

3 – What level of native security/compliance Anypoint Platform provides
for the Runtime & Control Planes?
AWS (US & EU)
IPSEC
Firewall Firewall
Metadata Traffic

Compliance Level – By Mulesoft
Regarding the handling of Sensitive Data at Rest & Penetration Test
• Control Plane compliance

– FIPS 140-2
– ISO27001
– SSAE 16 Soc 2
– PCI-DSS Level 1
– HiTrust (HIPAA/HiTECH)
– GDPR Ready
• Runtime Plane (CloudHub)

– FIPS 140-2
– SSAE 16 Soc 2
– PCI-DSS Level 1
• Runtime Plane (OnPrem)

– FIPS 140-2
– PCI-DSS Level 1

Compliance Leve – By AWS as IaaS Provider
Regarding Sensitive Data at Rest, Penetration Test and Physical Data Center Protection
• ISO 27001
• PCI-DSS Level 1
• DIACAP Level 2 for DoD systems

• SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 TypeII)
• SOC 2
• ITAR

Communication between Runtime and Control Planes
• 2-Ways TLS between each Runtime and the

Control Plane
– OnPrem: use “amc_setup” to register the
runtime into the Control Plane automatically
establish the handshaking process
– CloudHub/RTF: the deployment of APIs as a
container automatically establish the Metadata Traffic
handshaking process
• Only Metadata are uploaded :

Firewall
– System logs
– CPU usage
Metadata Traffic
– Memory usage
– Performance metrics…
• Application Logs:
– Log setting in Cloudhub is overwritten by
Mulesoft to avoid logging of sensitive data.
Customer can request to disable the default
logging, but then the Customer will be
responsible for the compliance check

#6security AnypointPlatform PDF

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

#6security AnypointPlatform PDF

Enviado por

Direitos autorais:

Formatos disponíveis

Security & Anypoint platform

April 26th, 2019

6. Security & Anypoint Platform

Edge Security – policy firewall, Dos, content attacks

Tokenization – Data protection, Vaults, format preserving

All contents © MuleSoft Inc.

Connect With Customers and Streamline Operations

An effective API can give existing and potential customers

All contents © MuleSoft Inc. 3

Connect With Customers and Streamline Operations

§ The attack surface is expanding

§ APIs are the attack vector of choice

All contents © MuleSoft Inc. 4

§ Security has changed from keeping the

§ Security by Obscurity is unacceptable.

All contents © MuleSoft Inc. 6

All contents © MuleSoft Inc.

All contents © MuleSoft Inc.

All contents © MuleSoft Inc.

All contents © MuleSoft Inc.

customer API spec

All contents © MuleSoft Inc.

All contents © MuleSoft Inc.

All contents © MuleSoft Inc.

Anypoint Edge Anypoint API Anypoint

• Operations Construct Create new Secure

• “An open protocol to allow secure authorization in

• A form of HTTP-based Single Sign On (SSO)

• Primarily focused on Authorization , although it is

All contents © MuleSoft Inc. 16

All contents © MuleSoft Inc. 17

• Open standard to authorization

All contents © MuleSoft Inc. 18

Sample request the proxy makes :

Sample response the proxy receives:

The API returns the response to the client app.

All contents © MuleSoft Inc. 21

• Use an external Identity Store for Developers and Admin login

All contents © MuleSoft Inc. 22

Work, but aren’t actively tested:

All contents © MuleSoft Inc. 23

All contents © MuleSoft Inc. 24

● IP Blacklist: Denies API calls from a defined set of IP addresses.

● IP Whitelist: Limits API calls to a defined set of IP addresses.

All contents © MuleSoft Inc. 25

●All contents © MuleSoft Inc.

Sample Client ID (API Key)

Out of the box API Policies for

2. Data In Movement – Security and Approach

3. Anypoint Platform Security & Compliance Model

All contents © MuleSoft Inc.

All contents © MuleSoft Inc. 30

All contents © MuleSoft Inc. 31

Runtime Traffic Metadata Traffic

AWS (US & EU)

AWS (US, EU, SA, APAC)

Runtime Plane (OnPrem)

Runtime Traffic Metadata Traffic

AWS (US & EU)

AWS (US, EU, SA, APAC)

Runtime Plane (OnPrem)

• All external requests access

• Certified against industry