Secure API Manager provides a specialized layer of security for public facing API’s that are frequently used as an interface to valuable and often sensitive information. Built to plug into your existing infrastructure, Secure API Manager allows you to extend your Access Management, authentication and security across your entire environment, including your API integration points. It leverages NetIQ Access Manager for client as well as API authentication and authorization. The combined solution allows you to use consistent access control policies across web, mobile and API targets providing comprehensive security across all the end points. You will be able to extend your existing Access Manager access control policies for managing API targets in the Secure API Manager. This integrated solution allows you to apply Risk Based access policies to your API’s as well as enforce second factor authentication for API client and developer access.
Secure API Manager also integrates with enterprise identity systems through an LDAP interface. This integration allows you to implement role-based access control for managing users to specific privilege levels. Serving as an API protection layer, its gateway is designed to be deployed in your DMZ while the authentication and access control components are kept safe behind the firewall.
Since the developer portal provides full authentication and access control, you can use it as a collaboration center for joint publication across internal and partner development teams. For ubiquitous access, the portal can be placed in the DMZ while the management components of it reside behind the firewall. For safety, the API publication engine is also placed inside the firewall for maximum protection. Using the portal's graphical interface, developers can browse and search APIs by provider, tags, or name. Access is managed through roles that are typically set up as tiers. Within these tiers, developers can subscribe to sets of API’s that they are responsible for as they collaborate across teams. Roles also define the views for each subscription level that the developer is assigned to.
The portal also includes an interactive API test console with notifications are sent out to subscribers about results and updates. Just as the administration component, the actual publication engine deploys from behind the protection of the corporate firewall.
At the highest level, Secure API Manager provides API lifecycle management from inception to end of life: create, publish, block, deprecate, and retire. Within Secure API Manager, you can model APIs to allow collaboration with others as they are refined and updated. You have the option to start from scratch or to import existing API definitions to give you a head start. Secure API Manager supports SOAP, REST, JSON API interfaces, as well as XML style services.
Once you’re done with your API design and prototyping phase, you can securely manage visibility and access to get early feedback. Secure API Manager provides management of both sandbox and production keys to allow secure testing. This level of control can be applied for internal users, collaborating partners, and even specific external API consumers. This allows you to secure, deliver, and customize the API lifecycle. When you’re ready, Secure API Manager offers one-click deployment to the preconfigured gateway(s) for immediate publishing.
Access control isn’t limited to the pre-release phases, can also be applied to consumers authenticating using OAuth2, OpenID Connect, or SAML protocols. This provides secure access across a broad range of platforms including existing web apps.
Secure API Manager lets you segment production traffic from sandbox sessions, ensuring a higher level of security as well as protection against unexpected performance degradation. Secure API Manager also gives you access control beyond just user privilege but can be configured by timeframe or frequency of use. By managing beyond just limiting who can access a specific set of API’s, you can setup trial periods, exclude access by countries, or even set up a cost structure based on consumption. Moreover, as microservices continue their expansion as a digital resource of various types, (simple data, audio, video, other rich media) tailored to different consumers, this level of flexibility becomes a more fundamental control criterion. So, this type of access management extends beyond just on/off access but also may include throttling or prioritization.