Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Description

The bring-your-own-device (BYOD) trend is in full swing as the growth of mobile devices within the enterprise explodes. How do you enable secure data access for mobile applications? How do you deal with user authentication? How do you allow broader adoption of enterprise applications on user-owned devices? CA and Layer 7 outline solutions to these issues, explore different approaches to mobile security, and use case studies to illustrate how others have solved these problems. This workshop was all about:

• The latest mobile trends and opportunities
• Emerging mobile risks and how these can be addressed
• A reference architecture for secure enterprise mobility

Transcript of Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Page 1: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

The IAM-as-an-API Era Has Arrived And You Can Blame/Thank Mobility

Eve Maler, Principal Analyst, Security & Risk

Mobile Security Workshop February 7, 2013

Page 2: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

© 2012 Forrester Research, Inc. Reproduction Prohibited

Agenda

• Consumerization of IT and its cousins are challenging IAM traditions
• Apply Zero Trust to your identity, security, and agility problems in "bring-your-own" environments
• Leverage emerging technologies to provide identity services that are mobile-cloud ready

Page 3: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

“It was Colonel Mustard in the research library with a smartphone…”

Page 4: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


The future of IT is bring-your-own everything

Figure: the bring-your-own-everything landscape along three axes. App sourcing and hosting: partner apps, on-premises enterprise apps, SaaS apps, apps in public clouds, apps in private clouds. App access channels: enterprise computers, enterprise-issued devices, personal devices, public computers. User populations: employees, contractors, partners, members, customers.

Source: March 22, 2012, Forrester report “Navigate The Future Of Identity And Access Management”

Page 5: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Genentech’s Salesforce app trumps native Salesforce.com

Source: Genentech webinar

Page 6: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Steve Yegge describes why

Source: Rip Rowan on Google Plus

[Jeff Bezos] issued a mandate that was so out there, so huge and eye-bulgingly ponderous, that it made all of his other mandates look like unsolicited peer bonuses. … “1) All teams will henceforth expose their data and functionality through service interfaces.” …

Like anything else big and important in life, Accessibility has an evil twin who, jilted by the unbalanced affection displayed by their parents in their youth, has grown into an equally powerful Arch-Nemesis (yes, there's more than one nemesis to accessibility) named Security. And boy howdy are the two ever at odds.

But I'll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.

… and the next challenge

Page 7: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Now many APIs have direct business models, all enabling mobile


Source: John Musser of ProgrammableWeb.com

Page 8: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

“Classic” IAM: Sounds awesome, maybe later?

Source: satterwhiteb | CC BY 2.0 | flickr.com

Page 9: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Didn’t we already solve the web services security problem?

• Transport-layer solutions
• Platform-specific solutions
• XML signature, XML encryption, XML canonicalization
• WS-Security, WS-Trust, WS-I Basic Security Profile
• SAML
• ID-WSF

Page 10: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


The API economy forces you to confront the webdevification of IT

Chart: value X versus friction Y.

Page 11: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Agenda

• Consumerization of IT and its cousins are challenging IAM traditions
• Apply Zero Trust to your identity, security, and agility problems in "bring-your-own" environments
• Leverage emerging technologies to provide identity services that are mobile-cloud ready

Page 12: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


In Zero Trust, all interfaces are treated as untrusted


Apply Zero Trust all the way up the stack, including – most particularly – identity and access management functions.

Source: November 15, 2012, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report

Page 13: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Plan for inward, outward, and circular identity propagation

Source: March 22, 2012 “Navigate The Future of IAM” Forrester report

Figure: the organization serves as an identity server for business functions (internal to the organization, at external partners, exposed to customers) and as an identity client of user stores (staff, institutional and consumer user stores, for functions internal to the organization). A security token service (STS) handles token issuance, translation, and consumption.

Page 14: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Go from IDaaS to IAM-as-an-API

Source: March 22, 2012 “Navigate The Future of IAM” Forrester report

Figure: the API façade pattern. API clients reach web service and app APIs over the Internet through a scale-out infrastructure that fronts back-end apps, web apps, mobile apps and so on; the business app’s own API determines access control granularity, and all interfaces are robustly protected regardless of their sourcing model. Applying the pattern to IAM functions: IAM API clients reach APIs for authentication, authorization, provisioning and so on, which front the IAM infrastructure and the business apps.

Page 15: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Who’s already doing it?


Page 16: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Agenda

• Consumerization of IT and its cousins are challenging IAM traditions
• Apply Zero Trust to your identity, security, and agility problems in "bring-your-own" environments
• Leverage emerging technologies to provide identity services that are mobile-cloud ready

Page 17: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

New identity solutions disrupt…but attract.

Source: tom-margie | CC BY-SA 2.0 | flickr.com

Or, The good thing about reinventing the wheel is that you can get a round one.*

*Douglas Crockford, inventor of JavaScript Object Notation (JSON)

Page 18: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Source: October 2012 “TechRadar™ For Security Pros: Zero Trust Identity Standards, Q3 2012”

Emerging IAM standards have an edge over traditional ones for Zero Trust

Key features, by standard family:
• Governance; hubris
• “Solving the right problem”; enterprise-only scope
• Agility; mobile/cloud friendliness; robustness

Page 19: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


The new Venn of access control for the API economy


Page 20: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Web 2.0 players invented OAuth just to solve the “password anti-pattern”


Page 21: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


WS-SECURITY IN THE MODERN ERA IS PRONOUNCED “OAUTH”

What it really does is let a resource owner delegate constrained access

Page 22: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


OAuth can help manage risk, cost, and complexity

• Gets client apps out of the business of storing passwords
• Friendly to a variety of user authentication methods and user devices, including smartphones and tablets
• Allows app access to be tracked and revoked on a per-client basis
• Allows for least-privilege access to API features
• Can capture explicit user authorization for access
• Lowers the cost of secure app development
• Bonus: provides plumbing for a much larger class of needs around security, identity, access, and privacy

FOR INTERNET-SCALE ZERO TRUST, YOU NEED IT ALL

Page 23: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Use case: consumer-facing web and mobile apps

Third parties offer productivity apps to eBay sellers who list items and do other tasks through the eBay API. These apps never see the seller’s eBay credentials. They don’t merely “impersonate” the seller. The app can take action even if the user is offline.

EBAY HAS “CHANNEL PARTNERS” THAT CREATE APPS FOR SELLERS

eBay seller (in resource owner role)

eBay (in authorization server and resource server roles)

Third-party seller app (in client role)

Page 24: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Use case: B2B and business SaaS app integration through SAML SSO

Partner apps integrate with the construction firm’s valve-design service. On-site partner engineers log in to their home systems through a company-issued tablet. They can then use special apps that call the valve-design service, bootstrapped by SAML.

CONSTRUCTION FIRM LETS PROJECT PARTNERS “SSO IN” TO APIS USING NATIVE APPS

Partner workforce member (in resource owner role)

Construction firm (in authorization server, resource server, and SP (RP) roles)

Partner app (in client and IdP roles)

Page 25: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Use case: “Two-legged” userless protection of low-level web service calls

Includes services such as sales tax calculation, shipping label formatting, credit card number verification, and HTML code checking. In all use cases: The two servers are typically separate but communicate in a proprietary fashion.

EBAY SECURES INTERNAL SERVICES TO MEET AUDITING AND COMPLIANCE GOALS

eBay service (in resource server role)

eBay calling app (in client role)


eBay STS (in authorization server role)
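To make the two eBay scenarios concrete (the three-legged seller-app case on Page 23 and the two-legged userless case on this page), here is an added Python model of an OAuth 2.0 authorization server and a scope-checking resource server. It is example code written for this transcript, not eBay's or Layer 7's code: the user, client, scope and secret values are constructed sample data, and token introspection is an in-process dictionary lookup rather than an HTTP endpoint.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    client_id: str
    subject: object  # resource owner's username, or None for a two-legged (userless) token
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    """Holds the user credentials and hands out constrained tokens; client apps never see passwords."""
    def __init__(self, users, clients):
        self._users, self._clients = users, clients
        self._codes, self.tokens, self._refresh = {}, {}, {}

    def authorize(self, client_id, username, password, requested):
        """Three-legged: the owner logs in here, not in the app, and consents to a scope subset."""
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")
        granted = set(requested) & self._clients[client_id]["allowed_scopes"]  # least privilege
        if not granted:
            raise PermissionError("no permitted scope requested")
        code = secrets.token_urlsafe(16)  # one-time authorization code handed back to the app
        self._codes[code] = (client_id, username, frozenset(granted))
        return code

    def exchange_code(self, client_id, client_secret, code):
        self._check_client(client_id, client_secret)
        cid, user, scopes = self._codes.pop(code)  # single use
        if cid != client_id:
            raise PermissionError("code belongs to another client")
        return self._issue(client_id, user, scopes, with_refresh=True)

    def refresh(self, client_id, client_secret, refresh_token):
        """Lets the app act later, while the owner is offline, without prompting again."""
        self._check_client(client_id, client_secret)
        tok = self._refresh.get(refresh_token)
        if tok is None or tok.revoked:
            raise PermissionError("refresh token invalid or revoked")
        return self._issue(client_id, tok.subject, tok.scopes, with_refresh=False)

    def client_credentials(self, client_id, client_secret, requested):
        """Two-legged: no resource owner, only an authenticated client (userless service call)."""
        self._check_client(client_id, client_secret)
        granted = set(requested) & self._clients[client_id]["allowed_scopes"]
        return self._issue(client_id, None, frozenset(granted), with_refresh=False)

    def revoke_client(self, subject, client_id):
        """Per-client revocation: the owner cuts off one app; tokens held by other apps survive."""
        hits = [t for t in (*self.tokens.values(), *self._refresh.values())
                if (t.subject, t.client_id, t.revoked) == (subject, client_id, False)]
        for t in hits:
            t.revoked = True
        return len(hits)

    def _check_client(self, client_id, client_secret):
        client = self._clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")

    def _issue(self, client_id, subject, scopes, with_refresh):
        out = {"access_token": secrets.token_urlsafe(24), "scope": " ".join(sorted(scopes))}
        self.tokens[out["access_token"]] = Token(client_id, subject, scopes)
        if with_refresh:
            out["refresh_token"] = secrets.token_urlsafe(24)
            self._refresh[out["refresh_token"]] = Token(client_id, subject, scopes)
        return out


def call_api(auth, access_token, required_scope):
    """Resource server side: 200 only for a live token that carries the required scope."""
    tok = auth.tokens.get(access_token)
    if tok is None or tok.revoked:
        return 401, "token invalid or revoked"
    if required_scope not in tok.scopes:
        return 403, "token lacks scope " + required_scope
    return 200, tok.subject or "service:" + tok.client_id  # whom the API acts on behalf of


def demo():
    """Walks the constructed eBay-style scenario and returns what each step observed."""
    clients = {"lister-app": {"secret": "app-secret-A",  # constructed sample registrations
                              "allowed_scopes": {"listing:read", "listing:write"}},
               "tax-service": {"secret": "svc-secret-B", "allowed_scopes": {"tax:calc"}}}
    auth = AuthorizationServer({"seller_alice": "correct horse battery staple"}, clients)
    # The seller authenticates at the authorization server; the app receives only a code.
    code = auth.authorize("lister-app", "seller_alice", "correct horse battery staple",
                          ["listing:read", "listing:write", "account:delete"])
    grant = auth.exchange_code("lister-app", "app-secret-A", code)
    seen = {"granted": grant["scope"]}  # account:delete was never on the app's allow-list
    later = auth.refresh("lister-app", "app-secret-A", grant["refresh_token"])  # owner offline
    seen["offline"] = call_api(auth, later["access_token"], "listing:read")
    seen["revoked"] = auth.revoke_client("seller_alice", "lister-app")
    seen["after_revoke"] = call_api(auth, later["access_token"], "listing:read")
    svc = auth.client_credentials("tax-service", "svc-secret-B", ["tax:calc", "listing:write"])
    seen["service"] = (svc["scope"], call_api(auth, svc["access_token"], "listing:write"))
    return seen
```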

Page 26: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


OpenID Connect turns SSO into a standard OAuth-protected identity API

Feature                                        | SAML 2.0, OpenID 2.0                              | OAuth 2.0                                      | OpenID Connect
Initiating user’s login session                | Yes                                               | X (not responsible for session initiation)     | Yes
Collecting user’s consent to share attributes  | X (not responsible for collecting user consent)   | Yes                                            | Yes
High-security identity tokens                  | Yes (SAML only)                                   | X (no identity tokens per se)                  | Yes (using JSON Web Tokens)
Distributed and aggregated claims              | Yes                                               | X (no claims per se; protects arbitrary APIs)  | Yes
Session timeout                                | Yes                                               | X (no sessions per se)                         | In the works
Dynamic introduction                           | Yes (OpenID only)                                 | X (client onboarding is static)                | Yes
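The "high-security identity tokens (using JSON Web Tokens)" row is worth a concrete look at what a relying party has to check before it trusts an ID token as proof of login. The following is an added example, not code from the presentation or from any OpenID Connect library: it issues and validates an ID token signed with HS256 (OpenID Connect allows signing with the client secret; most providers use RS256 with published keys, which this example simplifies away), and the issuer, subject, audience, nonce and timestamp values are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key shared by the provider and one relying party (HS256 uses the
# client secret as the key; production providers mostly sign with RS256 and publish keys).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(issuer, subject, audience, nonce, secret, now=None, ttl=300):
    """Provider side: the ID token is a signed JWT stating who logged in, for which client."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "nonce": nonce,
              "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_id_token(token, expected_issuer, client_id, expected_nonce, secret, now=None):
    """Relying-party side. Returns (claims, None) on success or (None, reason) on rejection;
    each rejection is one of the checks that make the token trustworthy as a login proof."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None, "unexpected alg"
    expected = hmac.new(secret, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != expected_issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "token not meant for this client"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("nonce") != expected_nonce:  # ties the token to the RP's own login request
        return None, "nonce mismatch"
    return claims, None


def demo():
    """Issues one token for a constructed login and shows it accepted by the right client only."""
    token = issue_id_token("https://op.example", "user42", "rp-client", "n-1",
                           SHARED_SECRET, now=1_700_000_000)
    ok, _ = validate_id_token(token, "https://op.example", "rp-client", "n-1",
                              SHARED_SECRET, now=1_700_000_100)
    _, why = validate_id_token(token, "https://op.example", "other-rp", "n-1",
                               SHARED_SECRET, now=1_700_000_100)
    return ok["sub"], why
```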

Page 27: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Where SAML is “rich,” OpenID Connect holds promise for “reach”

Already exposing customer identities using a draft OpenID Connect-style API

Working to expose workforce identities through OpenID Connect

LOB apps and smaller partners can get into the federation game more easily; complex SAML solutions will see price pressure over time


Page 28: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

The classic OAuth scenarios enable lightweight web services security

• Same user assumed on both sides of the equation
• Proprietary communication between the servers*

Page 29: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


OpenID Connect also has limitations


The IdP/AP split requires brokering

Same user on both sides of the equation

Page 30: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


UMA turns online sharing, with arbitrary other parties, into a “privacy by design” solution


I want to share this stuff selectively, in an efficient way:
• Among my own apps
• With family and friends
• With organizations

I want to protect this stuff from being seen by everyone in the world, from a central location.

The “stuff”: historical, biographical, reputation, vocational, user-generated, social, geolocation, computational, biological/health, legal, corporate, ...

Page 31: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


What about config-time synchronization? “I DON’T ALWAYS SYNCHRONIZE, BUT WHEN I DO, I PREFER SCIM”

Maximum PII disclosure, brittleness, and authorization latency: nightly secure FTP sessions to transfer CSV files containing employee records (HR, auditors).

Synch solution proposed by software vendors in the last decade: Service Provisioning Markup Language (SPML).

The winner: a RESTful identity synch API, protectable by OAuth, endorsed by cloud providers: System for Cross-domain Identity Management (SCIM).

Page 32: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


So, what should you do next? Get ready: Zero Trust is pulling along new Security solutions to meet Accessibility needs


Page 33: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Expose accessible identity APIs for (all and only) what you’re authoritative for

Page 34: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Assist your smaller partners in exposing identity APIs you can begin relying on

Page 35: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


Count on mobility to disrupt old security paradigms and pull API security to the fore

Page 36: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Thank you

Eve Maler
+1 617.613.8820
[email protected]
@xmlgrrl, +Eve Maler

Page 37: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Secure Mobility: Reward & Risk

February 7, 2013

Jason Hammond, CISSP Advisor, Solution Strategy

Page 38: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Agenda

• Transformational Power of Mobility
• New Mobile Risks
• Mobile Security Framework
• CA Secure Mobility Solutions

Copyright © 2013 CA Technologies. All rights reserved. No unauthorized copying or distribution permitted

Page 39: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Mobility Transforms the Customer Experience: How do you plan to leverage mobile customer engagement?

Mobile is the New Face of Customer Engagement

“More than half of business decision-makers will increase their mobile apps budget in 2012 as they look for better ways to engage with customers and partners.”*

“Mobile spend will reach $1.3 trillion as the mobile apps market reaches $55 billion in 2016.”*

“Business spending on mobile projects will grow 100% by 2015.”*

*Mobile is the New Face of Engagement, Forrester Research, Inc., Feb 13, 2012

Page 40: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Mobility Enables the Workforce How do you plan to leverage mobility to enable the workforce?

Security Concerns (% rating “very significant”)

How significant are the following security concerns to your organization for individually-owned mobile devices being used by employees for work?

Cost of providing technical support: 26%
Lack of integration with traditional IT systems: 29%
Legal data ownership issues: 35%
Data on device will go with employee to next employer: 41%
Compliance requirements: 48%
Malware could be introduced to corporate network: 58%
Device may be stolen and corporate data exposed: 61%

n = 353, CISO Market Survey

*Source: Info Workers Using Mobile And Personal Devices For Work Will Transform Personal Tech Markets, Forrester Research, Inc., February 22, 2012

Page 41: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Multiple Users; Multiple Channels

Page 42: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Figure: Engage Mobile Users, multi-channel support. Channels: Web, API, Mobile, Non-Traditional Devices. Access paths: native mobile apps on phone/tablet, browsers on phone/tablet, browsers on PC/laptop, all passing through a common security policy. Goals: multi-channel, 360 degree view, scale with volume.

Page 43: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

New Mobile Risks

Page 44: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

New Mobile Risks: BYOD

• Consumerization
• Privacy expectations
• Personal and corporate data
• Legal liability

Page 45: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

New Mobile Risks: Lost Devices

Size, mobility and business impact of data increases risk.

Page 46: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

New Mobile Risks: Disappearing Perimeter

• Inhibits visibility and control of data
• Lack of visibility and control of sensitive information
• Persistent sync of sensitive information

Page 47: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

New Mobile Risks: Mobile Usage Threats

• Personal download of vulnerable apps
• Users sharing data between apps
• Exposed APIs to threats

Page 48: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Identity is the new network perimeter

Figure: a centralized identity service controls access to all enterprise applications (SaaS and on-premise): cloud apps/platforms and web services, SaaS (Google among the logos shown), and on-premise enterprise apps. User populations: mobile employee, customer, partner user, internal employee.

Page 49: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Purpose: securely enable online business, the “new balance” of security

• Protect the business: reduce risk; enable control and compliance
• Grow the business: improve customer experience; increase customer loyalty
• Improve efficiency

Page 50: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Market Shift: Mobile Device to Mobile Apps & Data Solutions

• Device: IT Management (MDM)
• Apps: Business Service Innovation (MEAP, IAM, MAM)
• Data: Data-Centric Security (Encryption, DLP)

Page 52: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Market Shift: CA Security Focus on Mobile Apps & Data Solutions

• Device: IT Management (MDM)
• Apps: Business Service Innovation (MEAP, IAM, MAM)
• Data: Data-Centric Security (Encryption, DLP)

CA Security focus areas: Access Management, Data Protection, API Management, Advanced Authentication, App Wrapping

Page 53: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Mobile Security Framework: Balancing security with business enablement

• Access Management
• Advanced Authentication
• API Management
• Containerization
• Data Protection

Page 54: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Reference Architecture

Page 62: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Mobile Security Framework: Balancing security with business enablement

Figure: reference architecture. Mobile devices reach the organization over web, API and mobile channels; inside the organization sit web applications, email and files; cloud services sit outside. The slide labels the numbered capabilities with CA products as follows.

1. Access Management (CA SiteMinder)
• AuthN, AuthZ
• Multi-channel support
• Central policies
• 360 degree view of users
• SSO
• OpenID, OAuth 2.0

2. Advanced Authentication (CA AuthMinder & RiskMinder)
• Multi-factor AuthN
• ID, Geographic
• Risk-based Auth
• Soft tokens

3. App Wrapping (Future)
• App AuthN, AuthZ & Audit
• Support for custom and 3rd party apps
• Connected and offline security

4. Data Protection (CA DataMinder)
• In-motion & at-rest
• Classification
• Encryption
• Intelligent data-centric security

5. Web Service Protection (CA SiteMinder)
• Secure API
• Audit integration
• Threat Protection

Page 63: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Benefits

Enable mobile engagement
• Support access across range of channels: platforms, OS, apps
• 360° view of the user enhances each moment of engagement
• Seamless and convenient experience

Reduce risks
• Mitigate the risk of physical access
• Enable secure access to cloud services
• Intelligent data-centric security reduces human error
• End-to-end security stays through life of the data

BYOD
• Separate corp. & personal apps and data
• Support corp. data investigation, user privacy expectations and reduction in corp. liability

Page 64: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Thank You!

Page 65: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Legal notice

© Copyright CA 2012. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.

THIS MEDIA IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS MEDIA “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.

Notwithstanding anything in this media to the contrary, upon the general availability of any future CA product release referenced in this media, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis.

Page 66: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Mobile APIs And The New Governance

K Scott Morrison, CTO

February 2013

Page 67: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

“Democracy is the worst form of government, except for all those other forms that have been tried from time to time.” Sir Winston Churchill

Page 68: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Governance

Page 69: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Governance appeals to the architect in us

Page 70: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Yet there is an imbalance between run time and design time governance

Page 71: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Vendors are happy to provide tooling

Diagram labels: Secure Zone, Application Servers, Firewall, DMZ, Trading Partner, Enterprise Network, PEP, Registry, Directory, Repository, Workflow

Page 72: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

But this never caught on with the developers

Page 73: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Controlling, not enabling

Page 74: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Change Agent

Page 75: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Client Server

Page 76: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Contractor Regular

Page 77: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Outside Inside

Page 78: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Partner Enterprise

Page 79: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Partner Enterprise No Affiliation

Page 80: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Us Them

Page 81: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Here is the new group to manage

Page 82: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

The New Roles

Diagram labels: API Client Developers, API Server Developers; External, Internal

Page 83: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Governance Fails Here

Page 84: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Marketing is taking control

Diagram labels: CMO, API Developer, Security Officer, Business Manager, Product Manager

Page 85: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

IT Needs To Own This

Page 86: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Learn from modern development

Page 87: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Agile. Simple. Courageous.

Page 88: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Bug Report: File properties.xml isn’t, well, XML…

Page 89: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

It’s about the app

Page 90: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

But simple can under-define

Page 91: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Look to habit

Page 92: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Combine components to solve problems

Page 93: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

What do we really need?

Page 94: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

The Client

Discovery, Sign up, Learning, Experimenting, Social, Promotion

Search, CMS, Wiki, Browser/Explorer, Forum, Blog

This is SDLC, 21st century-style

Page 95: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Don’t reinvent

Page 96: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Let’s Build It.

Page 97: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

The Challenge

Diagram labels: Firewall 1, Enterprise Network, API Client, iPhone Developer, API Server, Firewall 2, Phone User

Page 98: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

First We Need Identity

Diagram labels: Firewall 1, Enterprise Network, API Client, iPhone Developer, API Server, Firewall 2, SiteMinder

Page 99: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

We could try this to deal with firewalls…

Diagram labels: Firewall 1, Enterprise Network, API Client, iPhone Developer, API Server, Firewall 2, SiteMinder

Page 100: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

An API Gateway Is A Better Solution

Diagram labels: Firewall 1, Enterprise Network, API Server, API Client, iPhone Developer, API Proxy, Firewall 2, SiteMinder

Page 101: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Now Add Client Developer Libraries For Authentication

Diagram labels: Firewall 1, Enterprise Network, API Server, API Client, iPhone Developer, API Proxy, Firewall 2, SiteMinder

Page 102: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Finally, Add In An API Portal To Enable The New Governance

Diagram labels: Firewall 1, Enterprise Network, API Server, API Client, iPhone Developer, API Portal, API Proxy, Firewall 2, SiteMinder

Page 103: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Our customers led us here

Page 104: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Have we swung too far outside the enterprise?

Page 105: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

50%

Page 106: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

The New Governance

Columns: Documentation, Discovery, Approval, Enforcement, User Provisioning, Community

Old: WSDL, Reg/Rep, G10 Platform, Gateway, IAM, What’s that?

New: Wiki/Blog, Search, Email, Gateway, Portal, Forum

What’s that?

Page 107: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Simple wins

(But simple takes courage.)

Page 108: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Democracy wins

Page 109: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.


The Forrester Wave™: API Management Platforms, Q1 2013

By Eve Maler and Jeffrey S. Hammond, February 5, 2013. Free Copy for all Attendees! Everyone who has attended today’s workshop will receive a free copy of this report in a follow-up email from Layer 7. Keep an eye on your inbox.

The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Page 110: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Picture Credits: Antelope Canyon 4 by klsmith, stock.exchg; Band silhouettes by mr_basmt, stock.exchg

Page 111: Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

September 2012

K. Scott Morrison Chief Technology Officer Layer 7 Technologies 1100 Melville St, Suite 405 Vancouver, B.C. V6E 4A6 Canada (800) 681-9377 [email protected] http://www.layer7.com

For further information: