5 Steps for End-to-End Mobile Security with Consumer Apps
Overview
Delivering services to consumers via mobile apps is essential for differentiation and competitiveness in today’s business climate. But as more services are exposed, more risk is incurred – putting mobile app security at the top of the list for any security professional.

While strict BYOD policies, device-level security and application management solutions may fit enterprise requirements, the privacy and usability implications of these approaches are likely to negatively affect the consumer experience.

This webinar, presented by Tyson Whitten of CA Technologies and Leif Bildoy of CA Layer 7, will explain how enterprises can secure services exposed by mobile apps in a way that satisfies internal security requirements without impacting the user experience for external consumers.

  1. 5 Steps for End-to-End Mobile App Security with Consumer Apps. Tyson Whitten, Mobile Security Product Marketing - CA Technologies. Leif Bildoy, CA Layer 7 Product Management - CA Technologies. February 20, 2014. © 2014 CA. All rights reserved.
  2. Housekeeping. Leif Bildoy, Leif.Bildoy@ca.com, CA Technologies. Tyson Whitten, Tyson.Whitten@ca.com, CA Technologies. layer7.com & security.com; layer7.com/blogs; @layer7 & @CASecurity; Layer 7 & CATechnologies. Chat questions into the sidebar or use hashtag: #L7webinar
  3. Mobile Growth Continues. $77B mobile app revenue generated by 2017 ... It’s An App, Happy World.
     • Gartner. “Predicts 2014: Apps, Personal Cloud and Data Analytics Will Drive New Consumer Interactions.” Stephanie Baghdassarian, Brian Blau, Jessica Ekholm, Sandy Shen. November 22, 2013.
  4. Mobile Growth Continues. 82% of time spent with apps vs. browsers; 40 average apps per device; 268B mobile app downloads by 2017 ... It’s An App, Happy World.
     • Harvard Business Review, “For Mobile Devices, Think Apps, Not Ads”, Sunil Gupta, Head of HBR Marketing. March 2013.
     • Gartner. “Predicts 2014: Apps, Personal Cloud and Data Analytics Will Drive New Consumer Interactions.” Stephanie Baghdassarian, Brian Blau, Jessica Ekholm, Sandy Shen. November 22, 2013.
  5. Everyone is working on a mobility revenue strategy. Zillow Mobile App: RealQuest.com, Device GPS, DiverseSolutions.com, Owner Input, WalkScore.com, GeoScan.com.
  6. Mobility Form Factors Power Innovation. Nike+ Mobile App.
  7. Consumer App Security Risks. Protected Health Information (PHI) sync.
  8. How to Achieve End-to-End Security for Consumer Apps
     • App Risk
     • Understanding the Solution Landscape
     • Securing the backend
     • Protecting the app
     • Maintaining the user experience
  9. Step #1: Identify Risk Level of Your Apps. WHAT (IP, NPI, PHI & PII), WHERE, WHO. Business impact; Likelihood of a threat. Risk level = Business impact × Likelihood of a threat.
  10. What Consumer App Security Solutions are Available? Control the App by controlling the device.
  11. Step #2: Understand Where MDM/MAM Fits. Features (Enterprise / Consumer): Authentication, Authorization, Social Login, SSO, Encryption (in motion, at rest); each marked for both Enterprise and Consumer.
  12. Step #2: Understand Where MDM/MAM Fits. Features (Enterprise / Consumer): Authentication, Authorization, Social Login, SSO, Encryption (in motion, at rest); each marked for both Enterprise and Consumer. Device Management Policies (camera, GPS, etc): Enterprise only. BYOD Policies not for Consumer Scenarios.
  13. What does that leave for App Solutions? Web, API, Web Browser, Native App.
  14. Understanding APIs Is Core to Consumer Apps. Web, API, Web Browser, Native App.
  15. Step #3: Securing the App starting with the API. Threats: Composite Apps, Malicious Apps, Performance, Developer Access.
  16. What about the Other End? API, API, API.
  17. Step #4: How Secure App Development Complements API Security. User, Apps, Devices.
  18. Step #4: How Secure App Development Complements API Security. User, Apps and Devices attributes: Name, Address, Email, Group, UserID, Phone number, Password; Package name, Managed, Group, Name, Screen Size, Signer, App mix, AppID, SW Permissions, HW version, Footprint, SW version, HW Accelerated, DeviceID.
  19. Step #4: How Secure App Development Complements API Security. User, Apps and Devices attributes: Name, Address, Email, Group, UserID, Marital Status, Phone number, Social Graph, Password; Package name, Name, Screen Size, AppID, HW version, SW version, DeviceID.
  20. Step #4: How Secure App Development Complements API Security. OAuth + OpenID Connect + PKI
     • Profiled for mobile
     • Clear distinction between device, user and app
     Flow elements: username/password; ID Token (JWT or SM Session Cookie); A, B, C: per-app Access Token/Refresh Token; Certificate Signing Request; MAG Signed Cert; Authorization Server.
  21. Step #4: How Secure App Development Complements API Security. Two-factor Auth, Social Login, Single Sign-On.
  22. Securing the Mobile App to the Backend API. Mutual SSL; Mutual SSL; API; API; API; Fine-grained API Access Control; Threat Protection; Two-factor Auth; Social Login; Single Sign-On.
  23. Step #5: How the Right End-to-End Mobile Security Solution Improves the User Experience. Social Login; APIs; API A, B, C; SSO. The Right Combination of Content & Security Features.
  24. Mobile Access Gateway.
  25. Mobile SDK – Simplified & secure consumption of APIs
     • Leverage mobile OS security to create a secure sign-on container
     • Standards based OAuth 2.0, OpenID Connect, and JWT
     • Secure provisioning through CA Layer 7 Mobile Access Gateway
     • Client-side libraries implementing common security aspects
       – iOS 6/7, Android 4.x & Adobe PhoneGap
       – Easy-to-use device API for adding app to SSO session and mutual SSL
       – Single API call to leverage cryptographic security, OAuth, OpenID Connect, and JWT
       – SDK with sample code & documentation
     Layer 7 Mobile Single Sign On Solution is a complete end-to-end standards-based security solution.
  26. CA Technologies Provides Unique Capabilities to Meet the Evolving Needs of the Open Enterprise. End-to-End Mobile Security. Accelerate secure application delivery: Build, Deploy & Secure. Balance Security and User Convenience.
  27. Questions?
  28. Copyright © 2014 CA. The Windows logo is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The Symantec logo is either a registered trademark or trademark of Symantec Corporation in the United States and/or other countries. The Good logo is either a registered trademark or trademark of Good Corporation in the United States and/or other countries. The Airwatch logo is either a registered trademark or trademark of Airwatch Corporation in the United States and/or other countries. The MobileIron logo is either a registered trademark or trademark of MobileIron Corporation in the United States and/or other countries. The Samsung logo is either a registered trademark or trademark of Samsung Corporation in the United States and/or other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. Certain information in this publication may outline CA’s general product direction. However, CA may make modifications to any CA product, software program, method or procedure described in this publication at any time without notice, and the development, release and timing of any features or functionality described in this publication remain at CA’s sole discretion. CA will support only the referenced products in accordance with (i) the documentation and specifications provided with the referenced product, and (ii) CA’s then-current maintenance and support policy for the referenced product. Notwithstanding anything in this publication to the contrary, this publication shall not: (i) constitute product documentation or specifications under any existing or future written license agreement or services agreement relating to any CA software product, or be subject to any warranty set forth in any such written agreement; (ii) serve to affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (iii) serve to amend any product documentation or specifications for any CA software product. THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages.
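Slide 20 of the deck is the one technical step: an OAuth + OpenID Connect flow profiled for mobile, with a clear separation between the user (ID token), the app (per-app access/refresh token) and the device. The example below is added here and is not CA or Layer 7 code, nor the Mobile Access Gateway's API. It models the token side of that slide with standard-library Python: an authorization server mints an ID token for the user and an access token bound to one app and one device, and an API gateway accepts a call only when the token verifies and its app and device claims match the caller. To run offline it signs with HS256 and a constructed shared secret, where a real deployment would use asymmetric keys; the issuer URL, the `api://orders` audience and the `device_id` claim are assumptions, and the certificate-signing-request step from the slide is not modelled.

```python
"""OIDC-style ID token plus per-app, device-bound access token (added example, not CA/Layer 7 code)."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; real issuers use asymmetric keys
ISSUER = "https://authz.example.test"             # assumed issuer URL
ORDERS_API = "api://orders"                       # assumed audience identifier for one backend API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(claims).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, audience: str, now=None, secret: bytes = SECRET) -> dict:
    """Return the claims if alg, signature, issuer, audience and expiry all check; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm: rejects alg=none and key-confusion tokens
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def issue_tokens(user_id: str, app_id: str, device_id: str, now: int, ttl: int = 300):
    """Authorization server side: ID token describes the user to the app; access token is scoped
    to one API, one app (azp) and one device (device_id, an assumed custom claim)."""
    id_token = mint_jwt({"iss": ISSUER, "sub": user_id, "aud": app_id, "iat": now, "exp": now + ttl})
    access_token = mint_jwt({
        "iss": ISSUER, "sub": user_id, "aud": ORDERS_API, "azp": app_id,
        "device_id": device_id, "iat": now, "exp": now + ttl,
    })
    return id_token, access_token


def authorize_api_call(access_token: str, presented_app_id: str, presented_device_id: str, now: int) -> bool:
    """Gateway side: the token must verify for this API and be bound to the calling app and device."""
    try:
        claims = verify_jwt(access_token, audience=ORDERS_API, now=now)
    except ValueError:
        return False
    return claims.get("azp") == presented_app_id and claims.get("device_id") == presented_device_id


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value so the run is deterministic
    id_tok, acc_tok = issue_tokens("alice", "com.example.app-a", "dev-1", t0)
    print("id token subject:", verify_jwt(id_tok, audience="com.example.app-a", now=t0 + 10)["sub"])
    print("app-a on dev-1:", authorize_api_call(acc_tok, "com.example.app-a", "dev-1", t0 + 10))
    print("app-b reusing token:", authorize_api_call(acc_tok, "com.example.app-b", "dev-1", t0 + 10))
    print("after expiry:", authorize_api_call(acc_tok, "com.example.app-a", "dev-1", t0 + 301))
```

The gateway never trusts the client-supplied app or device identity on its own; it only compares them against claims the authorization server signed, which is what gives the "per app" token on the slide its meaning. Rejecting any `alg` other than the one you expect, and comparing signatures in constant time, are the two checks most often missing from hand-rolled JWT validation.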
