5 steps end to end security consumer apps
Presentation Transcript

  • 1. 5 Steps for End-to-End Mobile App Security with Consumer Apps. February 20, 2014. Tyson Whitten, Mobile Security Product Marketing, CA Technologies; Leif Bildoy, CA Layer 7 Product Management, CA Technologies. © 2014 CA. All rights reserved.
  • 2. Housekeeping. Tyson Whitten, CA Technologies, Tyson.Whitten@ca.com. Leif Bildoy, CA Technologies, Leif.Bildoy@ca.com. Layer 7 & CA Technologies: @layer7 & @CASecurity; layer7.com/blogs; layer7.com & security.com. Chat questions into the sidebar or use hashtag: #L7webinar
  • 3. Mobile Growth Continues: It’s An App, Happy World. Mobile app revenue generated by 2017: $77B. Source: Gartner, “Predicts 2014: Apps, Personal Cloud and Data Analytics Will Drive New Consumer Interactions.” Stephanie Baghdassarian, Brian Blau, Jessica Ekholm, Sandy Shen. November 22, 2013.
  • 4. Mobile Growth Continues: It’s An App, Happy World. Mobile app downloads by 2017: 268B. Time spent with apps vs. browsers: 82%. Average apps per device: 40. Sources: Harvard Business Review, “For Mobile Devices, Think Apps, Not Ads”, Sunil Gupta, Head of HBR Marketing, March 2013; Gartner, “Predicts 2014: Apps, Personal Cloud and Data Analytics Will Drive New Consumer Interactions.” Stephanie Baghdassarian, Brian Blau, Jessica Ekholm, Sandy Shen. November 22, 2013.
  • 5. Everyone is working on a mobility revenue strategy. Diagram labels: Device GPS; RealQuest.com; DiverseSolutions.com; WalkScore.com; GeoScan.com; Owner Input; Zillow Mobile App.
  • 6. Mobility Form Factors Power Innovation. Example: Nike+ Mobile App.
  • 7. Consumer App Security Risks. Diagram label: Protected Health Information (PHI) sync.
  • 8. How to Achieve End-to-End Security for Consumer Apps:
    – App Risk
    – Understanding the Solution Landscape
    – Securing the backend
    – Protecting the app
    – Maintaining the user experience
  • 9. Step #1: Identify Risk Level of Your Apps (IP, NPI, PHI & PII). Risk level = Business impact combined with Likelihood of a threat; assess WHO, WHERE and WHAT for each app.
  • 10. What Consumer App Security Solutions are Available? Control the app by controlling the device.
  • 11. Step #2: Understand Where MDM/MAM Fits. Feature table (Enterprise vs. Consumer): Authentication, Authorization, Social Login, SSO, Encryption (in-motion, at-rest) apply to both.
  • 12. Step #2: Understand Where MDM/MAM Fits. BYOD policies are not for consumer scenarios. Feature table (Enterprise vs. Consumer): Authentication, Authorization, Social Login, SSO, Encryption (in-motion, at-rest) apply to both; Device Management Policies (camera, GPS, etc.) apply to enterprise only, not to consumer.
  • 13. What does that leave for App Solutions? Web API; Native App; Web Browser.
  • 14. Understanding APIs Are Core to Consumer Apps. Web API; Native App; Web Browser.
  • 15. Step #3: Securing the App, Starting with the API. Concerns: Developer Access; Malicious Apps; Threats; Composite Apps; Performance.
  • 16. What about the Other End? (API, API, API)
  • 17. Step #4: How Secure App Development Complements API Security. Three identities: User, Apps, Devices.
  • 18. Step #4: How Secure App Development Complements API Security. Attributes shown for User (Name, Email, Phone number, Address, Group, Password, UserID), Apps (Package name, Name, Signer, Permissions, AppID) and Devices (HW version, SW version, Screen Size, DeviceID); further labels on the slide: HW Accelerated, App mix, Group, Managed, Footprint, SW.
  • 19. Step #4: How Secure App Development Complements API Security. Labels: User (Name, Email, UserID, Phone number, Address, Group, Marital Status, Password, Social Graph); Apps (Package name, Name, AppID); Devices (HW version, SW version, Screen Size, DeviceID).
  • 20. Step #4: How Secure App Development Complements API Security. Flow diagram (A, B, C): username/password; Access Token/Refresh Token, per app; Authorization Server; OAuth + OpenID Connect + PKI, profiled for mobile, with a clear distinction between device, user and app; MAG; Certificate Signing Request and Signed Cert; ID Token (JWT or SM Session Cookie).
  • 21. Step #4: How Secure App Development Complements API Security. Two-factor Auth; Social Login; Single Sign-On.
  • 22. Securing the Mobile App to the Backend API. Mutual SSL; Two-factor Auth; Social Login; Single Sign-On; Fine-grained API Access Control; Threat Protection.
  • 23. Step #5: How the Right End-to-End Mobile Security Solution Improves the User Experience. Diagram (A, B, C): SSO; Social Login; APIs. The Right Combination of Content & Security Features.
  • 24. Mobile Access Gateway.
  • 25. Mobile SDK – Simplified & secure consumption of APIs:
    – Leverage mobile OS security to create a secure sign-on container
    – Standards based: OAuth 2.0, OpenID Connect, and JWT
    – Secure provisioning through CA Layer 7 Mobile Access Gateway
    – Client-side libraries implementing common security aspects: iOS 6/7, Android 4.x & Adobe PhoneGap; easy-to-use device API for adding the app to an SSO session and mutual SSL; single API call to leverage cryptographic security, OAuth, OpenID Connect, and JWT; SDK with sample code & documentation
    Layer 7 Mobile Single Sign On Solution is a complete end-to-end standards-based security solution.
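Slides 20, 22 and 25 describe an OpenID Connect ID token (JWT) that keeps user, app and device apart. The following is an added example, not code from the deck or from the CA Layer 7 SDK: a gateway-side check that a token is signed, unexpired, issued for this app and bound to the presenting device. The HS256 shared secret, the issuer URL and the `device_id` claim name are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only (assumption: HS256 so the
# example runs with the standard library; a real gateway verifies the
# authorization server's RS256/ES256 signature with its public key).
SECRET = b"example-only-shared-secret"
ISSUER = "https://auth.example"  # assumed issuer URL


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(user_id, app_id, device_id, now=None, ttl=300):
    """Issue an ID token binding user (sub), app (aud) and device (device_id)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": user_id, "aud": app_id,
              "device_id": device_id, "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token, expected_app, expected_device, now=None):
    """Return the claims if the token is valid for this app and device, else None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":  # reject "none" and algorithm confusion
        return None
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return None
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None
    # The three identities from slide 20: user (sub), app (aud), device.
    if claims.get("aud") != expected_app or claims.get("device_id") != expected_device:
        return None
    return claims if claims.get("sub") else None
```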
  • 26. CA Technologies Provides Unique Capabilities to Meet the Evolving Needs of the Open Enterprise: Balance Security and User Convenience; End-to-End Mobile Security; Accelerate secure application delivery: Build, Deploy & Secure.
  • 27. Questions?
  • 28. Copyright © 2014 CA. The Windows logo is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The Symantec logo is either a registered trademark or trademark of Symantec Corporation in the United States and/or other countries. The Good logo is either a registered trademark or trademark of Good Corporation in the United States and/or other countries. The Airwatch logo is either a registered trademark or trademark of Airwatch Corporation in the United States and/or other countries. The MobileIron logo is either a registered trademark or trademark of MobileIron Corporation in the United States and/or other countries. The Samsung logo is either a registered trademark or trademark of Samsung Corporation in the United States and/or other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. Certain information in this publication may outline CA’s general product direction. However, CA may make modifications to any CA product, software program, method or procedure described in this publication at any time without notice, and the development, release and timing of any features or functionality described in this publication remain at CA’s sole discretion. CA will support only the referenced products in accordance with (i) the documentation and specifications provided with the referenced product, and (ii) CA’s then-current maintenance and support policy for the referenced product.
    Notwithstanding anything in this publication to the contrary, this publication shall not: (i) constitute product documentation or specifications under any existing or future written license agreement or services agreement relating to any CA software product, or be subject to any warranty set forth in any such written agreement; (ii) serve to affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (iii) serve to amend any product documentation or specifications for any CA software product. THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages.