Mobile SSO: Give App Users a Break from Typing Passwords

Why do we use mobile devices? Simple – they’re easy to use and very convenient. So, why do we make it so hard for mobile consumers to do business with us by confronting them with multiple login screens and passwords? While security is essential to protecting mobile usage, convenience cannot be sacrificed.

With the release of the CA Layer 7 Mobile Access Gateway 2.0 and its Mobile SDK, organizations can now achieve faster mobile consumer engagement, end-to-end mobile app security and convenient mobile Single Sign-On (SSO). In this webinar, Tyson Whitten and Leif Bildoy of CA Technologies explore the why and how of mobile SSO and the Mobile Access Gateway.

You will learn
• The mobile app choices you need to make to enable better consumer engagement
• The connectivity and security implications of these choices
• The mobile security solutions that balance security and convenience

Transcript

  • 1. Mobile SSO: Give App Users a Break from Typing Passwords
    September 19th 2013
    Tyson Whitten, Director, Mobile Solutions Marketing, CA Technologies
    Leif Bildoy, Sr. Security Product Manager, CA Technologies
  • 2. Housekeeping
    Copyright © 2013 CA. All rights reserved.
    Tyson Whitten, CA Technologies, Tyson.Whitten@ca.com
    Leif Bildoy, CA Technologies, Leif.Bildoy@ca.com
    Layer 7 & CA Technologies: @layer7 & @CASecurity; layer7.com/blogs; layer7.com & security.com
    Chat questions into the sidebar or use hashtag: #L7webinar
  • 3. Password Frustration
  • 4. Experience vs. Risk
    More Convenience / More Risk vs. Less Convenience / Less Risk
    Challenge is finding that right balance
    Options along that scale: No passcode; Device passcode; App security
  • 5. Key points
    - Understand users don’t want to enter passwords
    - Mobile app strategy will drive different security solutions
    - Different mobile app solutions will deliver various levels of security with tradeoffs
    Right balance of security with convenience – get SSO!
  • 6. Web browser vs. native apps
  • 7. Enterprise or the cloud
  • 8. Consumers & BYOD
  • 9. Different mobile apps require different security solutions
    App types: Web API; Custom App; COTS App; Web Browser; 3rd Party
  • 10. Different mobile apps require different security solutions
    App types: Web API; Custom App; COTS App; Web Browser; 3rd Party
    Matching solutions:
    - Access Management
    - Federation
    - API Security/Management
    - SDK: Advanced Auth, SSO
    - App Wrapping
  • 11. End-to-end Mobile Security
    Diagram labels: App Wrapping; Web API; Identity / Device Management; Adaptation; Optimize Traffic; Protect Data; Notification Services; Centralized Security Policy; Mobile SDK; Web Access; Enterprise App Store; Browser; COTS Mobile Apps; Custom Mobile Apps; Developer Portal
  • 12. CA Mobile Strategy
    Device Management; Application Development; Application Management & Security; API Management & Security; Content Management & Security
    Covering: Apps, Content, Device
  • 13. Who’s involved in a new mobile app project?
    Roles: App Developers; Enterprise Architect; Information Security; Chief Mobility Officer; Product Manager
    Their questions:
    - How does it fit into my mobile strategy?
    - How will it enable better customer engagement?
    - How will it create a great user experience?
    - How will it connect to my enterprise data?
    - How will it expose my enterprise data?
  • 14. The challenges - how do you bridge the gap?
    Security
    - Control access to assets
    - Focus on restricting access
    - Don’t understand app dev requirements
    App Development
    - Get to market quickly
    - Measured on number of downloads
    - Security is something that obstructs UX
    - Speed vs. stability?
    User Experience
    - Improve user app experience
    - Don’t have time for evolving security standards
  • 15. What’s enabling mobile connectivity? APIs
  • 16. How are APIs Exposed? APIs
  • 17. How are APIs fundamental to enabling a convenient app experience?
  • 18. The MAG SDK Section
    Backend Security; Mobile Apps; Internet of Things; Developer Community
  • 19. Mobile API Security and Management (Backend Security)
    API Management at Edge of Network
    - DMZ deployment
    - Hardware appliance, virtual appliance or software
    Diagram labels: Mobile Devices; Partners; Cloud API/Service Client; Firewall 1; Firewall 2; Enterprise Network; API/Service Servers; Directory
  • 20. The MAG SDK Section: Mobile App Security
  • 21. The Essence of the Problem: Secure Mobile Access to Apps and Data
    How Do We Make APIs Available?
    - Firewall mazes
    - Diversity of clients and back end systems
    - Clients and servers change at different rates
    Diagram labels: Internet; API/Service Client; Firewall 1; Firewall 2; Enterprise Network; API/Service Servers; Directory
    Of Particular Interest:
    - Authentication, Authorization & SSO
    - Secure Transmission
  • 22. We Want Classic SSO In An Active Profile For REST
    Could leverage WS-Fed here – SAML’s second act?
    Diagram labels: Apps making RESTful API calls; Internet; API/Service Servers; Directory
  • 23. But We Also Want Local App SSO
    Single Sign On App Group (these apps will share sign-on sessions): A, B, C → API/Service Servers
    So now it’s getting interesting… Like a VPN… but with a better experience
  • 24. Silos
    App layer; Persistence layer; Mobile OS
    Isolation is an issue
  • 25. Solution: MAG+SDK for end-to-end mobile app security and management
    Optional Client Component
    - iOS and Android libraries to simplify secure access
    CA Layer 7 Gateway at Network Edge
    - Server-side security and API management
    - Optimized for mobile use cases
    Diagram labels: iPhone; Android; iPad; Enterprise Network; API Servers
  • 26. Native Single Sign-On SDK For Mobile Developers
    Strong Security for Mobile Apps
    - Cross-platform and built for a consumer or BYOD world
    - 100% Standards-based using OAuth+OpenID Connect
    - X-app SSO with multi-factor auth & secure channel
    - X.509 Certificate provisioning for strong auth and transaction signing
    Diagram labels: iPhone; Android; iPad; App-sharable Secure Key Store; One time PIN (SMS, APNS, call); Enterprise Network; API Servers
  • 27. Client Deployment Strategy
    — Don’t make me work hard
      − But give me a strong and extensible security model
    — Transfer of security responsibility
      − Let developers do what they do best
    — Simple SDK
      − Align with common development time environments (iOS, Android, JavaScript, etc.)
    — Mirror REST frameworks
    — Future
      − Aspects, wrapping, etc.
  • 28. User should be able to log out if device is lost or stolen
  • 29. Three Important Entities enable fine-grained security: User, Apps, Devices
  • 30. Three Important Entities enable fine-grained security
  • 31. Protocol Strategy
    OAuth + OpenID Connect + PKI
    - Profiled for mobile
    - Clear distinction between device, user and app
    Diagram labels: Apps A, B, C; username/password; ID Token; Access Token/Refresh Token (per app); Authorization Server; Certificate Signing Request; MAG; Signed Cert
  • 32. Overall Architecture
  • 33. Mobile SDK Benefits
    — Single Sign-On for Mobile apps
      − Simplified & Consistent UX across all Enterprise apps
      − Remove password typing on devices (as much as possible)
      − No insecure browser redirects
      − Will leverage advanced auth schemes in the future
    — Secure Transport
      − Configure mutual SSL for API calls to help ensure apps use secure access to enterprise data
    — PKI Provisioning
      − Keys available for 2-factor auth or transaction signing
    — Easy to use SSO admin console
      − SSO Admin console allowing easy configuration and management of Users, Apps, and Devices
      − SSO Self Service portal – providing a simple UI where Users can manage their enterprise app entitlements and token sharing
    — Improved Developer experience
      − Simple device API for apps to participate in SSO session & decorate API calls with appropriate security mechanism
      − Easily benefit from cryptographic-based security leveraging standards OAuth, OpenID Connect, JWT and PKI
  • 34. Mobile Access Gateway 2.0
    Adaptation: Translate & Orchestrate Data & APIs
    - Surface legacy data source as RESTful APIs
    - XML and JSON transforms
    - Recompose & virtualize APIs to specific mobile identities, apps and devices
    - Orchestrate API mashups with configurable workflow
    Optimization: Handle Scale
    - Cache calls to backend applications
    - Aggregated mobile requests
    - Compress traffic to reduce bandwidth costs and improve user experience
    - Pre-fetch content for hypermedia-based API calls
    Security: Mobile Application Firewalling
    - Protect REST and SOAP APIs against DoS and API attacks
    - Proxy API streaming protocols like HTML5 WebSocket and XMPP messaging
    - Enforce FIPS 140-2 grade data privacy and integrity
    - Validate data exchanges, including all JSON, XML, header and parameter content
    Integration: Centralize Cloud Connectivity
    - Apple Push Notifications Service
    - Android Cloud to Device Messaging Framework
    - Proxy and manage app interactions with social networks
    Identity: Extending Enterprise Identity to Mobile
    - Mobile SSO
    - Multi-layered security
    - Granular access policies at user, app and device levels
    - OAuth 2.0
    - OpenID Connect
  • 35. When is the Mobile Access Gateway relevant? Are you:
    - exposing backend APIs?
    - writing mobile apps that consume the exposed APIs?
    - requiring mobile SSO for enterprise apps?
    - requiring mutual SSL for secure consumption of APIs?
    - integrating cloud services into mobile apps?
    - integrating backend or legacy data into mobile apps?
    - requiring location-based access control?
  • 36. Thank You. Questions?
  • 37. © Copyright CA 2013. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted. THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages. Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis.