Today’s enterprise mobility solutions emphasize heavy-handed IT governance of devices and applications that impose a burden on developers and/or users. However, managing data and applications using high performance mobile-optimized infrastructure can enable secure, scalable apps while minimizing the effort required by developers and allowing them to focus on their strengths. Come learn how to facilitate the best of both worlds – multi-layer mobile security using modern standards and a fantastic user experience.
Two sides Two constituencies Leads to confrontation
Users / General Secure access to enterprise data while maintaining usability (UX & DX) Passwords are cumbersome on mobile devices
Developers: Hard for developers to keep track of the latest standards and to get security right Multiple implementations, per app basis, leads to confusing UX User personalization of apps difficult without mobile identity Native apps need to integrate with existing enterprise identity governance Mobile browser is not a trusted party
Enterprise architect Bootstrapping trust between users, devices, apps and data centers Enterprise access policies enforcement per app and user is non-trivial API Security
We segmented the MAG features in 5 groups of features. Identity & Access Data & API Security Backend Adaptation Optimization for Mobile Orchestration with Outside Cloud & mobile Services
Caching, compression and aggregation of requests for mobile use cases Recompose existing services, existing message formats, and existing protocols into new Web APIs that will appeal to today’s developer Centrally manage connectivity to SaaS and other outbound connections (social networks, push notifications, etc) Reuse an existing investment in IAM systems, or simplify access using social login; modernize by adding Oauth/OpenID Connect frontend Secure data and applications; protocol, threat protection, encryption, signing, rate limiting, token validation
Set up all these backend systems, put security in place – now how does the developer build clients?
Use the mobile SDK that does secure provisioning to and through that MAG Leverage built-in security on devices – native keychains Client-side libraries to implement complex interactions
The solution provides several hooks for client or server integration with: Additional sources of trust like biometrics, CAC, SIM MDM solutions to provided jailbreak detection Location data providers
Additional point: How do you leverage your existing identity infrastructure in mobile apps? Layer 7 Gateway integrates with a number of identity solutions. The MSSO will help you surface that in a secure and mobile friendly manner.
CA SiteMinder Oracle Access Manager Oracle Entitlements Server IBM Tivoli Access Manager IBM Tivoli FIM Novell Access Manager Sun OpenSSO Ping Federate Microsoft Active Directory Microsoft ADFS
What’s important for a system that is managing apps that consume APIs?
You must track a number of entities to make sure you are making the right access control decisions to the APIs.
You may find yourself in a position where you want to revoke access to an particular App B but not App A. Maybe its only when the app is running on a specific device you need to revoke access.
The good news is that we have standards that cover some of this ground. OAuth 2.0 will help you with provisioning access tokens, on a per app basis. Usually today an App would need to register upfront to get a client id & secret. In future profiles like Dynamic Client Registration will simplify this process. But its important to keep in mind that you need to be able to uniquely identify an app. OpenID Connect will enable you to track a user session through a user token, a Jason Web Token. This is ideal for creating single sign on sessions. PKI as technology has been around for some time and is the basis for many strong auth systems. The key benefit is tapping into crypto-based security for authentication. This is a requirement in many sectors such as financial, banking, and US Federal. The problem with PKI is its hard to deploy and leverage for app developers who nearly always lack the skills and tooling to use it effectively.
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan, Director of Product Management & Security, CA Technologies @ Gartner Catalyst
Balancing Security and Developer
Enablement in Enterprise
Senior Director, Product Management & Strategy
August 12, 2014
“By 2015 mobile app development projects will outnumber
native PC projects by a ratio of 4-to-1.”