Balancing Mobile UX & Security: An API Management Perspective Presentation from Gartner Catalyst 2013

1,877 views

Published on

Chief Architect Francois Lascelles gave this presentation at Gartner Catalyst 2013. The user experience associated with mobile applications is a critical determinant of the adoption of the APIs that powers them. Mobile platforms and their public app stores create challenges when it comes to securing APIs consumed by mobile applications in such a way that does not require constant user prompts. This presentation will describe the challenge of providing positive UX patterns such as single sign-on on mobile platforms and explore API provider-side architectures enabling them.

Published in: Technology
  • Be the first to comment

Balancing Mobile UX & Security: An API Management Perspective Presentation from Gartner Catalyst 2013

  1. 1. Reconciling Mobile UX and Security An API Management Perspective Francois Lascelles Chief architect Layer 7 Technologies @flascelles
  2. 2. Layer 7 Confidential 2 Mobile UX matters UX Adoption
  3. 3. Layer 7 Confidential 3 Security too Most Businesses Probably Had a Mobile Security Incident in the Past Year Securing corporate information cited as greatest BYOD challenge (67%) THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY: A SURVEY OF IT PROFESSIONALS Dimensional research, June 2013 “Securing [data]-to- mobile is my top concern” Everybody, all the timeCompliance
  4. 4. Layer 7 Confidential 4 Secure what? MDM Protect data at-rest API Man Protect data source / data in-motion Mobile browser Any other app Web APIs
  5. 5. Layer 7 Confidential 5 UX Disruptors  Key defensive techniques, such as user authentication disrupt UX  The impact on user experience is more severe on mobile devices  Compounding factors: - Challenge frequency - Number of secrets - Secret complexity
  6. 6. Layer 7 Confidential 6 Reconciling UX and Security Identify yourself Show me my data
  7. 7. Layer 7 Confidential 7 Implants? - Not mobile enough HSM NFC
  8. 8. Layer 7 Confidential 8 Authentication Context Lifespan  Shorter token lifespan - More secure  Longer token lifespan - Better UX
  9. 9. Layer 7 Confidential 9 Complexity VS Frequency  Parallel sessions with varying secret complexity  Risk assessment-determined challenge
  10. 10. Layer 7 Confidential 10 Biometrics  Great alternative to PIN - Fingerprint, Voice, …  Client-side unlocking of long-lived auth context - Client-side policy  Multi-factor - API-side validation
  11. 11. Layer 7 Confidential 11 Elevated, Risk-Based Authentication  Stronger security not necessarily less UX - Auth only elevated when it counts most … (and is expected)
  12. 12. Layer 7 Confidential 12 Single sign-on challenge: Mobile App Isolation  Mobile web  Mobile apps User-agent Webapp 1 Webapp 2 Webapp 3 Cookie domain A Cookie domain B Access token 1 APP A API 1 API 2 API 3 Access token 2 APP B Access token 3 APP C (can be different parties) Domain A Domain A
  13. 13. Layer 7 Confidential 13 Shared Authentication Context  Client side platforms allow applications within a domain (signed by a common developer key) to access a common key chain  This allows them to share an authentication context App A App B KC A KC B App A App B Shared Key Chain
  14. 14. Layer 7 Confidential 14 Standard: Federated access token grants  App gets an access token in exchange for another token - SAML Bearer grant type [urn:ietf:params:oauth:grant-type:saml2-bearer] - JWT Bearer grant type [urn:ietf:params:oauth:grant-type:jwt-bearer]  Let apps leverage authentication context without disturbing UX Token endpoint API ProviderClient App API Call incl proof of authentication Get back access token
  15. 15. Layer 7 Confidential 15 Mobile App Domain  Across a group of apps - Consistent Auth UX - Single sign-on  Does not cover „3rd party‟ app
  16. 16. Layer 7 Confidential 16 3rd Party Mobile SSO  Client side redirections and callback - App register URL scheme to allow switching between apps - Passing a token in a redirection callback allows an authentication context to be extended to a 3rd party app App A App B openURL AppA://something?callback=AppB://somethingelse openURL AppB://somethingelse?arg=that_thing_you_need step 1 step 2
  17. 17. Layer 7 Confidential 17 App-to-app redirection limitations, risks  Un-verified URL schemes opens possibility of “app-in-the-middle” attack APPLE: “If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme. ” --link
  18. 18. Layer 7 Confidential 18 App Wrapping  Single sign-on across mobile apps normally requires the active participation of each app - Wrapping an app can compensate for a 3rd party app‟s lack of awareness  Adding a wrapper to an existing app re-signs app and enables access to shared authentication context - On the API side, federation still requires active participation or API calls themselves need be redirected 3rd P App App A App B Auth Context 3rd P API ?
  19. 19. Layer 7 Confidential 19 API-Side Brokering user@corp  API Broker - Domain ID <> 3rd party ID corp@sp  Federating 3rd party is also be achieved at API side
  20. 20. Layer 7 Confidential 20 Mobile app/API solution components  API Routing  API Brokering  OAuth Endpoints - Access token issuing - OpenID Connect  Protected endpoints  Identity infrastructure  Secure API invocation libs - User prompts, redirections - Handshake - Share auth context - Biometrics integration - PKI/MDM integration Backend Data/IdentityEdge API/OAuth GWClient-side framework
  21. 21. Layer 7 Confidential 21 Enabling Mobile Application Developer  API discovery  App registration  API key provisioning  Client side libraries
  22. 22. Layer 7 Confidential 22 Layer 7 Mobile Access Gateway Mobile API Delivery Access Control, UX Increased Developer Velocity • Secure Mobile Endpoint • Manage permissions across users, devices, apps • Integration, Scaling • Mobile PKI Provisioning • Mobile app-to-app SSO • Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE) • Mobile SDK for iOS and Android • Configure, not code • Form factors, deployment options 2.0
  23. 23. Thank you For more information: • http://www.layer7.com/products/mobile-access-gateway • http://www.layer7.com/solutions/mobile-access-solutions-overview

×