Downloaded 32 times
Uploaded byCA API Management
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan, Director of Product Management & Security, CA Technologies @ Gartner Catalyst
The document discusses the challenges and strategies of balancing security with developer enablement in enterprise mobility, highlighting the anticipated growth of mobile app development. It emphasizes the need for varied security solutions tailored to different mobile applications and introduces the Mobile Access Gateway as a tool for enhancing app development while maintaining security. Key features of this gateway include API management, identity integration, and mobile security measures aimed at improving user experience and developer efficiency.
More Related Content
Similar to Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan, Director of Product Management & Security, CA Technologies @ Gartner Catalyst
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan, Director of Product Management & Security, CA Technologies @ Gartner Catalyst
- 1. Balancing Security andDeveloper Enablement in Enterprise Mobility Jaime Ryan Senior Director, Product Management & Strategy Gartner Catalyst August 12, 2014
- 2. “By 2015 mobileapp development projects will outnumber native PC projects by a ratio of 4-to-1.”
- 3. 3 © 2014CA. ALL RIGHTS RESERVED. Mobility Adoption is Only Accelerating… Apple App Store: 44B downloads by 2016 App Proliferation > 75% of enterprises support personally- owned mobile devices Bring Your Own Device Tablets will be the primary computing device by 2017 Rapid Adoption
- 4. 4 © 2014CA. ALL RIGHTS RESERVED. ... It’s An App, App, App World Average apps per device 41 Business apps deployed per device by 2015 25 Mobile app downloads by 2016 44B Apps Are A Bigger Challenge Than Devices
- 5. 5 © 2014CA. ALL RIGHTS RESERVED. Different mobile apps require different security solutions Web API Custom App COTS AppWeb Browser 3rd Party • Access Management • Federation • API Security/Management • SDK: Advanced Auth, SSO • App Wrapping
- 6. 6 © 2014CA. ALL RIGHTS RESERVED. End-to-end Mobile Security App Wrapping Web API Identity / Device Management Adaptation Optimize Traffic Protect Data Notification Services Centralized Security Policy Mobile SDK Web Access Enterprise App Store Browser COTS Mobile Apps Custom Mobile Apps Developer Portal
- 7. 7 © 2014CA. ALL RIGHTS RESERVED. Device Management Application Development Application Management & Security API Management & Security Content Management & Security Apps ContentDevice Identity & Access Management Mobile Services Management* CA Mobility Strategy
- 8. 8 © 2014CA. ALL RIGHTS RESERVED. What’s Enabling Mobile App to Enterprise Connectivity? APIs
- 9. 9 © 2014CA. ALL RIGHTS RESERVED. The challenge - how do you bridge the gap? Security/IT Administrator - Control access to assets - Focusing on restricting access - Don’t understand app dev requirements App Development & UX - Get to market quickly - Measured on number of downloads - Security is something that obstructs UX - Improve user app experience - Don’t have time for evolving security standards
- 10. 10 © 2014CA. ALL RIGHTS RESERVED. Mobile Access Gateway Lightweight Secure Mobile Backend for Enterprise: enable enterprises to develop more apps faster that leverage their existing data and application assets provide a centrally controlled way of exposing backend data to mobile developers (design time) and apps (runtime) Securing mobile apps Increasing developer velocity
- 11. 11 © 2014CA. ALL RIGHTS RESERVED. Mobile Access Gateway Features
- 12. 12 © 2014CA. ALL RIGHTS RESERVED. Mobile Access Gateway - Features Optimization: Handle Scale • Cache calls to backend applications • Aggregated mobile requests • Compress traffic to minimize bandwidth costs and improve user experience • Pre-fetch content for hypermedia-based API calls Adaptation: Translate & Orchestrate Data & APIs • Legacy data source as RESTful APIs • XML and JSON transforms • Recompose & virtualize APIs to specific mobile identities, apps and devices • Orchestrate API mashups with configurable workflow Integration: Centralize Cloud Connectivity • Apple Push Notifications Service • Android Cloud to Device Messaging Framework • Proxy and manage app interactions with social networks Identity: Extending Enterprise Identity to Mobile • Mobile SSO for Android, iOS and Adobe PhoneGap • SM Session Cookie managed by mobile SDK • Granular access policies at user, app and device levels • OAuth 2.0 & OpenID Connect • Mobile Social Login (SalesForce, Gmail, LinkedIn, & Facebook) Security: Mobile Application Firewalling • Protect REST and SOAP APIs against DoS and API attacks • Proxy API streaming protocols like HTML5 Websocket and XMPP messaging • Enforce FIPS 140-2 grade data privacy and integrity • Validate data exchanges, including all JSON, XML, header and parameter content
- 13. 13 © 2014CA. ALL RIGHTS RESERVED. Mobile SDK – Simplified & secure consumption of APIs Layer 7 Mobile Single Sign On Solution is a complete end-to-end standards-based security solution. Secure provisioning through CA Layer 7 Mobile Access Gateway Leverage the underlying security in the mobile operating systems to create in effect a secure sign-on container Client-side libraries implementing common security aspects – Easy-to-use device API for adding app to SSO session and set up mutual SSL – Single API call to leverage cryptographic security, OAuth, OpenID Connect, and PKI – iOS 6/7, Android 4.x & Adobe PhoneGap API Portal IdM
- 14. 14 © 2014CA. ALL RIGHTS RESERVED. Features Cross app SSO – Provide a secure single sign on container by leveraging device OS security features PKI Provisioning – Provide secure transfer, storage and pinning of certs Secure transport – Configuration of secure communication (Mutual SSL) Multi-Layered Security – Use certificates to provide additional trust to authentication
- 15. 15 © 2014CA. ALL RIGHTS RESERVED. Mobile SDK Benefits Single Sign-On for Mobile apps – Simplified & Consistent UX across all Enterprise apps – Remove password typing on devices (as much as possible) – Access grant without browser redirection for authentication – Support for social login (Salesforce, LinkedIn, Google, Facebook) – Support for proprietary SSO tokens (SiteMinder) Secure Transport – Configure mutual SSL for API calls ensuring apps use secure access to enterprise data Easy to use SSO admin console – SSO Admin console allowing easy configuration and management of Users, Apps, and Devices – SSO Self Service portal – providing a simple UI where Users can manage their enterprise app entitlements and token sharing Improved Developer eXperience – Simple device API for apps to participate in SSO session & decorate API calls with appropriate security mechanism – Easily benefit from cryptographic based security leveraging standards OAuth, OpenID Connect, JWT and PKI
- 16. 16 © 2014CA. ALL RIGHTS RESERVED. Native SDK For Mobile Developers + MAG Enterprise Network iPhone Android iPad App-sharable Secure Key Store API Servers Strong Security for Mobile Apps Cross-platform and built for a consumer or BYOD world 100% Standards-based using OAuth+OpenID Connect X-app SSO & secure channel X.509 Certificate provisioning for strong auth and transaction signing
- 17. 17 © 2014CA. ALL RIGHTS RESERVED. Three entities enable fine-grained API security All three are managed by the SDK+MAG
- 18. 18 © 2014CA. ALL RIGHTS RESERVED. Protocol Strategy A B C username/password Access Token/ Refresh Token Per app Authorization Server OAuth + OpenID Connect + PKI Profiled for mobile Clear distinction between device, user and app MAG Signed Cert Certificate Signing Request ID Token (JWT Or SM Session Cookie
- 19. 19 © 2014CA. ALL RIGHTS RESERVED. Mobile Security Challenges Secure access to enterprise data while maintaining usability (UX & DX) Passwords are cumbersome on mobile devices Hard for developers to keep track of the latest standards and to get security right Multiple implementations, per app basis, leads to confusing UX User personalization of apps difficult without mobile identity Native apps need to integrate with existing enterprise identity governance Mobile browser is not a trusted party Bootstrapping trust between users, devices, apps and data centers Enterprise access policies enforcement per app and user is non-trivial
- 20. 20 © 2014CA. ALL RIGHTS RESERVED. When is the CA Layer 7 Mobile Access Gateway relevant? Are you: - exposing backend APIs? - writing mobile apps that consume the exposed APIs - requiring mobile SSO for enterprise apps? - requiring mutual SSL for secure consumption of APIs for consumer or employee apps? - integrating cloud services into mobile apps? - integrating backend or legacy data into mobile apps? - requiring location based access control?
- 21. Senior Director, ProductManagement & Strategy Jaime.Ryan@ca.com JRyanL7 slideshare.net/CAinc linkedin.com/company/ca-technologies ca.com Jaime Ryan
Editor's Notes
- #9 Two sides Two constituencies Leads to confrontation
- #10 Users / General Secure access to enterprise data while maintaining usability (UX & DX) Passwords are cumbersome on mobile devices Developers: Hard for developers to keep track of the latest standards and to get security right Multiple implementations, per app basis, leads to confusing UX User personalization of apps difficult without mobile identity Native apps need to integrate with existing enterprise identity governance Mobile browser is not a trusted party Enterprise architect Bootstrapping trust between users, devices, apps and data centers Enterprise access policies enforcement per app and user is non-trivial API Security http://en.wikipedia.org/wiki/File:Professional_System_Administrator.jpg
- #12 We segmented the MAG features in 5 groups of features. Identity & Access Data & API Security Backend Adaptation Optimization for Mobile Orchestration with Outside Cloud & mobile Services
- #13 Caching, compression and aggregation of requests for mobile use cases Recompose existing services, existing message formats, and existing protocols into new Web APIs that will appeal to today’s developer Centrally manage connectivity to SaaS and other outbound connections (social networks, push notifications, etc) Reuse an existing investment in IAM systems, or simplify access using social login; modernize by adding Oauth/OpenID Connect frontend Secure data and applications; protocol, threat protection, encryption, signing, rate limiting, token validation Set up all these backend systems, put security in place – now how does the developer build clients?
- #14 Use the mobile SDK that does secure provisioning to and through that MAG Leverage built-in security on devices – native keychains Client-side libraries to implement complex interactions
- #15 The solution provides several hooks for client or server integration with: Additional sources of trust like biometrics, CAC, SIM MDM solutions to provided jailbreak detection Location data providers
- #16 Additional point: How do you leverage your existing identity infrastructure in mobile apps? Layer 7 Gateway integrates with a number of identity solutions. The MSSO will help you surface that in a secure and mobile friendly manner. CA SiteMinder Oracle Access Manager Oracle Entitlements Server IBM Tivoli Access Manager IBM Tivoli FIM Novell Access Manager Sun OpenSSO Ping Federate Microsoft Active Directory Microsoft ADFS
- #18 What’s important for a system that is managing apps that consume APIs? You must track a number of entities to make sure you are making the right access control decisions to the APIs. You may find yourself in a position where you want to revoke access to an particular App B but not App A. Maybe its only when the app is running on a specific device you need to revoke access. The good news is that we have standards that cover some of this ground. OAuth 2.0 will help you with provisioning access tokens, on a per app basis. Usually today an App would need to register upfront to get a client id & secret. In future profiles like Dynamic Client Registration will simplify this process. But its important to keep in mind that you need to be able to uniquely identify an app. OpenID Connect will enable you to track a user session through a user token, a Jason Web Token. This is ideal for creating single sign on sessions. PKI as technology has been around for some time and is the basis for many strong auth systems. The key benefit is tapping into crypto-based security for authentication. This is a requirement in many sectors such as financial, banking, and US Federal. The problem with PKI is its hard to deploy and leverage for app developers who nearly always lack the skills and tooling to use it effectively.