WSO2Con US 2013 - Securing Cloud and Mobile: Pragmatic Enterprise Security Architecture

  1. Securing Cloud and Mobile: Pragmatic Enterprise Security Architecture. Prabath Siriwardena (@prabath), Director, Security Architecture, WSO2
  2. Within the first decade of the 21st century, the number of internet users worldwide increased from 350 million to more than 2 billion.
  3. Mobile phone subscribers increased from 750 million to 5 billion; today it's around 6 billion.
  4. Only 30% of mobile users password-protect their mobile devices.
  5. Many SaaS providers ignore multifactor authentication for mobile applications.
  6. 113 cell phones are lost or stolen every minute in the U.S., and $7 million worth of smartphones are lost daily.
  7. 62% of mobile workers currently use their personal smartphones for work.
  8. http://www.websense.com/assets/reports/websense-2013-threat-report.pdf
  9. Mobile Device Management systems need to be an integral part of corporate Identity Management.
  10. Cloud service providers are becoming mobile friendly with REST/JSON APIs.
  11. OAuth 2.0 dominates Mobile and API security.
  12. Avoid using the Resource Owner Password OAuth grant type.
  13. Mobile applications secured with OAuth can be vulnerable to phishing.
  14. Your Facebook or Twitter account credentials can be more easily phished through your mobile phone than from a laptop computer.
  15. The need to bake the client key and the client secret into the mobile app itself is an issue yet to be solved.
  16. OAuth has given better failover capability to mobile applications in case of an attack.
  17. It takes an average of 20 seconds for a user to log into a resource.
  18. Single Sign On increases user productivity.
  19. Browser based Single Sign On (diagram: Authorization Server (IdP), Mobile Device, Native App, Native Web Browser)
  20. Native Single Sign On (diagram: Mobile Device, Native App, Native IdP App)
  21. The OpenID Foundation is working on standardizing Native Single Sign On based on OpenID Connect.
  22. Federated Single Sign On (diagram: SAML2 IdP, SAML2 IdP, Authorization Server (IdP), Mobile Device, Native App, Native Web Browser)
  23. Federated Single Sign On with heterogeneous Authorization Servers
  24. Secured / Confidential data channels
  25. TLS, JSON Web Encryption (JWE)
  26. Managed Cloud APIs (diagram: Cloud API, Mobile App, API Gateway)
  27. Thank You