Balancing Security and Developer Enablement in Enterprise Mobility
Jaime Ryan, Senior Director, Product Management & Strategy, CA Technologies
Gartner Catalyst
August 12, 2014
“By 2015 mobile app development projects will outnumber native PC projects by a ratio of 4-to-1.”
3 © 2014 CA. ALL RIGHTS RESERVED.
Mobility Adoption is Only Accelerating…
App Proliferation: Apple App Store, 44B downloads by 2016
Bring Your Own Device: > 75% of enterprises support personally-owned mobile devices
Rapid Adoption: tablets will be the primary computing device by 2017
... It’s An App, App, App World
Average apps per device: 41
Business apps deployed per device by 2015: 25
Mobile app downloads by 2016: 44B
Apps Are A Bigger Challenge Than Devices
Different mobile apps require different security solutions
App types: Web Browser, Custom App, COTS App, 3rd Party, Web API
Security solutions:
• Access Management
• Federation
• API Security/Management
• SDK: Advanced Auth, SSO
• App Wrapping
End-to-end Mobile Security
[Diagram] Components: Browser, COTS Mobile Apps, Custom Mobile Apps, Mobile SDK, App Wrapping, Enterprise App Store, Developer Portal; Web, API, Web Access, Adaptation, Optimize Traffic, Protect Data, Notification Services, Centralized Security Policy, Identity / Device Management
CA Mobility Strategy
[Diagram] Device, Apps and Content layers: Device Management; Application Development; Application Management & Security; API Management & Security; Content Management & Security; Identity & Access Management; Mobile Services Management*
What’s Enabling Mobile App to Enterprise Connectivity?
APIs
The challenge - how do you bridge the gap?
Security/IT Administrator:
• Control access to assets
• Focusing on restricting access
• Don’t understand app dev requirements
App Development & UX:
• Get to market quickly
• Measured on number of downloads
• Security is something that obstructs UX
• Improve user app experience
• Don’t have time for evolving security standards
Mobile Access Gateway
Lightweight Secure Mobile Backend for Enterprise:
• Enable enterprises to develop more apps, faster, that leverage their existing data and application assets
• Provide a centrally controlled way of exposing backend data to mobile developers (design time) and apps (runtime)
Goals: securing mobile apps and increasing developer velocity
Mobile Access Gateway - Features
Optimization: Handle Scale
• Cache calls to backend applications
• Aggregated mobile requests
• Compress traffic to minimize bandwidth costs and improve user experience
• Pre-fetch content for hypermedia-based API calls
Adaptation: Translate & Orchestrate Data & APIs
• Legacy data source as RESTful APIs
• XML and JSON transforms
• Recompose & virtualize APIs to specific mobile identities, apps and devices
• Orchestrate API mashups with configurable workflow
Integration: Centralize Cloud Connectivity
• Apple Push Notifications Service
• Android Cloud to Device Messaging Framework
• Proxy and manage app interactions with social networks
Identity: Extending Enterprise Identity to Mobile
• Mobile SSO for Android, iOS and Adobe PhoneGap
• SiteMinder (SM) session cookie managed by the mobile SDK
• Granular access policies at user, app and device levels
• OAuth 2.0 & OpenID Connect
• Mobile Social Login (Salesforce, Gmail, LinkedIn & Facebook)
Security: Mobile Application Firewalling
• Protect REST and SOAP APIs against DoS and API attacks
• Proxy API streaming protocols such as HTML5 WebSocket and XMPP messaging
• Enforce FIPS 140-2 grade data privacy and integrity
• Validate data exchanges, including all JSON, XML, header and parameter content
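The last bullet is the one most often left vague in gateway marketing, so here is what "validate all JSON, header and parameter content" looks like as code. This is an added example, not CA's or Layer 7's code: a request-validation stage that checks a request against a per-route allow-list before any backend sees it. The route contract, the size and nesting limits, and the sample requests are constructed for the example; the point it makes is the order of the checks (size before parsing, media type before body) and that anything not on the contract is rejected rather than ignored.

```python
"""Added example (not CA's code): a request-validation stage of the kind the
"Mobile Application Firewalling" bullets describe, for a JSON API. The route
contract, limits and sample requests are constructed for this example."""
import json

MAX_BODY_BYTES = 64 * 1024  # assumed limits; tune per API
MAX_JSON_DEPTH = 8
MAX_JSON_KEYS = 200

# Constructed allow-list contract for one hypothetical route. Anything not
# listed (header, query parameter, body field) is rejected rather than ignored.
ROUTE_CONTRACT = {
    "POST /api/v1/expenses": {
        "content_type": "application/json",
        "required_headers": {"authorization"},
        "query_params": {"currency"},
        "body_fields": {"amount": (int, float), "category": str, "memo": str},
        "required_fields": {"amount", "category"},
    },
}


def json_depth_and_keys(obj, depth=1):
    """Max nesting depth and total object-key count of a parsed JSON value."""
    if isinstance(obj, dict):
        deepest, keys = depth, len(obj)
        children = obj.values()
    elif isinstance(obj, list):
        deepest, keys = depth, 0
        children = obj
    else:
        return depth, 0
    for child in children:
        d, k = json_depth_and_keys(child, depth + 1)
        deepest, keys = max(deepest, d), keys + k
    return deepest, keys


def validate_request(method, path, headers, query, body):
    """Return a list of violations; an empty list means the request may proceed."""
    contract = ROUTE_CONTRACT.get(f"{method.upper()} {path}")
    if contract is None:
        return [f"unknown route: {method} {path}"]
    violations = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name in sorted(contract["required_headers"] - set(hdrs)):
        violations.append(f"missing required header: {name}")
    for name in sorted(set(query) - contract["query_params"]):
        violations.append(f"unexpected query parameter: {name}")
    # Content-Type may carry parameters (charset); compare the media type only.
    media_type = hdrs.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != contract["content_type"]:
        violations.append(f"unexpected content-type: {media_type or '<none>'}")
        return violations  # do not parse a body we were not told to expect
    if len(body) > MAX_BODY_BYTES:
        violations.append(f"body of {len(body)} bytes exceeds {MAX_BODY_BYTES}")
        return violations  # size is checked before parsing, so parsing cannot be the DoS
    try:
        doc = json.loads(body)
    except ValueError:
        violations.append("body is not well-formed JSON")
        return violations
    if not isinstance(doc, dict):
        violations.append("body must be a JSON object")
        return violations
    depth, keys = json_depth_and_keys(doc)
    if depth > MAX_JSON_DEPTH:
        violations.append(f"json nesting depth {depth} exceeds {MAX_JSON_DEPTH}")
    if keys > MAX_JSON_KEYS:
        violations.append(f"json key count {keys} exceeds {MAX_JSON_KEYS}")
    fields = contract["body_fields"]
    for name in sorted(set(doc) - set(fields)):
        violations.append(f"unexpected body field: {name}")
    for name in sorted(contract["required_fields"] - set(doc)):
        violations.append(f"missing required field: {name}")
    for name, types in fields.items():
        if name in doc:
            value = doc[name]
            # bool is a subclass of int in Python; reject it for numeric fields explicitly
            if isinstance(value, bool) or not isinstance(value, types):
                violations.append(f"field {name} has type {type(value).__name__}")
    return violations
```

A real gateway would load the contract from the API definition published in the developer portal rather than a dictionary, and would log the violation list with the app and device identity; the checks themselves do not change.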
Mobile SDK – Simplified & secure consumption of APIs
The Layer 7 Mobile Single Sign-On Solution is a complete end-to-end, standards-based security solution.
• Secure provisioning through the CA Layer 7 Mobile Access Gateway
• Leverages the underlying security in the mobile operating systems to create, in effect, a secure sign-on container
• Client-side libraries implementing common security aspects
– Easy-to-use device API for adding an app to the SSO session and setting up mutual SSL
– Single API call to leverage cryptographic security, OAuth, OpenID Connect and PKI
– iOS 6/7, Android 4.x & Adobe PhoneGap
[Diagram] API Portal, IdM
Features
Cross-app SSO – Provide a secure single sign-on container by leveraging device OS security features
PKI Provisioning – Provide secure transfer, storage and pinning of certs
Secure transport – Configuration of secure communication (mutual SSL)
Multi-Layered Security – Use certificates to provide additional trust to authentication
Mobile SDK Benefits
Single Sign-On for Mobile apps
– Simplified & consistent UX across all enterprise apps
– Remove password typing on devices (as much as possible)
– Access grant without browser redirection for authentication
– Support for social login (Salesforce, LinkedIn, Google, Facebook)
– Support for proprietary SSO tokens (SiteMinder)
Secure Transport
– Configure mutual SSL for API calls, ensuring apps use secure access to enterprise data
Easy-to-use SSO admin console
– SSO Admin console allowing easy configuration and management of users, apps and devices
– SSO Self-Service portal providing a simple UI where users can manage their enterprise app entitlements and token sharing
Improved Developer Experience (DX)
– Simple device API for apps to participate in the SSO session & decorate API calls with the appropriate security mechanism
– Easily benefit from cryptography-based security leveraging the standards OAuth, OpenID Connect, JWT and PKI
Native SDK For Mobile Developers + MAG
[Diagram] iPhone, iPad and Android devices with an app-sharable secure key store, connecting through the MAG to API servers on the enterprise network
Strong Security for Mobile Apps
• Cross-platform and built for a consumer or BYOD world
• 100% standards-based using OAuth + OpenID Connect
• Cross-app SSO & secure channel
• X.509 certificate provisioning for strong auth and transaction signing
Three entities (user, app and device) enable fine-grained API security. All three are managed by the SDK + MAG.
Protocol Strategy
[Diagram] Authorization Server: OAuth + OpenID Connect + PKI, profiled for mobile, with a clear distinction between device, user and app
Flows shown: username/password; Certificate Signing Request → MAG-signed cert; Access Token / Refresh Token (per app); ID Token (JWT or SM Session Cookie)
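The slide names the pieces (per-app tokens, a gateway-signed device certificate, a user identity) but not how a gateway ties them together on each call. The following is an added example, not CA's or Layer 7's code, showing one way to do that: the Authorization Server issues a token whose claims name the user (sub), the app (aud) and the enrolled device (a certificate thumbprint), and the gateway refuses the token unless the app and the certificate on the mutual-TLS leg both match. Assumptions not taken from the slide: the server signs with HMAC-SHA256 over a key only the Authorization Server and gateway hold, the device certificate is stood in for by constructed DER bytes, the binding claim is the RFC 8705 `cnf` / `x5t#S256` thumbprint, and the issuer URL and app identifiers are made up.

```python
"""Added example (not CA's code): issue and verify per-app access tokens that
tie together the three entities on the slide, user, app and device, in the
spirit of the OAuth + OpenID Connect + PKI strategy shown.

Assumptions not taken from the slide: the Authorization Server signs with
HMAC-SHA256 (HS256) using a key only it and the gateway hold; the device
certificate is represented by its DER bytes and bound to the token via the
RFC 8705 `cnf` / `x5t#S256` thumbprint claim; issuer URL and app IDs are
constructed."""
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; hold a real key in an HSM/KMS
ISSUER = "https://mag.example.com"                 # assumed issuer identifier
ACCESS_TTL = 300                                   # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256: base64url(SHA-256(DER)), the value the gateway can compute
    from the client certificate presented on the mutual-TLS leg."""
    return _b64url(hashlib.sha256(cert_der).digest())


def issue_token(user: str, app_id: str, device_cert_der: bytes, now=None) -> str:
    """Authorization Server side: one token per app (aud), naming the user (sub)
    and pinned to the enrolled device certificate (cnf)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": user,
        "aud": app_id,
        "cnf": {"x5t#S256": cert_thumbprint(device_cert_der)},
        "iat": now,
        "exp": now + ACCESS_TTL,
    }
    signing_input = _compact(header) + "." + _compact(claims)
    sig = hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_app: str, presented_cert_der: bytes, now=None) -> dict:
    """Gateway side: every check must pass; raises ValueError naming the first failure.
    The MAC is checked with the server's fixed algorithm before the header is
    trusted, so an attacker-controlled `alg` cannot select a weaker verifier."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    try:
        presented_sig = _b64url_decode(s)
    except ValueError:
        raise ValueError("malformed token")
    expected_sig = hmac.new(SERVER_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != expected_app:
        raise ValueError("token issued to a different app")
    if claims.get("cnf", {}).get("x5t#S256") != cert_thumbprint(presented_cert_der):
        raise ValueError("token not bound to the presenting device")
    return claims


def check(token: str, expected_app: str, presented_cert_der: bytes, now=None) -> str:
    """Convenience wrapper: 'ok', or the reason the gateway rejected the token."""
    try:
        verify_token(token, expected_app, presented_cert_der, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The device check is what makes a stolen bearer token useless off the enrolled device: the thumbprint in the token must equal the thumbprint of the certificate the TLS layer actually authenticated, so the gateway must take that value from its own TLS termination, never from a header the client sends.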
Mobile Security Challenges
Secure access to enterprise data while maintaining usability (UX & DX)
Passwords are cumbersome on mobile devices
Hard for developers to keep track of the latest standards and to get security right
Multiple implementations, per app basis, leads to confusing UX
User personalization of apps difficult without mobile identity
Native apps need to integrate with existing enterprise identity governance
Mobile browser is not a trusted party
Bootstrapping trust between users, devices, apps and data centers
Enterprise access policies enforcement per app and user is non-trivial
When is the CA Layer 7 Mobile Access Gateway relevant?
Are you:
- exposing backend APIs?
- writing mobile apps that consume the exposed APIs?
- requiring mobile SSO for enterprise apps?
- requiring mutual SSL for secure consumption of APIs for consumer or employee apps?
- integrating cloud services into mobile apps?
- integrating backend or legacy data into mobile apps?
- requiring location-based access control?
Jaime Ryan
Senior Director, Product Management & Strategy
JRyanL7
slideshare.net/CAinc
linkedin.com/company/ca-technologies
ca.com