Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan, Senior Director, Product Management & Strategy, CA Technologies @ Gartner Catalyst, August 12, 2014

Upload: ca-api-management

Post on 14-Jul-2015


TRANSCRIPT

Page 1: Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan, Director of Product Management & Security, CA Technologies @ Gartner Catalyst

Balancing Security and Developer Enablement in Enterprise Mobility

Jaime Ryan, Senior Director, Product Management & Strategy

Gartner Catalyst

August 12, 2014

Page 2:

“By 2015 mobile app development projects will outnumber native PC projects by a ratio of 4-to-1.”

Page 3:

3 © 2014 CA. ALL RIGHTS RESERVED.

Mobility Adoption is Only Accelerating…

• App Proliferation: Apple App Store, 44B downloads by 2016

• Bring Your Own Device: > 75% of enterprises support personally-owned mobile devices

• Rapid Adoption: Tablets will be the primary computing device by 2017

Page 4:

... It’s An App, App, App World

• Average apps per device: 41

• Business apps deployed per device by 2015: 25

• Mobile app downloads by 2016: 44B

Apps Are A Bigger Challenge Than Devices

Page 5:

Different mobile apps require different security solutions

App types in the diagram: Web Browser, Custom App, COTS App, 3rd Party; Web API

Solutions in the diagram:

• Access Management

• Federation

• API Security/Management

• SDK: Advanced Auth, SSO

• App Wrapping

Page 6:

End-to-end Mobile Security

Diagram labels recovered from the slide:

Clients: Browser, COTS Mobile Apps, Custom Mobile Apps

Channels: Web, API

Components: Web Access, Mobile SDK, App Wrapping, Enterprise App Store, Developer Portal, Identity / Device Management, Adaptation, Optimize Traffic, Protect Data, Notification Services, Centralized Security Policy

Page 7:

CA Mobility Strategy

Columns: Device, Apps, Content

• Device Management

• Application Development

• Application Management & Security

• API Management & Security

• Content Management & Security

Also listed: Identity & Access Management; Mobile Services Management*

Page 8:

What’s Enabling Mobile App to Enterprise Connectivity?

APIs

Page 9:

The challenge - how do you bridge the gap?

Security/IT Administrator

• Control access to assets

• Focusing on restricting access

• Don’t understand app dev requirements

App Development & UX

• Get to market quickly

• Measured on number of downloads

• Security is something that obstructs UX

• Improve user app experience

• Don’t have time for evolving security standards

Page 10:

Mobile Access Gateway

Lightweight Secure Mobile Backend for Enterprise:

• enable enterprises to develop more apps faster that leverage their existing data and application assets

• provide a centrally controlled way of exposing backend data to mobile developers (design time) and apps (runtime)

Two goals: Securing mobile apps; Increasing developer velocity

Page 11:

Mobile Access Gateway Features

Page 12:

Mobile Access Gateway - Features

Optimization: Handle Scale

• Cache calls to backend applications

• Aggregate mobile requests

• Compress traffic to minimize bandwidth costs and improve user experience

• Pre-fetch content for hypermedia-based API calls

Adaptation: Translate & Orchestrate Data & APIs

• Expose legacy data sources as RESTful APIs

• XML and JSON transforms

• Recompose & virtualize APIs to specific mobile identities, apps and devices

• Orchestrate API mashups with configurable workflow

Integration: Centralize Cloud Connectivity

• Apple Push Notifications Service

• Android Cloud to Device Messaging Framework

• Proxy and manage app interactions with social networks

Identity: Extending Enterprise Identity to Mobile

• Mobile SSO for Android, iOS and Adobe PhoneGap

• SM Session Cookie managed by mobile SDK

• Granular access policies at user, app and device levels

• OAuth 2.0 & OpenID Connect

• Mobile Social Login (SalesForce, Gmail, LinkedIn, & Facebook)

Security: Mobile Application Firewalling

• Protect REST and SOAP APIs against DoS and API attacks

• Proxy API streaming protocols like HTML5 WebSocket and XMPP messaging

• Enforce FIPS 140-2 grade data privacy and integrity

• Validate data exchanges, including all JSON, XML, header and parameter content

Page 13:

Mobile SDK – Simplified & secure consumption of APIs

Layer 7 Mobile Single Sign On Solution is a complete end-to-end standards-based security solution.

• Secure provisioning through CA Layer 7 Mobile Access Gateway

• Leverage the underlying security in the mobile operating systems to create in effect a secure sign-on container

• Client-side libraries implementing common security aspects

– Easy-to-use device API for adding app to SSO session and set up mutual SSL

– Single API call to leverage cryptographic security, OAuth, OpenID Connect, and PKI

– iOS 6/7, Android 4.x & Adobe PhoneGap

Diagram labels: API Portal, IdM

Page 14:

Features

• Cross app SSO – Provide a secure single sign on container by leveraging device OS security features

• PKI Provisioning – Provide secure transfer, storage and pinning of certs

• Secure transport – Configuration of secure communication (Mutual SSL)

• Multi-Layered Security – Use certificates to provide additional trust to authentication

Page 15:

Mobile SDK Benefits

Single Sign-On for Mobile apps

– Simplified & Consistent UX across all Enterprise apps

– Remove password typing on devices (as much as possible)

– Access grant without browser redirection for authentication

– Support for social login (Salesforce, LinkedIn, Google, Facebook)

– Support for proprietary SSO tokens (SiteMinder)

Secure Transport

– Configure mutual SSL for API calls ensuring apps use secure access to enterprise data

Easy to use SSO admin console

– SSO Admin console allowing easy configuration and management of Users, Apps, and Devices

– SSO Self Service portal – providing a simple UI where Users can manage their enterprise app entitlements and token sharing

Improved Developer eXperience

– Simple device API for apps to participate in SSO session & decorate API calls with appropriate security mechanism

– Easily benefit from cryptographic based security leveraging standards OAuth, OpenID Connect, JWT and PKI

Page 16:

Native SDK For Mobile Developers + MAG

Diagram labels: Enterprise Network, iPhone, Android, iPad, App-sharable Secure Key Store, API Servers

Strong Security for Mobile Apps

• Cross-platform and built for a consumer or BYOD world

• 100% Standards-based using OAuth+OpenID Connect

• X-app SSO & secure channel

• X.509 Certificate provisioning for strong auth and transaction signing

Page 17:

Three entities (device, user and app) enable fine-grained API security. All three are managed by the SDK+MAG.

Page 18:

Protocol Strategy

OAuth + OpenID Connect + PKI, profiled for mobile, with a clear distinction between device, user and app

Credentials shown in the diagram (lanes A, B, C):

• username/password, exchanged at the Authorization Server for an Access Token/Refresh Token (per app)

• Certificate Signing Request, answered with a MAG Signed Cert

• ID Token (JWT) or SM Session Cookie
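A worked model of the flow on this slide and the previous one, with device, user and app as three separately credentialed entities, added here as an example; it is not code from the deck, from CA's SDK or from the Mobile Access Gateway. It assumes a single HMAC signing key shared by the gateway and the API server in place of the MAG's PKI, models the "signed cert" as an HMAC-signed blob rather than an X.509 certificate so it runs with the standard library only, and the claim names, app policy table and user table are constructed.

```python
"""Toy three-entity token flow: CSR -> gateway-signed device credential,
username/password + device credential -> per-app access/refresh/ID tokens,
and an API-side check that enforces policy on user, app and device.
Constructed example; not the product's code."""
import base64
import hashlib
import hmac
import json
import time

# Assumption: one HMAC key shared by the gateway (issuer) and the API server (verifier).
# A real gateway would use asymmetric keys and X.509; HMAC keeps this stdlib-only.
GATEWAY_KEY = b"constructed-gateway-signing-key"

# Constructed policy and user tables standing in for the gateway's admin console data.
APP_POLICY = {"sales-app": {"orders:read"}, "hr-app": {"payroll:read"}}
USERS = {"alice": "correct horse battery staple"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Mint a compact HS256-style token (header.payload.signature) over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(GATEWAY_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify(token: str, now=None) -> dict:
    """Return the claims if the MAC checks out and the token has not expired; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(GATEWAY_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


# --- Gateway: device enrolment (Certificate Signing Request -> signed device credential)
def issue_device_cert(csr: dict, now: float) -> str:
    """Bind the device id to the public key it presented (modelled as a signed blob)."""
    return sign({"typ": "device", "device_id": csr["device_id"], "spki": csr["spki"],
                 "exp": now + 365 * 86400})


# --- Gateway / Authorization Server: username/password -> per-app tokens ---------------
def login(username: str, password: str, client_id: str, device_cert: str, now: float) -> dict:
    """Issue access, refresh and ID tokens for one (user, app, device) triple."""
    if not hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
        raise PermissionError("bad credentials")
    if client_id not in APP_POLICY:
        raise PermissionError("unknown app")
    device = verify(device_cert, now)
    if device.get("typ") != "device":
        raise PermissionError("not a device credential")
    binding = {"sub": username, "client_id": client_id, "device_id": device["device_id"]}
    return {
        "access_token": sign({"typ": "access", **binding,
                              "scope": sorted(APP_POLICY[client_id]), "exp": now + 3600}),
        "refresh_token": sign({"typ": "refresh", **binding, "exp": now + 30 * 86400}),
        # ID token: the OpenID Connect assertion about the user, audience = the app.
        "id_token": sign({"typ": "id", "sub": username, "aud": client_id, "exp": now + 3600}),
    }


# --- API server: check user, app and device before serving the call --------------------
def authorize_api_call(access_token: str, presenting_app: str, device_cert: str,
                       required_scope: str, now: float) -> tuple:
    """Return (allowed, reason). presenting_app is the app identity the gateway established
    out of band (in the product, via the SDK's mutual SSL); here it is simply passed in."""
    try:
        tok = verify(access_token, now)
        device = verify(device_cert, now)
    except ValueError as err:
        return False, str(err)
    if tok.get("typ") != "access" or device.get("typ") != "device":
        return False, "wrong token type"
    if tok["client_id"] != presenting_app:
        return False, "token issued to a different app"
    if tok["device_id"] != device["device_id"]:
        return False, "token bound to a different device"
    if required_scope not in tok["scope"]:
        return False, "scope not granted to this app"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    cert = issue_device_cert({"device_id": "dev-1", "spki": "constructed-spki"}, t0)
    tokens = login("alice", "correct horse battery staple", "sales-app", cert, t0)
    print(authorize_api_call(tokens["access_token"], "sales-app", cert, "orders:read", t0))
    print(authorize_api_call(tokens["access_token"], "hr-app", cert, "orders:read", t0))
```

The access token carries all three identities (sub for the user, client_id for the app, device_id for the device), which is what lets the API side apply the per-user, per-app and per-device policies listed on the Features slide: a token replayed by another app, presented from another device, expired, tampered with, or used for a scope the app was never granted is refused with a distinct reason.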

Page 19:

Mobile Security Challenges

Secure access to enterprise data while maintaining usability (UX & DX)

Passwords are cumbersome on mobile devices

Hard for developers to keep track of the latest standards and to get security right

Multiple implementations, per app basis, leads to confusing UX

User personalization of apps difficult without mobile identity

Native apps need to integrate with existing enterprise identity governance

Mobile browser is not a trusted party

Bootstrapping trust between users, devices, apps and data centers

Enterprise access policies enforcement per app and user is non-trivial

Page 20:

When is the CA Layer 7 Mobile Access Gateway relevant?

Are you:

– exposing backend APIs?

– writing mobile apps that consume the exposed APIs?

– requiring mobile SSO for enterprise apps?

– requiring mutual SSL for secure consumption of APIs for consumer or employee apps?

– integrating cloud services into mobile apps?

– integrating backend or legacy data into mobile apps?

– requiring location based access control?

Page 21:

Jaime Ryan

Senior Director, Product Management & Strategy

[email protected]

JRyanL7

slideshare.net/CAinc

linkedin.com/company/ca-technologies

ca.com