pre-con ed: knock, knock, the iot wants to come in

World®’16

Pre-ConEd: Knock,Knock,theIoTWantstoComeInTabishTanzeem,CISSP DanielBrudner,CISSP,CISA,CCSKSeniorPrincipalConsultant SeniorPrincipalConsultantCATechnologies CATechnologies

SCX11E

SECURITY

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

ForInformationalPurposesOnlyTermsofthisPresentation

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.


Abstract

Today,digitaliseverywhere—bigdata,cloud,mobilityandtheInternetofThings(IoT)arechangingthewayweallworkandplay.Thisrapidlyevolvingdigitalworldisalsoredefiningtherelationshipbetweenyourbusinessandyourcustomers,whonowexpectaconvenient,frictionless,interactiveandsecureexperiencewithyourbrand.Buthowwillwedeliverthissecureaccesswithoutimpactingtheuserexperience?Inthissession,we’lldiscusshowCAAdvancedAuthenticationcanbeintegratedwithCAAPIGatewaytosecuremobileappsandtheIoT.

DanielBrudner&TabishTanzeem

CATechnologiesSecurity


Agenda

IOTANDMOBILETRENDS

CYBERSECURITYCHALLENGES

INTEGRATION

CAADVANCEDAUTHENTICATION

DEMONSTRATIONOFASAMPLEMOBILEAPPLICATION

CAAPIGATEWAY

1

2

3

4

5

6


TheIoT Ecosystem

Sensor

Network/Carriers

IoTGateway

Cloud

OpenData

Platform

IoTPlatform

ConnectedCar

SmartProducts

SmartUtilities

SmartAnalytics

‘Makers’‘Users’

HomeIoT

IndustrialIoT

InformationTechnology

OperationsTechnology

Wearables

Platforms

IntelligentGateways

Consumers

ConnectedHealth SmartEnergy

SmartTransportation SmartFactories

Enterprise ‘Edge’

SystemsIntegration/Services


0

10

20

30

40

50

60

70

80

90

2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025

IoT– TodayandTomorrow2015– 2025*

*ScenarioBased(2020– 2025)

Billion

s

1 5 2 2 0 0, connectedIoTdevicesperminuteBy20254 8 0 0, connectedIoTdevicesperminuteToday


TheDataSourcesForIoT:2015– 2025

*ScenarioBased(2020– 2025)

ZBytes

GrowthFrom2020- 2025

1.3X

3.8X

8.6X

-

50

100

150

200

2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025

ClassicallyCreated IoTRelevant IoTActionable


ChallengeswithIoT

§ 80BillionIoTdevicesby2025(theyallwanttohaveIdentities…)– needtomanageexponentiallymoreidentitiesthancurrenthumans’Identities

§ DynamichighmobilityofIoTdevicescreatesmoreRisk– Devicesappearanddisappearindifferentlocations– Needtouniquelyidentifythedevice– Needtoidentifychangesindevicefingerprint


ChallengeswithIoT

§ Manageinteraction/relationshipofIoT withotherdevices,humans,services– IRM– Authentication– Authorization– Auditing– Administration

§ Traditionalboardersaregone

§ Computeconstrainedresources(IoT devices)requiredelegationofauthenticationandauthorizationtoless-constraineddevices

§ HowdoIknowthedevicehasbeencompromised?


SomethingaboutMobileDevices

63%Ofmobileuserswillaccessonlinecontentthroughtheirmobiledevicesby20171.1. http://www.pcmag.com/article2/0,2817,2485277,00.asp

2. http://www.statista.com/topics/779/mobile-internet

70%Ofpopulationworldwidewillusesmartphonesby20201.


HowMobileDeviceisChangingAuthentication

1http://www.statista.com/topics/779/mobile-internet/

AuthenticateWITH

AuthenticateTO

AuthenticateTHROUGH

In2017,figuressuggestthatmorethan63.4percentofmobilephoneuserswillaccessonlinecontentthroughtheirdevices.1


ButWhatAbouttheMobileApps?

§ Authenticationisdifferent

§ Appdevelopershaveachoice– Trustthedeviceunlockingmechanism(e.g.,TouchID)– Supplementdevicesecuritywithapplogin

§ Ifauthenticationisbuiltintoapp,thenmustdecide– Doyoupromptforcredentialseverytimeapp

isopened(notuser-friendly)– Ordoyousavecredentialsondevice(notverysecure)


ContextualAuthentication

CARiskAuthentication™

Whereistheidentity?

Whatistheidentitytryingtodo?

Istheactionconsistentwith

history?

Whatdeviceisbeingused?

IntroducingCAAdvancedAuthenticationTwobest-of-breedcomponentsthatcanbedeployedindividuallyortogether

VersatileAuthentication

CAStrongAuthentication™

CAAuth ID

Q&A OATHTokens

OTP– OutofBand

CAMobileOTP


RiskAssessmentisaStrongCredential

RISKDATAAVAILABLE

Whereistheidentity?

Whatdeviceisbeingused?

Whatistheidentitytryingtodo?

Istheactionconsistentwithhistory?

§ Isthelocationinherentlysuspect?

§ Havetheybeentherebefore?

§ Whereweretheyrecently?

LOCATION

§ Whatkindofdeviceisit?

§ Havetheyuseditbefore?

§ Hasitchangedsincetheylastusedit?

DEVICEDNA

§ Isthisatypicalactionfortheidentity?

§ Istheactioninherentlyrisky?

§ Havetheytakensimilaractionsbefore?

BEHAVIOR

§ Isthisanormaltimeofdayforthem?

§ Istheirfrequencyofloginabnormal?

§ Istheircurrentactionconsistentwithprioractions?

HISTORY


Transaction Geo-Location IP Device User OtherTime

Date

Day-ofWeek

TransactionType(Action)Velocity

CountryListLookup

NegativeCountryCheck

ZoneHopping

AnonymizingProxyCheck

IPVelocity

TrustedIPCheck

TrustedAggregatorCheck

NegativeIPCheck

AssociatedwithDevice

MachineFingerprintmatched

DeviceVelocity

NewDeviceCheck

ExceptionUserCheck

UnknownUserCheck

UserVelocity

NumericComparison

StringComparison

GeneralListLookup

LogicalOperations

RISKDATA

Location

DeviceDNA

UserBehavoir Wizard-basedruledevelopment

Inputsareextensiblefordeepintegration

Rulescanrepresentcomplexconditions

ProvidingEnterpriseswithaBetterView


ApplyingtheAppropriateActionsbasedonRisk

Location DeviceDNA IdentityBehaviorMultipleDevices

RiskRules&RiskScore

1 2

3

Policies

RISKADVICE

LOW MEDIUM HIGH

IdentityCompletesEventorLoginTransaction

SUCCESS

STEP-UPAUTHENTICATION

AccessorEventDenied

SUCCESS

RISKDATACOLLECTED

FAIL FAIL

CaseMgmt

5

6

4


DeviceDNA:TheCombinationofTwoTechnologies

§ DeviceDNA™isCATechnologies’patentedsolutiontodeviceidentification

DEVICEID MACHINEFINGERPRINTS(MFP)


DeviceIdentificationHelpsCreateaPositiveUserExperienceandPreventAttacks

Thisdeviceisrecognizedforthisidentity.Theyhaveestablishedarecordofgoodaccessfromthedevice.(UserAssociatedwithDeviceandMFPMatched)

Thisappearstobenewdeviceforthisidentity.Thedevicehasnototherwisebeenseeninthesystem.(UserNotAssociatedwithDevice)

Thisdevicehasbeenemployedbyawidevarietyofidentities.(HighDeviceVelocity)

Thisdevicehasbeenassociatedwithpreviousattacks.(NegativeDeviceList)


CARiskAuthentication:ConceptualArchitecture

UserStores

OtherRiskModels

WAM/SSOAdapters

REST-basedWebServices

Integration

RiskEngine

Step-Up

RiskAdvice

Approve Deny

Step-UpAuthentication

Custom

Callouts BehavioralProfiling

GeolocationDeviceFingerprinting

RiskScore Policies

Q&ASecurity OutofBand

OTP OTPCAMobile

Audit&Reporting

CaseMgmt

FraudStatistics

Analytics

Rule/PolicyChanges

[CASSO,IBMTAM,OracleAM]


EnhancingAppSecuritywithMobileRisk

Thetypicalprocessisthattheuseropenstheappontheirmobiledevice,andmayormaynotpromptedtoauthenticatebeforeaccessingenterpriseapplicationsanddata.

ProcessFlow

But…thereisnorealsecuritybeyondthepasswordorPINenforcedbytheApp.Inaddition,becausemanyAppsstoreasessiontokenonthedevice,accesscanbeeasilycompromisedifthemobiledeviceisstolenorlost.MobileRiskcanAddressthisWeakness!

Consumer

MobileApp

Applications ApplicationData

MobileDevices

WebServices



ThefirststepistoembedtheMobileDeviceDNAdatacollectorswithintheMobileAppthatyouwishtoprotect.

ProcessFlow

TheSDKwillcommunicatewiththeCAAdvancedAuthenticationservers.

Consumer

MobileApp


MobileDevices

WebServices

CAAdv.Auth

SDK



Whentheidentityopenstheapp,theSDKwilltransparentlyconductariskevaluation,whichcouldoccurafterauthenticationbutbeforeuserisgivenaccesstoanydata.

ProcessFlow

Analysisincludes:§ Location§ DeviceIdentification§ IdentityBehavior

TheSDKwillcollectdevicedataandsendittotheriskengineforanalysis.

Consumer

MobileApp


MobileDevices

WebServices

CAAdv.Auth

SDK



IftheriskanalysisreturnsaLOWRiskScore,theriskenginewillreturnan“Approve”messageandtheidentitywillbeallowedtocontinuetoaccessapplicationdata.

ProcessFlow

Consumer

MobileApp


MobileDevices

WebServices

CAAdv.Auth

SDK



IftheriskanalysisreturnsaMEDIUMRiskScore,theriskenginecaninitiateaStep-UpAuthenticationprocess(e.g.,pushnotificationorout-of-bandOTP).

ProcessFlow

Consumer

MobileApp


MobileDevices

WebServices

CAAdv.Auth

SDK PushNotification

OutofBandAuthentication

Afteridentityanswersstep-upchallenge,theyareallowedtoaccessapplicationdata.



IftheriskanalysisreturnsaHIGHRiskScore,theriskenginecouldreturna“Deny”messageandtheuserwouldnotbeallowedtoaccessanyapplicationdata.

ProcessFlow

Consumer

MobileApp


MobileDevices

WebServices

CAAdv.Auth

SDK

AccessDenied


SomeoftheFactorsGathered…


AddRiskAuthenticationtoYourMobileApplicationGeneratedevicedna - //triggerthedna generatorRiskHelper *rh =[RiskHelper sharedManager];rh.dnaDelegate =self;[rh generateDeviceDNA];

Resultcalledbackinyourappwith(void)dnaUpdated:(NSDictionary *)dnaValue;

Evaluaterisk- //settheriskhelperwithlatestservervaluesRiskHelper *rh =[RiskHelper sharedManager];[rh setRiskServer:server riskServerPort:port defaultOrg:org];rh.riskDelegate=self;[rh evaluateRiskwithDeviceID:deviceid withDeviceDNA:[rh getDeviceDNA]userID:userID];Resultcalledbackwith:(void)riskUpdated:(int )riskValue withServerResponse:(NSDictionary*)response;Posteval riskRiskHelper *rh =[RiskHelper sharedManager];[rh setRiskServer:server riskServerPort:riskAuthPort defaultOrg:org];rh.postRiskDelegate =self;[rh evaluateSupplementSecondAuth:secondAuth associationName:@"UNNAMEDASSOCIATION"];

Resultscalledbackwith(void)secondRiskUpdated:(NSString *)postRiskAdvice :(NSDictionary *)response;Errorscalledbackonanycallwith(void)riskCallError:(NSString*)errorMsg;


Demonstration


RiskAuthenticationInterfaces&Extensibility

§ Interfaces– SDKsinwebservices,JAVA,RESTfulAPI

§ APIextensibility– Customparameters(name,valuepairs)

§ AddOnRules– Attributepassthrough– AddOnLogic– Calloutsfor3rdparties– AdministrationsupportforAddOnRules

§ Calloutframework– EventDriven(pre,during,post)– 3rdpartyintegrations– AD,LDAP,userstoresforQnA,otherinfo


APIsaretheBuildingBlocksofDigitalTransformation

IOTDevices

Cloud

Mobile

Partners/ExternalDivisions

ExternalDevelopers

Data

YourDigitalBusiness


API101Primer

"alerts":[{“type":”FLW”

"description":”FloodWatch"

§ Integration

§ Speed§ Monetization

§ Experience

§ InternetofThings


EDIBatchPvt VPN

TheApplicationEconomy APIManagement

1– SecureIntegration

3– ThreatProtection

APIGateway

AwesomeApp

RoutingTranslatingBrokeringOrchestrating

PublishAnalyzeManageMonetize

DeveloperPortal

DiscoverExploreLearnCollaborate

RegisterCreateSubscribe

2– OpenAPI>11kpublicapi est.

API

API

???

CorporateIDPrivateIDSocialID

PhishingBruteForceClientImpersonationInjectionUnauthorizedAccess

ControlTrackEnforce

SDK

OAuthOIDCJWTJWE


OUTSIDETHEENTERPRISE

InternetofThings

Mobile

SaaS/CloudSolutionsAWS,Google,SFDC…

PartnerEcosystems

ExternalDevelopers

WITHINTHEENTERPRISE

SecureData

ApplicationPortfolio

ID/Authentication

Reporting&Analytics

InternalTeams

CAAPIManagementTheBuildingBlocksofDigitalTransformation

SecuretheOpenEnterpriseü ProtectagainstthreatsandOWASPvulnerabilitiesü ControlaccesswithSSOandidentitymanagementü Provideend-to-endsecurityforapps,mobile,andIoT

IntegrateandCreateAPIsü EasilyconnectSOA,ESB,andlegacyapplicationsü AggregatedataincludingNoSQLupto10xfasterü Buildscalableconnectionstocloudsolutionsü AutomaticallycreatedataAPIswithlivebusinesslogic

UnlocktheValueofDataü MonetizeAPIstogeneraterevenueü Builddigitalecosystemstoenhancebusinessvalueü Createefficienciesthroughanalyticsandoptimization

AccelerateMobile/IoTDevelopmentü Simplifyandcontroldeveloperaccesstodataü Buildawiderpartnerorpublicdeveloperecosystemü Leveragetoolsthatreducemobileappdeliverytime


TheIntegration:ValueProposition

§ ReturnonInvestment– Enhancedsecurityreducesfraudlossesbyprotectingthebrand

§ FasterTimetoValue– SDKallowsorganizationstoquicklydeployriskcollectorsintotheir

mobileappsandIoT devices

§ UserConvenience– Transparentriskanalysisenhancesappsecuritywithoutimpacting

userexperience

§ Adaptability– Configurablerulesengineallowsadministratorstocreate&modifyriskrules

tobalanceuser/deviceconveniencewiththreatmitigation


CAAdvancedAuthenticationIntegration

§ MAGassertionsprovideintegrationwithCAAdvancedAuthenticationallowingcustomerstoevaluateriskduringAPIcalls.– EvaluateriskAPIcallenddatatoriskserviceandreceiveascoreand

adviceinreturn– CARiskAuthenticationwillreturnariskSCOREandADVICE(ALERT,

ALLOW,DENY,INCREASEAUTH)thatMAGcanuseinpolicyandalsopasstotheapptherequestingapplication

– Post-evaluateriskAPIcallupdatesthestateofAdvancedAuthafterstep-upauthentication

RiskevaluationserviceforbetterAPIprotection


CAAdvancedAuthenticationIntegration

§ StrongAuthenticationcanissueOTP– EmailorSMSOTPtoknownmobilenumber– UsersubmitsOTPinapp– GatewayvalidateOTPwithStrongAuthentication

§ StrongAuthenticationServerUserInfo– StrongAuthenticationservercanprovideemail,ormobilenumberto

Gateway.ThiscanalsobeobtainedfromCASSO,orbytheCAGatewaydirectlyfromanLDAPorDatabase.

StrongAuthenticationforStepUpAuthentication


CAAdvancedAuthenticationIntegrationFlow

1. APIRequestevaluatedbyGWPolicy– Riskcheckisrequired2. GWsendsinformationtoRiskAuthenticationusingOOTBassertions3. RiskscoreandadvicereturnedtoGW4. GWPolicyprocessesresponseanddeterminesifOTPisrequired5. GWaccessesStrongAuthenticationservices

a) RequestsOTP,useremailaddress/mobilephonenumberb) GWsendsresponsetoapptopromptusertoenterOTPc) VerifiesOTPreturnedbyuserwithStrongAuthentication

6. GWupdatespolicytoshowOTPwassuccessful7. GWroutesrequesttobackendservice


LogicalArchitecture

Riskanalysis,behaviorprofiling,&step-upauthentication

AAMobileSDKtocollectriskdatafromdevice

Consumer

MobileApp

MobileDevices

AASDKCAAPIGateway

CAAdvancedAuthentication

Applications Data

APISDK


IoT/MobileAppRiskAnalysis

ThefirststepistoembedtheCAAdvancedAuthenticationSDKwithintheMobileAppthatyouwishtoprotect.

InitialProcess

TheSDKwillcollectriskdata,whichistransmittedforanalysistotheAAserversviatheGateway

Consumer

MobileApp

MobileDevices

AASDKCAAPIGateway



IoT/MobileAppRiskAnalysisinAction

WhenuserdownloadsMobileAppandRegistersforthefirsttime,theSDKwillcollectDeviceDNA datasothatCAAdvancedAuthenticationcanfingerprintthedevice.

RegistrationProcess

Thedeviceisassociatedwiththeidentityandthefingerprintisstoredforfuturecomparisons.Inaddition,thesolutioncaninitiatesanout-of-bandoralternativeauthenticationtovalidatetheidentity.

Consumer

MobileApp

MobileDevices

AASDKCAAPIGateway



IoT/MobileAppRiskAnalysisinActionTheImprovedProcess ProcessSteps:

1. IdentitiesopensappandauthenticateswiththeirUserID/password

2. CredentialsvalidatedbytheCAAPIGateway

3. Riskdatacollectedfrommobiledeviceandsentforanalysis

4. Riskengineevaluatescontextualdataanddeterminesriskscore

Knowndevice?Jailbroken?NegativeIPorCountry?TypicalBehavior?Velocity?etc.

5. Ifriskscoreishigh,anout-of-band(OOB)challengesenttoidentity

6. IdentityrespondstoOOBchallengetovalidatetheiridentity

7. Ifidentityisvalidated,gatewayroutesAPIrequestandreturnsresponse

NOTE:Ifriskscoreistotoohigh,theAPIrequestcanalsobeblocked

Consumer

MobileApp

MobileDevices

AASDKCAAPIGateway


Applications

APISDK


Policy– APIM&AA


RecommendedSessions

SESSION# TITLE DATE/TIME

SCX25V APIRisk:TakingYourAPISecuritytotheNextLevel 11/16/2016at1:45pm

SCX73S BestWesternImprovesSecurityfor5M+RewardsMemberswithSimeio IdentityasaService(IDaaS)PoweredbyCASecurity 11/16/2016at3:00pm

SCX20S CARoadmap:Authentication,SingleSign-On,Directory 11/17/2016at1:45pm

SCX50S ConvenienceandSecurityforbankingcustomerswithCAAdvancedAuthentication 11/17/2016at3:00pm

SCX75S Risk-awareaccesstoOffice365™ 11/17/2016at3:45pm


Don’tMissOurINTERACTIVESecurityDemoExperience!

SNEAKPEEK!



WeWanttoHearfromYou!

§ ITCentralisaleadingtechnologyreviewsite.CAhasthemtohelpgenerateproductreviewsforourSecurityproducts.

§ ITCSstaffmaybeatthissessionnow!(lookfortheirshirts).Ifyouwouldliketoofferaproductreview,pleaseaskthemaftertheclass,orgobytheirbooth.Note:§ Onlytakes5-7mins§ Youhavetotalcontroloverthereview§ Itcanbeanonymous,ifrequired


Questions?


Stayconnectedatcommunities.ca.com

Thankyou.