Mobile SSO: Give App Users a Break from Typing Passwords. September 19th 2013. Tyson Whitten, Director, Mobile Solutions Marketing, CA Technologies. Leif Bildoy, Sr. Security Product Manager, CA Technologies.

Upload: ca-api-management

Post on 06-May-2015


DESCRIPTION

Why do we use mobile devices? Simple – they’re easy to use and very convenient. So, why do we make it so hard for mobile consumers to do business with us by confronting them with multiple login screens and passwords? While security is essential to protecting mobile usage, convenience cannot be sacrificed. With the release of the CA Layer 7 Mobile Access Gateway 2.0 and its Mobile SDK, organizations can now achieve faster mobile consumer engagement, end-to-end mobile app security and convenient mobile Single Sign-On (SSO). In this webinar, Tyson Whitten and Leif Bildoy of CA Technologies explore the why and how of mobile SSO and the Mobile Access Gateway.

You will learn:

• The mobile app choices you need to make to enable better consumer engagement

• The connectivity and security implications of these choices

• The mobile security solutions that balance security and convenience

TRANSCRIPT

Page 1: title slide

Page 2

Housekeeping

Copyright © 2013 CA. All rights reserved.

Tyson Whitten, CA Technologies, [email protected]

Leif Bildoy, CA Technologies, [email protected]

Layer 7 & CA Technologies: @layer7 & @CASecurity; layer7.com/blogs; layer7.com & security.com

Chat questions into the sidebar or use hashtag: #L7webinar

Page 3

Password Frustration

Page 4

Experience vs. Risk

More convenience, more risk. Less convenience, less risk. The challenge is finding the right balance.

Spectrum shown on the slide: no passcode, device passcode, app security.

Page 5

— Understand users don’t want to enter passwords

— Mobile app strategy will drive different security solutions

— Different mobile app solutions will deliver various levels of security with tradeoffs

Right balance of security with convenience – get SSO!


Page 6

Web browser vs. native apps

Page 7

Enterprise or the cloud

Page 8

Consumers & BYOD

Page 9

Different mobile apps require different security solutions

Diagram: a Web API consumed by a Custom App, a COTS App, a Web Browser and a 3rd Party.

Page 10

• Access Management

• Federation

• API Security/Management

• SDK: Advanced Auth, SSO

• App Wrapping

Page 11

App Wrapping

End-to-end Mobile Security

Diagram labels: Web, API, Identity / Device Management, Adaptation, Optimize Traffic, Protect Data, Notification Services, Centralized Security Policy, Mobile SDK, Web Access, Enterprise App Store, Browser, COTS Mobile Apps, Custom Mobile Apps, Developer Portal.

Page 12

CA Mobile Strategy

Diagram: Device Management; Application Development; Application Management & Security; API Management & Security; Content Management & Security. Axes: Apps, Content, Device.

Page 13

Who’s involved in a new mobile app project?

App Developers, Enterprise Architect, Information Security, Chief Mobility Officer, Product Manager

- How does it fit into my mobile strategy?
- How will it enable better customer engagement?
- How will it create a great user experience?
- How will it connect to my enterprise data?
- How will it expose my enterprise data?

Page 14

The challenges - how do you bridge the gap?

Security - Control access to assets
- Focus on restricting access
- Don’t understand app dev requirements

App Development - Get to market quickly
- Measured on number of downloads
- Security is something that obstructs UX
- Speed vs. stability?

User Experience - Improve user app experience
- Don’t have time for evolving security standards

Page 15

What’s enabling mobile connectivity?

APIs

Page 16

How are APIs Exposed?

APIs

Page 17

How are APIs fundamental to enabling a convenient app experience?

Page 18

The MAG SDK Section

Backend Security

Mobile Apps

Internet of Things

Developer Community

Page 19

Mobile API Security and Management: Backend Security

API Management at Edge of Network: DMZ deployment; hardware appliance, virtual appliance or software

Diagram labels: Enterprise Network, API/Service Servers, Firewall 2, Firewall 1, Partners, Mobile Devices, Cloud, API/Service Client, Directory.

Page 20

The MAG SDK Section

Mobile App Security

Page 21

The Essence of the Problem: Secure Mobile Access to Apps and Data

How Do We Make APIs Available?
- Firewall mazes
- Diversity of clients and back end systems
- Clients and servers change at different rates

Diagram labels: Enterprise Network, API/Service Client, API/Service Servers, Firewall 2, Firewall 1, Internet, Directory.

Of Particular Interest: Authentication, Authorization & SSO; Secure Transmission

Page 22

We Want Classic SSO In An Active Profile For REST

Could leverage WS-Fed here. SAML’s second act?

Diagram labels: API/Service Servers, Apps making RESTful API calls, Internet, Directory.

Page 23

But We Also Want Local App SSO

Single Sign On App Group (these apps will share sign-on sessions): A, B, C. Diagram label: API/Service Servers.

So now it’s getting interesting…

Like a VPN… but with a better experience

Page 24

App layer / Persistence layer

Mobile OS isolation is an issue: silos

Page 25

Solution: MAG+SDK for end-to-end mobile app security and management

Diagram labels: Enterprise Network, iPhone, Android, iPad, API Servers.

Optional Client Component: iOS and Android libraries to simplify secure access

CA Layer 7 Gateway at Network Edge: server-side security and API management, optimized for mobile use cases

Page 26

Native Single Sign-On SDK For Mobile Developers

Diagram labels: Enterprise Network, iPhone, Android, iPad, API Servers, App-sharable Secure Key Store, One time PIN (SMS, APNS, call).

Strong Security for Mobile Apps: cross-platform and built for a consumer or BYOD world
- 100% standards-based using OAuth + OpenID Connect
- X-app (cross-app) SSO with multi-factor auth & secure channel
- X.509 certificate provisioning for strong auth and transaction signing

Page 27

Client Deployment Strategy

— Don’t make me work hard − But give me a strong and extensible security model

— Transfer of security responsibility − Let developers do what they do best

— Simple SDK − Align with common development time environments

• iOS, Android, JavaScript, etc.

— Mirror REST frameworks

— Future − Aspects, wrapping, etc.

Page 28

User should be able to log out if device is lost or stolen

Page 29

Three Important Entities enable fine-grained security

User

Apps

Devices


Page 31

Protocol Strategy

OAuth + OpenID Connect + PKI, profiled for mobile. Clear distinction between device, user and app.

Diagram labels: apps A, B, C; username/password; ID Token; Access Token/Refresh Token (per app); Authorization Server; Certificate Signing Request; MAG Signed Cert.
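The protocol-strategy, three-entities and lost-device slides only name the pieces. The toy authorization-server model below is an added illustration, not CA's or the Mobile Access Gateway's code; it shows why binding every token to the (user, app, device) triple matters: apps in one SSO group get tokens without a second password prompt, and revoking a lost device kills only that device's sessions and tokens. The class, method names and the sample credential store are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample credential store; a real deployment delegates to the enterprise IdP.
USERS = {"alice": "correct horse"}


@dataclass(frozen=True)
class Token:
    value: str   # opaque access token
    user: str    # who
    app: str     # which app it was issued to (tokens are per app)
    device: str  # which device it is bound to


class AuthServer:
    def __init__(self, sso_groups):
        # app id -> group name; apps in one group share a sign-on session
        self.group_of = {app: g for g, apps in sso_groups.items() for app in apps}
        self.sessions = set()    # (user, device, group) triples with a live sign-on
        self.tokens = {}         # token value -> Token
        self.lost_devices = set()

    def _issue(self, user, app, device):
        tok = Token(secrets.token_urlsafe(16), user, app, device)
        self.tokens[tok.value] = tok
        return tok

    def login(self, user, password, app, device):
        """Password login for one app; opens a session for that app's SSO group on this device."""
        if device in self.lost_devices or not hmac.compare_digest(
                USERS.get(user, "").encode(), password.encode()):
            return None
        self.sessions.add((user, device, self.group_of[app]))
        return self._issue(user, app, device)

    def sso(self, user, app, device):
        """Token for another app with no password, only if its group is already signed on here."""
        if device in self.lost_devices or (user, device, self.group_of[app]) not in self.sessions:
            return None
        return self._issue(user, app, device)

    def revoke_device(self, device):
        """Lost or stolen device: drop every session and token bound to it; other devices untouched."""
        self.lost_devices.add(device)
        self.sessions = {s for s in self.sessions if s[1] != device}
        self.tokens = {v: t for v, t in self.tokens.items() if t.device != device}

    def authorize(self, token_value, app):
        """API-side check: token exists, was issued to this app, and its device is not revoked."""
        tok = self.tokens.get(token_value)
        return tok is not None and tok.app == app and tok.device not in self.lost_devices
```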

Page 32

Overall Architecture

Page 33

Mobile SDK Benefits

— Single Sign-On for Mobile apps
  − Simplified & consistent UX across all enterprise apps
  − Remove password typing on devices (as much as possible)
  − No insecure browser redirects
  − Will leverage advanced auth schemes in the future

— Secure Transport
  − Configuring mutual SSL for API calls helps ensure apps use secure access to enterprise data

— PKI Provisioning
  − Keys available for 2-factor auth or transaction signing

— Easy to use SSO admin console
  − SSO Admin console allowing easy configuration and management of Users, Apps, and Devices
  − SSO Self Service portal providing a simple UI where Users can manage their enterprise app entitlements and token sharing

— Improved Developer experience
  − Simple device API for apps to participate in an SSO session & decorate API calls with the appropriate security mechanism
  − Easily benefit from cryptographic-based security leveraging the standards OAuth, OpenID Connect, JWT and PKI

Page 34

Mobile Access Gateway 2.0

Adaptation: Translate & Orchestrate Data & APIs
• Surface legacy data sources as RESTful APIs
• XML and JSON transforms
• Recompose & virtualize APIs to specific mobile identities, apps and devices
• Orchestrate API mashups with configurable workflow

Optimization: Handle Scale
• Cache calls to backend applications
• Aggregated mobile requests
• Compress traffic to reduce bandwidth costs and improve user experience
• Pre-fetch content for hypermedia-based API calls

Security: Mobile Application Firewalling
• Protect REST and SOAP APIs against DoS and API attacks
• Proxy API streaming protocols like HTML5 WebSocket and XMPP messaging
• Enforce FIPS 140-2 grade data privacy and integrity
• Validate data exchanges, including all JSON, XML, header and parameter content

Integration: Centralize Cloud Connectivity
• Apple Push Notification Service
• Android Cloud to Device Messaging Framework
• Proxy and manage app interactions with social networks

Identity: Extending Enterprise Identity to Mobile
• Mobile SSO
• Multi-layered security
• Granular access policies at user, app and device levels
• OAuth 2.0
• OpenID Connect

Page 35

When is the Mobile Access Gateway relevant?

Are you:
- exposing backend APIs?
- writing mobile apps that consume the exposed APIs?
- requiring mobile SSO for enterprise apps?
- requiring mutual SSL for secure consumption of APIs?
- integrating cloud services into mobile apps?
- integrating backend or legacy data into mobile apps?
- requiring location-based access control?

Page 36

Thank You

Questions?

Page 37

Notices

© Copyright CA 2013. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.

Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis.
