Mobile SSO: Give App Users a Break from Typing Passwords

Mobile SSO: Give App Users a
Break from Typing Passwords
September 19th 2013
Tyson Whitten
Director, Mobile Solutions Marketing
CA Technologies
Leif Bildoy
Sr. Security Product Manager
CA Technologies

2
Housekeeping
Copyright © 2013 CA. All rights reserved.
Tyson Whitten
CA Technologies
Tyson.Whitten@ca.com
Layer 7 & CATechnologies
@layer7 & @CASecurity
layer7.com/blogs
layer7.com & security.com
Leif Bildoy
CA Technologies
Leif.Bildoy@ca.com
Chat questions into the
sidebar or use hashtag:
#L7webinar

Password Frustration

Experience vs. Risk
More Convenience
More Risk
Less Convenience
Less Risk
Challenge is finding that right balance
No passcode Device passcode App security

— Understand users don’t want to enter passwords
— Mobile app strategy will drive different security solutions
— Different mobile app solutions will deliver various levels of security with tradeoffs
Right balance of security with convenience – get SSO!

Web browser vs. native apps

Enterprise or the cloud

Consumers & BYOD

Different mobile apps require different security solutions
Web API
Custom App COTS AppWeb Browser
3rd Party

Different mobile apps require different security solutions
Web API
Custom App COTS AppWeb Browser
3rd Party
• Access Management
• Federation
• API Security/Management
• SDK: Advanced Auth, SSO
• App Wrapping

App Wrapping
End-to-end Mobile Security
Web
API
Identity / Device
Management
Adaptation
Optimize
Traffic
Protect
Data
Notification
Services
Centralized
Security Policy
Mobile SDK
Web Access
Enterprise
App Store
Browser
COTS Mobile
Apps
Custom Mobile
Apps Developer
Portal

CA Mobile Strategy
Device
Management
Application
Development
Application
Management &
Security
API
Management
& Security
Content
Management &
Security
Apps ContentDevice

Who’s involved in a new mobile app project?
App DevelopersEnterprise Architect
Information Security
Chief Mobility Officer
Product Manager
How does it
fit into my
mobile
strategy?
How will it
enable better
customer
engagement?
How will it
create a
great user
experience?
How will it
connect to
my
enterprise
data?
How will it
expose my
enterprise
data?

The challenges - how do you bridge the gap?
Security
- Control access to assets
- Focus on restricting access
- Don’t understand app dev requirements
App Development
- Get to market quickly
- Measured on number of downloads
- Security is something that obstructs UX
- Speed vs. stability?
User Experience
- Improve user app experience
- Don’t have time for evolving security standards

What’s enabling mobile connectivity?
APIs

How are APIs fundamental to enabling a convenient app experience?

The MAG SDK Section
Backend Security
Mobile Apps
Internet of Things
Developer Community

Mobile API Security and Management
Backend Security
API Management at Edge of Network
 DMZ deployment
 Hardware appliance, virtual appliance or
software
Enterprise
Network
API/Service
Servers
…
Firewall 2
Firewall 1
Partners
Mobile Devices
Cloud
API/Service
Client
Directory

The MAG SDK Section
Mobile App Security

The Essence of the Problem:
Secure Mobile Access to Apps and Data
How Do We Make APIs Available?
 Firewall mazes
 Diversity of clients and back end systems
 Clients and servers change at different
rates
Enterprise
Network
API/Service
Client
API/Service
Servers
Firewall 2
Firewall 1
Internet
Directory
Of Particular Interest:
 Authentication, Authorization & SSO
 Secure Transmission

We Want Classic SSO In An Active Profile For REST
Could leverage WS-Fed here
 SAML’s second act?
API/Service
Servers
Apps making
RESTful API
calls
Internet
Directory

But We Also Want Local App SSO
Single Sign On App Group
(these apps will share sign-
on sessions)
A B C
API/Service
Servers
So now it’s getting
interesting…
Like a VPN… but with a better experience

App layer
Persistence layer
Mobile OS Isolation is an issue
Silos

Solution: MAG+SDK for end-to-end mobile app security and management
Enterprise
Network
iPhone
Android
iPad
API Servers
Optional Client Component
 iOS and Android libraries to simplify
secure access
CA Layer 7 Gateway at Network Edge
 Server-side security and API management
 Optimized for mobile use cases

Native Single Sign-On SDK For Mobile Developers
Enterprise
Network
iPhone
Android
iPad
App-sharable Secure
Key Store
One time PIN
SMS, APNS, call
API Servers
Strong Security for Mobile Apps
 Cross-platform and built for a consumer or BYOD world
 100% Standards-based using OAuth+OpenID Connect
 X-app SSO with multi-factor auth & secure channel
 X.509 Certificate provisioning for strong auth and transaction signing

Client Deployment Strategy
— Don’t make me work hard
− But give me a strong and extensible security model
— Transfer of security responsibility
− Let developers do what they do best
— Simple SDK
− Align with common development time environments
• iOS, Android, Javascript, etc
— Mirror REST frameworks
— Future
− Aspects, wrapping, etc.

User should be able to log out if device is lost or stolen

Three Important Entities enable fine-grained security
User
Apps
Devices

Three Important Entities enable fine-grained security

Protocol Strategy
A B C
username/password
ID Token
Access Token/Refresh Token
Per app
Authorization
Server
OAuth + OpenID Connect + PKI
 Profiled for mobile
 Clear distinction between device, user and app
MAG
Signed Cert
Certificate Signing
Request

Mobile SDK Benefits
— Single Sign-On for Mobile apps
− Simplified & Consistent UX across all
Enterprise apps
− Remove password typing on devices (as
much as possible)
− No insecure browser redirects
− Will leverage advanced auth schemes in
the future
— Secure Transport
− Configure mutual SSL for API calls help
ensure apps use secure access to
enterprise data
— PKI Provisioning
− Keys available for 2-factor auth or
transaction signing
— Easy to use SSO admin console
− SSO Admin console allowing easy
configuration and management of Users,
Apps, and Devices
− SSO Self Service portal – providing a
simple UI where Users can manage their
enterprise app entitlements and token
sharing
— Improved Developer experience
− Simple device API for apps to participate in
SSO session & decorate API calls with
appropriate security mechanism
− Easily benefit from cryptographic-based
security leveraging standards OAuth,
OpenID Connect, JWT and PKI

Mobile Access Gateway 2.0
•Surface legacy data source as RESTful APIs
•XML and JSON transforms
•Recompose & virtualize APIs to specific mobile
identities, apps and devices
•Orchestrate API mashups with configurable workflow
Adaptation: Translate & Orchestrate Data
& APIs
•Cache calls to backend applications
•Aggregated mobile requests
•Compress traffic to reduce bandwidth costs and
improve user experience
•Pre-fetch content for hypermedia-based API calls
Optimization: Handle Scale
• Protect REST and SOAP APIs against DoS and API attacks
• Proxy API streaming protocols like HTML5 Websocket
and XMPP messaging
• Enforce FIPS 140-2 grade data privacy and integrity
• Validate data exchanges, including all JSON, XML,
header and parameter content
Security: Mobile Application Firewalling
• Apple Push Notifications Service
• Android Cloud to Device Messaging Framework
• Proxy and manage app interactions with social networks
Integration: Centralize Cloud Connectivity
•Mobile SSO
•Multi-layered security
•Granular access policies at user, app and device levels
•OAuth 2.0
•OpenID Connect
Identity: Extending Enterprise Identity to Mobile

When is the Mobile Access Gateway relevant?
Are you:
- exposing backend APIs?
- writing mobile apps that consume the exposed APIs?
- requiring mobile SSO for enterprise apps?
- requiring mutual SSL for secure consumption of APIs?
- integrating cloud services into mobile apps?
- integrating backend or legacy data into mobile apps?
- requiring location-based access control?

© Copyright CA 2013. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective
companies. No unauthorized use, copying or distribution permitted.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the
information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event
will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost
investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or
obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or
(ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or
functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this
presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major
product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support
on a when and if-available basis.
notices

Mobile SSO: Give App Users a Break from Typing Passwords

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Mobile SSO: Give App Users a Break from Typing Passwords

Similar a Mobile SSO: Give App Users a Break from Typing Passwords (20)

Más de CA API Management

Más de CA API Management (20)

Último

Último (20)

Mobile SSO: Give App Users a Break from Typing Passwords