Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

The IAM-as-an-API Era Has Arrived
And You Can Blame/Thank Mobility
Eve Maler, Principal Analyst, Security & Risk

Mobile Security Workshop
February 7, 2013

Agenda

!  Consumerization of IT and its
cousins are challenging IAM
traditions
!  Apply Zero Trust to your identity,
security, and agility problems in
"bring-your-own" environments
!  Leverage emerging technologies to
provide identity services that are
mobile-cloud ready

© 2012 Forrester Research, Inc. Reproduction Prohibited 3

“It was Colonel Mustard in the
research library with a smartphone…”

The future of IT is bring-your-own
everything
App sourcing and hosting

SaaS apps

Apps in public clouds

Partner apps

Apps in private clouds

On-premises enterprise apps

Enterprise computers Employees
Contractors
Enterprise-issued devices
Partners
Public computers Members
Personal devices Customers

App access channels User populations

Source: March 22, 2012, Forrester report
“Navigate The Future Of Identity And Access Management”

Genentech’s Salesforce app trumps
native Salesforce.com

Source: Genentech webinar

© 2012 Forrester Research, Inc. Reproduction Prohibited

Steve Yegge describes why
… and the next challenge
[Jeff Bezos] issued a mandate that was so out there, so huge and
eye-bulgingly ponderous, that it made all of his other mandates look
like unsolicited peer bonuses. … “1) All teams will henceforth
expose their data and functionality through service interfaces.” …

Like anything else big and important in life, Accessibility has an evil
twin who, jilted by the unbalanced affection displayed by their parents
in their youth, has grown into an equally powerful Arch-Nemesis (yes,
there's more than one nemesis to accessibility) named Security. And
boy howdy are the two ever at odds.

But I'll argue that Accessibility is actually more important than Security
because dialing Accessibility to zero means you have no product at
all, whereas dialing Security to zero can still get you a reasonably
successful product such as the Playstation Network.

© 2012 Forrester Research, Inc. Reproduction Prohibited Source: Rip Rowan on Google Plus 7

Now many APIs have direct business
models, all enabling mobile

Source: John Musser of ProgrammableWeb.com


“Classic” IAM:
Sounds awesome, maybe later?

Source: satterwhiteb | CC BY 2.0 | flickr.com

Didn’t we already solve the web
services security problem?

Transport-layer
solutions
Platform-specific
solutions
XML signature, XML
encryption, XML
canonicalization
WS-Security, WS-Trust,
WS-I Basic Security
Profile
SAML
ID-WSF


The API economy forces you to
confront the webdevification of IT

friction Y

value X

Agenda

traditions
mobile-cloud ready


In Zero Trust, all interfaces are treated
as untrusted

Apply Zero Trust all the way up the stack,
including – most particularly – identity and
access management functions.
Source: November 15, 2012, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report


Internal to the
organization
Staff
user store

Organization serves as
an identity server for At external
business functions partners

Consumer
user store

Plan for Exposed to
customers

inward,
outward, A security token service (STS)

and circular
handles token issuance, translation,
and consumption.

identity Staff

propagation user store

Organization serves as
an identity client of Institutional
user stores user store
For functions internal
to the organization

Consumer
user store

© 2012 Forrester Research, Inc. Reproduction Prohibited Source: March 22, 2012 “Navigate The Future of IAM” Forrester report 14

Go from IDaaS to IAM-as-an-API
The business app’s
own API determines
access control
Back-end apps, web apps, mobile apps . . . granularity Business apps
API client API client IAM API client IAM API client

Internet Robustly protect all Internet
interfaces, regardless
of their sourcing
model

Web service and app APIs APIs for authentication,
authorization, provisioning . . .

Scale-out IAM
infrastructure infrastructure

Applying the pattern
API façade pattern
to IAM functions

© 2012 Forrester Research, Inc. Reproduction Prohibited Source: March 22, 2012 “Navigate The Future of IAM” Forrester report 15

Who’s already
doing it?


Agenda

traditions
mobile-cloud ready


New identity solutions disrupt…but attract.
Or, The good thing about reinventing the wheel is that
you can get a round one.*
*Douglas Crockford, inventor of JavaScript Object Notation (JSON)

Source: tom-margie | CC BY-SA 2.0 | flickr.com

Emerging IAM standards have an edge over traditional ones for Zero Trust

Key features:
•  Agility
•  Mobile/cloud friendliness
•  Robustness

Key features:
•  “Solving the right problem”
•  Enterprise-only scope

Key features:
•  Governance
•  Hubris

© 2012 Forrester Research, Inc. Reproduction Prohibited Source: October 2012 “TechRadar™ For Security Pros: Zero Trust Identity Standards, Q3 2012” 19

The new Venn of access control for the
API economy


Web 2.0 players invented OAuth just to
solve the “password anti-pattern”


What it really does is let a resource
owner delegate constrained access
WS-SECURITY IN THE MODERN ERA IS PRONOUNCED “OAUTH”


OAuth can help manage risk, cost, and
complexity
FOR INTERNET-SCALE ZERO TRUST, YOU NEED IT ALL

Gets client apps out of the business of storing passwords
Friendly to a variety of user authentication methods and
user devices, including smartphones and tablets
Allows app access to be tracked and revoked on a per-
client basis
Allows for least-privilege access to API features
Can capture explicit user authorization for access
Lowers the cost of secure app development
Bonus: provides plumbing for a much larger class of
needs around security, identity, access, and privacy


Use case: consumer-facing web and
mobile apps
EBAY HAS “CHANNEL PARTNERS” THAT CREATE APPS FOR SELLERS

Third parties offer eBay seller
productivity apps to eBay (in resource owner role)

sellers who list items and do eBay
(in authorization server
other tasks through the and resource server roles)

eBay API.
These apps never see the Third-party seller app
seller’s eBay credentials. (in client role)

They don’t merely
“impersonate” the seller.
The app can take action
even if the user is offline.

Use case: B2B and business SaaS app
integration through SAML SSO
CONSTRUCTION FIRM LETS PROJECT PARTNERS “SSO IN” TO APIS USING
NATIVE APPS

Partner workforce member
Partner apps integrate with
(in resource owner role)
Construction firm
the construction firm’s
(in authorization server
resource server,
valve-design service.
and SP (RP) roles)
On-site partner engineers
log in to their home systems
through a company-issued
tablet.
Partner app
(in client and IdP roles)
They can then use special
apps that call the valve-
design service, bootstrapped
by SAML.

Use case: “Two-legged” userless
protection of low-level web service calls
EBAY SECURES INTERNAL SERVICES TO MEET AUDITING AND COMPLIANCE
GOALS

Includes services such as
sales tax calculation,
eBay service shipping label formatting,
(in resource server role)
credit card number
verification, and HTML
code checking.
eBay STS
(in authorization server role) eBay calling app In all use cases: The two
(in client role)
servers are typically
separate but communicate
in a proprietary fashion.


OpenID Connect turns SSO into a
standard OAuth-protected identity API
SAML 2.0, OpenID 2.0 OAuth 2.0 OpenID Connect
Initiating user’s login
session X Not responsible for
session initiation
Initiating user’s login
session
Not responsible for
X
Collecting user’s Collecting user’s
collecting user consent to share consent to share
consent attributes attributes
High-security identity
X
High-security identity No identity tokens tokens (using JSON
tokens (SAML only) per se Web Tokens)

X X
Distributed and No claims per se; Distributed and
aggregated claims protects arbitrary APIs aggregated claims

X
Dynamic introduction Client onboarding is Dynamic introduction
(OpenID only) static

X X
Session timeout (in
Session timeout No sessions per se
the works)


Where SAML is “rich,” OpenID Connect
holds promise for “reach”
Already exposing customer identities using a draft
OpenID Connect-style API

Working to expose workforce identities through
OpenID Connect

LOB apps and smaller partners can get into the federation game more
easily; complex SAML solutions will see price pressure over time


The classic OAuth scenarios enable
lightweight web services security
Same user assumed
on both sides of the
equation

Proprietary
communication
between the
servers*


OpenID Connect also has limitations

The IdP/AP split
requires
brokering

Same user on both sides
of the equation


UMA turns online sharing, with arbitrary
other parties, into a “privacy by design”
solution I want to share this stuff
selectively, in an efficient way
•  Among my own apps
•  With family and friends
•  With organizations

Historical
Biographical
Reputation
Vocational
I want to protect this stuff from
User-generated
being seen by everyone in the
Social world, from a central location
Geolocation
Computational
Biological/health
Legal
Corporate
...


What about config-time synchronization?
“I DON’T ALWAYS SYNCHRONIZE, BUT WHEN I DO, I PREFER SCIM”

Maximum PII
disclosure,
brittleness, and Synch solution
authorization proposed by
latency: software vendors in
the last decade: The winner:
Nightly secure FTP
Service Provisioning A RESTful identity
sessions to transfer
Markup Language synch API,
CSV files containing
(SPML) protectable by
employee records
OAuth, endorsed by
cloud providers:
System for Cross-
domain Identity
Management (SCIM)
HR, auditors

© 2012 Forrester Research, Inc. Reproduction Prohibited

So, what should you do next?
Get ready: Zero Trust is pulling along new
Security solutions to meet Accessibility needs


Expose accessible identity
APIs for (all and only) what
you’re authoritative for


Assist your smaller partners
in exposing identity APIs you
can begin relying on


Count on mobility to disrupt
old security paradigms and
pull API security to the fore

Thank you
Eve Maler
+1 617.613.8820
emaler@forrester.com
@xmlgrrl, +Eve Maler

Secure Mobility:
Reward & Risk

Jason Hammond, CISSP
Advisor, Solution Strategy
February 7, 2013

Agenda

 Transformational Power of Mobility
 New Mobile Risks
 Mobile Security Framework
 CA Secure Mobility Solutions

2 Copyright © 2013 CA Technologies. All rights reserved. No unauthorized copying or distribution permitted

Mobility Transforms the Customer Experience
How do you plan to leverage mobile customer engagement?

Mobile is the New Face of Customer Engagement

“Business spending on mobile projects will grow 100% by 2015.
More than half of business decision-makers will increase their mobile
apps budget in 2012 as they look for better ways to engage with
customers and partners.”*

“Mobile spend will reach $1.3 trillion
as the mobile apps market reaches
$55 billion in 2016.”*

$1.3 trillion

*Mobile is the New Face of Engagement, Forrester Research, Inc., Feb 13, 2012


Mobility Enables the Workforce
How do you plan to leverage mobility to enable the workforce?

CISO Market Survey

How significant are the following security concerns
to your organization for individually-owned mobile
devices being used by employees for work?
Security Concerns - % of “Very Significant”

Device may be stolen
61%
and corporate data exposed
Malware could be introduced
58%
to corporate network

Compliance requirements 48%

Data on device will go with
41%
employee to next employer

Legal data ownership issues 35%

Lack of integration
with traditional IT systems 29%

Cost of providing
26%
technical support
*Source: Info Workers Using Mobile And Personal Devices For Work Will Transform
n = 353
Personal Tech Markets, Forrester Research, Inc. February 22, 2012,


Multiple Users; Multiple Channels

Engage Mobile Users
Multi-channel support

PC / Laptop
Browsers Security
Policy
Phone / Tablet
Browsers Web

Non- API
Traditional
Devices

Mobile

Phone / Tablet
Native Mobile Apps

Multi-Channel 360 Degree View Scale with Volume
6
Copyright © 2013 CA Technologies. All rights reserved. No unauthorized copying or distribution permitted

New Mobile Risks
BYOD

• Consumerization
• Privacy expectations
• Personal and corporate data
• Legal liability

New Mobile Risks
Lost Devices

Size, mobility and
business impact of
data increases risk


New Mobile Risks
Disappearing Perimeter
Lack of visibility and
Persistent sync of sensitive control of sensitive
information information

Inhibits visibility and
10 Copyright © 2013 CA Technologies. All rights reserved. No unauthorized copying data
control of or distribution permitted

New Mobile Risks
Mobile Usage Threats

Personal
download of
vulnerable apps

Users sharing
data between
apps

Exposed APIs to
threats


Identity is the new network perimeter

Partner
User
Cloud Apps/Platforms
& Web Services

Centralized
identity service
Customer to control access
to all enterprise GOOGLE
applications SaaS

(SaaS & on-
Mobile premise)
employee

Enterprise
Apps
Internal
Employee On Premise


The “new balance” of security

SECURELY
GROW THE BUSINESS ENABLE PROTECT THE
+ PURPOSE ONLINE BUSINESS
Improve customer BUSINESS
experience Reduce risk
Increase customer Enable control &
loyalty compliance
IMPROVE EFFICIENCY

Copyright © 2013 CA Technologies. All rights reserved. No unauthorized copying or distribution
13 permitted

Market Shift
Mobile Device to Mobile Apps & Data Solutions

Data-Centric IT
Security Data Device Management
(Encryption, DLP) (MDM)

Apps

Business Service
Innovation
(MEAP, IAM, MAM)


Market Shift
CA Security Focus on Mobile Apps & Data Solutions

Data-Centric IT

Apps

Business Service
Innovation
(MEAP, IAM, MAM)


Market Shift
CA Security Focus on Mobile Apps & Data Solutions

Data-Centric IT

Data Protection

Apps
Access API
Management Management
Business Service
Advanced Innovation
App Wrapping
Authentication (MEAP, IAM, MAM)


Mobile Security Framework
Balancing security with business enablement

Access
Management

Advanced
Authentication

Containerization

Data
Protection

API
Management


Inside Organization Cloud Services

1 Access Management
• AuthN, AuthZ

Mobile



1 Access Management
• AuthN, AuthZ
API Web • Multi-channel support
• Central policies
• 360 degree view of users

Mobile



1 Access Management
• AuthN, AuthZ
API Web • Multi-channel support
• Central policies
• 360 degree view of users
• SSO
• OpenID,OAuth2.0

Mobile



2 Advanced
1 Access Management Authentication
• AuthN, AuthZ • Multi-factor AuthN
API Web • Multi-channel support • ID, Geographic
• Central policies • Risk-based Auth
• 360 degree view of users • Soft tokens
• SSO
• OpenID,OAuth2.0

Mobile



2 Advanced
• SSO
• OpenID,OAuth2.0

Mobile

3
App Wrapping
• App AuthN, AuthZ &
Audit
• Support for custom
and 3rd party apps
• Connected and
offline security



2 Advanced
• SSO
• OpenID,OAuth2.0

Mobile

3
App Wrapping
Audit
Email 4 • Support for custom
Data Protection and 3rd party apps
• In-motion & at-rest • Connected and
• Classification offline security
• Encryption
• Intelligent data-centric
security
Files



2 Advanced
• SSO
• OpenID,OAuth2.0

Mobile

3
App Wrapping
Audit
• Encryption
security
Files

5 Web Service Protection
• Secure API
• Audit integration
• Threat Protection
Web Applications

Inside Organization CA AuthMinder Cloud Services
& RiskMinder
CA SiteMinder 2 Advanced
• SSO
• OpenID,OAuth2.0

Mobile

3 Future

CA DataMinder App Wrapping
Audit
• Encryption
security
Files

5 Web Service Protection
• Secure API
• Audit integration
CA SiteMinder • Threat Protection
Web Applications

Benefits

ENABLE MOBILE ENGAGEMENT REDUCE RISKS
• Support access across range of • Mitigate the risk of physical access
channels: platforms, OS, apps • Enable secure access to cloud
• 360° view of the user enhances each services
moment of engagement • Intelligent data-centric security
• Seamless and convenient experience reduces human error
• End-to-end security stays through life
of the data

BYOD
• Separate corp. & personal apps and
data
• Support corp. data investigation, user
privacy expectations and reduction in
corp. liability


legal notice

© Copyright CA 2012. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their
respective companies. No unauthorized use, copying or distribution permitted.

THIS MEDIA IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the
information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS MEDIA “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this
presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is
expressly advised of the possibility of such damages.

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect
the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement
relating to any CA software product; or (ii) amend any product documentationor specifications for any CA software product. The
development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.

Notwithstanding anything in this media to the contrary, upon the general availability of any future CA product release referenced in
this media, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly
scheduled major product release. Such releases may be made available to current licensees of such product who are current
subscribers to CA maintenance and support on a when and if-available basis.

Copyright © 2013 CA Technologies. All rights reserved. No unauthorized copying or distribution permitted
29

Mobile APIs And The New Governance
K Scott Morrison
CTO

February 2013

Democracy
is
the
worst
form

of
government,

except
for
all
those
other

forms
that
have
been
tried

from
9me
to
9me.

Sir Winston Churchill

Governance appeals
to the architect in us!

Yet there is an imbalance between!
run time and design time governance!

Vendors are
happy to provide
tooling

Firewall
Trading
Partner

Directory

PEP
Application
Servers

Workflow

Registry DMZ
Repository

Secure
Zone Enterprise
Network

But
this
never

caught
on
with

the
developers

Controlling,

not
enabling

No Afﬁliation
Enterprise
Partner

Here is the new group to manage!

The New Roles!

API Client API Server
Developers External Internal Developers

Marketing is taking control!

Product API
CMO
Manager Developer
Business Security
Manager Officer

IT
Needs
To

Own
This

Learn from modern development!

Bug Report:! File properties.xml isn’t, well,
XML…!

Combine components
to solve problems!

The Client!

Discovery
Search

Sign
up
CMS

Learning
Wiki

Experimen9ng
Browser/Explorer

Social
Forum

Promo9on
Blog

This
is
SDLC,
21st
century-‐style

The Challenge

API
Client

Phone
User
Firewall 1

Firewall 2 iPhone
Developer

API
Server

Enterprise
Network

First We Need Identity

API
Client

Firewall 1

Firewall 2 iPhone
Developer

API
Server

Enterprise
SiteMinder Network

We could try this to
deal with firewalls…
API
Client

Firewall 1

Firewall 2 iPhone
Developer

API
Server

Enterprise
SiteMinder Network

An API Gateway Is
A Better Solution
API
Client

Firewall 1

API
Proxy
Firewall 2 iPhone
Developer

API
Server

Enterprise
SiteMinder Network

Now Add Client
Developer Libraries
For Authentication API
Client

Firewall 1

API
Proxy
Firewall 2 iPhone
Developer

API
Server

Enterprise
SiteMinder Network

Finally, Add In An API
Portal To Enable The
New Governance API
Client

Firewall 1

API
Proxy
Firewall 2 iPhone
Developer

API
Server
API
Portal

Enterprise
SiteMinder Network

Have we swung
too far outside
the enterprise?!

The New Governance!
Old
New

Documenta9on
WSDL
Wiki/Blog

Discovery
Reg/Rep
Search

Approval
G10
PlaQorm
Email

Enforcement
Gateway
Gateway

User
Provisioning
IAM
Portal

Community
What’s
that?
Forum

Simple wins!

(But simple takes courage.)!

The Forrester Wave™: API Management Platforms, Q1 2013

By Eve Maler and Jeffrey S.
Hammond, February 5, 2013

Free Copy for all Attendees!

Everyone who has attended
today’s workshop will receive a
free copy of this report in a
follow up email from Layer 7.
Keep an eye on your inbox.

The Forrester Wave is copyrighted by Forrester Research, Inc.
Forrester and Forrester Wave are trademarks of Forrester Research,
Inc. The Forrester Wave is a graphical representation of Forrester's
call on a market and is plotted using a detailed spreadsheet with
exposed scores, weightings, and comments. Forrester does not
endorse any vendor, product, or service depicted in the Forrester
Wave. Information is based on best available resources. Opinions
reflect judgment at the time and are subject to change.

Layer 7 Confidential 44

Picture
Credits

²  Antelope
Canyon
4
by
klsmith–
stock.exchg

²  Band
silhoue=es
by
mr_basmt–
stock.exchg

For further information:

K. Scott Morrison
Chief Technology Officer
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377

scott@layer7.com
http://www.layer7.com

September 2012

Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.

Similaire à Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc. (20)

Plus de CA API Management

Plus de CA API Management (20)

Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research Inc.