5 steps end to end security consumer apps
- 1. © 2014 CA. All rights reserved.
5 Steps for End-to-End Mobile App Security with Consumer Apps
February 20, 2014
Tyson Whitten
Mobile Security Product Marketing - CA Technologies
Leif Bildoy
CA Layer 7 Product Management - CA Technologies
- 2.
Housekeeping
Tyson Whitten
CA Technologies
Tyson.Whitten@ca.com
Layer 7 & CA Technologies
@layer7 & @CASecurity
layer7.com/blogs
layer7.com & security.com
Leif Bildoy
CA Technologies
Leif.Bildoy@ca.com
Chat questions into the sidebar or use hashtag: #L7webinar
- 3.
Mobile Growth Continues
Mobile app revenue generated by 2017: $77B
... It’s An App, Happy World
• Gartner. “Predicts 2014: Apps, Personal Cloud and Data Analytics Will Drive New Consumer Interactions.” Stephanie Baghdassarian, Brian Blau, Jessica Ekholm, Sandy Shen. November 22, 2013.
- 4.
Mobile Growth Continues
Mobile app downloads by 2017: 268B
Time spent with apps vs. browsers: 82%
Average apps per device: 40
... It’s An App, Happy World
• Harvard Business Review, “For Mobile Devices, Think Apps, Not Ads”, Sunil Gupta, Head of HBR Marketing. March 2013.
• Gartner. “Predicts 2014: Apps, Personal Cloud and Data Analytics Will Drive New Consumer Interactions.” Stephanie Baghdassarian, Brian Blau, Jessica Ekholm, Sandy Shen. November 22, 2013.
- 5.
Everyone is working on a mobility revenue strategy
Zillow Mobile App: Device GPS, Owner Input, RealQuest.com, DiverseSolutions.com, WalkScore.com, GeoScan.com
- 6.
Mobility Form Factors Power Innovation
Nike+ Mobile App
- 7.
Consumer App Security Risks
Protected Health Information (PHI) sync
- 8.
How to Achieve End-to-End Security for Consumer Apps
App Risk
Understanding the Solution Landscape
Securing the backend
Protecting the app
Maintaining the user experience
- 9.
Step #1: Identify Risk Level of Your Apps
IP, NPI, PHI & PII
Risk level = Business impact × Likelihood of a threat
WHO
WHERE
WHAT
Likelihood of a threat
Business impact
- 10.
What Consumer App Security Solutions are Available?
Control the App by controlling the device
- 11.
Step #2: Understand Where MDM/MAM Fits
Features (Enterprise / Consumer):
• Authentication
• Authorization
• Social Login
• SSO
• Encryption (in-motion, at-rest)
- 12.
Step #2: Understand Where MDM/MAM Fits
BYOD Policies not for Consumer Scenarios
Features (Enterprise / Consumer):
• Authentication
• Authorization
• Social Login
• SSO
• Encryption (in-motion, at-rest)
• Device Management Policies (camera, GPS, etc.): Enterprise only, not applicable to consumer scenarios
- 13.
What does that leave for App Solutions?
Web API
Native App / Web Browser
- 14.
Understanding That APIs Are Core to Consumer Apps
Web API
Native App / Web Browser
- 15.
Step #3: Securing the App starting with the API
Developer Access
Malicious Apps
Threats
Composite Apps
Performance
- 16.
What about the Other End?
API
- 17.
Step #4: How Secure App Development Complements API Security
User
Apps
Devices
- 18.
Step #4: How Secure App Development Complements API Security
User: Name, Email, Phone number, Address, Group, Password, UserID
Apps: Package name, Name, Signer, HW Accelerated, Permissions, AppID
Devices: HW version, SW version, App mix, Group, Managed, Footprint, Screen Size, SW, DeviceID
- 19.
Step #4: How Secure App Development Complements API Security
User: Name, Email, UserID, Phone number, Address, Group, Marital Status, Password, Social Graph
Apps: Package name, Name, AppID
Devices: HW version, SW version, Screen Size, DeviceID
- 20.
Step #4: How Secure App Development Complements API Security
Apps A, B, C
username/password
Access Token/Refresh Token
Per app
Authorization Server
OAuth + OpenID Connect + PKI
Profiled for mobile
Clear distinction between device, user and app
MAG (Mobile Access Gateway)
Signed Cert
Certificate Signing Request
ID Token (JWT or SM Session Cookie)
- 21.
Step #4: How Secure App Development Complements API Security
Two-factor Auth
Social Login
Single Sign-On
- 22.
Securing the Mobile App to the Backend API
Mutual SSL
API
Two-factor Auth
Social Login
Single Sign-On
Fine-grained API Access Control
Threat Protection
- 23.
Step #5: How the Right End-to-End Mobile Security Solution Improves the User Experience
Apps A, B, C
SSO
Social Login
APIs
The Right Combination of Content & Security Features
- 24.
Mobile Access Gateway
- 25.
Mobile SDK – Simplified & secure consumption of APIs
Leverage mobile OS security to create a secure sign-on container
Standards based OAuth 2.0, OpenID Connect, and JWT
Secure provisioning through CA Layer 7 Mobile Access Gateway
Client-side libraries implementing common security aspects
– iOS 6/7, Android 4.x & Adobe PhoneGap
– Easy-to-use device API for adding app to SSO session and mutual SSL
– Single API call to leverage cryptographic security, OAuth, OpenID Connect, and JWT
– SDK with sample code & documentation
Layer 7 Mobile Single Sign On Solution is a complete end-to-end standards-based security solution.
- 26.
CA Technologies Provides Unique Capabilities to Meet the Evolving Needs of the Open Enterprise
Balance Security and User Convenience
End-to-End Mobile Security
Accelerate secure application delivery: Build, Deploy & Secure
- 28.
Copyright © 2014 CA. The Windows logo is either a registered trademark or trademark of Microsoft Corporation in the United States
and/or other countries. The Symantec logo is either a registered trademark or trademark of Symantec Corporation in the United States
and/or other countries. The Good logo is either a registered trademark or trademark of Good Corporation in the United States and/or
other countries. The Airwatch logo is either a registered trademark or trademark of Airwatch Corporation in the United States and/or
other countries. The MobileIron logo is either a registered trademark or trademark of MobileIron Corporation in the United States
and/or other countries. The Samsung logo is either a registered trademark or trademark of Samsung Corporation in the United States
and/or other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.
Certain information in this publication may outline CA’s general product direction. However, CA may make modifications to any CA
product, software program, method or procedure described in this publication at any time without notice, and the development,
release and timing of any features or functionality described in this publication remain at CA’s sole discretion. CA will support only the
referenced products in accordance with (i) the documentation and specifications provided with the referenced product, and (ii) CA’s
then-current maintenance and support policy for the referenced product. Notwithstanding anything in this publication to the contrary,
this publication shall not: (i) constitute product documentation or specifications under any existing or future written license
agreement or services agreement relating to any CA software product, or be subject to any warranty set forth in any such written
agreement; (ii) serve to affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement
or services agreement relating to any CA software product; or (iii) serve to amend any product documentation or specifications for any
CA software product.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of
the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation,
including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly
advised in advance of the possibility of such damages.