Today’s enterprise mobility solutions emphasize heavy-handed IT governance of devices and applications that impose a burden on developers and/or users. However, managing data and applications using high performance mobile-optimized infrastructure can enable secure, scalable apps while minimizing the effort required by developers and allowing them to focus on their strengths. Come learn how to facilitate the best of both worlds – multi-layer mobile security using modern standards and a fantastic user experience.
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan, Director of Product Management & Security, CA Technologies @ Gartner Catalyst
Two sides
Two constituencies
Leads to confrontation
Users / General
Secure access to enterprise data while maintaining usability (UX & DX)
Passwords are cumbersome on mobile devices
Developers:
Hard for developers to keep track of the latest standards and to get security right
Multiple implementations, built on a per-app basis, lead to a confusing UX
User personalization of apps difficult without mobile identity
Native apps need to integrate with existing enterprise identity governance
Mobile browser is not a trusted party
Enterprise architect
Bootstrapping trust between users, devices, apps and data centers
Enforcing enterprise access policies per app and per user is non-trivial
API Security
We segmented the MAG features into five groups.
Identity & Access
Data & API Security
Backend Adaptation
Optimization for Mobile
Orchestration with Outside Cloud & Mobile Services
Caching, compression and aggregation of requests for mobile use cases
Recompose existing services, existing message formats, and existing protocols into new Web APIs that will appeal to today’s developer
Centrally manage connectivity to SaaS and other outbound connections (social networks, push notifications, etc)
Reuse an existing investment in IAM systems, or simplify access using social login; modernize by adding an OAuth/OpenID Connect frontend
Secure data and applications: protocol and threat protection, encryption, signing, rate limiting, token validation
Set up all these backend systems, put security in place – now how does the developer build clients?
Use the mobile SDK that does secure provisioning to and through that MAG
Leverage built-in security on devices – native keychains
Client-side libraries to implement complex interactions
The solution provides several hooks for client or server integration with:
Additional sources of trust like biometrics, CAC, SIM
MDM solutions to provide jailbreak detection
Location data providers
Additional point: How do you leverage your existing identity infrastructure in mobile apps? Layer 7 Gateway integrates with a number of identity solutions. The MSSO will help you surface that in a secure and mobile-friendly manner.
CA SiteMinder
Oracle Access Manager
Oracle Entitlements Server
IBM Tivoli Access Manager
IBM Tivoli FIM
Novell Access Manager
Sun OpenSSO
Ping Federate
Microsoft Active Directory
Microsoft ADFS
What’s important for a system that is managing apps that consume APIs?
You must track a number of entities to make sure you are making the right access control decisions to the APIs.
You may find yourself in a position where you want to revoke access to a particular App B but not App A. Maybe it's only when the app is running on a specific device that you need to revoke access.
The good news is that we have standards that cover some of this ground.
OAuth 2.0 will help you with provisioning access tokens on a per-app basis. Usually today an app would need to register upfront to get a client id & secret. In future, profiles like Dynamic Client Registration will simplify this process. But it's important to keep in mind that you need to be able to uniquely identify an app.
OpenID Connect will enable you to track a user session through a user token, a JSON Web Token. This is ideal for creating single sign-on sessions.
PKI as a technology has been around for some time and is the basis for many strong auth systems. The key benefit is tapping into crypto-based security for authentication. This is a requirement in many sectors such as financial, banking, and US Federal. The problem with PKI is that it's hard to deploy and leverage for app developers, who nearly always lack the skills and tooling to use it effectively.
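As an added example (not code from the talk or from any CA product), the gateway-side check the three slides above describe: validate an OpenID Connect ID token (a JWT), then decide access from the app, user and device it names, so access can be revoked for App B only, or only for App B on one device. The HS256 signing, the shared secret and the device_id claim are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed secret shared by token issuer and gateway (assumption, demo only).
GATEWAY_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, secret: bytes = GATEWAY_SECRET) -> str:
    """Issuer side: mint an HS256 JWT. Used here only to build sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes = GATEWAY_SECRET, now=None) -> dict:
    """Gateway side: check structure, algorithm, signature and expiry."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def authorize(token: str, revoked: list, now=None) -> tuple:
    """Return (allowed, reason). `revoked` holds (app, user, device) tuples,
    matched against the aud / sub / device_id claims; None matches any value,
    so ("app-b", None, "dev-1") revokes App B on one device only."""
    try:
        c = verify_token(token, now=now)
    except ValueError as e:
        return False, str(e)
    for app, user, device in revoked:
        if (app is None or app == c.get("aud")) and \
           (user is None or user == c.get("sub")) and \
           (device is None or device == c.get("device_id")):
            return False, f"revoked for app={app} user={user} device={device}"
    return True, "ok"
```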