Upload
ca-api-management
View
1.115
Download
2
Tags:
Embed Size (px)
DESCRIPTION
Mobile platforms have taken the world by storm. Smart phones and tablets, connected watches, thermostats, light fixtures and alarm systems, connected cars, even remote control drones – whether it’s our clients, customers, or employees – everyone’s got them. And they are going to use them. What this means for those of us who work in businesses, even stodgy old ones with systems implemented decades ago, is a sudden demand to support new applications connecting directly in to those systems from devices outside of our control, on the public Internet. In his talk, Greg will describe how to open up core business services to mobile applications safely and securely, without fear of opening serious vulnerabilities in the firewall, or allowing unauthorized access to sensitive corporate or personal information.
Citation preview
Getting Into Mobile Without Getting Into Trouble
Greg Kliewer Senior Solutions Strategist
October, 2014
2 © 2014 CA. ALL RIGHTS RESERVED.
The good old days
Network separation
No programmatic access from the Public Internet
Safety through total isolation and control
3 © 2014 CA. ALL RIGHTS RESERVED.
56% Canadian smartphone
ownership in 2013. Up from 33%
in 2012 1
2013 Time spent on non-
voice mobile surpasses time spent
on workstations 3
2014 Smartphone and
tablet sales surpass workstations 4
2 http://www.forbes.com/sites/benedictevans/2012/12/31/the-end-of-the-beginning-mobile-blows-past-pcs-so-what
2012 Mobile devices
outnumber workstations by 2:1 2
3 http://www.emarketer.com/Article.aspx?R=1010095
4 http://www.gartner.com/newsroom/id/2610015
1 http://www.cbc.ca/news/business/smartphone-use-way-up-in-canada-google-finds-1.1384916
4 © 2014 CA. ALL RIGHTS RESERVED.
Today
5 © 2014 CA. ALL RIGHTS RESERVED.
Threats
Inauthentic user
Careless user
Poorly coded apps
Spoofed apps
Lost or stolen devices
Hijacked or tampered with devices
What are you going to do about it? building blocks for secure mobile access
7 © 2014 CA. ALL RIGHTS RESERVED.
Reverse proxy in the DMZ using a hardened platform
• Terminate inbound connection
• Establish a new connection to fulfill the request
• The only open port to the public Internet should be 443
• All extraneous ports should be closed
• All services not strictly necessary should be stopped or removed, preferably
• Management ports are on separate network not accessible from the public Internet
• Be ready to patch at a moment’s notice (e.g. heartbleed, bash shellshock)
8 © 2014 CA. ALL RIGHTS RESERVED.
Validate user credentials before making the backend connection
• Extract credentials • Validate them
against the existing user directory
• THEN make the backend connection
9 © 2014 CA. ALL RIGHTS RESERVED.
PROBLEM It’s the app that calls the API. Do you want it holding on to the user’s username and password?
10 © 2014 CA. ALL RIGHTS RESERVED.
Introduce an OAuth 2.0 Authorization Server …
• Authenticate User • Authenticate App (request user to grant access to the App) • Issue an Access Token
that represents an ephemeral session with the client
•App Creds • Token Sessions
with permissions
• NOTE the requirement for a new set of
credentials, identifying the app
11 © 2014 CA. ALL RIGHTS RESERVED.
…and an OAuth 2.0 Resource Server
• Validate Access Token • Retrieve permissions • Authorize access to
requested resources • Rinse and repeat
•App Creds • Token Sessions
with permissions
• The session eliminates the need for an app to
cache or store the user credentials
• Instead, you keep a temporary-use token for
a short period of time
12 © 2014 CA. ALL RIGHTS RESERVED.
PROBLEM Sessions can be hijacked.
13 © 2014 CA. ALL RIGHTS RESERVED.
SOLUTION This one, at least, has a fairly simple solution.
14 © 2014 CA. ALL RIGHTS RESERVED.
Keep the Access Token private
• 443 ONLY • Strong crypto only
•App Creds • Token Sessions
with permissions
• The Access Token is a secret and must be treated as such.
• Use HTTP keep alives to limit resource utilization impact.
• You may want SSL acceleration for this.
• Did we mention? Be ready to patch / step up key
strength / cipher suite requirements at any time
SSL / TLS
15 © 2014 CA. ALL RIGHTS RESERVED.
PROBLEM Aren’t mobile devices and apps just inherently unsecure?
16 © 2014 CA. ALL RIGHTS RESERVED.
• Relaxes device security (no screen lock)
(no PIN / passphrase) • Leaves device behind at
the gym or on the bus
• Tricks user into downloading fake app
• Steals phone, bypasses protections, unlocks it
• Caches or persists user ID credentials
• Stores sensitive data • Stores sensitive data
without safeguards
17 © 2014 CA. ALL RIGHTS RESERVED.
Mobile Device Management
Mobile Application Management
• Relaxes device security (no screen lock)
(no PIN / passphrase) • Leaves device behind at
the gym or on the bus
• Tricks user into downloading fake app
• Steals phone, bypasses protections, unlocks it
• Caches or persists user ID credentials
• Stores sensitive data • Stores sensitive data
without safeguards
18 © 2014 CA. ALL RIGHTS RESERVED.
SDKs can provide a lighter-weight solution
• Takes security out of the hands of app devs (they will thank you!)
• Tie in to device safeguards Key stores (hdw backed) Native Containers Biometrics Geolocation Remote control (for wipe) Manufacturer Attestation
• Tie enhanced crypto to user authentication and consent Dynamic app secret provisioning Dynamic certificate provisioning
Gateway SDK
19 © 2014 CA. ALL RIGHTS RESERVED.
Solutions for secure enterprise mobility
20 © 2014 CA. ALL RIGHTS RESERVED.
1. Securely gate all access from mobile platforms
Comprehensive Access Control
MOBILE API GATEWAY
Appliance Pre-hardened for exposure to public Internet Onboard OAuth 2.0 Authorization and Resource Servers Control sign on and sign off across apps, devices, and web properties Enforce multi-factor authentication (e.g. OTP, Biometrics, Attestation)
Secure Platform MOBILE API GATEWAY
21 © 2014 CA. ALL RIGHTS RESERVED.
2. Extend your security reach onto the devices themselves
PLATFORM SDKs
Take security out of the hands of application developers Bind to device security primitives to leverage native capabilities (e.g. keystores, containers, hardware-backed crypto, biometrics, etc.) Block access from inauthentic applications Detect device and OS tampering
MOBILE API GATEWAY SDK
22 © 2014 CA. ALL RIGHTS RESERVED.
“The most radical and transformative of inventions are often those that empower others to unleash their creativity – to pursue their dreams.” -Jeff Bezos
Come see us at booth 603
Senior Solution Strategist
@cainc
slideshare.net/CAinc
linkedin.com/company/ca-technologies
ca.com
Greg Kliewer