5 steps end to end security consumer apps

© 2014 CA. All rights reserved.

5 Steps for End-to-End Mobile App Security with Consumer Apps

February 20, 2014

Tyson Whitten Mobile Security Product Marketing - CA Technologies Leif Bildoy CA Layer 7 Product Management - CA Technologies

2 © 2014 CA. All rights reserved.

Housekeeping

Tyson Whitten CA Technologies [email protected]

Layer 7 & CATechnologies

@layer7 & @CASecurity

layer7.com/blogs

layer7.com & security.com

Leif Bildoy CA Technologies [email protected]

Chat questions into the sidebar or use hashtag: #L7webinar


Mobile Growth Continues

Mobile app revenue generated by 2017

$77B

? ?

... It’s An App, Happy World

• Gartner. “Predicts 2014: Apps, Personal Cloud and Data Analytics Will Drive New Consumer Interactions.” Stephanie Baghdassarian, Brian Blau, Jessica Ekholm, Sandy Shen. November 22, 2013.


Mobile Growth Continues

Mobile app downloads

by 2017

268B

... It’s An App, Happy World

• Harvard Business Review, “For Mobile Devices, Think Apps, Not Ads”, Sunil Gupta, Head of HBR Marketing. March 2013. • Gartner. “Predicts 2014: Apps, Personal Cloud and Data Analytics Will Drive New Consumer Interactions.” Stephanie

Baghdassarian, Brian Blau, Jessica Ekholm, Sandy Shen. November 22, 2013.

Time spent with apps

vs. browsers

82% Average apps per

device

40

http://www.google.com.au/aclk?sa=l&ai=CcF2K-ZZPUamlL6WUmQXN6IG4BamC2KcD0aT-_UiBt8S4VwgGEAEgsYrfBigIUMiCtaUFYKXAo4CkAaAB19L-_QPIAQepAqCdLOUXhrE-qgQkT9B4xPy2lG5Xcc3-26-KzDqgcuuC6q5hwGCosdzazdxgcW3dgAWQTsAFBaAGJoAHka2BAuASpby9uPKR09OFAQ&sig=AOD64_0SR2O8oQdrWR4mJrtcTlcIG5oc7w&ctype=5&ved=0CNoBEPMO&adurl=http://www.officeworks.com.au/retail/products/Technology/Computers/Tablets/iPads/IPAD2WI16B?catargetid=1825182877&rct=j&frm=1&q=ipad


Everyone is working on a mobility revenue strategy

Device GPS RealQuest.com

DiverseSolutions.com

WalkScore.com GeoScan.com

Owner Input

Zillow Mobile App


Mobility Form Factors Power Innovation

Nike+ Mobile App


Consumer App Security Risks

Protected Health Information (PHI)

sync


How to Achieve End-to-End Security for Consumer Apps

App Risk

Understanding the Solution Landscape

Securing the backend

Protecting the app

Maintaining the user experience


Step #1: Identify Risk Level of Your Apps

IP, NPI, PHI & PII

Risk level = Business impact Likelihood of a threat

WHO

WHERE

WHAT

Likelihood of a threat

Business impact


What Consumer App Security Solutions are Available?

Control the App by controlling the device


Step #2: Understand Where MDM/MAM Fits

Features Enterprise Consumer

Authentication Authorization Social Login SSO Encryption (in-motion, at-rest)


Step #2: Understand Where MDM/MAM Fits

BYOD Policies not for Consumer Scenarios

Features Enterprise Consumer

Authentication Authorization Social Login SSO Encryption (in-motion, at-rest)

Device Management Policies (camera, GPS, etc)

-


What does that leave for App Solutions?

Web API

Native App Web Browser


Understanding APIs are Core to Consumer Apps

Web API

Native App Web Browser


Step #3: Securing the App starting with the API

Developer Access

Malicious Apps

Threats

Composite Apps

Performance


What about the Other End?

API

API

API


Step #4: How Secure App Development Complements API Security

User

Apps

Devices



User

Apps

Devices

Name

Email

Phone number

Address

Group

Password

Package name

Name

Signer

HW Accelerated

Permissions

HW version

SW version

App mix

Group

Managed

Footprint

Screen Size

SW AppID

UserID

DeviceID



User

Apps

Devices

Name

Email

UserID

Phone number

Address

Group

Martial Status

Password

Package name

Name

HW version

SW version

Screen Size

AppID

Social Graph

DeviceID



A B C

username/password

Access Token/Refresh Token Per app

Authorization Server

OAuth + OpenID Connect + PKI Profiled for mobile

Clear distinction between device, user and app

MAG Signed Cert

Certificate Signing Request

ID Token (JWT Or SM Session Cookie



Two-factor Auth Social Login

Single Sign-On


Securing the Mobile App to the Backend API

Mutual SSL

API

API

API

Two-factor Auth Social Login

Single Sign-On

Fine-grained API Access Control

Threat Protection

Mutual SSL


Step #5: How the Right End-to-End Mobile Security Solution Improves the User Experience

A B C SSO

Social Login

APIs

API

The Right Combination of Content & Security Features


Mobile Access Gateway


Mobile SDK – Simplified & secure consumption of APIs

Leverage mobile OS security to create a secure sign-on container

Standards based OAuth 2.0, OpenID Connect, and JWT

Secure provisioning through CA Layer 7 Mobile Access Gateway

Client-side libraries implementing common security aspects

– iOS 6/7, Android 4.x & Adobe PhoneGap

– Easy-to-use device API for adding app to SSO session and mutual SSL

– Single API call to leverage cryptographic security, OAuth, OpenID Connect, and JWT

– SDK with sample code & documentation

Layer 7 Mobile Single Sign On Solution is a complete end-to-end standards-based security solution.


CA Technologies Provides Unique Capabilities to Meet the Evolving Needs of the Open Enterprise

Balance Security and User Convenience

End-to-End Mobile Security

Accelerate secure application delivery: Build, Deploy & Secure

Convenience

Questions?


Copyright © 2014 CA. The Windows logo is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The Symantec is either a registered trademark or trademark of Symantec Corporation in the United States and/or other countries. The Good logo is either a registered trademark or trademark of Good Corporation in the United States and/or other countries. The Airwatch logo is either a registered trademark or trademark of Airwatch Corporation in the United States and/or other countries. The MobileIron logo is either a registered trademark or trademark of MobileIron Corporation in the United States and/or other countries. The Samsung logo is either a registered trademark or trademark of Samsung Corporation in the United States and/or other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Certain information in this publication may outline CA’s general product direction. However, CA may make modifications to any CA product, software program, method or procedure described in this publication at any time without notice, and the development, release and timing of any features or functionality described in this publication remain at CA’s sole discretion. CA will support only the referenced products in accordance with (i) the documentation and specifications provided with the referenced product, and (ii)CA’s then-current maintenance and support policy for the referenced product. Notwithstanding anything in this publication to the contrary, this publication shall not: (i) constitute product documentation or specifications under any existing or future written license agreement or services agreement relating to any CA software product, or be subject to any warranty set forth in any such written agreement; (ii) serve to affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (iii) serve to amend any product documentation or specifications for any CA software product.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages.

Documents

5 steps end to end security consumer apps