
API Risk: Taking Your API Security to the Next Level

850 views

Published on


Published in: Technology


  1. CA World ’16 – API Risk: Taking Your API Security to the Next Level. Tabish Tanzeem, CISSP, Senior Principal Consultant, CA Technologies; Daniel Brudner, CISSP, CISA, CCSK, Senior Principal Consultant, CA Technologies. Session SCX25V, Security.
  2. © 2016 CA. All rights reserved. @CAWORLD #CAWORLD. Terms of this Presentation – For Informational Purposes Only: All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
  3. Abstract – Mobile applications and the Internet of Things will continue to transform the way users interact with the business, but how will we secure this access? For example, even as mobile payments have grown exponentially in the past 12–18 months, payment fraud from mobile devices has grown even faster. In this session, we’ll discuss how CA Advanced Authentication can be integrated with the CA API Gateway to provide a solution we call API Risk to address this challenge. API Risk provides a way to embed contextual risk analysis and/or strong authentication within the API calls to confirm device identities and ensure that end users are who they claim to be. Daniel Brudner & Tabish Tanzeem, CA Technologies Security.
  4. Agenda – (1) IoT and mobile trends; (2) traditional approaches to authentication; (3) logical architecture; (4) CA Advanced Authentication; (5) CA API Gateway; (6) integration.
  5. The IoT Ecosystem (diagram labels) – Sensor Network / Carriers, IoT Gateway, Cloud Open Data Platform, IoT Platform, Connected Car, Smart Products, Smart Utilities, Smart Analytics; ‘Makers’ and ‘Users’; Home IoT, Industrial IoT; Information Technology, Operations Technology; Wearables, Platforms, Intelligent Gateways, Consumers; Connected Health, Smart Energy, Smart Transportation, Smart Factories; Enterprise ‘Edge’ Systems, Integration / Services.
  6. IoT – Today and Tomorrow, 2015–2025 (chart of connected devices in billions, 0–90 on the axis; 2020–2025 values are scenario based). Callouts: 4,800 connected IoT devices per minute today; 152,200 connected IoT devices per minute by 2025.
  7. Challenges with IoT
      • 80 billion IoT devices by 2025 (they all want to have identities…) – need to manage exponentially more identities than current human identities
      • Dynamic high mobility of IoT devices creates more risk – devices appear and disappear in different locations; need to uniquely identify the device; need to identify changes in the device fingerprint
  8. Challenges with IoT (continued)
      • Manage the interaction/relationship of IoT with other devices, humans and services (IRM): authentication, authorization, auditing, administration
      • Traditional borders are gone
      • Compute-constrained resources (IoT devices) require delegation of authentication and authorization to less-constrained devices
      • How do I know the device has been compromised?
  9. (image-only slide, no text)
  10. A Shift in Criminal Activity – Cybercriminals are expanding their reach beyond the traditional targets of consumer banking and credit cards. They are now looking to steal valuable data that is accessible online. The Top 5 Sectors Breached [1]: Healthcare 37%, Retail 11%, Education 10%, Gov/Public 8%, Financial 6%. 95% of [web] incidents involve harvesting credentials stolen from customer devices, then logging into web apps with them [2]. Sources: 1. Symantec Internet Threat Report 2015; 2. Verizon Data Breach Report 2015.
  11. Traditional Approaches to Authentication – Something that you KNOW, something that you HAVE, something that you ARE. Passwords are the primary mechanism used for most online Internet sites, but 56% of enterprises plan to move away from passwords in the next 36 months [1]. And [Forrester’s] survey found device-based authentication, fingerprinting, and one-time passwords combined with biometrics as having the greatest chance of augmenting then replacing passwords [for business-to-customer IAM] [1]. Source: 1. Forrester, “How To Get Away With Murder: Authentication Technologies That Will Help You Kill Passwords”, Andras Cser and Merritt Maxim, Sep. 2015.
  12. Have you considered the impact to your users? “User experience (UX) is an important selection criteria, ahead of both trust and total cost of ownership in a majority of organizations” [1]. “A Gartner survey of U.S. bank customers, conducted in the wake of banks introducing new authentication methods for retail banking in response to Federal Financial Institutions Examination Council (FFIEC) guidance, revealed that 12% of customers had considered changing banks because they found what their banks had done to be too onerous, and 3% actually changed banks. Poor UX led to lost business” [1]. Source: 1. Gartner, “Market Guide for User Authentication”, Ant Allan, Anmol Singh, and David Anthony Mahdi, 12 February 2016.
  13. What if you could… authenticate the user with a simple password, analyze risk based on behavior, device and location, and initiate step-up authentication when risk is high, all from a single authentication solution?
  14. Introducing CA Advanced Authentication – two best-of-breed components that can be deployed individually or together:
      • Contextual Authentication (CA Risk Authentication™): Where is the identity? What is the identity trying to do? Is the action consistent with history? What device is being used?
      • Versatile Authentication (CA Strong Authentication™): CA Auth ID, Q&A, OATH tokens, OTP (out of band), CA Mobile OTP
  15. CA Risk Authentication – Risk analysis techniques: make real-time decisions based on the risk of the login attempt (Where is the identity? What is the identity trying to do? Is the action consistent with history? What device is being used?).
      • Key features: behavioral risk modeling; dynamic rules; DeviceDNA™ device identification; transparent data collection; Mobile Risk
      • Key benefits: frictionless customer experience; deep integration with CA SSO; reduced fraud risk; control of costs associated with fraud
  16. CA Strong Authentication – Authentication methods: identify the user using a range of authentication options (CA Auth ID, Q&A, OATH tokens, OTP out of band, CA Mobile OTP).
      • Key features: eliminates the risk of stolen passwords; converts the device into a 2F credential; variety of integration options; highly configurable/scalable; available on premise or in the cloud
      • Key benefits: easy for the customer to use; choice of authentication methods; use across multiple channels; enhanced security & compliance
  17. But isn’t the Internet portal dead? The digital transformation is underway: 1.75B smartphone users in 2014 [1]; 25 business apps per device [2]; 50B connected devices (IoT) by 2020 [3]; >$100B in cloud spending this year [4]. Sources: 1. CA Vanson Bourne Study; 2. eMarketer study; 3. McKinsey Global Institute, Disruptive Technologies: advances that will transform life, business and the global economy, May 2013; 4. GSMA Intelligence, From Concept to Delivery: the M2M Market Today, Feb. 17, 2014.
  18. Something about Mobile Devices – 63% of mobile users will access online content through their mobile devices by 2017 [1]. 70% of the population worldwide will use smartphones by 2020 [1]. Sources: 1. http://www.pcmag.com/article2/0,2817,2485277,00.asp; 2. http://www.statista.com/topics/779/mobile-internet
  19. How the Mobile Device Is Changing Authentication – Authenticate WITH, authenticate TO, authenticate THROUGH. In 2017, figures suggest that more than 63.4 percent of mobile phone users will access online content through their devices [1]. Source: 1. http://www.statista.com/topics/779/mobile-internet/
  20. But What About the Mobile Apps?
      • Authentication is different
      • App developers have a choice: trust the device unlocking mechanism (e.g., Touch ID), or supplement device security with an app login
      • If authentication is built into the app, then you must decide: do you prompt for credentials every time the app is opened (not user-friendly), or do you save credentials on the device (not very secure)?
  21. How Our Solution Addresses Mobile Devices…
      • AUTHENTICATE WITH: CA Advanced Authentication provides a CA Mobile OTP app for most smartphones and tablets. This 2FA credential is a secure software passcode generator that allows mobile phones and tablets to become a convenient authentication device. In addition, CA Advanced Authentication can also support out-of-band authentication, sending an OTP to the user via email, text, or voice.
      • AUTHENTICATE TO: When relying on the device security, CA Advanced Authentication can increase the security of the mobile app via a capability called Mobile Risk. This approach embeds libraries into the mobile app. When the user opens the app, the libraries collect data from the device and forward it to CA Advanced Authentication for analysis. If the risk score exceeds a defined threshold, the solution can initiate a step-up authentication.
      • AUTHENTICATE THROUGH: CA Advanced Authentication can be integrated with external biometric solutions to support authentication through the device. This could include leveraging Apple Touch ID, voice prints, facial images, etc.
  22. Risk Analytics – Why it’s Cool
      • Effective analytics technique ideally suited for customers where routine fraud marking is not available
      • The approach is based on assessing whether behavior is normal or abnormal; it is not based on prior fraud data
      • Learns quickly and starts active assessment upon deployment
      • No configuration or training; it can adapt to your user population
  23. CA API Management – The Building Blocks of Digital Transformation. Outside the enterprise: Internet of Things, mobile, SaaS/cloud solutions (AWS, Google, SFDC…), partner ecosystems, external developers. Within the enterprise: secure data, application portfolio, ID/authentication, reporting & analytics, internal teams.
      • Secure the Open Enterprise: protect against threats and OWASP vulnerabilities; control access with SSO and identity management; provide end-to-end security for apps, mobile, and IoT
      • Integrate and Create APIs: easily connect SOA, ESB, and legacy applications; aggregate data including NoSQL up to 10x faster; build scalable connections to cloud solutions; automatically create data APIs with live business logic
      • Unlock the Value of Data: monetize APIs to generate revenue; build digital ecosystems to enhance business value; create efficiencies through analytics and optimization
      • Accelerate Mobile/IoT Development: simplify and control developer access to data; build a wider partner or public developer ecosystem; leverage tools that reduce mobile app delivery time
  24. The Integration: Value Proposition
      • Return on investment – enhanced security reduces fraud losses by protecting the brand
      • Faster time to value – the SDK allows organizations to quickly deploy risk collectors into their mobile apps and IoT devices
      • User convenience – transparent risk analysis enhances app security without impacting the user experience
      • Adaptability – a configurable rules engine allows administrators to create & modify risk rules to balance user/device convenience with threat mitigation
  25. Enhancing App Security With Mobile Risk – Process Flow (diagram labels: Consumer, Mobile Devices, Mobile App, Web Services, Applications, Application Data). The typical process is that the user opens the app on their mobile device and may or may not be prompted to authenticate before accessing enterprise applications and data. But there is no real security beyond the password or PIN enforced by the app. In addition, because many apps store a session token on the device, access can be easily compromised if the mobile device is stolen or lost. Mobile Risk can address this weakness!
  26. Enhancing App Security With Mobile Risk – Process Flow. The first step is to embed the Mobile Device DNA data collectors (the SDK) within the mobile app that you wish to protect. The SDK will communicate with the CA Advanced Authentication servers.
  27. Enhancing App Security With Mobile Risk – Process Flow. When the identity opens the app, the SDK will transparently conduct a risk evaluation, which could occur after authentication but before the user is given access to any data. The SDK will collect device data and send it to the risk engine for analysis. Analysis includes: location; device identification; identity behavior.
  28. Enhancing App Security With Mobile Risk – Process Flow. If the risk analysis returns a LOW risk score, the risk engine will return an “Approve” message and the identity will be allowed to continue to access application data.
  29. Enhancing App Security With Mobile Risk – Process Flow. If the risk analysis returns a MEDIUM risk score, the risk engine can initiate a step-up authentication process (e.g., push notification or out-of-band OTP). After the identity answers the step-up challenge, they are allowed to access application data.
  30. Enhancing App Security With Mobile Risk – Process Flow. If the risk analysis returns a HIGH risk score, the risk engine could return a “Deny” message and the user would not be allowed to access any application data (“Access Denied”).
  31. Logical Architecture (diagram labels) – Consumer → Mobile Devices / Mobile App (with API SDK and AA SDK) → CA API Gateway → Applications / Data; CA Advanced Authentication provides risk analysis, behavior profiling, & step-up authentication; the AA Mobile SDK collects risk data from the device.
  32. IoT/Mobile App Risk Analysis – Initial Process. The first step is to embed the CA Advanced Authentication SDK (AA SDK) within the mobile app that you wish to protect. The SDK will collect risk data, which is transmitted for analysis to the AA servers via the Gateway.
  33. IoT/Mobile App Risk Analysis in Action – Registration Process. When the user downloads the mobile app and registers for the first time, the SDK will collect DeviceDNA data so that CA Advanced Authentication can fingerprint the device. The device is associated with the identity and the fingerprint is stored for future comparisons. In addition, the solution can initiate an out-of-band or alternative authentication to validate the identity.
  34. IoT/Mobile App Risk Analysis in Action – The Improved Process (diagram labels: Consumer, Mobile Devices, Mobile App with API SDK and AA SDK, CA API Gateway, Applications, CA Advanced Authentication). Process steps:
      1. Identity opens the app and authenticates with their user ID / password
      2. Credentials are validated by the CA API Gateway
      3. Risk data is collected from the mobile device and sent for analysis
      4. The risk engine evaluates the contextual data and determines a risk score (Known device? Jailbroken? Negative IP or country? Typical behavior? Velocity? etc.)
      5. If the risk score is high, an out-of-band (OOB) challenge is sent to the identity
      6. The identity responds to the OOB challenge to validate their identity
      7. If the identity is validated, the gateway routes the API request and returns the response
      NOTE: If the risk score is too high, the API request can also be blocked.
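The approve / step-up / deny branches of slides 28–30 and the seven-step flow of slide 34, carried through as an added Python illustration. This is not CA's code: the rule names, their weights, the LOW/MEDIUM/HIGH thresholds, the `ZZ` negative-country placeholder, the 900 km/h velocity limit and the sample requests are all assumptions constructed for this example, and treating a failed out-of-band challenge as a deny is likewise an assumption.

```python
from __future__ import annotations

import hashlib
import json
import math
from dataclasses import dataclass, field

# Assumed weights and thresholds for this example (not CA's values).
NEGATIVE_COUNTRIES = {"ZZ"}                 # constructed placeholder negative-country list
W_UNKNOWN_DEVICE, W_JAILBROKEN, W_NEG_COUNTRY = 35, 40, 40
W_ATYPICAL_ACTION, W_VELOCITY = 15, 40
LOW_MAX, MEDIUM_MAX = 30, 70                # score <= 30: LOW, <= 70: MEDIUM, else HIGH
MAX_PLAUSIBLE_KMH = 900.0                   # faster than this between requests is implausible travel


@dataclass
class Request:
    """Context the mobile SDK would collect and send with one API call (constructed fields)."""
    user: str
    device_attrs: dict                      # DeviceDNA-style attributes (model, OS version, ...)
    jailbroken: bool
    country: str
    lat: float
    lon: float
    ts: float                               # seconds since epoch
    action: str                             # what the identity is trying to do


@dataclass
class UserProfile:
    """What the risk engine remembers about an identity between requests."""
    known_devices: set = field(default_factory=set)
    usual_actions: set = field(default_factory=set)
    last_seen: tuple | None = None          # (lat, lon, ts) of the last approved request


def fingerprint(attrs: dict) -> str:
    """Stable hash of the collected device attributes; stored at registration."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def register_device(profile: UserProfile, req: Request) -> None:
    """Registration step: associate the device fingerprint with the identity."""
    profile.known_devices.add(fingerprint(req.device_attrs))


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km, used for the velocity check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score(profile: UserProfile, req: Request) -> tuple[int, list[str]]:
    """Step 4: evaluate the contextual data and return a 0-100 score plus the rules that fired."""
    s, reasons = 0, []
    if fingerprint(req.device_attrs) not in profile.known_devices:
        s += W_UNKNOWN_DEVICE; reasons.append("unknown device")
    if req.jailbroken:
        s += W_JAILBROKEN; reasons.append("jailbroken device")
    if req.country in NEGATIVE_COUNTRIES:
        s += W_NEG_COUNTRY; reasons.append("negative country")
    if profile.usual_actions and req.action not in profile.usual_actions:
        s += W_ATYPICAL_ACTION; reasons.append("atypical action")
    if profile.last_seen is not None:
        lat0, lon0, ts0 = profile.last_seen
        hours = max(req.ts - ts0, 1.0) / 3600.0   # at least one second: never divide by zero
        kmh = haversine_km(lat0, lon0, req.lat, req.lon) / hours
        if kmh > MAX_PLAUSIBLE_KMH:
            s += W_VELOCITY; reasons.append(f"implausible velocity {kmh:.0f} km/h")
    return min(s, 100), reasons


def decide(profile: UserProfile, req: Request, step_up_passed: bool | None = None):
    """Steps 4-7: LOW -> APPROVE; MEDIUM -> STEP_UP until the OOB challenge is answered;
    HIGH -> DENY. A failed challenge being a DENY is this example's assumption."""
    s, reasons = score(profile, req)
    if s <= LOW_MAX:
        outcome = "APPROVE"
    elif s <= MEDIUM_MAX:
        outcome = {None: "STEP_UP", True: "APPROVE", False: "DENY"}[step_up_passed]
    else:
        outcome = "DENY"
    if outcome == "APPROVE":                # only approved activity trains the profile
        profile.known_devices.add(fingerprint(req.device_attrs))
        profile.usual_actions.add(req.action)
        profile.last_seen = (req.lat, req.lon, req.ts)
    return outcome, s, reasons


def walkthrough() -> list[str]:
    """Constructed scenarios that exercise the LOW, MEDIUM and HIGH branches in turn."""
    nyc, london = (40.7128, -74.0060), (51.5074, -0.1278)
    dev_a, dev_b, dev_c = {"model": "PhoneX", "os": "10.3"}, {"model": "PhoneY", "os": "11.0"}, {"model": "PhoneZ", "os": "9.1"}
    profile = UserProfile()
    register_device(profile, Request("alice", dev_a, False, "US", *nyc, 0, "register"))
    outcomes = []
    r1 = Request("alice", dev_a, False, "US", *nyc, 0, "view_balance")       # known device: LOW
    outcomes.append(decide(profile, r1)[0])
    r2 = Request("alice", dev_b, False, "US", *nyc, 600, "view_balance")     # new device: MEDIUM
    outcomes.append(decide(profile, r2)[0])
    outcomes.append(decide(profile, r2, step_up_passed=True)[0])              # OOB challenge answered
    r3 = Request("alice", dev_a, False, "GB", *london, 4200, "view_balance")  # NYC to London in 1 h
    outcomes.append(decide(profile, r3)[0])
    r4 = Request("alice", dev_c, True, "ZZ", *london, 5000, "transfer")      # jailbroken + negative country
    outcomes.append(decide(profile, r4)[0])
    return outcomes


if __name__ == "__main__":
    print(walkthrough())
```

The profile is only updated on an approved request, so a device that passed the step-up challenge becomes a known device (the registration behaviour of slide 33), while a denied request leaves no trace in the behavioural baseline; the reasons list is what an operator would want logged alongside the score.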
  35. Top 5 Takeaways
      1. The mobile device improves the browser authentication experience – easy, intuitive experience; provides a platform for security; mobility index
      2. And mobile app authentication is becoming increasingly important – organizations are looking to apps as a way to reach their customers; authentication is of course necessary
      3. Mobile app authentication is lagging the browser – risk assessment is not prevalent, but will become important quickly
      4. Users use multiple devices in multiple locations – you have to tie the activity together; risk assessment that uses behavioral profiling and a mobility index can account for this
      5. Mobile device identification gives us an important tool – more precise and more data available to make a decision; can be done without invading the user’s privacy
  36. Recommended Sessions (session # – title – date/time)
      • SCX73S – Best Western Improves Security for 5M+ Rewards Members with Simeio Identity as a Service (IDaaS) Powered by CA Security – 11/16/2016 at 3:00 pm
      • SCX20S – CA Roadmap: Authentication, Single Sign-On, Directory – 11/17/2016 at 1:45 pm
      • SCX50S – Convenience and Security for banking customers with CA Advanced Authentication – 11/17/2016 at 3:00 pm
      • SCX75S – Risk-aware access to Office 365™ – 11/17/2016 at 3:45 pm
      • SCX52S – Protecting Qualcomm IP with CA Advanced Authentication – 11/17/2016 at 4:30 pm
  37. Don’t miss our INTERACTIVE Security Demo Experience! Sneak peek!
  38. We want to hear from you! IT Central is a leading technology review site. CA has them to help generate product reviews for our Security products. ITCS staff may be at this session now (look for their shirts). If you would like to offer a product review, please ask them after the class, or go by their booth. Note: it only takes 5–7 minutes; you have total control over the review; it can be anonymous, if required.
  39. Questions?
  40. Stay connected at communities.ca.com. Thank you.
  41. Security – For more information on Security, please visit: http://cainc.to/EtfYyw
