1. 5 Reasons Why APIs Must Be A Part Of Your Mobile Strategy
K. Scott Morrison
Senior Vice President and Distinguished Engineer
February 2014
© 2014 CA. All rights reserved.
3. Layer 7 SecureSpan Gateway: Secure and Manage Enterprise APIs
Gateway cluster at edge of network
DMZ deployment
Hardware appliance, virtual appliance or software
[Diagram: an SSG cluster deployed in the DMZ between Firewall 1 and Firewall 2; mobile devices, partners, cloud and API/service clients on the outside, API/service servers and the directory on the enterprise network]
4. The MAG SDK
5. The Essence of the Problem: Secure Mobile Access to Apps and Data
How do we make APIs available?
– Firewall mazes
– Diversity of clients and back-end systems
– Clients and servers change at different rates
Of particular interest:
– Authentication, authorization & SSO
– Secure transmission
[Diagram: an API/service client on the Internet reaching API/service servers and the directory on the enterprise network through Firewall 1 and Firewall 2]
6. We Want Classic SSO In An Active Profile For REST
Could leverage WS-Fed here
SAML’s second act?
[Diagram: apps making RESTful API calls over the Internet to API/service servers backed by a directory]
7. But We Also Want Local App SSO
“Like a VPN… but without all of the negatives”
Single sign-on app group (these apps will share sign-on sessions): apps A, B and C
So now it’s getting interesting…
[Diagram: apps A, B and C on one device sharing a sign-on session to the API/service servers]
8. Mobile OS Isolation Is An Issue
App layer
Persistence layer
Silos
9. Self Service: The User Should Be Able To Log Out If A Device Is Lost Or Stolen
10. Solution: Native Single Sign-On SDK For Mobile Developers
Strong security for mobile apps
– Cross-platform and built for a consumer or BYOD world
– 100% standards-based using OAuth + OpenID Connect
– Cross-app SSO with multi-factor auth & secure channel
– X.509 certificate provisioning for strong auth and transaction signing
– One-time PIN (SMS, APNS, call)
[Diagram: iPhone, iPad and Android devices with an app-sharable secure key store reaching API servers on the enterprise network]
11. Client Deployment Strategy
Don’t make me work hard
– But give me a strong and extensible security model
Transfer of security responsibility
– Let developers do what they do best
Simple SDK
– Align with common development-time environments (iOS, Android, JavaScript, etc.)
– Mirror REST frameworks
Future
– Aspects, wrapping, etc.
12. Three Important Entities
All three are managed by the SDK + MAG:
– User
– Apps
– Devices
13. Protocol Strategy
OAuth + OpenID Connect
Profiled for mobile
Clear distinction between device, user and app
[Diagram: (A) username/password presented to the authorization server; (B) ID token returned; (C) per-app access token / refresh token]
Editor's notes: APIs come with their own problems. You never have just one API. So quickly the issue is scaling access and management.