ca security - deloitte iam summit - vasu

© 2013 CA. All rights reserved. CA Security - Enabling the Open Enterprise

Upload: vasu-surabhi

Post on 13-Apr-2017


TRANSCRIPT

Page 1: CA Security - Deloitte IAM Summit  - Vasu

CA Security - Enabling the Open Enterprise

Page 2: CA Security - Deloitte IAM Summit  - Vasu

The Changing Security Landscape

Page 3: CA Security - Deloitte IAM Summit  - Vasu

New trends impact the Security strategy

Mobile Apps

IoT / Big Data

Developer Community

Cloud Services

Partners/Divisions

Social Registration

72% of online adults use social media¹

102B mobile app downloads in 2013²

79% of organizations are using SaaS³

50B connected devices by 2020⁴

35ZB of data by 2020⁵

Sources: 1. Pew Research 2. Cnet 3. Ponemon Institute; 4. Cisco; 5. CSC

Page 4: CA Security - Deloitte IAM Summit  - Vasu

Cloud changes the IT cost equation

Private Cloud

Public Cloud

SaaS

Even IAM can be a cloud service

79% of organizations are using SaaS

Cloud Apps/Platforms & Web Services

Page 5: CA Security - Deloitte IAM Summit  - Vasu

Mobility is transforming customer engagement

Mobile Customer

Cloud Services

Customer Apps

Geo-location

Mobility

Internet of Things

Context

Intimacy

Immediacy

MOBILE DELIVERS

Page 6: CA Security - Deloitte IAM Summit  - Vasu

Information / Big Data / Internet of Things

Free flowing information is more difficult to protect

“Connected Devices”

Systems of Record

Big Data

Business Intelligence

Internet of Things

Business Lines

Partners

Developers

Big Data

?

2.5EB Exabytes (2**18) of data are created every day

Page 7: CA Security - Deloitte IAM Summit  - Vasu

Translating priorities into IT initiatives

DELIVER SECURE NEW BUSINESS SERVICES

PROTECT AGAINST INSIDER THREATS AND TARGETED ATTACKS

SECURE THE MOBILE, CLOUD-CONNECTED ENTERPRISE

• Securely connect employees to Cloud applications
• Secure collaboration for employees & partners
• Streamline & govern user access
• Protect against insider threats from employees
• Protect against external attacks
• Accelerate service delivery
• Improve customer engagement
• Externalize the business (engage with developers)

Page 8: CA Security - Deloitte IAM Summit  - Vasu


What this really means is the Enterprise must be open

Mobile Apps

IoT / Big Data

Developer Community

Cloud Services

Partners/Divisions

The Open Enterprise

Social Registration

Page 9: CA Security - Deloitte IAM Summit  - Vasu

Solution requires an integrated set of capabilities

Enable Access

Manage Identity

Protect Sensitive Data

Drive New Revenue

Achieve Operational Excellence

Protect the Brand

SHARED ACCOUNT MANAGEMENT

DIRECTORY

WEB SINGLE SIGN-ON

FEDERATION

API SECURITY

API PORTAL

ADVANCED AUTHENTICATION

ACCESS CERTIFICATION

IDENTITY MANAGEMENT

MOBILE APP SECURITY

MOBILE CONTENT MANAGEMENT

EMAIL CONTROL

FILE CONTROL

MOBILE DEVICE MANAGEMENT

The Open Enterprise

Page 10: CA Security - Deloitte IAM Summit  - Vasu

The CA Technologies Security Suite

Page 11: CA Security - Deloitte IAM Summit  - Vasu

CA Security Portfolio

The building blocks to success

Mobile employee

Internal Employee

Partner User

Consumer

On-premise apps

Cloud apps

Identity
• CA IdentityMinder
• CA GovernanceMinder

Access
• CA ControlMinder
• CA SiteMinder
• CA AuthMinder
• CA Layer7 API Gateway

Data
• CA DataMinder
• CA Email Control for the Enterprise

CA Solution Proof Points

Identity

Access

• CA CloudMinder Identity Mgmt.
• CA CloudMinder Adv. Auth.
• CA CloudMinder SSO

• >1,500 customers
• 15 of the top 18 global banks
• 13 of the top 20 Fortune 20
• 8 of the top 10 government agencies
• 5 of the top 5 Telecom companies

Source: Fortune, 2012

Page 12: CA Security - Deloitte IAM Summit  - Vasu

CA Identity Management & Governance product family

Identity Management (CA IdentityMinder)

• User provisioning & de-provisioning
• User self service & password mgmt.
• Support for a wide range of applications and cloud services
• Configurable workflow
• Delegated administration
• Access request
• Mobile application
• CA GovernanceMinder integration

Access Governance (CA GovernanceMinder)

• Entitlement certification
• Role mining and modeling
• Privileged clean-up
• Patented analytics
• Identity segregation of duty violations
• Reporting & workflow
• Integration with CA IdentityMinder
• Integration with CA ControlMinder

Page 13: CA Security - Deloitte IAM Summit  - Vasu

CA Identity Management & Governance

CA Identity Mgmt & Governance

User Management

Mobile application

Role analytics & modeling

Entitlement certification

Provisioning to cloud & on-premise apps

Page 14: CA Security - Deloitte IAM Summit  - Vasu


Xpress Technologies

PolicyXpress

ConnectorXpress

ConfigXpress

Customization without coding

Create connectors to databases and LDAP

Environment management

Gx

Px

Cx

Cfx

CA GovernanceMinder

Analyze/Audit/Model access rights

Page 15: CA Security - Deloitte IAM Summit  - Vasu


IdentityMinder mobile app

— Extends the “reach” of CA IdentityMinder

— Self-Configuration of App

— Business Approvals

— Password Self-service

— Demo Mode

Page 16: CA Security - Deloitte IAM Summit  - Vasu

CA SiteMinder® Web Access Management

Page 17: CA Security - Deloitte IAM Summit  - Vasu

CA SiteMinder Product Family

SSO & Access Management (CA SiteMinder)

• Web single sign-on
• Centralized, policy-based authorization
• Password management services
• Secure auditing

Adjunct Functionality (CA Directory, CA Secure Proxy Server)

• High performance directory server
• High availability, reliability, scalability
• Session management for mobile
• Provides optional deployment model

Web Services Security (CA SiteMinder Web Services Security)

• Centralized security policy administration and enforcement
• Requester authentication based on message content

Identity Federation (CA SiteMinder Federation)

• Cross-domain single sign-on
• Browser and document-based federation
• Standards-based (SAML, WS-Fed, OAuth, OpenID)

Page 18: CA Security - Deloitte IAM Summit  - Vasu

Secure the Mobile, Cloud-Connected Enterprise

PC / LAPTOP BROWSERS

BROWSERS ON PHONE / TABLET

PHONE / TABLET NATIVE APPS

NON-TRADITIONAL DEVICES

WEB SERVICES

BIG BROWSERS, SMALL BROWSERS AND MOBILE APPLICATIONS

APPLICATION

SSO

USE ONE SECURITY SOLUTION REGARDLESS OF ACCESS POINT

Page 19: CA Security - Deloitte IAM Summit  - Vasu

CA SiteMinder…What Is It? What Does It Do?

A market-leading centralized, policy-based flexible access management and distributed Web-based secure Single Sign-On (SSO) policy enforcement solution

AUTHENTICATION MANAGEMENT

• Broad strong auth. support
• User directory chaining
• Step-up authentication, levels, fall backs, password services, etc.

• Web Single Sign-On
• Flexible access policies based on user, time, location, risk, etc.
• Enterprise scalability (100M+ users)

AUDITING AND REPORTING

• Standardized on CA Business Intelligence platform
• Auditing to files or RDBMS
• Configuration of events-based audit

CENTRALIZED ADMINISTRATION

• Centralized user, group and policy administration
• User self-service
• Delegation of permissions

POLICY-BASED AUTHORIZATION

Page 20: CA Security - Deloitte IAM Summit  - Vasu

CA SiteMinder – Different SSO Architectures

OPEN STANDARDS

SOAP AND REST APIs

AGENT-LESS SSO (PROXY)

OPEN FORMAT COOKIE

WEB AGENTS

CA SITEMINDER

Page 21: CA Security - Deloitte IAM Summit  - Vasu

Recent CA SiteMinder Releases

MARCH 2012: CA SiteMinder Family 12.5. Simplified Federation Administration, Risk-based Identity Assurance, Enhanced Federation, Identity Mapping

AUGUST 2012: CA SiteMinder® Secure Proxy Server 12.5. UI, enhanced proxy rules, monitoring, session linking, instance discovery

OCTOBER 2012: Standalone version of CA SiteMinder® Federation 12.5 – Admin SOD, Cert mgmt, attribute mapping, eGov, auth context

DECEMBER 2012: CA CloudMinder™ SSO service

APRIL 2013: CA SiteMinder Family 12.51. Integrated UI for WAM/FED/SOA, Social Media support, Multi-Channel SSO support

DECEMBER 2013: CA SiteMinder Family 12.52 - Enhanced Session Assurance with DeviceDNA™, SSO between Office 365 & Microsoft Rich Clients, Enhanced Social Sign-On

Page 22: CA Security - Deloitte IAM Summit  - Vasu

CA SiteMinder 12.51 (+Fed+WSS)

THEME | FEATURE | DESCRIPTION

Enable the Business | Web Service Interfaces | RESTful & SOAP-based web service interfaces for authentication, authorization

Enable the Business | Social media identities | Ability to consume OAuth 2.0-based identities produced by Google and Facebook

Enable the Business | WS-Federation 1.2 passive profile | Support for SSO to Microsoft Office365, Azure

Enable the Business | Open Format Cookie | Agent-less form of SSO to applications that have less stringent security needs

Enable the Business | Internationalization and Localization | Standardized internationalization with Japanese (initial) localization

Simplify Management | Integrated SiteMinder Web Services Security | Integrated installation of CA SiteMinder® Web Services Security with the Policy Server and Admin UI

Simplify Management | Federation enhancements | Various enhancements: SAML attribute query; Attribute transformation; UI enhancement for attributes from session store; Log attributes to audit log

Page 23: CA Security - Deloitte IAM Summit  - Vasu

Enhanced Session Assurance with DeviceDNA

Deployment Architectures

Agent Focused:

• Browser
• Web Server with CA SiteMinder Agent
• CA SiteMinder Secure Proxy Server (w/ DeviceDNA)
• CA SiteMinder Policy Server

Proxy Focused:

• Browser
• CA SiteMinder Secure Proxy Server
• CA SiteMinder Secure Proxy Server (w/ DeviceDNA)
• CA SiteMinder Policy Server
• Web Servers

Hybrids of Agent and Proxy architectures also supported

Page 24: CA Security - Deloitte IAM Summit  - Vasu

Enhanced Social Sign-on with OAuth 2.0 and 1.0a

• OAuth 2.0 and 1.0a RP side
• Simpler administration via web UI and partnerships
• Just-in-time provisioning integration
• Out-of-the box pre-validated social provider support:
– Facebook, Google+, LinkedIn, Twitter, Microsoft Live

Page 25: CA Security - Deloitte IAM Summit  - Vasu

Enabling SSO between Office 365 & Microsoft Rich Clients

• Simple administration as part of WS-Fed Federation Partnership
• Verification with:
– Outlook
– Office clients
– Lync
– Dynamics CRM for Outlook

Page 26: CA Security - Deloitte IAM Summit  - Vasu

CA Advanced Authentication product family

Strong Authentication (CA AuthMinder)

• Wide Array of credential types
• ArcotID® PKI secure sw credential
• ArcotID® OTP one-time password
• OOB OTP via SMS and voice
• KBA (questions and answers)
• OATH standard tokens
• Support for a wide range of devices
• Versatile authentication engine
• Flexible user authentication and provisioning workflows

Risk-based Assessment (CA RiskMinder)

• White box philosophy
• Rich set of assessment tools
• Device identification
• Geo-location
• Device intelligence
• Behavior elements
• Rule editing and performance reporting
• Case management and research

CA Advanced Authentication

• Includes CA AuthMinder and CA RiskMinder
• Multi-layer risk-based authentication solution
• Multi-channel protection

Page 27: CA Security - Deloitte IAM Summit  - Vasu

CA Advanced Authentication

• Two-factor, strong authentication with little or no impact to the customer experience.
• Multiple delivery methods including OTP and PKI
• Out-of-Band delivery methods including: SMS, email and voice
• Easy to use OTP mobile application

• No hardware credential logistics/distribution costs
• Simple software distribution model
• Self-service functionality to reduce password reset and credential replacement costs

• Patented software credential protection to protect against brute force attacks
• Credential to device locking to avoid inappropriate reuse
• Simple rule building console to easily block new threats

Cost

Convenience (User Experience)

New Enterprise (& Upper Growth)

Security

Page 28: CA Security - Deloitte IAM Summit  - Vasu

CA AuthMinder

Authentication Methods

Authentication Interfaces

OpenID

SAML

Challenge/Response

RADIUS

Custom

Response

LDAP

Mainframe

Other Proprietary

Q&A

OATH

OTP-SMS, Email

CAP/DPA

Callout

• Notifications,

• Alerts, Reports

SiteMinder and other WAMS

ArcotID OTP

ArcotID PKI

ID Proof

• Policy Server

• Business Rules

• Config

• AuthN Engine

Page 29: CA Security - Deloitte IAM Summit  - Vasu

CA Advanced Authentication

ArcotID – Multifactor Software Credential

• Two Form Factors
– Software-based token ArcotID PKI
– OTP credential ArcotID OTP
• Patented “cryptographic camouflage”
– Helps protect against brute force attack
– Simple over the air deployment
– Supports a variety of devices
– PCs, Macs, Phones, Tablets, Linux
• And Use Cases:
– Credential for Enterprise and BYOD
– Website login, VPN access, transaction signing

[Figure: User Authentication login form (UserID, Password). CA ArcotID PKI: Invisible. CA ArcotID OTP: Explicit.]

Page 30: CA Security - Deloitte IAM Summit  - Vasu


CA RiskMinder Provides Layered Approach for Risk Assessment and Fraud Detection

Risk Assessment

(Rules / Policy)

Allow

Deny

Alert CSR

Step-Auth

Case Mgmt

Reporting

Risk Advice

Historical Context

• Guide risk-appropriate authentication

• Detect and block fraud with real-time risk analysis and scoring

• Dynamically require strong authentication for risky transactions

• Targets online access – Web Access Mgt, Web Portals, VPNs

Device Details

Device Type iPhone

Operating System iOS 6.0

Browser Safari

Device ID Matched: Yes

User-Device Associated: Yes

Machine Fingerprint (MFP) Matched: Yes

MFP Match % 100

Model Rule Management

Policies

Page 31: CA Security - Deloitte IAM Summit  - Vasu


CA Advanced Authentication and CA SiteMinder

CA Advanced Authentication passes an authentication score to CA SiteMinder for authorization of access privilege.

Risk Assessment

(Rules / Policy)

Allow

Deny

Alert CSR

Step-Auth

Case Mgmt

Reporting

Risk Advice

Historical Context

Device Details

Device Type iPhone

Operating System iOS 6.0

Browser Safari

Device ID Matched: Yes

User-Device Associated: Yes

Machine Fingerprint (MFP) Matched: Yes

MFP Match % 100

Model Rule Management

Policies

Page 32: CA Security - Deloitte IAM Summit  - Vasu

CA ControlMinder Product family

Privileged Identity Management for Physical & Virtual Environments

Shared Account Management

• Control passwords for administrative accounts
• Authorization workflow incl ‘break glass’
• Accountability of shared account access
• Automatic login
• Integration w/ session recording software
• Manage application passwords
• Windows services & scheduled tasks

UNIX Authentication Bridging

• Centralized UNIX administration
• Active Directory authentication
• Native integration with AD
• Kerberos-based single-sign-on

Fine-Grained Access Controls

• Server security (physical/virtual)
• Manage fine-grained access
• Control activities by original user ID
• Segregation of duty
• Auditing privileged access

User Activity Reporting / Session Recording

• Centrally manage CA ControlMinder audit logs
• Privileged user access reporting
• Access management log trending
• Track activities to original user ID
• UNIX keystroke logging
• Session recording integration

CA ControlMinder (/Shared Account Mgmt.)

CA ControlMinder

CA ControlMinder & CA Session Recording

CA ControlMinder

Page 33: CA Security - Deloitte IAM Summit  - Vasu

Privileged Identity Management

Mitigate Insider Threats

Enable Compliance

Stop Targeted Attacks

Secure Virtual Environments

Move to the Cloud Securely

Privileged ID Mgmt.

Page 34: CA Security - Deloitte IAM Summit  - Vasu

CA ControlMinder - Privileged Identity Management

CA ControlMinder

Hypervisor

VM VM VM

Shared Account Management

Fine-Grained Access Controls

User Session Recording

UNIX Authentication Bridging

Virtualization Security

Page 35: CA Security - Deloitte IAM Summit  - Vasu

CA Data Protection solutions

Email (CA Email Control for the Enterprise)

• Mitigate the risk of exposing sensitive information through accidental, negligent and malicious email communication.
• Precise control that protects sensitive messages across a broad range of workstations, laptops and mobile devices at the source.

Collaboration (CA DataMinder)

• Control sensitive information posted, stored and shared in collaboration platforms.
• Provide convenient user access with security based on dynamic insight including the sensitivity of content hosted on a given site.

Cloud (CA DataMinder)

• Control the storage of sensitive corporate information across the datacenter and cloud
• Intelligent file protection in the cloud with content classification and control

Mobility (CA DataMinder)

• Control the distribution and communication of sensitive information via mobile technologies
• Secure mobile file sync and sharing that combines content classification with control delivering intelligent file protection for mobile devices.

Page 36: CA Security - Deloitte IAM Summit  - Vasu

CA CloudMinder™

CA IdentityMinder as-a-Service

CA FedMinder as-a-Service

Page 37: CA Security - Deloitte IAM Summit  - Vasu

CA CloudMinder vision

Ability to Deliver Identity and Access Management (IAM) capabilities using an enterprise-grade service as a unified-solution to provide a consumerized experience and address current and future needs of both large and emerging enterprises.

CA CloudMinder

Single Sign-On Service

Advanced Authentication Service

Identity Management Service

Identity Governance Service

Privileged Identity Management

Authorization Service

Data Protection Service

Other Security Services…

= planned = future direction

Page 38: CA Security - Deloitte IAM Summit  - Vasu

CA CloudMinder

Suite of IAM Cloud Services

Identity Management

• User management
• Access request
• Hybrid provisioning-cloud & on-premise
• Identity synchronization

CA CloudMinder™ Identity Management

Strong Authentication

• Software Tokens, QnA, OATH, CA AuthMinder™ PKI/OTP
• Roaming support (mobile devices)
• Risk analysis, adaptive authentication
• Device identification, geolocation
• Fraud prevention

CA CloudMinder™ Advanced Authentication

Federated SSO

• Standards-based federation
• STS (Token Translation)
• Just-in-time provisioning
• Integration with other CloudMinder services

CA CloudMinder™ Single Sign-on

USER

Page 39: CA Security - Deloitte IAM Summit  - Vasu

New capability – Support for IAM Flexibility and Choice

CA CloudMinder Bridge

On-Premise IAM / Private Cloud

Cloud platforms

CA DataMinder™

CA ControlMinder™

CA IdentityMinder™

CA GovernanceMinder™

Mobile employee

Consumer

Partner User

Internal Employee

SaaS Apps

CA CloudMinder

Identity Management

Federated Single Sign-On

Advanced Authentication

Identity Governance*

Privileged Identity Mgt

*

Page 40: CA Security - Deloitte IAM Summit  - Vasu

A Managed Service Offering includes …

CA Technologies managed service offerings designed for service providers to accelerate business growth

Market-leading CA Products

Deployment Packaging

Run Books and Automation

Verification Programs

Reference Architectures

Service Provider Play Books

Education

Technical Support

Page 41: CA Security - Deloitte IAM Summit  - Vasu

The CA Technologies cloud security vision

CA CloudMinder

CA IdentityMinder as-a-Service: Identity management and provisioning

CA FedMinder as-a-Service: Federated single sign-on

CA AuthMinder as-a-Service*: Strong, flexible authentication

CA RiskMinder as-a-Service**: Risk-based authentication

Page 42: CA Security - Deloitte IAM Summit  - Vasu


API Management with Layer 7

Page 43: CA Security - Deloitte IAM Summit  - Vasu

APIs: A practical, modern integration mechanism across use-cases

Provide Secure Mobile Backend to Apps

Solve Big Data Problem in IoT

Enable Internal & External Developers

Connect Partners / Divisions

Provide Bridge to Cloud

Page 44: CA Security - Deloitte IAM Summit  - Vasu


Common API Needs

• Ease of Access

• Security & Identity

• Operational Control

• Business Visibility

• Documentation

• Adaptability

• Scalability

• Extensibility

Solution:

API Management

Page 45: CA Security - Deloitte IAM Summit  - Vasu

Layer 7 Mobile Access Gateway

Mobile API Delivery

Access Control, UX

Increased Developer Velocity

• Secure Mobile Endpoint
• Manage permissions across users, devices, apps
• Integration, Scaling
• Mobile PKI Provisioning
• Mobile app-to-app SSO
• Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)
• Mobile SDK for iOS and Android
• Configure, not code
• Form factors, deployment options

Page 46: CA Security - Deloitte IAM Summit  - Vasu

API Management & Security with CA Layer 7

Security & Govern

• Secure externalized data and business services
• Protect against DOS and API attacks
• Wrap app with security policy & jailbreak detection
• Cache, throttle and meter

Developer Portal

• Learn about APIs available for use
• Grant certificates for access
• Test environment
• API usage metrics & reporting

SaaS (Apify)

• Accelerate API projects through cloud delivery
• Deliver API gateway and developer portal capabilities from the cloud
• Reach cloud, mobile and smart technology markets faster

Protocol Adaptation

• Leverage existing application infrastructures
• Convert legacy apps to REST API
• Create API composite applications

Page 47: CA Security - Deloitte IAM Summit  - Vasu

API Management & Security

Legacy Application Environments

API Threats

API Management

Developer Tools

Capital Investment

Privileged ID Mgmt.

Page 48: CA Security - Deloitte IAM Summit  - Vasu

CA Layer 7 for API Management & Security

CA Layer 7

Performance & Scale

Security Depth

Global Management

Deployment Options

Adaptation

Simplicity

Page 49: CA Security - Deloitte IAM Summit  - Vasu


CA Security Overall Picture

Page 50: CA Security - Deloitte IAM Summit  - Vasu

End-to-End Mobile Security

CA provides end-to-end security in today’s complicated heterogeneous mobile platform to seamlessly and securely enable content access.

Page 51: CA Security - Deloitte IAM Summit  - Vasu

Questions