ca security - deloitte iam summit - vasu
TRANSCRIPT
© 2013 CA. All rights reserved.
CA Security - Enabling the Open Enterprise
The Changing Security Landscape
New trends impact the security strategy
• Mobile apps: 102B mobile app downloads in 2013²
• Cloud services: 79% of organizations are using SaaS³
• IoT / big data: 50B connected devices by 2020⁴, 35ZB of data by 2020⁵
• Social registration: 72% of online adults use social media¹
• Developer community
• Partners / divisions
Sources: 1. Pew Research; 2. CNET; 3. Ponemon Institute; 4. Cisco; 5. CSC
Cloud changes the IT cost equation
• Private cloud, public cloud, SaaS
• Cloud apps/platforms & web services
• 79% of organizations are using SaaS
• Even IAM can be a cloud service
Mobility is transforming customer engagement
• The mobile customer reaches cloud services and customer apps from anywhere (geo-location, mobility, Internet of Things)
• Mobile delivers: context, intimacy, immediacy
Information / big data / Internet of Things: free-flowing information is more difficult to protect
• Producers and consumers of that information: "connected devices", Internet of Things, systems of record, big data, business intelligence, business lines, partners, developers
• 2.5 EB (2.5 × 10^18 bytes) of data are created every day
Translating priorities into IT initiatives
Deliver secure new business services
• Accelerate service delivery
• Improve customer engagement
• Externalize the business (engage with developers)
Protect against insider threats and targeted attacks
• Protect against insider threats from employees
• Protect against external attacks
Secure the mobile, cloud-connected enterprise
• Securely connect employees to cloud applications
• Secure collaboration for employees & partners
• Streamline & govern user access
What this really means is the enterprise must be open
The Open Enterprise connects: mobile apps, IoT / big data, the developer community, cloud services, partners/divisions, social registration
Solution requires an integrated set of capabilities
Business outcomes: drive new revenue, achieve operational excellence, protect the brand
Security goals: enable access, manage identity, protect sensitive data
The CA Technologies Security Suite for the Open Enterprise: shared account management, directory, web single sign-on, federation, API security, API portal, advanced authentication, access certification, identity management, mobile app security, mobile content management, email control, file control, mobile device management
CA Security Portfolio: the building blocks to success
Users: mobile employee, internal employee, partner user, consumer
Targets: on-premise apps, cloud apps
Identity
• CA IdentityMinder
• CA GovernanceMinder
Access
• CA ControlMinder
• CA SiteMinder
• CA AuthMinder
• CA Layer7 API Gateway
Data
• CA DataMinder
• CA Email Control for the Enterprise
CA CloudMinder (identity and access as a service)
• CA CloudMinder Identity Mgmt.
• CA CloudMinder Adv. Auth.
• CA CloudMinder SSO
CA solution proof points
• >1,500 customers
• 15 of the top 18 global banks
• 13 of the Fortune 20
• 8 of the top 10 government agencies
• 5 of the top 5 telecom companies
Source: Fortune, 2012
CA Identity Management & Governance product family
Identity Management (CA IdentityMinder)
• User provisioning & de-provisioning
• User self-service & password management
• Support for a wide range of applications and cloud services
• Configurable workflow
• Delegated administration
• Access request
• Mobile application
• CA GovernanceMinder integration
Access Governance (CA GovernanceMinder)
• Entitlement certification
• Role mining and modeling
• Privileged clean-up
• Patented analytics
• Identity segregation-of-duty violations
• Reporting & workflow
• Integration with CA IdentityMinder
• Integration with CA ControlMinder
CA Identity Management & Governance
• User management
• Mobile application
• Role analytics & modeling
• Entitlement certification
• Provisioning to cloud & on-premise apps
Xpress Technologies
• PolicyXpress (Px): customization without coding
• ConnectorXpress (Cx): create connectors to databases and LDAP
• ConfigXpress (Cfx): environment management
• CA GovernanceMinder (Gx): analyze/audit/model access rights
IdentityMinder mobile app
• Extends the "reach" of CA IdentityMinder
• Self-configuration of the app
• Business approvals
• Password self-service
• Demo mode
CA SiteMinder® Web Access Management
CA SiteMinder product family
SSO & Access Management (CA SiteMinder)
• Web single sign-on
• Centralized, policy-based authorization
• Password management services
• Secure auditing
Adjunct functionality (CA Directory, CA Secure Proxy Server)
• High-performance directory server
• High availability, reliability, scalability
• Session management for mobile
• Provides an optional deployment model
Web Services Security (CA SiteMinder Web Services Security)
• Centralized security policy administration and enforcement
• Requester authentication based on message content
Identity Federation (CA SiteMinder Federation)
• Cross-domain single sign-on
• Browser- and document-based federation
• Standards-based (SAML, WS-Fed, OAuth, OpenID)
Secure the mobile, cloud-connected enterprise
Access points: PC/laptop browsers, browsers on phone/tablet, phone/tablet native apps, non-traditional devices, web services
Big browsers, small browsers and mobile applications all get application SSO: use one security solution regardless of access point
CA SiteMinder: what is it? What does it do?
A market-leading, centralized, policy-based access management solution with distributed policy enforcement for secure web single sign-on (SSO).
Authentication management
• Broad strong-authentication support
• User directory chaining
• Step-up authentication, authentication levels, fallbacks, password services, etc.
Policy-based authorization
• Web single sign-on
• Flexible access policies based on user, time, location, risk, etc.
• Enterprise scalability (100M+ users)
Auditing and reporting
• Standardized on the CA Business Intelligence platform
• Auditing to files or an RDBMS
• Configuration of event-based auditing
Centralized administration
• Centralized user, group and policy administration
• User self-service
• Delegation of permissions
CA SiteMinder: different SSO architectures
• Web agents
• Agent-less SSO (proxy)
• Open-format cookie
• SOAP and REST APIs
• Open standards
Recent CA SiteMinder releases
• March 2012: CA SiteMinder Family 12.5. Simplified federation administration, risk-based identity assurance, enhanced federation, identity mapping
• August 2012: CA SiteMinder® Secure Proxy Server 12.5. UI, enhanced proxy rules, monitoring, session linking, instance discovery
• October 2012: standalone version of CA SiteMinder® Federation 12.5. Admin SOD, certificate management, attribute mapping, eGov, authentication context
• December 2012: CA CloudMinder™ SSO service
• April 2013: CA SiteMinder Family 12.51. Integrated UI for WAM/FED/SOA, social media support, multi-channel SSO support
• December 2013: CA SiteMinder Family 12.52. Enhanced Session Assurance with DeviceDNA™, SSO between Office 365 & Microsoft rich clients, enhanced social sign-on
CA SiteMinder 12.51 (+Fed+WSS)
Theme: Enable the business
• Web service interfaces: RESTful & SOAP-based web service interfaces for authentication and authorization
• Social media identities: ability to consume OAuth 2.0-based identities produced by Google and Facebook
• WS-Federation 1.2 passive profile: support for SSO to Microsoft Office 365 and Azure
• Open-format cookie: agent-less form of SSO for applications that have less stringent security needs
• Internationalization and localization: standardized internationalization with Japanese (initial) localization
Theme: Simplify management
• Integrated SiteMinder Web Services Security: integrated installation of CA SiteMinder® Web Services Security with the Policy Server and Admin UI
• Federation enhancements: SAML attribute query; attribute transformation; UI enhancement for attributes from the session store; log attributes to the audit log
Enhanced Session Assurance with DeviceDNA: deployment architectures
Agent-focused: browser, web server with CA SiteMinder agent, CA SiteMinder Secure Proxy Server (with DeviceDNA), CA SiteMinder Policy Server
Proxy-focused: browser, CA SiteMinder Secure Proxy Server, CA SiteMinder Secure Proxy Server (with DeviceDNA), CA SiteMinder Policy Server, web servers
Hybrids of agent and proxy architectures are also supported
Enhanced social sign-on with OAuth 2.0 and 1.0a
• OAuth 2.0 and 1.0a relying-party (RP) side
• Simpler administration via web UI and partnerships
• Just-in-time provisioning integration
• Out-of-the-box pre-validated social provider support: Facebook, Google+, LinkedIn, Twitter, Microsoft Live
Enabling SSO between Office 365 & Microsoft rich clients
• Simple administration as part of a WS-Fed federation partnership
• Verified with: Outlook, Office clients, Lync, Dynamics CRM for Outlook
CA Advanced Authentication product family
Strong Authentication (CA AuthMinder)
• Wide array of credential types: ArcotID® PKI secure software credential, ArcotID® OTP one-time password, out-of-band OTP via SMS and voice, KBA (questions and answers), OATH standard tokens
• Support for a wide range of devices
• Versatile authentication engine
• Flexible user authentication and provisioning workflows
Risk-based Assessment (CA RiskMinder)
• White-box philosophy
• Rich set of assessment tools: device identification, geo-location, device intelligence, behavior elements
• Rule editing and performance reporting
• Case management and research
CA Advanced Authentication
• Includes CA AuthMinder and CA RiskMinder
• Multi-layer risk-based authentication solution
• Multi-channel protection
CA Advanced Authentication: convenience, cost and security (for the new enterprise & upper growth)
Convenience (user experience)
• Two-factor, strong authentication with little or no impact on the customer experience
• Multiple delivery methods including OTP and PKI
• Out-of-band delivery methods including SMS, email and voice
• Easy-to-use OTP mobile application
Cost
• No hardware credential logistics/distribution costs
• Simple software distribution model
• Self-service functionality to reduce password reset and credential replacement costs
Security
• Patented software credential protection to protect against brute-force attacks
• Credential-to-device locking to avoid inappropriate reuse
• Simple rule-building console to easily block new threats
CA AuthMinder
Authentication methods: ArcotID OTP, ArcotID PKI, Q&A, OATH, OTP via SMS/email, CAP/DPA, ID proofing
Authentication interfaces: OpenID, SAML, challenge/response, RADIUS, custom response, LDAP, mainframe, other proprietary; CA SiteMinder and other WAMs
Server components: policy server, business rules, configuration, AuthN engine
Callouts: notifications, alerts, reports
CA Advanced Authentication: ArcotID, a multifactor software credential
• Two form factors
– Software-based token: ArcotID PKI (invisible: the user sees only the usual user ID / password login form)
– OTP credential: ArcotID OTP (explicit)
• Patented "cryptographic camouflage"
– Helps protect against brute-force attack
– Simple over-the-air deployment
• Supports a variety of devices: PCs, Macs, phones, tablets, Linux
• Use cases: credential for enterprise and BYOD; website login, VPN access, transaction signing
CA RiskMinder provides a layered approach for risk assessment and fraud detection
• Guide risk-appropriate authentication
• Detect and block fraud with real-time risk analysis and scoring
• Dynamically require strong authentication for risky transactions
• Targets online access: web access management, web portals, VPNs
Flow: risk assessment (rules/policy) draws on device details, historical context and model/rule management (policies), and returns risk advice of Allow, Deny, Step-up authentication or Alert CSR; outcomes feed case management and reporting
Example device details: device type iPhone; operating system iOS 6.0; browser Safari; device ID matched: yes; user-device associated: yes; machine fingerprint (MFP) matched: yes; MFP match 100%
CA Advanced Authentication and CA SiteMinder
CA Advanced Authentication passes an authentication score to CA SiteMinder for authorization of access privileges (same risk-assessment flow and device details as on the preceding slide).
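To make the risk-advice flow and the hand-off to the web access manager concrete, here is an added example (not CA's RiskMinder or SiteMinder code): a rule-based risk engine that scores a login from the device details and historical context shown on the slide, maps the score to one of the four advice outcomes, and a resource-authorization check in the style of the SiteMinder integration that raises the authentication level a session must hold when the advice is step-up. The rule weights, score bands, authentication levels, resource paths and sample users are this example's own assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Advice(str, Enum):
    ALLOW = "Allow"
    STEP_AUTH = "Step-Auth"      # require stronger authentication, then allow
    ALERT_CSR = "Alert CSR"      # step-up and open a case for customer-service review
    DENY = "Deny"


@dataclass
class DeviceDetails:             # the "Device Details" panel on the slide
    device_type: str
    operating_system: str
    browser: str
    device_id_matched: bool
    user_device_associated: bool
    mfp_match_pct: int           # machine fingerprint match, 0..100


@dataclass
class AccessRequest:
    user: str
    country: str                 # from geo-location of the request IP
    device: DeviceDetails


@dataclass
class HistoricalContext:         # what the server already knows about this user
    known_countries: frozenset
    km_from_last_login: float
    minutes_since_last_login: float
    failed_logins_last_hour: int


@dataclass
class RiskAdvice:
    score: int
    advice: Advice
    fired_rules: list


# Rule table (assumed weights): (name, predicate, points). Points add up; 100 is the cap.
RULES = [
    ("unknown-device",        lambda r, h: not r.device.device_id_matched, 40),
    ("device-not-associated", lambda r, h: r.device.device_id_matched
                                           and not r.device.user_device_associated, 15),
    ("weak-fingerprint",      lambda r, h: r.device.device_id_matched
                                           and r.device.mfp_match_pct < 80, 30),
    ("new-country",           lambda r, h: r.country not in h.known_countries, 25),
    ("impossible-travel",     lambda r, h: h.minutes_since_last_login > 0 and
                                           h.km_from_last_login / (h.minutes_since_last_login / 60) > 900, 50),
    ("credential-stuffing",   lambda r, h: h.failed_logins_last_hour >= 5, 30),
]

DENY_AT, ALERT_AT, STEP_AT = 85, 60, 30      # assumed score bands


def assess(req: AccessRequest, hist: HistoricalContext) -> RiskAdvice:
    """Risk assessment (rules/policy): evaluate every rule, sum the points, map to advice."""
    fired = [(name, pts) for name, pred, pts in RULES if pred(req, hist)]
    score = min(100, sum(pts for _, pts in fired))
    if score >= DENY_AT:
        advice = Advice.DENY
    elif score >= ALERT_AT:
        advice = Advice.ALERT_CSR
    elif score >= STEP_AT:
        advice = Advice.STEP_AUTH
    else:
        advice = Advice.ALLOW
    return RiskAdvice(score, advice, [name for name, _ in fired])


# Web-access-management side (assumed numbers): each protected resource needs a minimum
# authentication level; a step-up advice raises what the session must hold.
PASSWORD_LEVEL, OTP_LEVEL = 5, 15
RESOURCE_LEVELS = {"/portal/home": PASSWORD_LEVEL, "/portal/transfer": OTP_LEVEL}


def authorize(resource: str, session_level: int, advice: RiskAdvice) -> bool:
    """Authorization decision from the session's authentication level and the risk advice."""
    if advice.advice is Advice.DENY:
        return False
    required = RESOURCE_LEVELS.get(resource, PASSWORD_LEVEL)
    if advice.advice in (Advice.STEP_AUTH, Advice.ALERT_CSR):
        required = max(required, OTP_LEVEL)
    return session_level >= required


# Constructed sample data mirroring the slide's device panel (iPhone / iOS 6.0 / Safari).
KNOWN_IPHONE = DeviceDetails("iPhone", "iOS 6.0", "Safari", True, True, 100)
ALICE_HISTORY = HistoricalContext(frozenset({"US"}), 12.0, 600.0, 0)

if __name__ == "__main__":
    ok = assess(AccessRequest("alice", "US", KNOWN_IPHONE), ALICE_HISTORY)
    print(ok.score, ok.advice.value, ok.fired_rules)          # 0 Allow []
    stolen = AccessRequest("alice", "RO", DeviceDetails("PC", "Windows 7", "Firefox", False, False, 0))
    bad = assess(stolen, HistoricalContext(frozenset({"US"}), 9000.0, 120.0, 0))
    print(bad.score, bad.advice.value, bad.fired_rules)       # 100 Deny [...]
    print(authorize("/portal/home", PASSWORD_LEVEL, bad))     # False
```

Two design points worth keeping from this toy: the rule list is data, so a new fraud pattern is a new row rather than a code change (the "simple rule-building console" of the earlier slide), and the authorization side never sees raw device data, only the score and advice, which is the narrow interface the slide describes between the risk engine and the access manager.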
CA ControlMinder product family: privileged identity management for physical & virtual environments
Shared Account Management (CA ControlMinder / Shared Account Mgmt.)
• Control passwords for administrative accounts
• Authorization workflow including "break glass"
• Accountability for shared account access
• Automatic login
• Integration with session recording software
• Manage application passwords, Windows services & scheduled tasks
UNIX Authentication Bridging (CA ControlMinder)
• Centralized UNIX administration
• Active Directory authentication
• Native integration with AD
• Kerberos-based single sign-on
Fine-Grained Access Controls (CA ControlMinder)
• Server security (physical/virtual)
• Manage fine-grained access
• Control activities by original user ID
• Segregation of duty
• Auditing of privileged access
User Activity Reporting / Session Recording (CA ControlMinder & CA Session Recording)
• Centrally manage CA ControlMinder audit logs
• Privileged user access reporting
• Access management log trending
• Track activities to original user ID
• UNIX keystroke logging
• Session recording integration
Privileged identity management
• Mitigate insider threats
• Enable compliance
• Stop targeted attacks
• Secure virtual environments
• Move to the cloud securely
CA ControlMinder: privileged identity management
• Shared account management
• Fine-grained access controls
• User session recording
• UNIX authentication bridging
• Virtualization security (hypervisor and VMs)
CA Data Protection solutions
Collaboration (CA DataMinder)
• Control sensitive information posted, stored and shared in collaboration platforms
• Provide convenient user access with security based on dynamic insight, including the sensitivity of content hosted on a given site
Cloud (CA DataMinder)
• Control the storage of sensitive corporate information across the datacenter and cloud
• Intelligent file protection in the cloud with content classification and control
Mobility (CA DataMinder)
• Control the distribution and communication of sensitive information via mobile technologies
• Secure mobile file sync and sharing that combines content classification with control, delivering intelligent file protection for mobile devices
Email (CA Email Control for the Enterprise)
• Mitigate the risk of exposing sensitive information through accidental, negligent and malicious email communication
• Precise control that protects sensitive messages at the source across a broad range of workstations, laptops and mobile devices
CA CloudMinder™: CA IdentityMinder as-a-Service, CA FedMinder as-a-Service
CA CloudMinder vision
Ability to deliver Identity and Access Management (IAM) capabilities as an enterprise-grade, unified service that provides a consumerized experience and addresses the current and future needs of both large and emerging enterprises.
CA CloudMinder services:
• Single Sign-On Service
• Advanced Authentication Service
• Identity Management Service
• Identity Governance Service
• Privileged Identity Management
• Authorization Service
• Data Protection Service
• Other security services…
Legend: planned / future direction
CA CloudMinder: suite of IAM cloud services
CA CloudMinder™ Identity Management
• User management
• Access request
• Hybrid provisioning: cloud & on-premise
• Identity synchronization
CA CloudMinder™ Advanced Authentication
• Strong authentication: software tokens, Q&A, OATH, CA AuthMinder™ PKI/OTP
• Roaming support (mobile devices)
• Risk analysis, adaptive authentication
• Device identification, geolocation
• Fraud prevention
CA CloudMinder™ Single Sign-On
• Standards-based federation
• STS (token translation)
• Just-in-time provisioning
• Integration with other CloudMinder services
New capability: support for IAM flexibility and choice
CA CloudMinder Bridge links on-premise IAM / private cloud (CA DataMinder™, CA ControlMinder™, CA IdentityMinder™, CA GovernanceMinder™) with the CA CloudMinder services (Identity Management, Federated Single Sign-On, Advanced Authentication, Identity Governance*, Privileged Identity Mgt*), SaaS apps and cloud platforms
Users served: mobile employee, consumer, partner user, internal employee
A managed service offering includes …
CA Technologies managed service offerings are designed for service providers to accelerate business growth:
• Market-leading CA products
• Deployment packaging
• Run books and automation
• Verification programs
• Reference architectures
• Service provider play books
• Education
• Technical support
The CA Technologies cloud security vision
CA CloudMinder:
• CA IdentityMinder as-a-Service: identity management and provisioning
• CA FedMinder as-a-Service: federated single sign-on
• CA AuthMinder as-a-Service*: strong, flexible authentication
• CA RiskMinder as-a-Service**: risk-based authentication
API Management with Layer 7
APIs: a practical, modern integration mechanism across use cases
• Provide a secure mobile backend to apps
• Solve the big data problem in IoT
• Enable internal & external developers
• Connect partners / divisions
• Provide a bridge to the cloud
Common API Needs
• Ease of Access
• Security & Identity
• Operational Control
• Business Visibility
• Documentation
• Adaptability
• Scalability
• Extensibility
Solution:
API Management
Layer 7 Mobile Access Gateway
Mobile API delivery
• Secure mobile endpoint
• Manage permissions across users, devices, apps
• Integration, scaling
Access control, UX
• Mobile PKI provisioning
• Mobile app-to-app SSO
• Latest standards (OAuth, OpenID Connect, JWT/JWS/JWE)
Increased developer velocity
• Mobile SDK for iOS and Android
• Configure, not code
• Form factors, deployment options
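A mobile API gateway that enforces the standards listed above (OAuth bearer tokens carried as JWT/JWS) has to validate the token before any backend call. This added example, not Layer 7 code, implements that check for HS256-signed JWS tokens using only the Python standard library: it pins the algorithm instead of trusting the token's own header (so an "alg": "none" token, or one re-signed under a different algorithm, is rejected), compares the signature in constant time over the bytes actually received, and only then checks issuer, audience, expiry and the OAuth scope the API requires. The signing key, issuer, audience, scope names and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (JWT) with HMAC-SHA256, as an OAuth authorization server would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_segment(header)}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """Attacker-side: an unsigned token that a verifier which trusts the header would accept."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


class TokenError(Exception):
    pass


def verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                 required_scope: str, now: int = None, leeway: int = 60) -> dict:
    """Gateway-side validation. Returns the claims or raises TokenError; never trusts the header."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError as exc:                     # bad base64 / bad JSON / bad UTF-8
        raise TokenError(f"undecodable token: {exc}") from None
    # 1. Pin the algorithm. The header is attacker-controlled, so dispatching on header["alg"]
    #    lets "none" (no signature) or an algorithm swap through.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # 2. Verify the signature over the exact bytes received (not a re-serialisation).
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    # 3. Only now look at the claims.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp + leeway:
        raise TokenError("expired or missing exp")
    if claims.get("nbf", 0) > now + leeway:
        raise TokenError("token not yet valid")
    if required_scope not in str(claims.get("scope", "")).split():
        raise TokenError(f"scope {required_scope!r} not granted")
    return claims


# Constructed demo material (not real keys or endpoints).
API_KEY = b"gateway-shared-secret-for-demo-only"
ISSUER, AUDIENCE = "https://idp.example.test", "mobile-orders-api"
NOW = 1700000000
DEMO_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "scope": "orders:read",
               "iat": NOW, "exp": NOW + 300}


def gateway_decision(token: str, now: int = NOW) -> str:
    """What the gateway would log for a request: 'allow <sub>' or 'deny: <reason>'."""
    try:
        return "allow " + verify_hs256(token, API_KEY, ISSUER, AUDIENCE, "orders:read", now)["sub"]
    except TokenError as exc:
        return f"deny: {exc}"


if __name__ == "__main__":
    print(gateway_decision(sign_hs256(DEMO_CLAIMS, API_KEY)))   # allow alice
    print(gateway_decision(forge_alg_none(DEMO_CLAIMS)))        # deny: unexpected alg 'none'
```

With asymmetric tokens (RS256/ES256 from OpenID Connect providers) the same shape applies: the gateway pins the expected algorithm per issuer and looks the verification key up by `kid` from a key set it already trusts, rather than accepting a key or algorithm the token itself names.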
API management & security with CA Layer 7
Security & govern
• Secure externalized data and business services
• Protect against DoS and API attacks
• Wrap the app with security policy & jailbreak detection
• Cache, throttle and meter
Developer portal
• Learn about APIs available for use
• Grant certificates for access
• Test environment
• API usage metrics & reporting
SaaS (Apify)
• Accelerate API projects through cloud delivery
• Deliver API gateway and developer portal capabilities from the cloud
• Reach cloud, mobile and smart technology markets faster
Protocol adaptation
• Leverage existing application infrastructures
• Convert legacy apps to REST APIs
• Create API composite applications
API management & security
Concerns addressed: legacy application environments, API threats, API management, developer tools, capital investment, privileged ID mgmt.
CA Layer 7 for API management & security
• Performance & scale
• Security depth
• Global management
• Deployment options
• Adaptation
• Simplicity
CA Security: overall picture
End-to-end mobile security
CA provides end-to-end security across today's complicated, heterogeneous mobile platforms to enable content access seamlessly and securely.
Questions