© 2014 CA. All rights reserved.
5 Reasons Why APIs Must Be A Part Of Your Mobile Strategy
K. Scott Morrison
Senior Vice President and Distinguished Engineer
February 2014
3 Copyright © 2013 CA. All rights reserved. No unauthorized copying or distribution permitted
Layer 7 SecureSpan Gateway: Secure and Manage Enterprise APIs
Gateway cluster at edge of network
DMZ deployment
Hardware appliance, virtual appliance or software
[Diagram labels: Enterprise Network, API/Service Servers …, Firewall 1, Firewall 2, Partners, Mobile Devices, Cloud, SSG Cluster, API/Service Client, Directory]
The MAG SDK
The Essence of the Problem: Secure Mobile Access to Apps and Data
How Do We Make APIs Available?
Firewall mazes
Diversity of clients and back-end systems
Clients and servers change at different rates
[Diagram labels: Enterprise Network, API/Service Client, API/Service Servers, Firewall 1, Firewall 2, Internet, Directory]
Of Particular Interest: Authentication, Authorization & SSO
Secure Transmission
We Want Classic SSO In An Active Profile For REST
Could leverage WS-Fed here
SAML’s second act?
[Diagram labels: API/Service Servers, Apps making RESTful API calls, Internet, Directory]
But We Also Want Local App SSO
So now it’s getting interesting…
“Like a VPN… but without all of the negatives”
Single Sign On App Group (these apps will share sign-on sessions)
[Diagram labels: apps A, B, C; API/Service Servers]
Mobile OS Isolation is an issue
Silos
[Diagram labels: App layer, Persistence layer]
Self Service: User should be able to log out if device is lost or stolen
Solution: Native Single Sign-On SDK For Mobile Developers
Strong Security for Mobile Apps: Cross-platform and built for a consumer or BYOD world
100% Standards-based using OAuth + OpenID Connect
X-app SSO with multi-factor auth & secure channel
X.509 Certificate provisioning for strong auth and transaction signing
[Diagram labels: Enterprise Network, API Servers, iPhone, Android, iPad, App-sharable Secure Key Store, One-time PIN (SMS, APNS, call)]
Client Deployment Strategy
Don’t make me work hard – But give me a strong and extensible security model
Transfer of security responsibility
– Let developers do what they do best
Simple SDK
– Align with common development-time environments: iOS, Android, JavaScript, etc.
– Mirror REST frameworks
Future
– Aspects, wrapping, etc.
Three Important Entities: All three are managed by the SDK+MAG
User
Apps
Devices
Protocol Strategy
OAuth + OpenID Connect profiled for mobile
Clear distinction between device, user and app
[Diagram labels: apps A, B, C; username/password; ID Token; Access Token/Refresh Token (per app); Authorization Server]
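As an added illustration (not code from the deck, nor from CA's MAG SDK), a toy authorization server in Python models the three entities the deck separates and the self-service logout from the earlier slide: one sign-on session per user and device (the ID token the app group shares), one access token per app on that device, and a device-level revocation that invalidates every app token on a lost device while the same user's tokens on other devices keep working. Class and method names are assumptions, and primary authentication is assumed to happen before a session is opened.

```python
import secrets
from dataclasses import dataclass

# Toy authorization server for the deck's three entities: user, device, app.
# Primary authentication (password plus one-time PIN) is assumed to have
# happened before start_session() is called; only the token topology is modelled.

@dataclass
class DeviceSession:
    user: str
    device: str
    id_token: str          # one per (user, device), shared by the SSO app group
    revoked: bool = False

class AuthorizationServer:
    def __init__(self):
        self.sessions = {}   # id_token -> DeviceSession
        self.by_device = {}  # (user, device) -> DeviceSession
        self.tokens = {}     # per-app access token -> (DeviceSession, app)

    def start_session(self, user, device):
        """Open the device-level sign-on session; returns the ID token the app group shares."""
        s = DeviceSession(user, device, secrets.token_urlsafe(16))
        self.sessions[s.id_token] = s
        self.by_device[(user, device)] = s
        return s.id_token

    def issue_app_token(self, id_token, app):
        """Exchange the shared ID token for an access token scoped to one app on this device."""
        s = self.sessions.get(id_token)
        if s is None or s.revoked:
            raise PermissionError("no valid sign-on session for this device")
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = (s, app)
        return tok

    def introspect(self, access_token):
        """What the gateway asks about a presented token: (user, device, app), or None."""
        entry = self.tokens.get(access_token)
        if entry is None:
            return None
        s, app = entry
        return None if s.revoked else (s.user, s.device, app)

    def revoke_device(self, user, device):
        """Self-service logout for a lost or stolen device: every app token on it dies at once."""
        s = self.by_device.get((user, device))
        if s is not None:
            s.revoked = True
        return s is not None
```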
Questions?
@KScottMorrison
slideshare.net/CAinc
linkedin.com/KScottMorrison
ca.com
K. Scott Morrison, Distinguished Engineer