
Upload: santiago-cavanna

Post on 15-Apr-2017


TRANSCRIPT

Page 1: Driving Customer and Employee Engagement With Single Sign-On and Access Management

1 © 2016 CA. ALL RIGHTS RESERVED.

Driving Customer and Employee Engagement With Single Sign-On and Access Management

Santiago Cavanna, Security Solution Account Director, Argentina, Chile, Bolivia, Uruguay and Paraguay.

Twitter: https://twitter.com/scavanna
Office: +54-11-43-17-15-95 | Mobile: +54-911-41-65-15-47 | [email protected]

Page 2

Agenda

1. INTRODUCTION
2. CA SINGLE SIGN-ON
3. FEDERATION AND OPEN STANDARDS
4. AUTHORIZATION/ACCESS MANAGEMENT
5. SESSION SECURITY
6. WHY CA

Page 3

Organizations Have Many Different Kinds of Apps

SaaS Apps

Mobile Apps

On-Premises Web Apps

Home Grown / Third Party

Page 4

Application Economy Opens Security Challenges

#1: Security concerns—the top obstacle in app economy

16,856: Number of attacks for the average company

78%: Increase in # of breached records from 2013 to 2014

13.1%: Average cost to the company for a breach

1. All data on this slide from CA Application Economy Market Study commissioned by CA, conducted by Vanson Bourne, 2014
2. The 2014 Cost of Cyber Crime Study Reveals Increased Risks, Oct, 2014
3. http://breachlevelindex.com/pdf/Breach-Level-Index-Annual-Report-2014.pdf

Page 5

CA IAM Addresses Security Challenges

- CA Single Sign-On
- CA Strong Authentication*: Patented software-based two factor authentication
- CA Risk Authentication: Risk assessment for authentication and access decisions
- CA API Management & Security: SSO across API access and native mobile apps
- CA Identity Suite: Automation of RBAC
- CA Directory: High performance store
- CA Secure Cloud: SaaS-based IAM

Page 6

A Common Security Access Management Solution is Critical

ENABLE THE BUSINESS

Cloud Services

On-Premises Apps

Engage with your customers faster & better.

Make your employees more productive.

Customers / Citizens

Employees / Partners

Connected Apps / Devices

PROTECT THE BUSINESS

Strongly validate each user’s identity.

Control user access.

Provide consolidated access audit.

Single Sign-On

Page 7

There are Three Critical Areas to Discuss When Considering an SSO Solution

Single Sign-On

Session Security

Authorization/Access Management

Federation & Open Standards

Page 8

CA Single Sign-On, Including Federation & Open Standards

Page 9

CA Single Sign-On is Itself a Comprehensive Suite for SSO and Web Access Management

Authentication
- Broad range of authentication methods
- Step-up authentication policy
- Enforce dynamic authentication for federation

Authorization & Access Management
- Providing SSO to applications that don’t use open standards
- Controlling which users access which application components
- Ability to centralize application security

Single Sign-On
- Support for open standards
- SaaS Runbook program with over 150 partner applications
- Five methods for flexible application integration

Session Security
- Management of a single user online session
- Integrated step-up authentication and timeouts
- Continuous patent-pending security for online session

CENTRALIZED ADMINISTRATION

CENTRALIZED AUDITING

Page 10

Flexible Solution to Meet Many Needs in a Single Deployment

CA Single Sign-On

Open Standards

SOAP and REST APIs

Policy Enforcement Gateway

Open Format Token

Policy Enforcement

Connectors (Agents)

Page 11

Flexibility to Meet Different Business Needs

WEB ACCESS MANAGEMENT (TIGHTLY COUPLED)
- Access management
- Policy enforcement points to examine each request
- Gateway or specific CA Single Sign-On agents for the Web, application, ERP/CRM server

FEDERATION (LOOSELY COUPLED)
- Identity passed from identity provider to applications
- Claims approach to SSO
- Application remains in control of own security policies

Page 12

Flexibility to Meet Different Business Needs

TIGHT COUPLING: Traditional “Access Management”
- Authorization
- Centralized auditing
- Centralized session management
- Access control at the application
- Policy enforcement points between the browser and websites
- CA Single Sign-On gateway or agent for the Web, application, ERP/CRM server

LOOSE FEDERATION: Loose passing of the identity from one app to another
- Standards (SAML, WS-Federation, OAuth)
- Custom (Open Format Cookie)
- Claims approach to SSO
- Enables separation of identity validation from resource being accessed

Page 13

CA Single Sign-On

Tightly Coupled Connector Examples

(Diagram: tightly coupled connectors across the layers of a deployment.)

User Store: CA Directory, DB2, SunONE LDAP, Oracle RDBMS, Active Directory, SQL 2012, LDAP

Application Layer: Intranet, E-Commerce, Portal, ERP/HR, CMS, Partner Extranet

Operating System

Security Layer

Users: Employees, Administrators, Partners, Executives, Customers, End Users

Page 14

CA Single Sign-On Can Enable You for Open Standards

WS-Fed

SAML 1.1 and 2.0 profiles for accessing SaaS apps and partner to partner single sign-on

OAuth 2.0 to support social media identities

STS translation to WS-Federation for single sign-on to Office 365® via browser and thick clients

CA SSO & Open Standards

Page 15

Because Standards Aren’t Enough: The CA Security SaaS Validation Program

Requisite security

Improved user experience

Benefits

Faster connection to cloud apps

Scalable

A formal program to validate secure single sign-on to SaaS solutions with CA Single Sign-On and CA Secure Cloud*

WHAT IS IT?

Faster, proven integration = enabling the business

Backed by CA Support

WHY?

Runbooks that map out your steps

View current runbooks on the CA Support site: http://bit.ly/1mZyWwJ

RESULT

Accelerating the Secure Connection to Cloud-Based Services

Page 16

Some of the 165+ Partners to Date

AnswerHub, Bime, BMC Remedyforce, Cerner, Dropbox, Druva, HappyFox, HighTail, Kindling, MediaCore, NetSuite ERP, PayPal IDP, ProofHQ, ScreenSteps Live, ThoughtSpot, Workforce Software, Twitter IDP, Watchdox, SugarCRM, Tableau, Huddle, ImageWare Systems Inc, IQ Navigator, Jive, Blue Coat, Central Desktop, SocialBridge, CloudBees, Clarizen, Elastica, DocuSign, Hearsay Social, IdeaScale, Imaginatik, Panopto, Qualtrics, Rally Software

Page 17

Authorization/Access Management

Page 18

Policy-Based Authorization

Restrict access by user, role, groups, dynamic groups or exclusions.

Secure fine-grained authorization at the file, page or object level.

Determine access based on location, time or authentication context.

Send static, dynamic (SQL queries), or profile attributes in responses.

Redirect users based on type of authentication or authorization failure.

(Diagram: anatomy of a CA SSO policy.)

What? (SiteMinder Rule): describes the resource being accessed.

Who? (user identity or role): is the user included or excluded?

Optional conditions: IP address, time, custom. SiteMinder variables cover external factors, network restriction, time restriction and request characteristics.

Action (SiteMinder Response): the action that results from processing.
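The policy shape described on this slide (what, who, optional conditions, action) can be made concrete with a small evaluator. The following is an added example written for this page, not CA Single Sign-On code: the rule fields, the two-level authentication scale, the redirect targets and the users, roles, networks and profile attributes are all constructed. It also shows the point the last two bullets make, that an authentication failure sends the user to step up while an authorization failure sends them to a denied page, and that the response to the application is assembled from static values plus profile attributes.

```python
"""Policy-based authorization: a rule names the resource (what), who is
included or excluded, optional conditions (client network, time window,
authentication context) and the action that results (allow with a response
to the application, or redirect to a page chosen by the kind of failure).
Added example with constructed data; field names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed redirect targets: authentication failures and authorization
# failures send the user to different places.
STEP_UP_URL = "/login/step-up"
DENIED_URL = "/access-denied"


@dataclass
class Request:
    user: str
    roles: frozenset
    resource: str
    client_ip: str
    at: datetime
    auth_level: int          # constructed scale: 1 = password, 2 = password + OTP


@dataclass
class Rule:
    resource_prefix: str                          # WHAT: the resource being accessed
    allow_roles: frozenset                        # WHO: roles included
    exclude_users: frozenset = frozenset()        # WHO: explicit exclusions win over roles
    networks: tuple = ()                          # condition: allowed client networks (CIDR)
    hours: Optional[tuple] = None                 # condition: (start, end) wall-clock window
    min_auth_level: int = 1                       # condition: authentication context required
    static_response: dict = field(default_factory=dict)   # static values sent to the app
    profile_attributes: tuple = ()                # profile attributes sent to the app


@dataclass
class Decision:
    allowed: bool
    reason: str
    response: dict = field(default_factory=dict)  # headers the application receives
    redirect: Optional[str] = None                # where a refused user is sent


def evaluate(rules, req, profiles):
    """Decide req under the first rule whose resource prefix matches (default deny)."""
    rule = next((r for r in rules if req.resource.startswith(r.resource_prefix)), None)
    if rule is None:
        return Decision(False, "no matching rule", redirect=DENIED_URL)
    # WHO: exclusions are evaluated before inclusions, so a role grant cannot
    # override an explicit exclusion.
    if req.user in rule.exclude_users:
        return Decision(False, "user explicitly excluded", redirect=DENIED_URL)
    if not (req.roles & rule.allow_roles):
        return Decision(False, "no included role", redirect=DENIED_URL)
    # Optional conditions: network, time, authentication context.
    ip = ip_address(req.client_ip)
    if rule.networks and not any(ip in ip_network(n) for n in rule.networks):
        return Decision(False, "client network not permitted", redirect=DENIED_URL)
    if rule.hours and not (rule.hours[0] <= req.at.time() < rule.hours[1]):
        return Decision(False, "outside permitted hours", redirect=DENIED_URL)
    if req.auth_level < rule.min_auth_level:
        # Authentication (not authorization) failure: send the user to step up.
        return Decision(False, "authentication context too weak", redirect=STEP_UP_URL)
    # ACTION: allow, and assemble the response (static values plus profile attributes).
    profile = profiles.get(req.user, {})
    response = dict(rule.static_response)
    response.update({a: profile[a] for a in rule.profile_attributes if a in profile})
    return Decision(True, "allowed", response=response)


# Constructed policy: fund transfers need the finance role, an internal client
# address, business hours and a second factor; reports need only a role.
RULES = (
    Rule("/finance/transfer", frozenset({"finance"}),
         exclude_users=frozenset({"contractor1"}), networks=("10.0.0.0/8",),
         hours=(time(8, 0), time(18, 0)), min_auth_level=2,
         static_response={"X-App-Tier": "restricted"},
         profile_attributes=("email", "costcenter")),
    Rule("/finance/", frozenset({"finance", "audit"}), profile_attributes=("email",)),
    Rule("/intranet/", frozenset({"employee"})),
)
PROFILES = {"ben": {"email": "ben@example.test", "costcenter": "CC-42"}}   # constructed


def decide(user, roles, resource, client_ip, hour, auth_level):
    """Convenience wrapper for the constructed policy (date fixed to 2016-05-03)."""
    req = Request(user, frozenset(roles), resource, client_ip,
                  datetime(2016, 5, 3, hour, 0), auth_level)
    return evaluate(RULES, req, PROFILES)


if __name__ == "__main__":
    for args in [("ben", {"employee", "finance"}, "/finance/transfer", "10.1.2.3", 10, 2),
                 ("ben", {"employee", "finance"}, "/finance/transfer", "10.1.2.3", 10, 1),
                 ("ben", {"employee", "finance"}, "/finance/transfer", "203.0.113.5", 10, 2),
                 ("contractor1", {"finance"}, "/finance/transfer", "10.1.2.3", 10, 2),
                 ("ben", {"employee"}, "/hr/payroll", "10.1.2.3", 10, 2)]:
        d = decide(*args)
        print(args[0], args[2], "->", d.reason, d.redirect or d.response)
```

Two design points carry over to any real policy engine: the resource with no matching rule is denied rather than allowed, and exclusions are checked before inclusions so a broad role grant cannot quietly re-admit a user who was explicitly removed.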

Page 19

Attribute Sources to Support Authorization Decisions

Enterprise Directory or Database

Social Media Tokens

SAML Assertions

Web Service

Back Channel Request

Page 20

Session Management and Security

Page 21

There Are Many Ways That Attackers Can Hijack User Sessions; If You Use an SSO Solution, You Have to do it Securely

There are several attack vectors:*
- Predictable session token
- Session sniffing
- Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
- Man-in-the-middle attack
- Man-in-the-browser attack

* https://www.owasp.org/index.php/Session_hijacking_attack

Don’t forget about individually vulnerable sites/apps! SSO solutions need to link individual app tokens to secure tokens. (Source: Enterprise SSO Administrators)

Page 22

A Multi-Layer Problem

APPLICATION-SPECIFIC SESSION TOKENS

JSESSIONID in WebSphere

MYSAPSSO2 in SAP

SINGLE SIGN-ON SOLUTION

SMSESSION

CROSS-DOMAIN SINGLE SIGN-ON SOLUTION

Federation token

Page 23

Enhanced Session Assurance with DeviceDNA

WHAT:
- Patent-pending client identification technology sourced from CA Risk Authentication*
- Supports CA Single Sign-On SSO, CA Federation IdP and SP patterns
- Installs with 12.52 Policy Server, Admin UI and CA Access Gateway
- Applied on a per realm or per application basis
- Session store required

VALUE: Improves defense against “session hijacking” or “session replay”

* formerly CA RiskMinder™

Page 24

Session Linker Bolsters the Defense Against Session Hijacking

While CA Single Sign-On 12.52 can defeat session hijacking, sites may still be vulnerable—applications use their own session cookies.

Session Linker links the application’s session to the CA Single Sign-On session that is not susceptible to session hijacking

The CA Single Sign-On Session Linker can detect and stop session hijacking attacks for the application’s session.

Can be done without any modification or recoding to the application.

Available to all CA Single Sign-On 12.51+ customers as part of the CA Access Gateway—must be using a proxy architecture to use Session Linker.
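The linking idea on this slide, and the multi-layer token picture on page 22 (JSESSIONID or MYSAPSSO2 for the application, SMSESSION for SSO), can be shown with a small gateway-side check. This is an added example written for this page, not CA's Session Linker: it assumes a proxy that sees both cookies, records which SSO session each application cookie was issued under, and refuses an application cookie that arrives with a different SSO session or none at all. SSO validation itself is assumed to happen in the SSO layer and is represented here only by the session id it hands over (or `None` when there is no valid SSO session). The cookie values and session ids are constructed.

```python
"""Gateway-side session linking: bind each application session cookie to the
SSO session present when the application issued it, and refuse the pair when
they no longer match. Added example, not CA's Session Linker; cookie handling
is simplified and the SSO validation is assumed to happen elsewhere."""
import hashlib
import hmac
from http.cookies import SimpleCookie


class SessionLinker:
    def __init__(self, app_cookie="JSESSIONID", sso_cookie="SMSESSION"):
        self.app_cookie = app_cookie
        self.sso_cookie = sso_cookie
        self.links = {}          # digest of app cookie value -> SSO session id

    @staticmethod
    def _digest(value):
        # Keep a digest rather than the raw cookie, so the link table is not
        # itself a store of replayable application tokens.
        return hashlib.sha256(value.encode()).hexdigest()

    def on_response(self, sso_session_id, set_cookie_headers):
        """Inspect the application's Set-Cookie headers and link any new app session."""
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            if self.app_cookie in jar:
                self.links[self._digest(jar[self.app_cookie].value)] = sso_session_id

    def check_request(self, sso_session_id, cookie_header):
        """Return (allowed, reason). sso_session_id is None when the SSO layer
        found no valid SSO session on the request."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        if self.app_cookie not in jar:
            return True, "no application session yet; SSO decides"
        linked = self.links.get(self._digest(jar[self.app_cookie].value))
        if linked is None:
            return False, "application session was not issued through this gateway"
        if sso_session_id is None or not hmac.compare_digest(linked, sso_session_id):
            return False, "application session is not linked to the presenting SSO session"
        return True, "application session linked to SSO session"

    def on_logout(self, sso_session_id):
        """Drop links when the SSO session ends, so the app cookie dies with it."""
        self.links = {d: s for d, s in self.links.items() if s != sso_session_id}


def scenario():
    """Constructed replay of the deck's Ben/Andre story through the linker."""
    linker = SessionLinker()
    # Ben authenticates (SSO session sso-ben-1) and the application issues his cookie.
    linker.on_response("sso-ben-1", ["JSESSIONID=abcd1234; Path=/; HttpOnly; Secure"])
    ben = linker.check_request("sso-ben-1", "SMSESSION=ben-sso-token; JSESSIONID=abcd1234")
    # Andre replays Ben's JSESSIONID, once with his own SSO session and once without.
    andre_own_sso = linker.check_request("sso-andre-1",
                                         "SMSESSION=andre-sso-token; JSESSIONID=abcd1234")
    andre_no_sso = linker.check_request(None, "JSESSIONID=abcd1234")
    # After Ben logs out of SSO, even his own SSO id no longer unlocks the app cookie.
    linker.on_logout("sso-ben-1")
    after_logout = linker.check_request("sso-ben-1", "JSESSIONID=abcd1234")
    return ben[0], andre_own_sso[0], andre_no_sso[0], after_logout[0]


if __name__ == "__main__":
    print(scenario())   # (True, False, False, False)
```

The check only helps when every path to the application passes through the gateway, which is why the slide requires a proxy architecture: an application port reachable directly still accepts the bare application cookie.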

Page 25

Why CA

Page 26

Heterogeneous Support

CA Single Sign-On operates as a best-of-breed solution that integrates with both CA’s and outside vendors’ solutions.

Two-factor authentication

Identity management

User directories

Governance

Roles

Risk evaluation

CA Single Sign-On allows you to choose which OS, access method, SSO architecture and integrated components you use to build your infrastructure.

MULTIPLE PLATFORMS & OPERATING SYSTEMS

MULTIPLE CHANNELS OF ACCESS

MULTIPLE SSO ARCHITECTURES

Page 27

Requirements Beyond SSO

(Diagram: User, Administrator, Resources.)

Authentication and Authorization

Password policies

Step up authentication

Integrated multi-factor authentication

Integrated risk-based authentication

Attribute-based authorization

Risk-based authorization

Directory mapping and chaining

Session Management

Session replay prevention

Session timeouts

Single log out

Linking to application-specific sessions

Administration

Centralized audit

Scoped/delegated administration

OTHER BENEFITS/CAPABILITIES

Proven enterprise-class scalability, reliability, credibility

Integrated solution vs. point product

Professional services team that can extend the solution for your specific needs

Strong partnerships with other technology vendors

Continued investment in innovation and emerging technologies

Page 28

CA Single Sign-On Customer Success

3 out of the top 3 Oil & Gas companies

10 out of the top 15 US Commercial Banks

7 out of the top 8 US Government Agencies

6 out of the top 7 US Manufacturing

4 out of the top 6 aerospace

5 out of the top 5 telecoms

4 out of the top 5 global Fin. Services

5 out of the top 10 pharmaceuticals

Rankings based on 2013 Fortune.com data. Gov ranking based on 2013 data of # of employees

Page 29

Page 30

Legal Notice

Copyright © 2016 CA. All rights reserved. Microsoft, Windows Server, SharePoint, Office 365, Active Directory, Lync, Outlook and Windows Azure are either

registered trademarks or trademarks of Microsoft Corporation in the United States and /or other countries. IBM and WebSphere are trademarks of

International Business Machines Corporation in the United States, other countries, or both. All trademarks, trade names, service marks and logos referenced

herein belong to their respective companies. No unauthorized use, copying or distribution permitted.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO

THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION,

ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or

damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or

lost data, even if CA is expressly advised of the possibility of such damages.

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations

of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any

product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this

presentation remain at CA’s sole discretion.

Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation,

CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such

releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available

basis.

The information and results illustrated here are based upon each identified customer’s unique experiences with the referenced software product in a variety of environments, which may include production and non-production environments. Past performance of the software products in such environments is not necessarily indicative of the future performance of such software products in identical, similar or different environments.

Page 31

Resources

• Data Sheet: CA Single Sign-On
• Data Sheet: CA Federation
• Data Sheet: CA Access Gateway
• Data Sheet: CA Single Sign-On Agent for SharePoint
• eBook: CA Single Sign-On Enhanced Session Assurance with DeviceDNA
• Solution Brief: Employee-focused Use Cases
• Solution Brief: Consumer-focused Use Cases
• CA Services: Single Sign-On
• Documentation: Single Sign-On

Page 32

Recent Release Highlights

Page 33

Significant CA Single Sign-On Commitment

* formerly CA SiteMinder® Federation
** formerly CA SiteMinder® Secure Proxy Server

MARCH 2012: CA Single Sign-On Family 12.5. Feature release—Simplified federation administration, risk-based identity assurance, Enhanced Federation, Identity mapping

AUGUST 2012: CA Access Gateway** 12.5. Feature release—UI, enhanced proxy rules, monitoring, session linking, instance discovery

OCTOBER 2012: Standalone version of CA Federation* 12.5. Feature release—Admin SOD, cert mgmt, attribute mapping, eGov, Auth context

DECEMBER 2012: CA Secure Cloud SSO service

APRIL 2013: CA Single Sign-On Family 12.51. Feature release—Integrated UI for WAM/FED/SOA, social media support, multi-channel SSO support

DECEMBER 2013: CA Single Sign-On Family 12.52. Feature release—Enhanced session assurance with DeviceDNA™, SSO between Office 365 & Microsoft® rich clients, enhanced social sign-on

AUGUST 2014: CA SiteMinder Family 12.52 SP1. General update release for all components

OCTOBER 2015: CA Single Sign-On Family 12.52 SP2. This was a focused release to support Windows 2012 R2 for the core server components (PS, Admin UI, SDK, Report Server). Also in-memory tracing features and embedded support data collection tool (CA Remote Engineer).

Page 34

CA Single Sign-On Recent Features

BENEFIT / FEATURE: DESCRIPTION (RELEASE)

Increased Security
- User Re-Validation: Require re-authentication for sensitive resources every time a user accesses them. (12.51)

Expand support for single sign-on and access management.
- Web Service Interfaces: RESTful and SOAP-based Web service interfaces for authentication and authorization. (12.51)
- Social Media Identities: Consume OAuth 2.0-based identities produced by Google and Facebook. (12.51)
- Open Format Cookie: Agent-less form of SSO applies to applications that have less stringent security needs. (12.51)

Deliver secure new business services.
- Enhanced Session Assurance with DeviceDNA: Patent-pending technology improves defense against “session hijacking” or “session replay.” (12.52)
- Session Linker: Session Linker links the application’s session (cookie) to the CA Single Sign-On session that itself is not susceptible to session hijacking. (12.52)

Secure the mobile, cloud-connected enterprise.
- Enabling SSO Between Office 365 & Microsoft Rich Clients: WS-Fed 1.2 Active Profile Support—Enables the Microsoft Rich Client tools, including Outlook, Office 365 client, and mobile apps. (12.52)

Page 35

Social Media

Page 36

Social Media Drives New Requirements

Improve customer engagement.

NEED TO GROW THE BUSINESS

Facebook—Increase fans, “likes.”

Twitter—Increase followers.

LinkedIn page—Increase followers.

INCREASE THEIR USE OF SOCIAL SITES

AND MEDIA

Coca-Cola > 50m

Walt Disney > 30m

Starbucks > 26m

REACH MILLIONS OF FANS DIRECTLY

Demographic information is not provided.

New Facebook anonymous login makes it more difficult to obtain personal info.

MARKETING OPPORTUNITIES

ARE LIMITED

Page 37

Use Consumer Identity for Initial Customer Acquisition and Low Risk Transactions

Sign in with stronger credentials when needed for high value transactions

Increases sign up rate.

Collecting identity attributes allows for immediate personalized marketing.

Increase customer engagement by eliminating multiple logins.

Page 38

Three Years Ago, Most Organizations Wouldn’t Do Business With Social Credentials—That Has Changed

Social Login Preferences¹
- 77% of respondents believe websites should offer social login.
- 86% hesitant to create new account for each website they visit.
- 80% of Web users will choose social login if offered.

Which of these additional social tactics does your company plan to use?²

(Chart: categories Currently use, Plan to use in next 12 months, Do not plan to use; values shown 54%, 17%, 29%; Persistent vs Transient.)

1) WebHostingBuzz State of Social Sharing 2013 study

2) Forrester, Inc. http://blogs.forrester.com/kim_celestre/14-05-20-look_beyond_the_obvious_when_considering_social_login

To Consider
- Increase customer engagement.
- Marketing—“Likes” drive attention.
- Provide customers with tailored content (but be aware of Facebook’s Anonymous Login).
- Customers may choose a social-enabled competitor.
- Improve customer user experience.

Why It’s Important

Page 39

Enhanced Social Sign-on With OAuth 2.0 and 1.0a

- OAuth 2.0 and 1.0a RP side
- Simpler administration via WebUI and partnerships
- Just-in-time provisioning integration
- Out-of-the box pre-validated social provider support: Facebook, Google+, LinkedIn, Twitter, Microsoft Live

Page 40

Federation—Additional Slides

Page 41

Employee-Focused Federation Can Improve Productivity and Simplify Management

Employees

Benefits
- Fewer help-desk calls
- Happier, more productive employees
- Reduced storage of employee information
- Seamless integration between corporate and remote assets

Partner Apps, Company Intranet, On-Premises Web Apps, Third-Party Web Apps

Page 42

Consumer-Focused Federation Improves Your User Experience and Enables Re-Branded Partner Services

Provide services to your customers faster.

Make your customer experience seamless.

Consumers

Your Site (Your Logo Here)

Partner Apps

Benefits

Federation needs to integrate with existing on-premises access management solutions.

On-Premises Web Apps, Third-Party Web Apps

Page 43

The Need For Open, Standards-Based SSO Within and Outside The Organization Is Growing

Benefits
- Organizations using standards can prevent vendor lock-in.
- Reduce time-to-deployment within the enterprise for applications that know how to speak on a federated protocol.
- SSO with third parties to partners, SaaS vendors, etc.
- Seamlessly move functionality to the cloud faster using federation—for both internal and consumer apps.

Page 44

Enabling SSO between Office 365 & Microsoft Rich Clients

(Diagram: Lync user; Enterprise with Active Directory and STS; Office 365 Cloud with Sign-In Service and Lync Online.)

1. STS Discovery
2. On-Premises Login
3. O365 Login
4. Lync Access

Simple administration is part of WS-Fed Federation Partnership.

Verification with: Outlook, Office clients, Lync, Dynamics CRM for Outlook

“Works with Office 365” certification http://technet.microsoft.com/en-us/library/jj679342.aspx#BKMK_6

Page 45

Session Management—Additional Slides

Page 46

The More Things Change…The OWASP Top 10 Most Critical Web Application Security Risks

https://www.owasp.org/images/c/ce/OWASP_Top_Ten_2004.doc
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

2003
1. Unvalidated Parameters
2. Broken Access Control
3. Broken Account and Session Management
4. Cross-Site Scripting (XSS) Flaws
5. Buffer Overflows
6. Command Injection Flaws
7. Error Handling Problems
8. Insecure Use of Cryptography
9. Remote Administration Flaws
10. Web and Application Server Misconfiguration

2013 The Latest
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function-Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards

Page 47

Session Hijacking—What Is It?

Session hijacking consists of the exploitation of the Web session control mechanism, which is normally managed for a session token.*

* https://www.owasp.org/index.php/Session_hijacking_attack

(Diagram: user Ben and hacker Andre against Application Access Management and the Application.)
- Ben logs in; his session token is abcd1234. Result: Success! “Hello, Ben!”
- Andre (own token zzz999) logs in with Ben’s stolen cookie. Result: Success! “Hello, Ben!” Andre is now inside Ben’s app session.

Page 48

Risk-Based Authentication Is Great, But What Happens AFTER Login?

The Problems With This Model
1. It’s inconvenient.
2. It violates “least privilege.”

WHAT DOES THE USER NEED TO DO WITH THE SESSION?
- View-Only Access: View your checking account balance.
- Take Action: Transfer Funds.

Login: Questions, OTP

Page 49

What Happens During a User Session Matters

(Diagram: an Employee, or Customer, moving through a session.)

Low Risk to High Risk: IT Help Desk, Meeting Room Manager, HR or Finance, Benefits

Read-Only to Take Action

Page 50

Session Hijacking May Be Old, But Protecting Against it Requires New Capabilities

Covert Redirect: OAuth & OpenID security flaw. Flaw in online login protocols could be used to steal data, redirect users to malicious websites. No concerted and coordinated response.

Heartbleed Bug: OpenSSL exploited to steal active, authenticated session token. Circumvented multi-factor authentication on VPN.

Are you ready for what’s next?

Page 51

There Are Device Identification Techniques That Can Prevent Session Hijacking

(Diagram: the same scenario as page 47, with unique device verification added to Application Access Management.)
- Ben logs in from Ben’s device; his session token is abcd1234 and his unique device identifier is captured. Result: Success! “Hello, Ben!”
- Andre (own token zzz999) logs in with Ben’s stolen cookie from Andre’s device. Access attempt: Denied!

Page 52

There Are Currently Two Primary Methods of Ensuring Session Security

Continuous Device Identification

Risk-Based Authorization: Risk Score from 0 (Low Risk) to 100 (High Risk)

Page 53

Continuous Device Verification During a Session

USER SESSION (Time: 0, 10, 20, 30)
- Time 0: User initially authenticates; unique device identifier is captured.
- Device check at specified interval (10, 20, 30).
- User requests SSO access to Office 365: no additional check required.
- User requests SSO access to Finance App: additional device check.
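The timeline on this slide can be run as code: capture a device identifier at login, re-check it at a fixed interval, and re-check it immediately for applications marked sensitive regardless of where the interval stands. The following is an added example written for this page, not CA's DeviceDNA; the device attributes, the way they are reduced to an identifier, the interval, the list of sensitive applications and the session ids are all constructed. It also shows why the slide distinguishes the two request types: between interval checks a request from any device is accepted unless the application forces its own check.

```python
"""Continuous device verification during a session: the device identifier is
captured at login, re-checked at a fixed interval, and re-checked at once for
sensitive applications. Added example with constructed data; not DeviceDNA."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class SessionRecord:
    user: str
    device_id: str       # digest of the device identifier captured at login
    last_check: int      # time of the last successful device check


def device_id(attributes):
    """Reduce a dict of client characteristics to a stable identifier (constructed)."""
    canonical = "|".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hashlib.sha256(canonical.encode()).hexdigest()


class DeviceVerifier:
    def __init__(self, interval, sensitive_apps):
        self.interval = interval
        self.sensitive = set(sensitive_apps)
        self.store = {}                  # session store: session id -> SessionRecord

    def login(self, session_id, user, device_attrs, now):
        self.store[session_id] = SessionRecord(user, device_id(device_attrs), now)

    def request(self, session_id, app, device_attrs, now):
        """Return 'granted: ...' or 'denied: ...' for a request made at time `now`."""
        rec = self.store.get(session_id)
        if rec is None:
            return "denied: no such session"
        interval_due = now - rec.last_check >= self.interval
        if not interval_due and app not in self.sensitive:
            return "granted: no additional check required"
        why = "interval" if interval_due else "sensitive app"
        if not hmac.compare_digest(rec.device_id, device_id(device_attrs)):
            # A failed check ends the whole SSO session, not just this request,
            # so the stolen token cannot simply be retried elsewhere.
            del self.store[session_id]
            return f"denied: device mismatch on {why} check, session terminated"
        rec.last_check = now
        return f"granted: {why} check passed"


def timeline():
    """Constructed walk through the slide's timeline (time units as on the slide)."""
    ben_device = {"ua": "Browser/1.0", "screen": "1920x1080", "tz": "-3", "fonts": "abc"}
    andre_device = {"ua": "Browser/1.0", "screen": "1366x768", "tz": "+1", "fonts": "xyz"}
    v = DeviceVerifier(interval=10, sensitive_apps={"finance"})
    v.login("sess-ben", "ben", ben_device, now=0)
    return [
        v.request("sess-ben", "office365", ben_device, now=5),     # inside interval
        v.request("sess-ben", "office365", ben_device, now=12),    # interval check
        v.request("sess-ben", "finance", ben_device, now=15),      # sensitive app check
        # Andre presents Ben's stolen session id from his own device.
        v.request("sess-ben", "finance", andre_device, now=16),
        v.request("sess-ben", "office365", ben_device, now=17),    # Ben: session gone
    ]


if __name__ == "__main__":
    for line in timeline():
        print(line)
```

The interval is the tuning knob: a shorter one narrows the window in which a replayed session is accepted at the cost of more checks per session, and marking the high-value applications as sensitive closes that window for them entirely.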

Page 54

There Are Device Identification Techniques That Can Prevent Session Hijacking

(Diagram repeated from page 51.)

Page 55

Risk-Based Authorization During a Session

User Session (Time: 0): User initially authenticates. Risk score is generated. Risk Score = 75 (scale from Low Risk to High Risk).

User requests access to (risk score & access risk evaluation, then access granted or denied):
- IT Help Desk: Access Granted
- Benefits Site: Step-Up Authentication Required
- Finance: Access Denied
- Finance: Access Granted

Page 56

Enhanced Session Assurance with DeviceDNA Deployment Architectures

Agent Focused: Browser; CA Access Gateway (w/DeviceDNA); Web Server with CA Single Sign-On Agent; CA Single Sign-On Policy Server

Proxy Focused: Browser; CA Access Gateway (w/DeviceDNA); Web Servers; CA Single Sign-On Policy Server

Hybrids of Agent and Proxy architectures also supported

Page 57

Other

Page 58

CA Web Access Management Strategy

Extend the security model from Web to API.

Advanced Authentication signals: Device, Geolocation, Velocity, User history, Fraud patterns

Customers, Employees, Partners; any device/channel; Web applications

Context-based authentication; Flexible Access Mgmt & Secure SSO

WHAT YOU NEED TO DO: Adopt risk-based approach to user authentication. Provide advanced authentication for suspicious activities/transactions. Centralize security policy management.

VALUE TO YOUR BUSINESS: Increases security without inconveniencing end users. Detects and blocks fraud with real-time risk analysis. Improves security and reduces security admin costs.

Page 59

Securely and Conveniently Enable Multi-Channel Access

APIs/Web Services

WEB APPS

CUSTOMERS

Simplify registration/login/profile management. Provide a convenient, consistent experience. Enable single sign-on across apps & services.

WHAT YOU NEED TO DO

Improved customer experience/loyalty Coordinated security across Web, mobile, APIs Accelerated delivery of new apps

VALUE TO YOUR BUSINESS

MOBILE APPS

ON-PREMISES

ON DEVICE

FROM THE CLOUD

Page 60

Centralized Administration of Web Access… With CA Single Sign-On

- Reduced security administration costs
- Reduced coding and maintenance
- Much improved user experience
- Centralized security enforcement
- Standardized security process
- Unified central auditing

Users: Employees, Administrators, Partners, Executives, Customers, End Users

Application Layer: Intranet, E-Commerce, Portal, ERP / HR, CMS, Partner Extranet, SCM, Cloud/Outsourced services

Security Layer: CA Single Sign-On, Standards-based Federation

User Store: Siemens DirX, Oracle OID, SunONE LDAP, Oracle RDBMS, Active Directory, SQL 2008, LDAP

Operating System

Page 61

Flexibility to Meet Different Business Needs

Access Management, from Tightly Coupled to Loosely Coupled:

- Web Access Management (tightly coupled): Centralized Policy Decision Point; specific CA Single Sign-On agent for the web, application, ERP/CRM server, etc.
- Federation (loosely coupled): Loose passing of the identity from one app to another; claims approach to SSO; enables separation of identity validation from the resource being accessed

Page 62

Flexibility to Meet Different Business Needs

TIGHT COUPLING: Traditional “Access Management”

The exchange on the slide: the user says “I need to see this”; the agent says “STOP!”, asks the policy decision point “Can they?”, gets “Yes”, and answers “OK”.

- Authorization
- Centralized auditing
- Centralized session management
- Access control at the application

Centralized Policy Decision Point; specific CA Single Sign-On agent for the Web, application, ERP/CRM server, etc.

Page 63

Flexibility to Meet Different Business Needs

LOOSE FEDERATION

The exchange on the slide: “I am Bob.” / “Here is a token. Give this token to the other site.” / “Hi, Bob.” / “Are you two able to talk?”

Passing of the identity from one app to another:

- Standards (SAML, WS-Federation, OAuth)
- Custom (Open Format Cookie)

Claims approach to SSO: enables separation of identity validation from the resource being accessed.

Page 64

When Users Have Multiple Online Identities, There Are User and Administrative Costs

End User: users are continually asked to present their online identity again and again.

Administrator: administrators have to create access policies in parallel for every user identity.

Page 65

Customers Agree! Stats

CA SSO Customers— FY2014

- 42% of CA Single Sign-On users stated that CA Single Sign-On is 50% or more cost-effective than individual solutions.
- 58% state that it is 26% to 49% more cost-effective.
- 100% of surveyed organizations have reduced their security-related development costs by at least 26% with CA Single Sign-On vs. developing access and security capabilities for each application.
- 30%: reduced costs by over 30% with a single solution to manage multiple methods of Web access, including HTTP, SAML federation, and Web services vs. implementing separate solutions for each method.