1 © 2016 CA. ALL RIGHTS RESERVED.
Driving Customer and Employee Engagement With Single Sign-On and Access Management
Santiago Cavanna, Security Solution Account Director, Argentina, Chile, Bolivia, Uruguay and Paraguay
Twitter: https://twitter.com/scavanna | Office: +54-11-43-17-15-95 | Mobile: +54-911-41-65-15-47 | [email protected]
2 © 2016 CA. ALL RIGHTS RESERVED.
Agenda
1. INTRODUCTION
2. CA SINGLE SIGN-ON
3. FEDERATION AND OPEN STANDARDS
4. AUTHORIZATION/ACCESS MANAGEMENT
5. SESSION SECURITY
6. WHY CA
3 © 2016 CA. ALL RIGHTS RESERVED.
Organizations Have Many Different Kinds of Apps
SaaS Apps, Mobile Apps, On-Premises Web Apps
Home Grown and Third Party
4 © 2016 CA. ALL RIGHTS RESERVED.
Application Economy Opens Security Challenges
#1: Security concerns, the top obstacle in the app economy
16,856: Number of attacks for the average company
78%: Increase in number of breached records from 2013 to 2014
13.1%: Average cost to the company for a breach
Sources:
1. All data on this slide from CA Application Economy Market Study commissioned by CA, conducted by Vanson Bourne, 2014
2. The 2014 Cost of Cyber Crime Study Reveals Increased Risks, Oct. 2014
3. http://breachlevelindex.com/pdf/Breach-Level-Index-Annual-Report-2014.pdf
5 © 2016 CA. ALL RIGHTS RESERVED.
CA IAM Addresses Security Challenges
CA Single Sign-On
CA Strong Authentication*: Patented software-based two-factor authentication
CA Risk Authentication: Risk assessment for authentication and access decisions
CA API Management & Security: SSO across API access and native mobile apps
CA Directory: High performance store
CA Identity Suite: Automation of RBAC
CA Secure Cloud: SaaS-based IAM
6 © 2016 CA. ALL RIGHTS RESERVED.
A Common Security Access Management Solution is Critical
ENABLE THE BUSINESS
- Engage with your customers faster and better.
- Make your employees more productive.
PROTECT THE BUSINESS
- Strongly validate each user's identity.
- Control user access.
- Provide consolidated access audit.
[Diagram: Single Sign-On connecting customers/citizens, employees/partners and connected apps/devices to cloud services and on-premises apps]
7 © 2016 CA. ALL RIGHTS RESERVED.
There are Three Critical Areas to Discuss When Considering an SSO Solution
Single Sign-On:
- Session Security
- Authorization/Access Management
- Federation & Open Standards
CA Single Sign-On, Including Federation & Open Standards
9 © 2016 CA. ALL RIGHTS RESERVED.
CA Single Sign-On is Itself a Comprehensive Suite for SSO and Web Access Management
Authentication: Broad range of authentication methods; step-up authentication policy; enforce dynamic authentication for federation.
Authorization & Access Management: Providing SSO to applications that don't use open standards; controlling which users access which application components; ability to centralize application security.
Single Sign-On: Support for open standards; SaaS Runbook program with over 150 partner applications; five methods for flexible application integration.
Session Security: Management of a single user online session; integrated step-up authentication and timeouts; continuous patent-pending security for the online session.
CENTRALIZED ADMINISTRATION
CENTRALIZED AUDITING
10 © 2016 CA. ALL RIGHTS RESERVED.
Flexible Solution to Meet Many Needs in a Single Deployment
CA Single Sign-On
Open Standards
SOAP and REST APIs
Policy Enforcement Gateway
Open Format Token
Policy Enforcement
Connectors (Agents)
11 © 2016 CA. ALL RIGHTS RESERVED.
Flexibility to Meet Different Business Needs
WEB ACCESS MANAGEMENT (tightly coupled)
- Access management
- Policy enforcement points to examine each request
- Gateway or specific CA Single Sign-On agents for the Web, application, ERP/CRM server
FEDERATION (loosely coupled)
- Identity passed from identity provider to applications
- Claims approach to SSO
- Application remains in control of its own security policies
12 © 2016 CA. ALL RIGHTS RESERVED.
Flexibility to Meet Different Business Needs
TIGHT COUPLING: Traditional "Access Management"
- Authorization
- Centralized auditing
- Centralized session management
- Access control at the application
- Policy enforcement points between the browser and websites
- CA Single Sign-On gateway or agent for the Web, application, ERP/CRM server
LOOSE FEDERATION: Loose passing of the identity from one app to another
- Standards (SAML, WS-Federation, OAuth)
- Custom (Open Format Cookie)
- Claims approach to SSO
- Enables separation of identity validation from the resource being accessed
13 © 2016 CA. ALL RIGHTS RESERVED.
CA Single Sign-On
Tightly Coupled Connector Examples
[Diagram: a security layer spanning the application layer, user store and operating system. User stores: CA Directory, DB2, SunONE LDAP, Oracle RDBMS, Active Directory, SQL 2012, LDAP. Applications: Intranet, E-Commerce, Portal, ERP/HR, CMS, Partner Extranet. Users: Employees, Administrators, Partners, Executives, Customers, End Users.]
14 © 2016 CA. ALL RIGHTS RESERVED.
CA Single Sign-On Can Enable You for Open Standards
CA SSO & Open Standards:
- WS-Fed
- SAML 1.1 and 2.0 profiles for accessing SaaS apps and partner-to-partner single sign-on
- OAuth 2.0 to support social media identities
- STS translation to WS-Federation for single sign-on to Office 365® via browser and thick clients
15 © 2016 CA. ALL RIGHTS RESERVED.
Because Standards Aren't Enough: The CA Security SaaS Validation Program
WHAT IS IT? A formal program to validate secure single sign-on to SaaS solutions with CA Single Sign-On and CA Secure Cloud*
WHY? Faster, proven integration = enabling the business. Backed by CA Support.
RESULT: Runbooks that map out your steps. View current runbooks on the CA Support site: http://bit.ly/1mZyWwJ
Benefits: Requisite security; improved user experience; faster connection to cloud apps; scalable
Accelerating the Secure Connection to Cloud-Based Services
16 © 2016 CA. ALL RIGHTS RESERVED.
Some of the 165+ Partners to Date: AnswerHub, Bime, BMC Remedyforce, Cerner, Dropbox, Druva, HappyFox, HighTail, Kindling, MediaCore, NetSuite ERP, PayPal IDP, ProofHQ, ScreenSteps Live, ThoughtSpot, Workforce Software, Twitter IDP, Watchdox, SugarCRM, Tableau, Huddle, ImageWare Systems, Inc., IQ Navigator, Jive, Blue Coat, Central Desktop, SocialBridge, CloudBees, Clarizen, Elastica, DocuSign, Hearsay Social, IdeaScale, Imaginatik, Panopto, Qualtrics, Rally Software
Authorization/Access Management
18 © 2016 CA. ALL RIGHTS RESERVED.
Policy-Based Authorization
- Restrict access by user, role, groups, dynamic groups or exclusions.
- Secure fine-grained authorization at the file, page or object level.
- Determine access based on location, time or authentication context.
- Send static, dynamic (SQL queries), or profile attributes in responses.
- Redirect users based on the type of authentication or authorization failure.
[Diagram: a CA SSO policy is built from a SiteMinder rule (What? describes the resource being accessed; Who? is the user included or excluded?), optional conditions (network restriction, time restriction, external factors such as custom, IP address, time, user identity or role), SiteMinder variables (request characteristics), and a SiteMinder response (the action that results from processing).]
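Added example, not CA's code and not how the Policy Server is implemented: a small Python model of the rule, optional conditions and response structure this slide describes. The resources, roles, CIDR ranges, business hours, authentication levels and SM_* header names are all constructed for the example.

```python
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Request:
    user: str
    roles: frozenset
    resource: str          # e.g. "/finance/transfer"
    client_ip: str
    hour: int              # local hour of the request, 0..23
    auth_level: int        # constructed scale: 1 = password, 2 = OTP / step-up
    profile: dict = field(default_factory=dict)


@dataclass
class Rule:
    resource_prefix: str                        # What?  the resource being accessed
    allowed_roles: frozenset                    # Who?   inclusion by role
    excluded_users: frozenset = frozenset()     # Who?   explicit exclusions
    networks: tuple = ()                        # optional network restriction (CIDRs)
    hours: tuple = ()                           # optional time restriction (start, end)
    min_auth_level: int = 1                     # required authentication context
    response_attrs: tuple = ()                  # profile attributes sent in the response


# Redirect target chosen by failure type (constructed URLs): a weak authentication
# context goes to a step-up page, an authorization failure to an access-denied page.
REDIRECTS = {"authentication": "/login/step-up", "authorization": "/access-denied"}


def check_conditions(rule, req):
    """Return None when every condition of the rule passes, else the failure type."""
    if req.user in rule.excluded_users or not (rule.allowed_roles & req.roles):
        return "authorization"
    if rule.networks and not any(
        ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(n) for n in rule.networks
    ):
        return "authorization"
    if rule.hours and not (rule.hours[0] <= req.hour < rule.hours[1]):
        return "authorization"
    if req.auth_level < rule.min_auth_level:
        return "authentication"
    return None


def authorize(rules, req):
    """Evaluate only the most specific rule (longest prefix) and build the response."""
    candidates = [r for r in rules if req.resource.startswith(r.resource_prefix)]
    if not candidates:
        return {"decision": "DENY", "redirect": REDIRECTS["authorization"]}  # deny by default
    rule = max(candidates, key=lambda r: len(r.resource_prefix))
    failure = check_conditions(rule, req)
    if failure:
        return {"decision": "DENY", "redirect": REDIRECTS[failure]}
    # Response: a static attribute plus selected profile attributes, passed to the
    # application as headers (SM_USER and SM_<ATTR> are constructed names).
    headers = {"SM_USER": req.user}
    for attr in rule.response_attrs:
        if attr in req.profile:
            headers["SM_" + attr.upper()] = req.profile[attr]
    return {"decision": "ALLOW", "headers": headers}


# Constructed policy. Because only the most specific rule is evaluated, the transfer
# rule repeats the network, time and exclusion conditions of the finance rule and
# adds a stronger authentication-context requirement.
FINANCE = frozenset({"finance"})
EXCLUDED = frozenset({"contractor1"})
POLICY = [
    Rule("/intranet/", frozenset({"employee", "finance"})),
    Rule("/finance/", FINANCE, excluded_users=EXCLUDED, networks=("10.0.0.0/8",),
         hours=(8, 18), response_attrs=("department",)),
    Rule("/finance/transfer", FINANCE, excluded_users=EXCLUDED, networks=("10.0.0.0/8",),
         hours=(8, 18), min_auth_level=2, response_attrs=("department",)),
]
```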
19 © 2016 CA. ALL RIGHTS RESERVED.
Attribute Sources to Support Authorization Decisions
Enterprise Directory or Database
Social Media Tokens
SAML Assertions
Web Service
Back Channel Request
Session Management and Security
21 © 2016 CA. ALL RIGHTS RESERVED.
There Are Many Ways That Attackers Can Hijack User Sessions; If You Use an SSO Solution, You Have to Do It Securely
There are several attack vectors:*
- Predictable session token
- Session sniffing
- Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
- Man-in-the-middle attack
- Man-in-the-browser attack
* https://www.owasp.org/index.php/Session_hijacking_attack
Source: Enterprise SSO Administrators
Don't forget about individually vulnerable sites/apps! SSO solutions need to link individual app tokens to secure tokens.
22 © 2016 CA. ALL RIGHTS RESERVED.
A Multi-Layer Problem
APPLICATION-SPECIFIC SESSION TOKENS: JSESSIONID in WebSphere; MYSAPSSO2 in SAP
SINGLE SIGN-ON SOLUTION: SMSESSION
CROSS-DOMAIN SINGLE SIGN-ON SOLUTION: Federation token
23 © 2016 CA. ALL RIGHTS RESERVED.
Enhanced Session Assurance with DeviceDNA
WHAT:
- Patent-pending client identification technology sourced from CA Risk Authentication*
- Supports CA Single Sign-On SSO, CA Federation IdP and SP patterns
- Installs with 12.52 Policy Server, Admin UI and CA Access Gateway
- Applied on a per realm or per application basis
- Session store required
VALUE: Improves defense against "session hijacking" or "session replay"
* formerly CA RiskMinder™
24 © 2016 CA. ALL RIGHTS RESERVED.
Session Linker Bolsters the Defense Against Session Hijacking
- While CA Single Sign-On 12.52 can defeat session hijacking, sites may still be vulnerable: applications use their own session cookies.
- Session Linker links the application's session to the CA Single Sign-On session, which is not susceptible to session hijacking.
- The CA Single Sign-On Session Linker can detect and stop session hijacking attacks against the application's session.
- Can be done without any modification or recoding of the application.
- Available to all CA Single Sign-On 12.51+ customers as part of the CA Access Gateway; a proxy architecture is required to use Session Linker.
Why CA
26 © 2016 CA. ALL RIGHTS RESERVED.
Heterogeneous Support
CA Single Sign-On operates as a best-of-breed solution that integrates with both CA's and outside vendors' solutions:
Two-factor authentication
Identity management
User directories
Governance
Roles
Risk evaluation
CA Single Sign-On allows you to choose which OS, access method, SSO architecture and integrated components you use to build your infrastructure.
MULTIPLE PLATFORMS & OPERATING SYSTEMS
MULTIPLE CHANNELS OF ACCESS
MULTIPLE SSO ARCHITECTURES
27 © 2016 CA. ALL RIGHTS RESERVED.
Requirements Beyond SSO
[Diagram: user, administrator, resources]
Authentication and Authorization
Password policies
Step up authentication
Integrated multi-factor authentication
Integrated risk-based authentication
Attribute-based authorization
Risk-based authorization
Directory mapping and chaining
Session Management
Session replay prevention
Session timeouts
Single log out
Linking to application-specific sessions
Administration
Centralized audit
Scoped/delegated administration
OTHER BENEFITS/CAPABILITIES
Proven enterprise-class scalability, reliability, credibility
Integrated solution vs. point product
Professional services team that can extend the solution for your specific needs
Strong partnerships with other technology vendors
Continued investment in innovation and emerging technologies
28 © 2016 CA. ALL RIGHTS RESERVED.
CA Single Sign-On Customer Success
3 out of the top 3 Oil & Gas companies
10 out of the top 15 US Commercial Banks
7 out of the top 8 US Government Agencies
6 out of the top 7 US Manufacturing companies
4 out of the top 6 Aerospace companies
5 out of the top 5 Telecoms
4 out of the top 5 Global Financial Services companies
5 out of the top 10 Pharmaceuticals
Rankings based on 2013 Fortune.com data. Government ranking based on 2013 data on number of employees.
29 © 2016 CA. ALL RIGHTS RESERVED.
30 © 2016 CA. ALL RIGHTS RESERVED.
Legal Notice
Copyright © 2016 CA. All rights reserved. Microsoft, Windows Server, SharePoint, Office 365, Active Directory, Lync, Outlook and Windows Azure are either
registered trademarks or trademarks of Microsoft Corporation in the United States and /or other countries. IBM and WebSphere are trademarks of
International Business Machines Corporation in the United States, other countries, or both. All trademarks, trade names, service marks and logos referenced
herein belong to their respective companies. No unauthorized use, copying or distribution permitted.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO
THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION,
ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or
damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or
lost data, even if CA is expressly advised of the possibility of such damages.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations
of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any
product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this
presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation,
CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such
releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available
basis.
The information and results illustrated here are based upon each identified customer’s unique experiences with the referenced software product in a variety of environments, which may include production and non-production environments. Past performance of the software products in such environments is not necessarily indicative of the future performance of such software products in identical, similar or different environments.
31 © 2016 CA. ALL RIGHTS RESERVED.
Resources
• Data Sheet: CA Single Sign-On
• Data Sheet: CA Federation
• Data Sheet: CA Access Gateway
• Data Sheet: CA Single Sign-On Agent for SharePoint
• eBook: CA Single Sign-On Enhanced Session Assurance with DeviceDNA
• Solution Brief: Employee-focused Use Cases
• Solution Brief: Consumer-focused Use Cases
• CA Services: Single Sign-On
• Documentation: Single Sign-On
Recent Release Highlights
33 © 2016 CA. ALL RIGHTS RESERVED.
Significant CA Single Sign-On Commitment
- MARCH 2012: CA Single Sign-On Family 12.5. Feature release: simplified federation administration, risk-based identity assurance, Enhanced Federation, identity mapping
- AUGUST 2012: CA Access Gateway** 12.5. Feature release: UI, enhanced proxy rules, monitoring, session linking, instance discovery
- OCTOBER 2012: Standalone version of CA Federation* 12.5. Feature release: admin SOD, cert mgmt, attribute mapping, eGov, auth context
- DECEMBER 2012: CA Secure Cloud SSO service
- APRIL 2013: CA Single Sign-On Family 12.51. Feature release: integrated UI for WAM/FED/SOA, social media support, multi-channel SSO support
- DECEMBER 2013: CA Single Sign-On Family 12.52. Feature release: Enhanced Session Assurance with DeviceDNA™, SSO between Office 365 and Microsoft® rich clients, enhanced social sign-on
- AUGUST 2014: CA SiteMinder Family 12.52 SP1. General update release for all components
- OCTOBER 2015: CA Single Sign-On Family 12.52 SP2. A focused release to support Windows 2012 R2 for the core server components (PS, Admin UI, SDK, Report Server); also in-memory tracing features and an embedded support data collection tool (CA Remote Engineer).
* formerly CA SiteMinder® Federation
** formerly CA SiteMinder® Secure Proxy Server
34 © 2016 CA. ALL RIGHTS RESERVED.
CA Single Sign-On Recent Features
Increased security:
- User Re-Validation (12.51): Require re-authentication for sensitive resources every time a user accesses them.
Expand support for single sign-on and access management:
- Web Service Interfaces (12.51): RESTful and SOAP-based Web service interfaces for authentication and authorization.
- Social Media Identities (12.51): Consume OAuth 2.0-based identities produced by Google and Facebook.
- Open Format Cookie (12.51): Agent-less form of SSO for applications that have less stringent security needs.
Deliver secure new business services:
- Enhanced Session Assurance with DeviceDNA (12.52): Patent-pending technology improves defense against "session hijacking" or "session replay."
- Session Linker (12.52): Links the application's session (cookie) to the CA Single Sign-On session, which itself is not susceptible to session hijacking.
Secure the mobile, cloud-connected enterprise:
- Enabling SSO Between Office 365 & Microsoft Rich Clients (12.52): WS-Fed 1.2 Active Profile support enables the Microsoft rich client tools, including Outlook, the Office 365 client, and mobile apps.
Social Media
36 © 2016 CA. ALL RIGHTS RESERVED.
Social Media Drives New Requirements
NEED TO GROW THE BUSINESS: Improve customer engagement.
INCREASE THEIR USE OF SOCIAL SITES AND MEDIA: Facebook (increase fans, "likes"); Twitter (increase followers); LinkedIn page (increase followers).
REACH MILLIONS OF FANS DIRECTLY: Coca-Cola > 50m; Walt Disney > 30m; Starbucks > 26m
MARKETING OPPORTUNITIES ARE LIMITED: Demographic information is not provided. New Facebook anonymous login makes it more difficult to obtain personal info.
37 © 2016 CA. ALL RIGHTS RESERVED.
Use Consumer Identity for Initial Customer Acquisition and Low Risk Transactions
Sign in with stronger credentials when needed for high value transactions
Increases sign up rate.
Collecting identity attributes allows for immediate personalized marketing.
Increase customer engagement by eliminating multiple logins.
38 © 2016 CA. ALL RIGHTS RESERVED.
Three Years Ago, Most Organizations Wouldn’t Do Business With Social Credentials—That Has Changed
Social Login Preferences (1)
- 77% of respondents believe websites should offer social login.
- 86% are hesitant to create a new account for each website they visit.
- 80% of Web users will choose social login if offered.
Which of these additional social tactics does your company plan to use? (2)
[Chart: persistent vs. transient tactics; categories: currently use, plan to use in next 12 months, do not plan to use; values shown: 54%, 17%, 29%]
To Consider: Why It's Important
- Increase customer engagement.
- Marketing: "likes" drive attention.
- Provide customers with tailored content (but be aware of Facebook's Anonymous Login).
- Customers may choose a social-enabled competitor.
- Improve customer user experience.
Sources:
1) WebHostingBuzz State of Social Sharing 2013 study
2) Forrester, Inc. http://blogs.forrester.com/kim_celestre/14-05-20-look_beyond_the_obvious_when_considering_social_login
39 © 2016 CA. ALL RIGHTS RESERVED.
Enhanced Social Sign-on With OAuth 2.0 and 1.0a
- OAuth 2.0 and 1.0a RP side
- Simpler administration via WebUI and partnerships
- Just-in-time provisioning integration
- Out-of-the-box pre-validated social provider support: Facebook, Google+, LinkedIn, Twitter, Microsoft Live
Federation—Additional Slides
41 © 2016 CA. ALL RIGHTS RESERVED.
Employee-Focused Federation Can Improve Productivity and Simplify Management
Benefits:
- Fewer help-desk calls
- Happier, more productive employees
- Reduced storage of employee information
- Seamless integration between corporate and remote assets
[Diagram: employees accessing the company intranet, on-premises Web apps, partner apps and third-party Web apps]
42 © 2016 CA. ALL RIGHTS RESERVED.
Consumer-Focused Federation Improves Your User Experience and Enables Re-Branded Partner Services
Benefits:
- Provide services to your customers faster.
- Make your customer experience seamless.
Federation needs to integrate with existing on-premises access management solutions.
[Diagram: consumers reaching your site ("Your Logo Here"), partner apps, on-premises Web apps and third-party Web apps]
43 © 2016 CA. ALL RIGHTS RESERVED.
The Need For Open, Standards-Based SSO Within and Outside The Organization Is Growing
Benefits:
- Organizations using standards can prevent vendor lock-in.
- Reduce time-to-deployment within the enterprise for applications that know how to speak a federated protocol.
- SSO with third parties: partners, SaaS vendors, etc.
- Seamlessly move functionality to the cloud faster using federation, for both internal and consumer apps.
44 © 2016 CA. ALL RIGHTS RESERVED.
Enabling SSO between Office 365 & Microsoft Rich Clients
[Diagram: a Lync user in the enterprise, with Active Directory and the STS on-premises, and the Sign-In Service and Lync Online in the Office 365 cloud. Flow: 1. STS Discovery; 2. On-Premises Login; 3. O365 Login; 4. Lync Access.]
Simple administration is part of the WS-Fed Federation Partnership.
Verification with: Outlook, Office clients, Lync, Dynamics CRM for Outlook
"Works with Office 365" certification: http://technet.microsoft.com/en-us/library/jj679342.aspx#BKMK_6
Session Management—Additional Slides
46 © 2016 CA. ALL RIGHTS RESERVED.
The More Things Change… The OWASP Top 10 Most Critical Web Application Security Risks
Sources: https://www.owasp.org/images/c/ce/OWASP_Top_Ten_2004.doc and http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
2003:
- Unvalidated Parameters
- Broken Access Control
- Broken Account and Session Management
- Cross-Site Scripting (XSS) Flaws
- Buffer Overflows
- Command Injection Flaws
- Error Handling Problems
- Insecure Use of Cryptography
- Remote Administration Flaws
- Web and Application Server Misconfiguration
2013 (The Latest):
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function-Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Known Vulnerable Components
- Unvalidated Redirects and Forwards
47 © 2016 CA. ALL RIGHTS RESERVED.
Session Hijacking: What Is It?
Session hijacking consists of the exploitation of the Web session control mechanism, which is normally managed for a session token.*
* https://www.owasp.org/index.php/Session_hijacking_attack
[Diagram: the user Ben logs in; access management issues him the session cookie abcd1234 and the application answers Success! "Hello, Ben!". The hacker Andre, whose own cookie is zzz999, logs in with Ben's stolen cookie and gets the same answer, Success! "Hello, Ben!", inside Ben's app session.]
48 © 2016 CA. ALL RIGHTS RESERVED.
Risk-Based Authentication Is Great, But What Happens AFTER Login?
The Problems With This Model
1. It's inconvenient.
2. It violates "least privilege."
[Diagram: login (questions, OTP) leads to a session. What does the user need to do with the session? View-only access (view your checking account balance) vs. take action (transfer funds).]
49 © 2016 CA. ALL RIGHTS RESERVED.
What Happens During a User Session Matters
[Diagram: an employee (or customer!) session ranging from low risk (IT help desk, meeting room manager, read-only) to high risk (HR or finance, benefits, take action).]
50 © 2016 CA. ALL RIGHTS RESERVED.
Session Hijacking May Be Old, But Protecting Against it Requires New Capabilities
- Covert Redirect OAuth & OpenID security flaw: a flaw in online login protocols could be used to steal data and redirect users to malicious websites; no concerted and coordinated response.
- Heartbleed bug: OpenSSL exploited to steal an active, authenticated session token; circumvented multi-factor authentication on VPN.
Are you ready for what's next?
51 © 2016 CA. ALL RIGHTS RESERVED.
There Are Device Identification Techniques That Can Prevent Session Hijacking
[Diagram: Ben logs in from Ben's device; unique device verification records the device and access management issues the cookie abcd1234; the application answers Success! "Hello, Ben!". Andre (own cookie zzz999) logs in with Ben's stolen cookie from Andre's device; the device verification does not match and the access attempt is denied.]
52 © 2016 CA. ALL RIGHTS RESERVED.
There Are Currently Two Primary Methods of Ensuring Session Security
- Continuous Device Identification
- Risk-Based Authorization (risk score from 0 = low risk to 100 = high risk)
53 © 2016 CA. ALL RIGHTS RESERVED.
Continuous Device Verification During a Session
[Timeline of a user session, time 0 to 30: the user initially authenticates and a unique device identifier is captured; a device check runs at a specified interval (time 10, 20, 30). When the user requests SSO access to Office 365, no additional check is required; when the user requests SSO access to the Finance app, an additional device check is performed.]
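Added example, not CA's or DeviceDNA's implementation: a Python model combining the device-bound session with interval and per-application re-checks from this slide and the application-cookie linking from the Session Linker slide. The check interval, the high-risk application set, the device identifiers and the cookie values are all constructed.

```python
import secrets
from dataclasses import dataclass

DEVICE_CHECK_INTERVAL = 10      # constructed: re-verify the device every 10 time units
HIGH_RISK_APPS = {"finance"}    # constructed: apps that always trigger a device check


@dataclass
class SsoSession:
    user: str
    device_id: str      # device fingerprint captured at initial authentication
    last_check: int     # time of the most recent device verification


class SessionManager:
    """SSO sessions (the SMSESSION-style cookie) with their device binding, plus the
    link from each application session cookie back to the SSO session it came from."""

    def __init__(self):
        self.sso = {}       # SSO cookie value -> SsoSession
        self.links = {}     # (app, application cookie value) -> SSO cookie value
        self.audit = []     # (time, app, decision, reason) for the central audit trail

    def login(self, user, device_id, now):
        cookie = secrets.token_hex(16)              # unpredictable session token
        self.sso[cookie] = SsoSession(user, device_id, now)
        return cookie

    def issue_app_session(self, sso_cookie, app):
        """Session linker: record which SSO session an application cookie was issued under."""
        app_cookie = secrets.token_hex(16)
        self.links[(app, app_cookie)] = sso_cookie
        return app_cookie

    def access(self, sso_cookie, app, device_id, now, app_cookie=None):
        sess = self.sso.get(sso_cookie)
        if sess is None:
            return self._record(now, app, "DENY", "no SSO session")
        # Continuous device verification: at the interval, or on every request to a high-risk app.
        check_due = now - sess.last_check >= DEVICE_CHECK_INTERVAL or app in HIGH_RISK_APPS
        if check_due:
            if device_id != sess.device_id:
                # Cookie presented from another device: terminate the session so it cannot be reused.
                del self.sso[sso_cookie]
                return self._record(now, app, "DENY", "device mismatch")
            sess.last_check = now
        # Session linker: an application cookie is only honoured with the SSO session it was issued under.
        if app_cookie is not None and self.links.get((app, app_cookie)) != sso_cookie:
            return self._record(now, app, "DENY", "application session not linked to SSO session")
        reason = "device checked" if check_due else "no additional check required"
        return self._record(now, app, "ALLOW", reason)

    def _record(self, now, app, decision, reason):
        self.audit.append((now, app, decision, reason))
        return decision, reason


def demo():
    """The slide's timeline with constructed data; returns the decisions in order.
    Note that a replay between two checks is not caught, which is why the interval
    is short and high-risk apps are checked on every request."""
    mgr = SessionManager()
    ben = mgr.login("ben", "device-ben", now=0)
    out = [mgr.access(ben, "office365", "device-ben", now=5)]          # within interval: no check
    out.append(mgr.access(ben, "finance", "device-ben", now=6))        # high-risk app: checked
    out.append(mgr.access(ben, "office365", "device-andre", now=8))    # replay inside the window
    out.append(mgr.access(ben, "office365", "device-andre", now=20))   # interval elapsed: caught
    return out
```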
55 © 2016 CA. ALL RIGHTS RESERVED.
Risk-Based Authorization During a Session
[Timeline: the user initially authenticates and a risk score is generated (Risk Score = 75 on the low-risk to high-risk scale). On each request, a risk evaluation compares the score with the requested resource and grants or denies access: IT Help Desk, access granted; Benefits Site, step-up authentication required; Finance, access denied; Finance, access granted.]
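Added example, not CA's risk engine: the slide's walk-through in Python, where the login-time risk score is compared on every request against constructed per-application thresholds, and a completed step-up lowers the effective score by a constructed credit so that Finance moves from denied to granted. The application names, thresholds and credit are assumptions.

```python
from dataclasses import dataclass

STEP_UP_CREDIT = 40   # constructed: a successful step-up lowers the effective risk score by this much


@dataclass(frozen=True)
class AppPolicy:
    grant_below: int    # effective score below this: grant outright
    stepup_below: int   # effective score below this: grant only after step-up; otherwise deny


# Constructed thresholds on the slide's 0 (low risk) .. 100 (high risk) scale.
POLICIES = {
    "it_help_desk": AppPolicy(grant_below=90, stepup_below=100),
    "benefits":     AppPolicy(grant_below=60, stepup_below=90),
    "finance":      AppPolicy(grant_below=40, stepup_below=70),
}


class RiskSession:
    """A user session carrying the risk score generated at initial authentication."""

    def __init__(self, user, risk_score):
        if not 0 <= risk_score <= 100:
            raise ValueError("risk score must be on the 0..100 scale")
        self.user = user
        self.risk_score = risk_score
        self.stepped_up = False

    def effective_score(self):
        return max(0, self.risk_score - STEP_UP_CREDIT) if self.stepped_up else self.risk_score

    def complete_step_up(self, credential_valid):
        """Record a successful step-up (e.g. OTP); it holds for the rest of the session."""
        if credential_valid:
            self.stepped_up = True
        return self.stepped_up

    def request(self, app):
        """Evaluate the current risk against the application's policy on every access."""
        pol = POLICIES[app]
        score = self.effective_score()
        if score < pol.grant_below:
            return "GRANTED"
        if score < pol.stepup_below and not self.stepped_up:
            return "STEP_UP_REQUIRED"
        return "DENIED"   # too risky, or already stepped up and still above the grant line


def walkthrough(risk_score=75):
    """The slide's sequence of requests, then the same requests after a step-up."""
    apps = ("it_help_desk", "benefits", "finance")
    s = RiskSession("employee", risk_score)
    before = {app: s.request(app) for app in apps}
    s.complete_step_up(credential_valid=True)
    after = {app: s.request(app) for app in apps}
    return before, after
```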
56 © 2016 CA. ALL RIGHTS RESERVED.
Enhanced Session Assurance with DeviceDNA Deployment Architectures
[Diagram: agent-focused architecture with a browser, CA Access Gateway (w/DeviceDNA), a Web server with CA Single Sign-On Agent, and the CA Single Sign-On Policy Server; proxy-focused architecture with a browser, CA Access Gateway (w/DeviceDNA), CA Access Gateway, Web servers, and the CA Single Sign-On Policy Server.]
Hybrids of agent and proxy architectures are also supported.
Other
58 © 2016 CA. ALL RIGHTS RESERVED.
CA Web Access Management Strategy: Extend the security model from Web to API.
[Diagram: customers, employees and partners on any device/channel reach Web applications through context-based authentication (device, geolocation, velocity, user history, fraud patterns), advanced authentication, and flexible access management & secure SSO.]
WHAT YOU NEED TO DO: Adopt a risk-based approach to user authentication. Provide advanced authentication for suspicious activities/transactions. Centralize security policy management.
VALUE TO YOUR BUSINESS: Increases security without inconveniencing end users. Detects and blocks fraud with real-time risk analysis. Improves security and reduces security admin costs.
59 © 2016 CA. ALL RIGHTS RESERVED.
Securely and Conveniently Enable Multi-Channel Access
[Diagram: customers using Web apps, mobile apps and APIs/Web services, on-premises, on device and from the cloud.]
WHAT YOU NEED TO DO: Simplify registration/login/profile management. Provide a convenient, consistent experience. Enable single sign-on across apps & services.
VALUE TO YOUR BUSINESS: Improved customer experience/loyalty. Coordinated security across Web, mobile, APIs. Accelerated delivery of new apps.
60 © 2016 CA. ALL RIGHTS RESERVED.
Centralized Administration of Web Access… With CA Single Sign-On
Benefits: reduced security administration costs; reduced coding and maintenance; much improved user experience; centralized security enforcement; standardized security process; unified central auditing
[Diagram: CA Single Sign-On with standards-based federation as the security layer across the application layer, user store and operating system. User stores: Siemens DirX, Oracle OID, SunONE LDAP, Oracle RDBMS, Active Directory, SQL 2008, LDAP. Applications: Intranet, E-Commerce, Portal, ERP/HR, CMS, Partner Extranet, SCM, cloud/outsourced services. Users: Employees, Administrators, Partners, Executives, Customers, End Users.]
61 © 2016 CA. ALL RIGHTS RESERVED.
Flexibility to Meet Different Business Needs
Web Access Management (tightly coupled):
- Access management
- Centralized policy decision point
- Specific CA Single Sign-On agent for the Web, application, ERP/CRM server, etc.
Federation (loosely coupled):
- Loose passing of the identity from one app to another
- Claims approach to SSO
- Enables separation of identity validation from the resource being accessed
62 © 2016 CA. ALL RIGHTS RESERVED.
Flexibility to Meet Different Business Needs
TIGHT COUPLING: Traditional "Access Management"
[Diagram callouts: "STOP!", "Can they?", "Yes", "OK", "I need to see this"]
- Authorization
- Centralized auditing
- Centralized session management
- Access control at the application
- Centralized policy decision point
- Specific CA Single Sign-On agent for the Web, application, ERP/CRM server, etc.
63 © 2016 CA. ALL RIGHTS RESERVED.
Flexibility to Meet Different Business Needs
LOOSE FEDERATION: Passing of the identity from one app to another
[Diagram callouts: "I am Bob.", "Give this token to the other site.", "Here is a token", "Hi, Bob.", "Are you two able to talk?"]
- Standards (SAML, WS-Federation, OAuth)
- Custom (Open Format Cookie)
- Claims approach to SSO
- Enables separation of identity validation from the resource being accessed
64 © 2016 CA. ALL RIGHTS RESERVED.
When Users Have Multiple Online Identities, There Are User and Administrative Costs
- End user: Users are continually asked to present their online identity again and again.
- Administrator: Administrators have to create access policies in parallel for every user identity.
65 © 2016 CA. ALL RIGHTS RESERVED.
Customers Agree! Stats
CA SSO Customers, FY2014
- 42% of CA Single Sign-On users stated that CA Single Sign-On is 50% or more cost-effective than individual solutions.
- 58% state that it is 26% to 49% more cost-effective.
- 100% of surveyed organizations have reduced their security-related development costs by at least 26% with CA Single Sign-On vs. developing access and security capabilities for each application.
- 30%: Reduced costs by over 30% with a single solution to manage multiple methods of Web access, including HTTP, SAML federation, and Web services vs. implementing separate solutions for each method.