Getting Into Mobile Without Getting Into Trouble
Greg Kliewer, Senior Solutions Strategist
October 2014

The good old days
- Network separation
- No programmatic access from the public Internet
- Safety through total isolation and control
2014 CA. ALL RIGHTS RESERVED.

56% Canadian smartphone ownership in 2013, up from 33% in 2012 [1]
2012: Mobile devices outnumber workstations by 2:1 [2]
2013: Time spent on non-voice mobile surpasses time spent on workstations [3]
2014: Smartphone and tablet sales surpass workstations [4]

Sources:
[1] http://www.cbc.ca/news/business/smartphone-use-way-up-in-canada-google-finds-1.1384916
[2] http://www.forbes.com/sites/benedictevans/2012/12/31/the-end-of-the-beginning-mobile-blows-past-pcs-so-what
[3] http://www.emarketer.com/article.aspx?r=1010095
[4] http://www.gartner.com/newsroom/id/2610015

Today

Threats
- Inauthentic user
- Careless user
- Poorly coded apps
- Spoofed apps
- Lost or stolen devices
- Hijacked or tampered-with devices

What are you going to do about it?
Building blocks for secure mobile access

Reverse proxy in the DMZ using a hardened platform
- Terminate the inbound connection
- Establish a new connection to fulfill the request
- The only port open to the public Internet should be 443
- All extraneous ports should be closed
- All services not strictly necessary should be stopped or, preferably, removed
- Management ports are on a separate network not accessible from the public Internet
- Be ready to patch at a moment's notice (e.g. Heartbleed, Bash Shellshock)

Validate user credentials before making the backend connection
- Extract credentials
- Validate them against the existing user directory
- THEN make the backend connection

PROBLEM
It's the app that calls the API. Do you want it holding on to the user's username and password?

Introduce an OAuth 2.0 Authorization Server
- Authenticate the user
- Authenticate the app (request that the user grant access to the app)
- Issue an Access Token that represents an ephemeral session with the client
[Diagram labels: App, Creds, Token, Sessions with permissions]
NOTE the requirement for a new set of credentials, identifying the app

...and an OAuth 2.0 Resource Server
- Validate the Access Token
- Retrieve permissions
- Authorize access to the requested resources
- Rinse and repeat
[Diagram labels: App, Creds, Token, Sessions with permissions]
The session eliminates the need for an app to cache or store the user credentials. Instead, you keep a temporary-use token for a short period of time.
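The two slides above (authorization server issues an ephemeral token after authenticating both user and app; resource server validates it and retrieves permissions) as a minimal working model. This is an added example, not CA's code: the user directory, app registry, salt, and the shared in-memory session store standing in for token introspection are all constructed assumptions.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

# Constructed sample stores (not part of the deck): a user directory holding
# salted PBKDF2 hashes and an app registry holding each app's own credential.
SALT = b"constructed-demo-salt"
def _pwhash(pw): return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)
USER_DIRECTORY = {"alice": _pwhash("correct horse")}
APP_REGISTRY = {"mobile-app-1": "app-secret-constructed"}

@dataclass
class Session:
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float

class AuthorizationServer:
    """Authenticates the user AND the app, then issues an opaque, short-lived token."""
    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> Session; the app never needs the password again

    def issue_token(self, username, password, client_id, client_secret, scopes):
        stored = USER_DIRECTORY.get(username, b"")
        if not hmac.compare_digest(stored, _pwhash(password)):
            return None                      # user authentication failed
        if not hmac.compare_digest(APP_REGISTRY.get(client_id, ""), client_secret):
            return None                      # app authentication failed (the app's own credentials)
        token = secrets.token_urlsafe(32)    # random and unguessable: meaningless without the session store
        self.sessions[token] = Session(username, client_id, frozenset(scopes), time.time() + self.ttl)
        return token

class ResourceServer:
    """Validates the token, retrieves its permissions, then authorizes the request."""
    def __init__(self, auth_server):
        self.auth = auth_server  # assumption: shared session store stands in for token introspection

    def authorize(self, token, required_scope, now=None):
        session = self.auth.sessions.get(token)
        if session is None:
            return (False, "invalid_token")
        if (now if now is not None else time.time()) >= session.expires_at:
            self.auth.sessions.pop(token, None)  # ephemeral: an expired session is dropped
            return (False, "expired_token")
        if required_scope not in session.scopes:
            return (False, "insufficient_scope")
        return (True, session.user)
```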

PROBLEM
Sessions can be hijacked.

SOLUTION
This one, at least, has a fairly simple solution.

Keep the Access Token private
- SSL / TLS
- 443 ONLY
- Strong crypto only
[Diagram labels: App, Creds, Token, Sessions with permissions]
The Access Token is a secret and must be treated as such.
Use HTTP keep-alives to limit the resource utilization impact. You may want SSL acceleration for this.
Did we mention? Be ready to patch / step up key strength / cipher suite requirements at any time.
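One way to express "strong crypto only" so that the requirements can be stepped up later, as an added example rather than the deck's or CA's code: the server-side TLS context is built from a policy object (an assumption), and a check function reports whether any negotiable cipher matches a known-weak marker.

```python
import ssl

# Assumed policy (not from the deck): raising min_version or tightening the cipher
# string is the "step up at any time" lever; the code below does not change.
POLICY = {
    "min_version": ssl.TLSVersion.TLSv1_2,
    # ECDHE-only key exchange with AEAD ciphers; legacy algorithms excluded explicitly.
    "ciphers": "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES",
}
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT")

def hardened_server_context(policy=POLICY, certfile=None, keyfile=None):
    """Build the TLS 1.2+ server context that will carry access tokens."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = policy["min_version"]
    ctx.set_ciphers(policy["ciphers"])  # TLS 1.3 suites are managed separately by OpenSSL and stay on
    if certfile:                        # hypothetical certificate paths supplied by the deployer
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def check_policy(ctx, policy=POLICY):
    """Report whether the context still meets the policy; 'weak' should be an empty list."""
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]
    return {"min_version_ok": ctx.minimum_version >= policy["min_version"], "weak": weak}

if __name__ == "__main__":
    print(check_policy(hardened_server_context()))
```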

PROBLEM
Aren't mobile devices and apps just inherently insecure?

- Relaxes device security (no screen lock, no PIN / passphrase)
- Leaves device behind at the gym or on the bus
- Caches or persists user ID credentials
- Stores sensitive data
- Stores sensitive data without safeguards
- Tricks user into downloading fake app
- Steals phone, bypasses protections, unlocks it

- Relaxes device security (no screen lock, no PIN / passphrase)
- Leaves device behind at the gym or on the bus
- Caches or persists user ID credentials
- Stores sensitive data
- Stores sensitive data without safeguards
Mobile Application Management / Mobile Device Management
- Tricks user into downloading fake app
- Steals phone, bypasses protections, unlocks it

SDKs can provide a lighter-weight solution
- Takes security out of the hands of app devs (they will thank you!)
- Tie in to device safeguards: key stores (hardware-backed), native containers, biometrics, geolocation, remote control (for wipe), manufacturer attestation
- Tie enhanced crypto to user authentication and consent
- Dynamic app secret provisioning
- Dynamic certificate provisioning
[Diagram labels: SDK, Gateway]

Solutions for secure enterprise mobility

1. Securely gate all access from mobile platforms
MOBILE API GATEWAY
- Appliance pre-hardened for exposure to the public Internet
- Onboard OAuth 2.0 Authorization and Resource Servers
- Control sign-on and sign-off across apps, devices, and web properties
- Enforce multi-factor authentication (e.g. OTP, biometrics, attestation)
[Diagram labels: MOBILE API GATEWAY, Secure Platform, Comprehensive Access Control]

2. Extend your security reach onto the devices themselves
PLATFORM SDKs
- Take security out of the hands of application developers
- Bind to device security primitives to leverage native capabilities (e.g. keystores, containers, hardware-backed crypto, biometrics, etc.)
- Block access from inauthentic applications
- Detect device and OS tampering
[Diagram labels: SDK, MOBILE API GATEWAY]

Come see us at booth 603
"The most radical and transformative of inventions are often those that empower others to unleash their creativity to pursue their dreams." - Jeff Bezos

Greg Kliewer, Senior Solution Strategist
Greg.Kliewer@ca.com
@cainc
slideshare.net/cainc
linkedin.com/company/ca-technologies
ca.com