
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Distinguished Engineer, CA

May 26, 2015


Scott Morrison, SVP & Distinguished Engineer, CA Technologies presents on Mobile Strategy during the Wavefront Wireless Summits
Transcript
Page 1: 5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Distinguished Engineer, CA

© 2014 CA. All rights reserved.

5 Reasons Why APIs Must Be A Part Of Your Mobile Strategy

K. Scott Morrison

Senior Vice President and Distinguished Engineer

February 2014

Page 2:

5 reasons why APIs must be part of your mobile strategy

Page 3:

3 Copyright © 2013 CA. All rights reserved. No unauthorized copying or distribution permitted

Layer 7 SecureSpan Gateway

Secure and Manage Enterprise APIs

Gateway Cluster at Edge of Network

DMZ deployment

Hardware appliance, virtual appliance or software

[Diagram labels: Partners, Mobile Devices, Cloud, API/Service Client, Firewall 1, SSG Cluster, Firewall 2, Enterprise Network, API/Service Servers, Directory]

Page 4:

The MAG SDK

Page 5:

The Essence of the Problem: Secure Mobile Access to Apps and Data

How Do We Make APIs Available?

Firewall mazes

Diversity of clients and back end systems

Clients and servers change at different rates

[Diagram labels: API/Service Client, Internet, Firewall 1, Firewall 2, Enterprise Network, API/Service Servers, Directory]

Of Particular Interest: Authentication, Authorization & SSO

Secure Transmission

Page 6:

We Want Classic SSO In An Active Profile For REST

Could leverage WS-Fed here

SAML’s second act?

[Diagram labels: Apps making RESTful API calls, Internet, API/Service Servers, Directory]

Page 7:

But We Also Want Local App SSO

[Diagram labels: A, B, C, API/Service Servers]

So now it’s getting interesting…

“Like a VPN… but without all of the negatives”

Single Sign On App Group (these apps will share sign-on sessions)

Page 8:

App layer

Persistence layer

Mobile OS Isolation is an issue

Silos

Page 9:

Self Service: User should be able to log out if device is lost or stolen

Page 10:

Solution: Native Single Sign-On SDK For Mobile Developers

Strong Security for Mobile Apps

Cross-platform and built for a consumer or BYOD world

100% Standards-based using OAuth + OpenID Connect

X-app SSO with multi-factor auth & secure channel

X.509 Certificate provisioning for strong auth and transaction signing

[Diagram labels: iPhone, Android, iPad, App-sharable Secure Key Store, One time PIN: SMS, APNS, call, Enterprise Network, API Servers, Standards-based]

Page 11:

Client Deployment Strategy

Don’t make me work hard

– But give me a strong and extensible security model

Transfer of security responsibility

– Let developers do what they do best

Simple SDK

– Align with common development time environments

iOS, Android, JavaScript, etc.

Mirror REST frameworks

Future

– Aspects, wrapping, etc.

Page 12:

Three Important Entities

All three are managed by the SDK+MAG

User

Apps

Devices

Page 13:

Protocol Strategy

A B C

username/password

ID Token

Access Token/Refresh Token

Per app

Authorization Server

OAuth + OpenID Connect Profiled for mobile

Clear distinction between device, user and app

Page 14:

Questions?

Page 15:

@KScottMorrison

slideshare.net/CAinc

linkedin.com/KScottMorrison

ca.com

K. Scott Morrison

Distinguished Engineer