SSO Agility Made Possible - November 2014

Andrew Ames, CEO at Acclaim Consulting Group, Inc

SSO Agility Made Possible
The future-proofing of your Web and Mobile Security Strategy
November 2014
Introducing our Presenters 
Drew Ames is the President & CEO of Acclaim Consulting Group, a leading services, consulting and system integration firm focused on Security, Identity, Governance and Access Management. For 15+ years, Drew has held several sales, delivery and executive leadership roles within the IAM space.
Clay Williams runs sales for the CA API Management Business Unit in the Southeast. He’s been in Development, Consulting, and Sales in the Integration/Middleware space for over 15 years at companies like webMethods, IBM, and CA Layer 7.
Jon Naglieri is the Principal Security Architect and has been with NRECA for 7 years. Jon has spearheaded the creation of an ‘Identity as a Service’ team while at NRECA, providing oversight and direction in the domains of IAM and Application Security.
© 2014 CA. ALL RIGHTS RESERVED.
Agenda (Time: Topic, Presenter)
5:05pm: Web Access Management and Identity as the New Perimeter, Drew Ames, Acclaim Consulting
~5:10pm: API Economy, Clay Williams, CA / Layer7
~5:15pm: NRECA… Future-Proofing the Security Architecture, Jon Naglieri, NRECA
Disruptive Events / Explosion of Channels
(chart over time: WAM, XML, Cloud, IoT, Mobile, Social)
Web Access Management
(diagram: Mobile Apps, apps, LDAP)
Mobile-Access Growth Continues
82% of online time spent with apps vs. browsers¹
• ¹ Harvard Business Review, “For Mobile Devices, Think Apps, Not Ads”, Sunil Gupta, Head of HBR Marketing. March 2013.
• ² http://www.programmableweb.com/
Identity is the New Perimeter
SSO Continues to expand…
(diagram: Cloud, Social, Claims, Open Standards, Mobility)
Acclaim Consulting Group 
Delivering New Customer Services Over the Internet Used to be All About the Browser
(diagram: WEB CONTENT EXPOSED THROUGH PERIMETER DMZ; DATA)
No Longer – It’s About the Application
(diagram: WEB, SOCIAL NETWORKS, COMPUTERS, PHONES AND TABLETS, DEVICES, WEARABLE COMPUTERS)
The Application Economy: New Challenges and Opportunities
(diagram: Applications, Identities, APIs)
Omni-channel access, Customer Engagement, Cloud Services, Mobility, App acceleration, Developer Ecosystems, Social login, Internet of Things/Big Data
The New “Application Economy”
(diagram: IDENTITIES, APP DATA, API)
You need to ensure that the right people, using the device of their choice, can securely access applications to obtain data through APIs.
CA API Management Suite
Secure Access to the API: Authentication, Entitlements, API Keys, Social SSO, Token Service, OAuth 1.x, OAuth 2.0, OpenID Connect
API – Enable The Data And Services: Transformation, Routing, Traffic Control, Throttling, Prioritization, Caching, Security, Composition
Manage the API Lifecycle: Health Tracking, Workflow, Performance, Global Staging, Reporting, Config Migration, Patch Management, Policy Migration
Manage the Developer Community: Developer Enrollment, Plans, API Docs, Forums, API Explorer, Quotas, Rankings, Analytics
National Rural Electric Cooperative Association
• National service organization based in Arlington, VA and in business for more than 70 years
• Provides employee benefits to over 170,000 individuals at more than 1,000 co-ops (rural electric cooperatives and public power districts) in 47 states. Benefits include:
  • 401k, Medical, Dental, Life Insurance, etc.
NRECA Organization (IT)
(org chart: Business Network; Enterprise Architecture; Information Security; Application Development; IT Business Services and Information Security; IT Technical Services; IT Operations; Infrastructure)
Timeline: 2003 - 2008, 2010, 2012, 2014, FUTURE

REQUIREMENT: Enhance authentication service for members to best align with regulatory requirements
SOLUTION: Risk-Based and Strong Authentication (CA Auth & RiskMinder)

REQUIREMENT: Secure NRECA web resources and enable access to registered members
SOLUTION: Web Access Mgmt (CA SiteMinder)

REQUIREMENT: Portal-based services for members, with ability to securely interact with 3rd party benefit service provider
SOLUTION: Federation (CA SiteMinder)

REQUIREMENT: Close “gaps” on supporting new security standards (OAuth, OpenID Connect). Align with development environment shift and extend security to API framework
SOLUTION: API Management (CA Layer7)

FUTURE REQUIREMENT: Provide security architecture guidance to the business and fuel adoption of new business delivery channels
Drivers
Business
• Continue to secure NRECA offerings, address regulatory reporting requirements and…
• Seek ways (social, mobile and cloud) by which to quickly develop and deliver new offerings
IT / Developers
• Lean UX - Collaborative approach to interaction design. Rapidly experiment with design ideas, validate them with real users, and continually adjust your design based on what was learned (API-Centric)
• - Web application framework that assists in creating single page applications
Information Security
• Close ‘gaps’ on supporting new security standards
• Architect security to cover legacy, current and future requirements
• Seek to leverage and extend existing security policy
API Management Use Cases

Use Case: NRECA Internal
• API Providers: NRECA Internal Developer(s)
• API Consumer: NRECA Internal Application
• Identity Type: NRECA Intranet User (StaffMember, Group, Computer, ServiceAccount)
• Use Case Example: GEMS application tier calls the Extranet.IdentityProvider.CustomerData service (an internal-only service) to get identity data for an external customer
• Backend API Security Policy: Configure for Integrated Windows Authentication and Authorization
• Gateway API Security Policy: Require Integrated Windows Authentication; require AD groups for authorization

Use Case: NRECA External - B2C - REST Client
• API Providers: NRECA Internal Developer(s)
• API Consumer: NRECA External REST Applications
• Identity Type: NRECA Extranet User (Customer)
• Use Case Example: External customer interacts with an NRECA-developed client-side application such as an AngularJS app
• Backend API Security Policy: Configure for Integrated Windows Authentication and Authorization
• Gateway API Security Policy: Require OAuth (Implicit Flow) OR SiteMinder session (OAuth takes precedence); initially authorize against SiteMinder, then use OAuth scopes for authorization; SiteMinder sessions can be automatically translated to an OAuth access token
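The external B2C gateway policy described in the use-case table (accept an OAuth bearer token or a SiteMinder session, OAuth taking precedence; authorize with OAuth scopes; translate a SiteMinder session into an access token), modelled as an added example that is not from the presentation or from CA's products. The token values, SMSESSION ids, scope names, the role-to-scope mapping and the API paths are constructed assumptions.

```python
# Added example, not from the slides or CA Layer7: a simplified model of the
# slide's gateway policy for the external B2C REST use case. All token values,
# session ids, scopes, roles and API paths below are constructed.
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed OAuth access tokens (as issued by an assumed implicit-flow
# authorization server): token -> (subject, granted scopes)
ACCESS_TOKENS = {
    "tok-customer-42": ("customer42", {"benefits:read"}),
    "tok-customer-77": ("customer77", {"benefits:read", "benefits:write"}),
}
# Constructed SiteMinder sessions (SMSESSION cookie value) -> (subject, roles)
SM_SESSIONS = {
    "sm-session-abc": ("customer42", {"Member"}),
    "sm-session-def": ("customer99", {"Member", "BenefitsAdmin"}),
}
# Assumed mapping used when a SiteMinder session is translated into OAuth scopes
ROLE_TO_SCOPE = {"Member": {"benefits:read"}, "BenefitsAdmin": {"benefits:write"}}
# Assumed scope required by each protected API operation
REQUIRED_SCOPE = {("GET", "/api/benefits"): "benefits:read",
                  ("POST", "/api/benefits"): "benefits:write"}

@dataclass
class Decision:
    allowed: bool
    subject: Optional[str] = None
    source: Optional[str] = None        # "oauth" or "siteminder"
    scopes: set = field(default_factory=set)
    issued_token: Optional[str] = None  # set when an SM session was translated
    reason: str = ""

def parse_bearer(headers):
    """Return the bearer token from the Authorization header, or None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return value.strip() if scheme.lower() == "bearer" and value.strip() else None

def parse_smsession(headers):
    """Return the SMSESSION cookie value, or None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SMSESSION" and value:
            return value
    return None

def gateway_policy(method, path, headers):
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return Decision(False, reason="unknown operation")
    # Slide rule: OAuth takes precedence. A present-but-invalid bearer token is
    # rejected outright rather than silently falling back to the SM session.
    token = parse_bearer(headers)
    if token is not None:
        if token not in ACCESS_TOKENS:
            return Decision(False, source="oauth", reason="invalid token")
        subject, scopes = ACCESS_TOKENS[token]
        ok = required in scopes
        return Decision(ok, subject, "oauth", set(scopes),
                        reason="" if ok else f"missing scope {required}")
    # Fall back to the SiteMinder session: authorization initially comes from
    # SiteMinder roles, which the gateway translates into OAuth scopes.
    sm = parse_smsession(headers)
    if sm is None or sm not in SM_SESSIONS:
        return Decision(False, reason="no valid credential")
    subject, roles = SM_SESSIONS[sm]
    scopes = set().union(*(ROLE_TO_SCOPE.get(r, set()) for r in roles))
    # Translate the session into an access token carrying exactly those scopes,
    # so the client can continue with OAuth on subsequent calls.
    new_token = "tok-" + secrets.token_hex(8)
    ACCESS_TOKENS[new_token] = (subject, scopes)
    ok = required in scopes
    return Decision(ok, subject, "siteminder", scopes, new_token,
                    reason="" if ok else f"missing scope {required}")
```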
Security Architecture (future proof)
• Existing member services still provided mainly through NRECA Portal, requiring WAM
• Business driving IT security to be ready for mobile, social and cloud
• Security seeking to leverage existing access control policy (SiteMinder)
Securely Enabling your Business is a Journey
Lessons Learned
Different security options based on customer situation. Need to deliver app security and access control such as SSO based on when and where the customer needs it.
• Understand the business and their changing channel goals and service delivery initiatives
• Stay current with technology… the security space is changing rapidly
• Vision must be supported by Leadership (business case)
• Educate other teams (business, developers, etc.)
Questions 
Thanks for attending !!!

Editor's Notes

  1. Not all that long ago, if you wanted to access a website, you used a browser. That browser was your “window into the Internet”. BUT really, the website you visited dictated what you saw out that window, and invariably those websites didn’t share (or want to share) information. So if you opened your browser and went to check out the latest and greatest laptops available on Best Buy, Best Buy controlled what you saw, how you saw it, and certainly didn’t share information.
  2. Now, with the rise of mobile and the IoT, what some would call the next generation web or Web 3.0, consumers and employees access their Internet services across multiple channels. Certainly the Web is still prevalent, but social networks and computers have evolved to embrace phones and tablets, devices, and even wearables. The browser is no longer your window into the Internet; it’s all about the application, and this has created a whole new business model: the application economy.
  3. [BUILD SLIDE] The application economy has changed everything, but the core demands remain the same: faster delivery, better quality and lower costs. The app economy provides both challenges and great opportunities for organizations that leverage effective security to take advantage of them. When you look at the basic tenets of the new economy, two things are unchanged: you have applications, and you have identities. What HAS changed, as I said, is that browsers are no longer the center of the universe. [CLICK] The ability to provide omni-channel access, so that consumers can use their device of choice at that moment to access the same data; customer engagement, to ensure that customers don’t migrate to a competitor; access to and control of the IoT, both consumer and the Industrial Internet; developer ecosystems that excite the very people you need to help extend and grow your business; mobility, mobility, mobility; and finally cloud services, to provide a better and faster solution for your employees and customers: all of these are mandatory to leverage the new application economy. BUT there is one final change: the ability to tie ALL of this together, all these new opportunities with applications and identities, and that’s through [CLICK] APIs. APIs are the essential building block. And yes, this is a big change. BUT with change comes great opportunity.
  4. Users want to use the device of their choice to access the apps that contain the data. They also want that access to be convenient and simple. This means that security must be consistent across channels (Web, mobile) and as frictionless as possible. APIs provide an effective way for apps to get access to that data. APIs enable internal and external developers to create the complementary solutions that help grow your business. But APIs also must be secured: only properly authenticated and authorized users should be able to access them. Also, there must be developer capabilities that enable developers to access these APIs conveniently. This communication interaction must be simple, consistent, and most importantly, secure across the entire path. We are seeing a “digital platform” that enables the Open Enterprise to effectively and securely grow its business and engage with customers.
  5. [BUILD SLIDE] The CA API Management and Security platform is a flexible solution that consists of multiple components, based on your business needs. We start with the CA API Gateway: this is the workhorse of the Suite, translating APIs between frameworks, routing, traffic control/throttling, prioritization, caching, and, of course, enterprise-grade security that integrates with your existing IAM solution. [CLICK] Examples of that security solution consist of managing access and credentials to the API, including authentication, entitlement, API keys, social hooks for SSO, token services, OAuth (2-legged and 3-legged), and OpenID Connect. [CLICK] CA also provides the ability to manage the lifecycle and availability of the API, including health tracking, performance monitoring, staging, configuration migration, workflow, patch management, policy migration, and reporting. [CLICK] And finally, CA provides the capability for you to tightly manage developers’ access to APIs, including developer enrollment, plans, an API Explorer (we’ll take a look at that in a moment), API documentation, quota control, rankings, analytics, and even developer forums.