SSO Agility Made Possible - November 2014


Transcript of SSO Agility Made Possible - November 2014

Page 1: SSO Agility Made Possible  -  November 2014

SSO Agility Made Possible

November 2014

The future-proofing of your Web and Mobile Security Strategy

Page 2: SSO Agility Made Possible  -  November 2014

© 2014 CA. ALL RIGHTS RESERVED.

Introducing our Presenters

Clay Williams runs sales for the CA API Management Business Unit in the Southeast. He’s been in Development, Consulting, and Sales in the Integration/Middleware space for over 15 years at companies like webMethods, IBM, and CA Layer 7.

Drew Ames is the President & CEO of Acclaim Consulting Group, a leading services, consulting and system integration firm focused on Security, Identity, Governance and Access Management. For 15+ years, Drew has held several sales, delivery and executive leadership roles within the IAM space.

Jon Naglieri is the Principal Security Architect and has been with NRECA for 7 years. Jon has spearheaded the creation of an ‘Identity as a Service’ team while at NRECA, providing oversight and direction in the domains of IAM and Application Security.

Page 3: SSO Agility Made Possible  -  November 2014


Agenda

Time      Topic                                                      Presenter
5:05pm    Web Access Management and Identity as the New Perimeter    Drew Ames, Acclaim Consulting
~5:10pm   API Economy                                                Clay Williams, CA / Layer7
~5:15pm   NRECA… Future-Proofing the Security Architecture           Jon Naglieri, NRECA

Page 4: SSO Agility Made Possible  -  November 2014


Disruptive Events / Explosion of Channels

(Timeline diagram, left to right: WAM, XML, IoT, Cloud, Mobile, Social)

Page 5: SSO Agility Made Possible  -  November 2014


Web Access Management

(Diagram: mobile apps and multiple web apps authenticating against a shared LDAP directory)

Page 6: SSO Agility Made Possible  -  November 2014


Mobile-Access Growth Continues

82% of online time is spent with apps vs. browsers¹

Sources:
¹ Harvard Business Review, “For Mobile Devices, Think Apps, Not Ads”, Sunil Gupta, Head of HBR Marketing. March 2013.
² http://www.programmableweb.com/

Page 7: SSO Agility Made Possible  -  November 2014


Identity is the New Perimeter

(Diagram: Cloud, Social, Claims, Open Standards, Mobility)

SSO continues to expand…

Page 8: SSO Agility Made Possible  -  November 2014


Acclaim Consulting Group

Page 9: SSO Agility Made Possible  -  November 2014


Delivering New Customer Services Over the Internet Used to be All About the Browser

(Diagram: web content exposed through the perimeter DMZ, with the data behind it)

Page 10: SSO Agility Made Possible  -  November 2014


No Longer – It’s About the Application

(Diagram of channels: phones and tablets, social networks, computers, devices, web, wearable computers)

Page 11: SSO Agility Made Possible  -  November 2014


The Application Economy: New Challenges and Opportunities

Customer Engagement
Mobility
Cloud Services
App acceleration
Developer Ecosystems
Social login
Omni-channel access
Internet of Things / Big Data

(Diagram: Applications, Identities, APIs)

Page 12: SSO Agility Made Possible  -  November 2014


The New “Application Economy”

You need to ensure that the right people (IDENTITIES), using the device of their choice, can securely access applications (APP) to obtain data (DATA) through APIs (API).

Page 13: SSO Agility Made Possible  -  November 2014


CA API Management Suite

(Product capability diagram, grouped by function)

API-Enable the Data and Services: Throttling, Prioritization, Caching, Routing, Traffic Control, Transformation, Security, Composition

Secure Access to the API: Authentication, Social SSO, API Keys, Entitlements, OAuth 1.x, OAuth 2.0, OpenID Connect, Token Service

Manage the API Lifecycle: Health Tracking, Workflow, Performance, Global Staging, Reporting, Config Migration, Patch Management, Policy Migration

Manage the Developer Community: Developer Enrollment, API Docs, Forums, API Explorer, Rankings, Quotas, Plans, Analytics

Page 14: SSO Agility Made Possible  -  November 2014


National Rural Electric Cooperative Association

National service organization based in Arlington, VA and in business for more than 70 years

Provides employee benefits to over 170,000 individuals at more than 1,000 co-ops (rural electric cooperatives and public power districts) in 47 states. Benefits include:

401k, Medical, Dental, Life Insurance, etc.

Page 15: SSO Agility Made Possible  -  November 2014


NRECA Organization (IT)

(Org chart: Application Development, Information Security, Enterprise Architecture, IT Business Services and Information Security, IT Technical Services, IT Operations, Infrastructure, Network, Business)

Page 16: SSO Agility Made Possible  -  November 2014


Timeline: 2003 - 2008, 2010, 2012, 2014, FUTURE (the slide places each requirement/solution pair below on this timeline)

REQUIREMENT: Enhance the authentication service for members to best align with regulatory requirements
SOLUTION: Risk-Based and Strong Authentication (CA Auth & RiskMinder)

REQUIREMENT: Secure NRECA web resources and enable access to registered members
SOLUTION: Web Access Mgmt (CA SiteMinder)

REQUIREMENT: Portal-based services for members, with the ability to securely interact with a 3rd party benefit service provider
SOLUTION: Federation (CA SiteMinder)

FUTURE
REQUIREMENT: Provide security architecture guidance to the business and fuel adoption of new business delivery channels

REQUIREMENT: Close “gaps” in support for new security standards (OAuth, OpenID Connect). Align with the development environment shift and extend security to the API framework
SOLUTION: API Management (CA Layer7)

Page 17: SSO Agility Made Possible  -  November 2014


Drivers

Business
• Continue to secure NRECA offerings, address regulatory reporting requirements and…
• Seek ways (social, mobile and cloud) by which to quickly develop and deliver new offerings

IT / Developers
• Lean UX - Collaborative approach to interaction design. Rapidly experiment with design ideas, validate them with real users, and continually adjust your design based on what was learned (API-Centric)
• Web application framework that assists in creating single-page applications

Information Security
• Close ‘gaps’ on supporting new security standards
• Architect security to cover legacy, current and future requirements
• Seek to leverage, and extend, existing security policy

Page 18: SSO Agility Made Possible  -  November 2014


API Management Use Cases

(Use case table; columns: Use Case, API Providers, API Consumer, Identity Type, Use Case Examples, Backend API Security Policy, Gateway API Security Policy)

Use Case: NRECA Internal
API Providers: NRECA Internal Developer(s)
API Consumer: NRECA Internal Application
Identity Type: NRECA Intranet User: Staff Member, Group, Computer, Service Account
Use Case Example: GEMS Application tier calls the Extranet.IdentityProvider.CustomerData service (an internal-only service) to get identity data for an external customer
Backend API Security Policy: Configure for Integrated Windows Authentication and Authorization
Gateway API Security Policy: Require Integrated Windows Authentication; Require AD Groups for Authorization

Use Case: NRECA External - B2C - REST Client
API Providers: NRECA Internal Developer(s)
API Consumer: NRECA External REST Applications
Identity Type: NRECA Extranet User: Customer
Use Case Example: External customer interacts with an NRECA-developed client-side application such as an AngularJS App
Backend API Security Policy: Configure for Integrated Windows Authentication and Authorization
Gateway API Security Policy: Require OAuth (Implicit Flow) OR SiteMinder Session (OAuth takes precedence). Initially authorize against SiteMinder; use OAuth scopes for authorization. SiteMinder sessions can be automatically translated to an OAuth access token.
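The gateway policy for the B2C REST use case above (prefer an OAuth access token, otherwise accept a SiteMinder session and translate it to an access token, then authorize by OAuth scope), as an added Python example; it is not NRECA's or CA's code. The token store, session store, SMSESSION cookie name and scope names are constructed stand-ins for the gateway's token service and the SiteMinder policy server.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the gateway token store and SiteMinder session validator.
ACCESS_TOKENS = {"tok-abc": {"sub": "customer-42", "scopes": {"benefits:read"}, "exp": time.time() + 600}}
SM_SESSIONS = {"sm-xyz": {"sub": "customer-42"}}
SESSION_DEFAULT_SCOPES = {"benefits:read"}  # scopes granted when a session is translated

@dataclass
class Decision:
    allowed: bool
    subject: Optional[str]
    source: str   # "oauth", "siteminder" or "none"
    reason: str

def validate_access_token(token):
    rec = ACCESS_TOKENS.get(token)
    if rec is None or rec["exp"] < time.time():
        return None
    return rec

def translate_session_to_token(sm_session):
    # Mint a short-lived access token for a valid SiteMinder session.
    rec = SM_SESSIONS.get(sm_session)
    if rec is None:
        return None
    token = "tok-" + secrets.token_hex(8)
    ACCESS_TOKENS[token] = {"sub": rec["sub"], "scopes": set(SESSION_DEFAULT_SCOPES), "exp": time.time() + 300}
    return token

def authorize(headers, cookies, required_scope):
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        # OAuth takes precedence: a bad bearer token is rejected, not bypassed via a cookie.
        rec = validate_access_token(auth[len("Bearer "):])
        if rec is None:
            return Decision(False, None, "oauth", "invalid or expired access token")
        source = "oauth"
    elif "SMSESSION" in cookies:
        token = translate_session_to_token(cookies["SMSESSION"])
        if token is None:
            return Decision(False, None, "siteminder", "invalid SiteMinder session")
        rec, source = ACCESS_TOKENS[token], "siteminder"
    else:
        return Decision(False, None, "none", "no credential presented")
    if required_scope not in rec["scopes"]:
        return Decision(False, rec["sub"], source, "missing scope " + required_scope)
    return Decision(True, rec["sub"], source, "authorized")
```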

Page 19: SSO Agility Made Possible  -  November 2014


Security Architecture (future proof)

Existing member services still provided mainly through NRECA Portal, requiring WAM

Business driving IT security to be ready for mobile, social and cloud

Security seeking to leverage existing access control policy (SiteMinder)

Page 20: SSO Agility Made Possible  -  November 2014


Securely Enabling your Business is a Journey

Understand the business and their changing channel goals and service delivery initiatives

Stay current with technology… security space is changing rapidly

Vision must be supported by Leadership (business case)

Educate other teams (business, developers, etc.)

Lessons Learned

Different security options based on customer situation. Need to deliver app security and access control such as SSO based on when and where the customer needs it.

Page 21: SSO Agility Made Possible  -  November 2014

Questions

Thanks for attending !!!