SSO Agility Made Possible - November 2014
The future-proofing of your Web and Mobile Security Strategy
© 2014 CA. ALL RIGHTS RESERVED.
Introducing our Presenters
Clay Williams runs sales for the CA API Management Business Unit in the Southeast. He has been in development, consulting and sales in the integration/middleware space for over 15 years at companies such as webMethods, IBM and CA Layer 7.
Drew Ames is the President & CEO of Acclaim Consulting Group, a services, consulting and system integration firm focused on security, identity, governance and access management. For more than 15 years, Drew has held sales, delivery and executive leadership roles within the IAM space.
Jon Naglieri is the Principal Security Architect at NRECA, where he has worked for 7 years. Jon spearheaded the creation of an "Identity as a Service" team at NRECA, providing oversight and direction in the domains of IAM and application security.
Agenda
Time      Topic                                                     Presenter
5:05pm    Web Access Management and Identity as the New Perimeter   Drew Ames, Acclaim Consulting
~5:10pm   API Economy                                               Clay Williams, CA / Layer 7
~5:15pm   NRECA: Future-Proofing the Security Architecture          Jon Naglieri, NRECA
Disruptive Events / Explosion of Channels
[Figure: channels arriving over time: WAM, XML, Cloud, Mobile, Social, IoT]
Web Access Management
[Figure: Web Access Management in front of web apps and mobile apps, backed by an LDAP directory]
Mobile-Access Growth Continues
Online time spent with apps vs. browsers: 82% ¹
¹ Harvard Business Review, "For Mobile Devices, Think Apps, Not Ads", Sunil Gupta, Head of HBR Marketing, March 2013.
² http://www.programmableweb.com/
Identity is the New Perimeter
[Figure: SSO continues to expand across Cloud, Social, Mobility, Claims and Open Standards]
Acclaim Consulting Group
Delivering New Customer Services Over the Internet Used to Be All About the Browser
[Figure: web content exposed through the perimeter DMZ, in front of the data]
No Longer: It's About the Application
[Figure: channels reaching the application: phones and tablets, social networks, computers, devices, web, wearable computers]
The Application Economy: New Challenges and Opportunities
• Customer engagement
• Mobility
• Cloud services
• App acceleration
• Developer ecosystems
• Social login
• Omni-channel access
• Internet of Things / Big Data
[Figure: Applications, Identities, APIs]
The New "Application Economy"
You need to ensure that the right people (identities), using the device of their choice, securely access applications through APIs to obtain data.
CA API Management Suite
API-enable the data and services: Routing, Traffic Control, Transformation, Throttling, Prioritization, Caching, Security, Composition
Secure access to the API: Authentication, Social SSO, API Keys, Entitlements, OAuth 1.x, OAuth 2.0, OpenID Connect, Token Service
Manage the API lifecycle: Health Tracking, Workflow, Performance, Global Staging, Reporting, Config Migration, Patch Management, Policy Migration
Manage the developer community: Developer Enrollment, API Docs, Forums, API Explorer, Rankings, Quotas, Plans, Analytics
National Rural Electric Cooperative Association
National service organization based in Arlington, VA, in business for more than 70 years.
Provides employee benefits to over 170,000 individuals at more than 1,000 co-ops (rural electric cooperatives and public power districts) in 47 states. Benefits include 401(k), medical, dental, life insurance, etc.
NRECA Organization (IT)
[Figure: org chart: Information Security, Enterprise Architecture, Application Development, IT Business Services and Information Security, IT Technical Services, IT Operations, Infrastructure, Network, Business]
Security architecture timeline: 2003-2008, 2010, 2012, 2014, Future
REQUIREMENT: Enhance the authentication service for members to best align with regulatory requirements
SOLUTION: Risk-Based and Strong Authentication (CA AuthMinder & RiskMinder)
REQUIREMENT: Secure NRECA web resources and enable access to registered members
SOLUTION: Web Access Management (CA SiteMinder)
REQUIREMENT: Portal-based services for members, with the ability to securely interact with a third-party benefit service provider
SOLUTION: Federation (CA SiteMinder)
REQUIREMENT: Close gaps in support for new security standards (OAuth, OpenID Connect); align with the shift in the development environment and extend security to the API framework
SOLUTION: API Management (CA Layer 7)
FUTURE
REQUIREMENT: Provide security architecture guidance to the business and fuel adoption of new business delivery channels
Drivers
Business
• Continue to secure NRECA offerings and address regulatory reporting requirements
• Seek ways (social, mobile and cloud) to quickly develop and deliver new offerings
IT / Developers
• Lean UX: a collaborative approach to interaction design. Rapidly experiment with design ideas, validate them with real users, and continually adjust the design based on what was learned (API-centric)
• (framework name missing from the transcript): a web application framework that assists in creating single-page applications
Information Security
• Close gaps in support for new security standards
• Architect security to cover legacy, current and future requirements
• Seek to leverage and extend the existing security policy
API Management Use Cases

Use Case: NRECA Internal
API Providers: NRECA internal developer(s)
API Consumer: NRECA internal application
Identity Type: NRECA intranet user: staff, member, group, computer, service account
Use Case Example: GEMS application tier calls the Extranet.IdentityProvider.CustomerData service (an internal-only service) to get identity data for an external customer
Backend API Security Policy: Configure for Integrated Windows Authentication and authorization
Gateway API Security Policy: Require Integrated Windows Authentication; require AD groups for authorization

Use Case: NRECA External - B2C - REST client
API Providers: NRECA internal developer(s)
API Consumer: NRECA external REST applications
Identity Type: NRECA extranet user: customer
Use Case Example: External customer interacts with an NRECA-developed client-side application such as an AngularJS app
Backend API Security Policy: Configure for Integrated Windows Authentication and authorization
Gateway API Security Policy: Require OAuth (implicit flow) OR a SiteMinder session (OAuth takes precedence). Initially authorize against SiteMinder; use OAuth scopes for authorization. SiteMinder sessions can be automatically translated to an OAuth access token
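The gateway policy for the B2C REST use case, as an added example that is not CA's or NRECA's code: an OAuth 2.0 bearer token takes precedence over a SiteMinder session, a bearer token that is present but invalid is rejected rather than silently downgraded to cookie authentication, authorization is decided on scopes, and a SiteMinder session can be translated into an access token whose lifetime is capped by the session's. The opaque token format, the in-memory token and session stores, and the scope set granted to a portal session are assumptions; the `SMSESSION` cookie name is SiteMinder's. The implicit flow named in the table has since been deprecated by the OAuth 2.0 Security Best Current Practice in favour of the authorization code flow with PKCE for browser apps; the precedence and scope logic below is independent of which flow minted the token.

```python
"""Gateway decision for the B2C REST use case (added example, assumptions noted)."""
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory stores standing in for the gateway's OAuth token
# service and the SiteMinder policy server (assumptions for this example).
ACCESS_TOKENS = {}   # opaque bearer token -> {"sub", "scope", "exp"}
SM_SESSIONS = {}     # SMSESSION cookie value -> {"sub", "exp"}

# Assumed policy mapping: a valid SiteMinder portal session is treated as
# holding these scopes ("initially authorize against SiteMinder").
SM_SESSION_SCOPE = frozenset({"benefits:read"})


class AuthError(Exception):
    """Carries the HTTP status the gateway would return."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


@dataclass(frozen=True)
class Principal:
    sub: str
    scope: frozenset
    via: str  # "oauth" or "siteminder"


def _now(now):
    return time.time() if now is None else now


def issue_access_token(sub, scope, ttl=3600, now=None):
    """Mint an opaque access token (the token service's job)."""
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = {"sub": sub, "scope": frozenset(scope), "exp": _now(now) + ttl}
    return token


def create_sm_session(sub, ttl=1800, now=None):
    """Stand-in for a SiteMinder login that produces an SMSESSION cookie."""
    cookie = secrets.token_urlsafe(32)
    SM_SESSIONS[cookie] = {"sub": sub, "exp": _now(now) + ttl}
    return cookie


def _live_session(cookie, now):
    sess = SM_SESSIONS.get(cookie)
    if sess is None or sess["exp"] <= now:
        return None
    return sess


def translate_session_to_token(cookie, scope, now=None):
    """SiteMinder session -> OAuth access token. The token must not outlive
    the session it was derived from, so its TTL is capped accordingly."""
    now = _now(now)
    sess = _live_session(cookie, now)
    if sess is None:
        raise AuthError(401, "invalid or expired SiteMinder session")
    return issue_access_token(sess["sub"], scope, ttl=sess["exp"] - now, now=now)


def authenticate(headers, cookies, now=None):
    """OAuth takes precedence: when an Authorization header is present it is
    the only credential considered, so a bad token never falls back to the cookie."""
    now = _now(now)
    auth = headers.get("Authorization")
    if auth is not None:
        parts = auth.strip().split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "bearer":
            raise AuthError(401, "malformed Authorization header")
        tok = ACCESS_TOKENS.get(parts[1].strip())
        if tok is None or tok["exp"] <= now:
            raise AuthError(401, "invalid or expired access token")
        return Principal(tok["sub"], tok["scope"], "oauth")
    sess = _live_session(cookies.get("SMSESSION", ""), now)
    if sess is None:
        raise AuthError(401, "no valid credential presented")
    return Principal(sess["sub"], SM_SESSION_SCOPE, "siteminder")


def authorize(principal, required_scope):
    """Scope-based authorization, applied the same way to both credential types."""
    if required_scope not in principal.scope:
        raise AuthError(403, f"scope {required_scope!r} required")


def decide(headers, cookies, required_scope, now=None):
    """Full gateway decision for one request: (http_status, principal_or_None)."""
    try:
        principal = authenticate(headers, cookies, now)
        authorize(principal, required_scope)
    except AuthError as e:
        return e.status, None
    return 200, principal


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # fixed clock for a reproducible demo
    tok = issue_access_token("cust-42", {"benefits:read"}, ttl=600, now=t0)
    print(decide({"Authorization": "Bearer " + tok}, {}, "benefits:read", now=t0))
```

The one design choice worth calling out is in `authenticate`: precedence means "if a bearer credential is offered, judge the request on it", not "try OAuth, then try the cookie". Falling through to the session after a failed token check would let a client with a revoked or expired token keep calling the API on the strength of a browser cookie, which defeats the point of moving the API onto scoped tokens.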
Security Architecture (future-proof)
• Existing member services are still provided mainly through the NRECA portal, which requires WAM
• The business is driving IT security to be ready for mobile, social and cloud
• Security seeks to leverage the existing access control policy (SiteMinder)
Securely Enabling your Business is a Journey
• Understand the business and its changing channel goals and service delivery initiatives
• Stay current with technology: the security space is changing rapidly
• The vision must be supported by leadership (business case)
• Educate other teams (business, developers, etc.)
Lessons Learned
Different security options apply depending on the customer's situation: app security and access control such as SSO need to be delivered where and when the customer needs them.
Questions
Thanks for attending !!!