Post on 22-Jan-2018
Mobile Risk Analysis: Take Your Mobile App Security to the Next Level
Charley Chell
Security
CA Technologies
Security Product Management
SCT24T
@CharleyChell
#CAWorld
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Terms of this Presentation
For Informational Purposes Only
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
The mobile application is becoming the primary interface between your enterprise and end users — but what will be used to secure this access? Come learn how to leverage data from mobile devices to help identify the legitimacy of a user attempting to login or perform a sensitive transaction.
Charley Chell
CA Technologies
Advisor
Agenda
1. A BRIEF LOOK AT HISTORY
2. MOBILE DEVICE AUTHENTICATION
3. CAUTIONS
4. RAISING THE SECURITY BAR FOR AUTHENTICATION
Authentication – Traditional Ideas
Something that you KNOW
Something that you HAVE
Something that you ARE
Before Mobile
The Mobile Device
Brings together something that you HAVE and something that you ARE
Is your mobile separate from you?
Something About Mobile Devices
Everyone has one
Everyone has their own
Everyone (almost) has just one (may change from time to time, but one current)
And, it is not shared!
Mobile Devices and Authentication
Authenticate WITH
Authenticate TO
Authenticate THROUGH
Authentication Schemes
Lifelong: thumbprint, driver's license
Years: work badge, credit/debit card
Days: hotel room key, boarding pass
Authentication Schemes – Cautions
Lifelong: thumbprint, driver's license
Years: work badge, credit/debit card
Days: hotel room key, boarding pass
Cautions noted on the slide: fraudulent credentials; online check-in; stolen credentials; sophisticated fraud if the value is there
Mobile Device for Authentication – Significant Benefits
Multi-mode usability
– Visual – something the user can view and enter
– Interactive – direct interface at the POI
– Automatic – backend, without user interaction
Retention of usage history – user audit possible
Wealth of data – identify legitimate behavior
But, not without risk checks
General Pattern for Risk Assessment
Authentication for Browser-Based Access
Assessment generally at key points like login, accessing a new application, sensitive requests
Authentication has evolved
– From Username / Password
– Evolved to a strong 2FA primary credential, like a HW or SW token
– Now evolving to Username / Password + Out-of-Band One-Time Password (OOB OTP)
Authenticators shown: CA Auth ID, Q&A, OATH Tokens, OTP – Out of Band, CA Mobile OTP
Authentication for Browser-Based Access
Considerable discussion on new authenticators. However, there has been little progress on eliminating the password.
Many companies use hardware tokens for some small set of users.
The decision process here is largely based on fixed policies. However, the use of behavioral analytics is growing.
Q&A usage is on the decline and is being replaced by One Time Password (OTP) over SMS or email.
Confirmation via push notification is gaining ground.
What’s Driving the Changes?
Change 1 – Use of the Phone as an Authenticator
– Everyone has a phone
Hardware tokens are too cumbersome, but the need for multifactor authentication hasn’t changed. Passwords are too easy to crack.
– It’s a personal device
Only used by one person, always available, rarely shared
What’s Driving the Changes?
Change 2 – Behavioral Analytics Use
– A person’s behavior is difficult to mimic
An attacker must watch for a very long time to determine the behavior, and simulating it is still hard
– And generally, the attacker must change the behavior in order to accomplish the illegal act they are perpetrating
Risk Assessment is a Strong Credential
RISK DATA AVAILABLE: Where is the user? What device is being used? What is the user trying to do? Is the action consistent with history?
LOCATION
– Is the location inherently suspect?
– Have they been there before?
– Where were they recently?
DEVICE DNA
– What kind of device is it?
– Have they used it before?
– Has it changed since they last used it?
BEHAVIOR
– Is this a typical action for the user?
– Is the action inherently risky?
– Have they taken similar actions before?
HISTORY
– Is this a normal time of day for them?
– Is their frequency of login abnormal?
– Is their current action consistent with prior actions?
Authentication for the Mobile App
“Login” is different. That concept doesn’t really exist in the app world.
App developer has a choice
– Trust the on-phone authentication (e.g., Touch ID)
– Supplement the on-phone authentication with something else, like an SMS to verify that the phone is bound to the phone number on file
– Authenticate from the app
Authentication for the Mobile App
Access generally is persistent. The app always knows who you are.
The decision process here is largely nonexistent today.
Therefore, the concept of risk-based additional authentication is just emerging. But it will take many forms, ranging from identity confirmation to transaction signing.
Most apps provide the option to require a PIN/fingerprint at the first major activity.
Why Mobile Risk is Important
Credentials can be compromised
– Phones may be lost/stolen
– Or simply left unlocked at the desk
Behavioral assessment is the best indicator of identity
Wealth of data available on a phone, much more than in the browser world
Let’s Take a Look at Mobile Risk Up Close
Rich data available on mobile
Can generate a risk score
Can require step up based on score
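The four risk-data categories listed earlier (location, device DNA, behavior, history) and the "generate a score, require step-up based on the score" flow described on this slide, as an added worked example. This is not CA Risk Authentication's logic or any code from the presentation: the signal weights, the 900 km/h impossible-travel threshold, the catalogue of risky actions, and the 30/60 decision thresholds are assumptions chosen for illustration, and the user history it scores against is constructed sample data.

```python
"""Score a mobile login/transaction event against a user's retained history."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

RISKY_ACTIONS = {"add_payee", "change_password", "transfer"}  # assumed catalogue
MAX_PLAUSIBLE_KMH = 900.0  # assumed: faster than this between two events is "impossible travel"


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


@dataclass
class Profile:
    """What the backend has retained about one user (the HISTORY side of the assessment)."""
    devices: dict = field(default_factory=dict)    # device_id -> attribute dict ("device DNA")
    countries: set = field(default_factory=set)
    actions: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)  # UTC hours of day seen before
    last_seen: Optional[Tuple[Tuple[float, float], datetime]] = None  # (geo, timestamp)


def score_event(profile: Profile, ev: dict) -> Tuple[int, List[str]]:
    """Return (risk score capped at 100, reasons). Weights are illustrative assumptions."""
    score, reasons = 0, []

    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    # DEVICE DNA: unknown device, or a known device whose fingerprint changed since last use
    known = profile.devices.get(ev["device_id"])
    if known is None:
        hit(40, "unknown device")
    elif known != ev["device"]:
        hit(20, "device attributes changed")
    # LOCATION: country never seen before; impossible travel since the previous event
    if ev["country"] not in profile.countries:
        hit(25, "new country")
    if profile.last_seen:
        last_geo, last_ts = profile.last_seen
        hours = max((ev["ts"] - last_ts).total_seconds() / 3600.0, 1e-6)
        if haversine_km(last_geo, ev["geo"]) / hours > MAX_PLAUSIBLE_KMH:
            hit(40, "impossible travel")
    # BEHAVIOR: inherently risky action; action this user has never performed
    if ev["action"] in RISKY_ACTIONS:
        hit(15, "risky action")
    if ev["action"] not in profile.actions:
        hit(10, "first time for this action")
    # HISTORY: outside the hours this user is normally active
    if profile.usual_hours and ev["ts"].hour not in profile.usual_hours:
        hit(10, "unusual hour")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Policy (assumed thresholds): allow; step up (e.g. OOB OTP or push); or deny / require signing."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step-up"
    return "deny"


def update_profile(profile: Profile, ev: dict) -> None:
    """After an event succeeds (possibly after step-up), fold it into the user's history."""
    profile.devices[ev["device_id"]] = dict(ev["device"])
    profile.countries.add(ev["country"])
    profile.actions.add(ev["action"])
    profile.usual_hours.add(ev["ts"].hour)
    profile.last_seen = (ev["geo"], ev["ts"])


def demo() -> dict:
    """Constructed history: one user, one phone, balance checks from London at 09:00 UTC."""
    p = Profile()
    phone = {"model": "iPhone 6s", "os": "iOS 9.1", "jailbroken": False}
    london = (51.5074, -0.1278)
    for day in range(1, 6):
        update_profile(p, {"device_id": "dev-A", "device": phone, "geo": london, "country": "GB",
                           "ts": datetime(2015, 11, day, 9, 0, tzinfo=timezone.utc),
                           "action": "view_balance"})
    routine = {"device_id": "dev-A", "device": phone, "geo": london, "country": "GB",
               "ts": datetime(2015, 11, 6, 9, 30, tzinfo=timezone.utc), "action": "view_balance"}
    # Same phone, now reporting itself jailbroken, adding a payee at 03:00.
    suspicious = {**routine, "device": {**phone, "jailbroken": True}, "action": "add_payee",
                  "ts": datetime(2015, 11, 6, 3, 0, tzinfo=timezone.utc)}
    # Unknown device in New York one hour after the last London event, making a transfer.
    hostile = {"device_id": "dev-B", "device": {"model": "Nexus 5", "os": "Android 6", "jailbroken": False},
               "geo": (40.7128, -74.0060), "country": "US",
               "ts": datetime(2015, 11, 5, 10, 0, tzinfo=timezone.utc), "action": "transfer"}
    return {name: score_event(p, ev) for name, ev in
            (("routine", routine), ("suspicious", suspicious), ("hostile", hostile))}


if __name__ == "__main__":
    for name, (score, reasons) in demo().items():
        print(f"{name}: score={score} decision={decide(score)} reasons={reasons}")
```

The reasons list is what matters operationally: a step-up prompt or a fraud-desk case is far easier to act on when it carries "device attributes changed, unusual hour" than a bare number, and the same list is what the user-audit trail mentioned on the benefits slide is built from. Note that `update_profile` must run only after the event has been confirmed legitimate, otherwise an attacker's first stepped-up-then-failed attempt would teach the profile to trust their device.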
Top 5 Takeaways
1. The mobile device improves the browser authentication experience
– Easy, intuitive experience
– Provides a platform for security: mobility index
2. And mobile app authentication is becoming increasingly important
– Organizations are looking to apps as a way to reach their customers
– Authentication is of course necessary
3. Mobile app authentication is lagging the browser
– Risk assessment not prevalent
– But will become important quickly
4. Users use multiple devices in multiple locations
– You have to tie the activity together
– Risk assessment that uses behavioral profiling and a mobility index can account for this
5. Mobile device identification gives us an important tool
– More precise, and more data available to make a decision
– Can be done without invading the user’s privacy
CA Advanced Authentication
Versatile Authentication – CA Strong Authentication™
– CA Auth ID
– Q&A
– OATH Tokens
– OTP – Out of Band
– CA Mobile OTP
Contextual Authentication – CA Risk Authentication™
– Where is the user?
– What is the user trying to do?
– Is the action consistent with history?
– What device is being used?
Recommended Sessions
SESSION # | TITLE | DATE/TIME
SCT21T | Enable Omnichannel with Security and API Management | Thurs. Nov 19 at 2:00 pm
SCT17T | Strong Auth in IdM | Thurs. Nov 19 at 3:45 pm
Must See Demos
Protect Against Fraud & Breaches – CA Advanced Auth – Security Theater
Engage Customers – CA SSO – Security Theater
Innovation – IoT Slot Car – CA AA, APIM – Security Theater
Secure Omni-Channel Access – CA AA, APIM, SSO – Security Theater
Q & A
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15