API Risk: Taking Your API Security to the Next Level
CA World® '16
API Risk: Taking Your API Security to the Next Level
Tabish Tanzeem, CISSP - Senior Principal Consultant - CA Technologies
Daniel Brudner, CISSP, CISA, CCSK - Senior Principal Consultant - CA Technologies
SCX25V
SECURITY
2 © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
Terms of this Presentation: For Informational Purposes Only
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Mobile applications and the Internet of Things will continue to transform the way users interact with the business—but how will we secure this access? For example, even as mobile payments have grown exponentially in the past 12–18 months, payment fraud from mobile devices has grown even faster. In this session, we'll discuss how CA Advanced Authentication can be integrated with the CA API Gateway to provide a solution we call API Risk to address this challenge. API Risk provides a way to embed contextual risk analysis and/or strong authentication within the API calls to confirm device identities and ensure that end users are who they claim to be.
Daniel Brudner & Tabish Tanzeem
CA Technologies Security
Agenda
1. IoT and Mobile Trends
2. Traditional Approaches to Authentication
3. Logical Architecture
4. CA Advanced Authentication
5. CA API Gateway
6. Integration
The IoT Ecosystem
(Diagram labels: Sensor; Network/Carriers; IoT Gateway; Cloud; Open Data Platform; IoT Platform; Connected Car; Smart Products; Smart Utilities; Smart Analytics; 'Makers'; 'Users'; Home IoT; Industrial IoT; Information Technology; Operations Technology; Wearables; Platforms; Intelligent Gateways; Consumers; Connected Health; Smart Energy; Smart Transportation; Smart Factories; Enterprise; 'Edge'; Systems Integration/Services)
IoT – Today and Tomorrow, 2015–2025*
(Chart: connected IoT devices in billions, by year from 2015 to 2025, on a 0–90 billion axis. *Scenario based for 2020–2025.)
Today: 4,800 connected IoT devices per minute
By 2025: 152,200 connected IoT devices per minute
Challenges with IoT
§ 80 billion IoT devices by 2025 (they all want to have identities…) – need to manage exponentially more identities than current humans' identities
§ Dynamic high mobility of IoT devices creates more risk
– Devices appear and disappear in different locations
– Need to uniquely identify the device
– Need to identify changes in device fingerprint
Challenges with IoT
§ Manage interaction/relationship of IoT with other devices, humans, services - IRM
– Authentication
– Authorization
– Auditing
– Administration
§ Traditional borders are gone
§ Compute-constrained resources (IoT devices) require delegation of authentication and authorization to less-constrained devices
§ How do I know the device has been compromised?
A Shift in Criminal Activity
Cybercriminals are expanding their reach beyond traditional targets of consumer banking and credit cards. They are now looking to steal valuable data that is accessible online.
The Top 5 Sectors Breached (1)
Healthcare 37%
Retail 11%
Education 10%
Gov/Public 8%
Financial 6%
95% of [Web] incidents involve harvesting credentials stolen from customer devices, then logging into web apps with them (2).
1. Symantec Internet Threat Report 2015
2. Verizon Data Breach Report 2015
Traditional Approaches to Authentication
Something that you KNOW
Something that you HAVE
Something that you ARE
Passwords are the primary mechanism used for most online Internet sites, but…
56% of enterprises plan to move away from passwords in the next 36 months (1).
And…
[Forrester's] survey found device-based authentication, fingerprinting, and one-time passwords combined with biometrics as having the greatest chance of augmenting then replacing passwords [for business-to-customer IAM]. (1)
1. Forrester, "How To Get Away With Murder: Authentication Technologies That Will Help You Kill Passwords", Andras Cser and Merritt Maxim, Sep. 2015.
Have you considered the impact to your users?
"User experience (UX) is an important selection criteria, ahead of both trust and total cost of ownership in a majority of organizations" (1)
"A Gartner survey of U.S. bank customers, conducted in the wake of banks introducing new authentication methods for retail banking in response to Federal Financial Institutions Examination Council (FFIEC) guidance, revealed that 12% of customers had considered changing banks because they found what their banks had done to be too onerous, and 3% actually changed banks. Poor UX led to lost business" (1)
1. Gartner, "Market Guide for User Authentication", Ant Allan, Anmol Singh, and David Anthony Mahdi, 12 February 2016.
What if you could…
Authenticate user with simple password
Analyze risk based on behavior, device and location
Initiate step-up authentication when risk is high
…from a single authentication solution?
Introducing CA Advanced Authentication
Two best-of-breed components that can be deployed individually or together:
Contextual Authentication: CA Risk Authentication™
– Where is the identity?
– What is the identity trying to do?
– Is the action consistent with history?
– What device is being used?
Versatile Authentication: CA Strong Authentication™
– CA Auth ID
– Q&A
– OATH Tokens
– OTP – Out of Band
– CA Mobile OTP
CA Risk Authentication
(Diagram labels: AUTHENTICATION METHODS; RISK ANALYSIS TECHNIQUES)
Make real-time decisions based on the risk of the login attempt
– Where is the identity?
– What is the identity trying to do?
– Is the action consistent with history?
– What device is being used?
KEY FEATURES
§ Behavioral risk modeling
§ Dynamic rules
§ DeviceDNA™ device identification
§ Transparent data collection
§ Mobile Risk
KEY BENEFITS
§ Frictionless customer experience
§ Deep integration with CA SSO
§ Reduce fraud risk
§ Control costs associated with fraud
CA Strong Authentication
KEY FEATURES
§ Eliminates risk of stolen passwords
§ Converts device into 2F credential
§ Variety of integration options
§ Highly configurable/scalable
§ Available on premise or in cloud
KEY BENEFITS
§ Easy for customer to use
§ Choice of authentication methods
§ Use across multiple channels
§ Enhanced security & compliance
AUTHENTICATION METHODS
Identify the user using a range of authentication options
– CA Auth ID
– Q&A
– OATH Tokens
– OTP – Out of Band
– CA Mobile OTP
But isn't the Internet Portal dead?
The digital transformation is under way
1.75B smartphone users in 2014 (1)
25 business apps per device (2)
50B connected devices (IoT) by 2020 (3)
>$100B in cloud spending this year (4)
Sources: 1. CA Vanson Bourne Study; 2. eMarketer study; 3. McKinsey Global Institute, Disruptive Technologies: advances that will transform life, business and the global economy, May 2013; 4. GSMA Intelligence, From Concept to Delivery: the M2M Market Today, Feb. 17, 2014
Something about Mobile Devices
63% of mobile users will access online content through their mobile devices by 2017 (1).
70% of population worldwide will use smartphones by 2020 (1).
1. http://www.pcmag.com/article2/0,2817,2485277,00.asp
2. http://www.statista.com/topics/779/mobile-internet
How Mobile Device Is Changing Authentication
Authenticate WITH
Authenticate TO
Authenticate THROUGH
In 2017, figures suggest that more than 63.4 percent of mobile phone users will access online content through their devices (1).
1. http://www.statista.com/topics/779/mobile-internet/
But What About the Mobile Apps?
§ Authentication is different
§ App developers have a choice
– Trust the device unlocking mechanism (e.g., Touch ID)
– Supplement device security with app login
§ If authentication is built into the app, then must decide
– Do you prompt for credentials every time the app is opened (not user-friendly)
– Or do you save credentials on the device (not very secure)
How Our Solution Addresses Mobile Devices…
AUTHENTICATE WITH: CA Advanced Authentication provides a CA Mobile OTP app for most smartphones and tablets. This 2FA credential is a secure software passcode generator that allows mobile phones and tablets to become a convenient authentication device. In addition, CA Advanced Authentication can also support out-of-band authentication, sending an OTP to the user via email, text, or voice.
AUTHENTICATE TO: When relying on the device security, CA Advanced Authentication can increase the security of the mobile app via a capability called Mobile Risk. This approach embeds libraries into the mobile app. When the user opens the app, the libraries will collect data from the device and forward it to CA Advanced Authentication for analysis. If the risk score exceeds a defined threshold, the solution can initiate a step-up authentication.
AUTHENTICATE THROUGH: CA Advanced Authentication can be integrated with external biometric solutions to support authentication through the device. This could include leveraging Apple Touch ID, voice prints, facial images, etc.
Risk Analytics – Why It's Cool
• Effective analytics technique ideally suited for customers where routine fraud marking is not available.
• Approach is based on assessing whether behavior is normal or abnormal. It is not based on prior fraud data.
• Learns quickly, starts active assessment upon deployment.
• No configuration or training. It can adapt to your user population.
CA API Management: The Building Blocks of Digital Transformation
(Diagram: Outside the Enterprise: Internet of Things; Mobile; SaaS/Cloud Solutions (AWS, Google, SFDC…); Partner Ecosystems; External Developers. Within the Enterprise: Secure Data; Application Portfolio; ID/Authentication; Reporting & Analytics; Internal Teams.)
Secure the Open Enterprise
✓ Protect against threats and OWASP vulnerabilities
✓ Control access with SSO and identity management
✓ Provide end-to-end security for apps, mobile, and IoT
Integrate and Create APIs
✓ Easily connect SOA, ESB, and legacy applications
✓ Aggregate data including NoSQL up to 10x faster
✓ Build scalable connections to cloud solutions
✓ Automatically create data APIs with live business logic
Unlock the Value of Data
✓ Monetize APIs to generate revenue
✓ Build digital ecosystems to enhance business value
✓ Create efficiencies through analytics and optimization
Accelerate Mobile/IoT Development
✓ Simplify and control developer access to data
✓ Build a wider partner or public developer ecosystem
✓ Leverage tools that reduce mobile app delivery time
The Integration: Value Proposition
§ Return on Investment – Enhanced security reduces fraud losses by protecting the brand
§ Faster Time to Value – SDK allows organizations to quickly deploy risk collectors into their mobile apps and IoT devices
§ User Convenience – Transparent risk analysis enhances app security without impacting user experience
§ Adaptability – Configurable rules engine allows administrators to create & modify risk rules to balance user/device convenience with threat mitigation
Enhancing App Security With Mobile Risk: Process Flow
(Diagram: Consumer → Mobile Devices / Mobile App → Web Services → Applications → Application Data)
The typical process is that the user opens the app on their mobile device, and may or may not be prompted to authenticate before accessing enterprise applications and data.
But… there is no real security beyond the password or PIN enforced by the app.
In addition, because many apps store a session token on the device, access can be easily compromised if the mobile device is stolen or lost.
Mobile Risk can address this weakness!
Enhancing App Security With Mobile Risk: Process Flow
The first step is to embed the Mobile DeviceDNA data collectors within the mobile app that you wish to protect.
The SDK will communicate with the CA Advanced Authentication servers.
(Diagram: Consumer → Mobile Devices / Mobile App + SDK → Web Services → Applications → Application Data; CA Adv. Auth)
Enhancing App Security With Mobile Risk: Process Flow
When the identity opens the app, the SDK will transparently conduct a risk evaluation, which could occur after authentication but before the user is given access to any data.
The SDK will collect device data and send it to the risk engine for analysis.
Analysis includes:
• Location
• Device Identification
• Identity Behavior
(Diagram: Consumer → Mobile Devices / Mobile App + SDK → Web Services → Applications → Application Data; CA Adv. Auth)
Enhancing App Security With Mobile Risk: Process Flow
If the risk analysis returns a LOW risk score, the risk engine will return an "Approve" message and the identity will be allowed to continue to access application data.
(Diagram: Consumer → Mobile Devices / Mobile App + SDK → Web Services → Applications → Application Data; CA Adv. Auth)
Enhancing App Security With Mobile Risk: Process Flow
If the risk analysis returns a MEDIUM risk score, the risk engine can initiate a Step-Up Authentication process (e.g., push notification or out-of-band OTP).
After the identity answers the step-up challenge, they are allowed to access application data.
(Diagram: Consumer → Mobile Devices / Mobile App + SDK → Web Services → Applications → Application Data; CA Adv. Auth; step-up via Push Notification or Out of Band Authentication)
Enhancing App Security With Mobile Risk: Process Flow
If the risk analysis returns a HIGH risk score, the risk engine could return a "Deny" message and the user would not be allowed to access any application data.
(Diagram: Consumer → Mobile Devices / Mobile App + SDK → Web Services → Applications → Application Data; CA Adv. Auth; Access Denied)
Logical Architecture
(Diagram: Consumer → Mobile Devices / Mobile App [API SDK, AA SDK] → CA API Gateway → Applications / Data; CA Advanced Authentication)
CA Advanced Authentication: risk analysis, behavior profiling, & step-up authentication
AA Mobile SDK to collect risk data from device
IoT/Mobile App Risk Analysis: Initial Process
The first step is to embed the CA Advanced Authentication SDK within the mobile app that you wish to protect.
The SDK will collect risk data, which is transmitted for analysis to the AA servers via the Gateway.
(Diagram: Consumer → Mobile Devices / Mobile App [AA SDK] → CA API Gateway → CA Advanced Authentication)
IoT/Mobile App Risk Analysis in Action: Registration Process
When the user downloads the mobile app and registers for the first time, the SDK will collect DeviceDNA data so that CA Advanced Authentication can fingerprint the device.
The device is associated with the identity and the fingerprint is stored for future comparisons.
In addition, the solution can initiate an out-of-band or alternative authentication to validate the identity.
(Diagram: Consumer → Mobile Devices / Mobile App [AA SDK] → CA API Gateway → CA Advanced Authentication)
IoT/Mobile App Risk Analysis in Action: The Improved Process
Process Steps:
1. Identity opens app and authenticates with their User ID/password
2. Credentials validated by the CA API Gateway
3. Risk data collected from mobile device and sent for analysis
4. Risk engine evaluates contextual data and determines risk score (Known device? Jailbroken? Negative IP or country? Typical behavior? Velocity? etc.)
5. If risk score is high, an out-of-band (OOB) challenge is sent to the identity
6. Identity responds to OOB challenge to validate their identity
7. If identity is validated, gateway routes API request and returns response
NOTE: If risk score is too high, the API request can also be blocked
(Diagram: Consumer → Mobile Devices / Mobile App [API SDK, AA SDK] → CA API Gateway → Applications; CA Advanced Authentication)
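As an added example (not CA's code and not part of the original deck), the following Python models the improved process above together with the LOW/MEDIUM/HIGH branches of the Mobile Risk process flow and the fingerprint stored at registration: a gateway check of the user ID/password, a risk engine that scores the signals listed in step 4 (known device via the stored fingerprint, jailbroken flag, negative country, typical hours, velocity), and the resulting allow / out-of-band step-up / deny decision. Every user, device attribute, signal weight, threshold and the OUTBOX stand-in for the OOB channel is constructed for the demonstration; the real SDK, DeviceDNA collectors and CA servers are not modelled.

```python
"""Added example, not CA's code: a toy model of the gateway-mediated flow in the
slides. The gateway validates credentials, a risk engine scores the device and
context data the app SDK collected, and the decision is allow, step-up via an
out-of-band OTP, or deny. Users, devices, weights and thresholds are constructed."""
import hashlib
import hmac
import math
import secrets
from datetime import datetime, timezone


def fingerprint(device):
    """Stable hash over the collected device attributes (stand-in for DeviceDNA)."""
    canon = "|".join(f"{k}={device[k]}" for k in sorted(device))
    return hashlib.sha256(canon.encode()).hexdigest()


# Constructed enrollment record: what the registration step would have persisted.
ENROLLED_DEVICE = {"model": "phone-x", "os": "iOS 9.3", "locale": "en_US", "screen": "750x1334"}
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "device_fp": fingerprint(ENROLLED_DEVICE),
        "last_login": {"lat": 40.71, "lon": -74.01,
                       "at": datetime(2016, 11, 16, 9, 0, tzinfo=timezone.utc)},
        "usual_hours": range(7, 22),  # UTC hours this identity normally logs in
    }
}
BLOCKED_COUNTRIES = {"XX"}     # constructed "negative country" list
STEP_UP_AT, DENY_AT = 40, 70   # constructed score thresholds (medium / high)
OUTBOX = []                    # stands in for the email/text/voice OOB channel


def validate_credentials(user, password):
    """Step 2: the gateway checks user ID/password against the stored PBKDF2 hash."""
    rec = USERS.get(user)
    if rec is None:
        return False
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return hmac.compare_digest(h, rec["pw_hash"])


def km_between(a, b):
    """Great-circle distance in km, used for the velocity ("impossible travel") check."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def risk_score(user, device, ctx):
    """Step 4: weighted sum of the signals the slide lists (known device? jailbroken?
    negative country? typical behaviour? velocity?). Returns (score, reasons)."""
    rec, score, reasons = USERS[user], 0, []
    if fingerprint(device) != rec["device_fp"]:
        score, reasons = score + 30, reasons + ["unknown device"]
    if ctx.get("jailbroken"):
        score, reasons = score + 25, reasons + ["jailbroken"]
    if ctx["country"] in BLOCKED_COUNTRIES:
        score, reasons = score + 40, reasons + ["negative country"]
    if ctx["at"].hour not in rec["usual_hours"]:
        score, reasons = score + 15, reasons + ["atypical hour"]
    hours = (ctx["at"] - rec["last_login"]["at"]).total_seconds() / 3600
    if hours > 0 and km_between(rec["last_login"], ctx) / hours > 1000:  # faster than an airliner
        score, reasons = score + 35, reasons + ["impossible travel"]
    return score, reasons


def evaluate(user, password, device, ctx):
    """Steps 2-5: returns a decision dict; 'step_up' carries the OTP hash to check later."""
    if not validate_credentials(user, password):
        return {"decision": "deny", "score": None, "reasons": ["bad credentials"]}
    score, reasons = risk_score(user, device, ctx)
    if score >= DENY_AT:
        return {"decision": "deny", "score": score, "reasons": reasons}
    if score >= STEP_UP_AT:
        otp = f"{secrets.randbelow(10**6):06d}"
        OUTBOX.append((user, otp))  # delivered out of band, never returned to the app
        return {"decision": "step_up", "score": score, "reasons": reasons,
                "otp_hash": hashlib.sha256(otp.encode()).hexdigest()}
    return {"decision": "allow", "score": score, "reasons": reasons}


def answer_step_up(pending, otp):
    """Step 6: the identity answers the OOB challenge; compared in constant time."""
    ok = hmac.compare_digest(hashlib.sha256(otp.encode()).hexdigest(), pending["otp_hash"])
    return {"decision": "allow" if ok else "deny"}


# Constructed requests: the enrolled device from the usual place, a new device late
# at night, and the enrolled device "appearing" in a blocked country two hours later.
NYC = {"lat": 40.71, "lon": -74.01, "country": "US"}
CTX_NORMAL = dict(NYC, at=datetime(2016, 11, 16, 12, 0, tzinfo=timezone.utc))
CTX_LATE = dict(NYC, at=datetime(2016, 11, 16, 23, 0, tzinfo=timezone.utc))
CTX_FAR = {"lat": 1.35, "lon": 103.82, "country": "XX",
           "at": datetime(2016, 11, 16, 11, 0, tzinfo=timezone.utc)}
NEW_DEVICE = dict(ENROLLED_DEVICE, os="iOS 10.1")

if __name__ == "__main__":
    print(evaluate("alice", "correct horse", ENROLLED_DEVICE, CTX_NORMAL))
    pending = evaluate("alice", "correct horse", NEW_DEVICE, CTX_LATE)
    print(pending, answer_step_up(pending, OUTBOX[-1][1]))
    print(evaluate("alice", "correct horse", ENROLLED_DEVICE, CTX_FAR))
```

Run it directly to see the three constructed requests produce allow, step-up and deny. The weights are illustrative; in the deck's terms the configurable rules engine would own them, and the point of the structure is that the app only ever receives a decision and an OTP hash, while the OTP itself travels out of band.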
Top 5 Takeaways
1. The mobile device improves the browser authentication experience
– Easy, intuitive experience
– Provides a platform for security
– Mobility index
2. And mobile app authentication is becoming increasingly important
– Organizations are looking to apps as a way to reach their customers
– Authentication is of course necessary
3. Mobile app authentication is lagging the browser
– Risk assessment not prevalent
– But will become important quickly
4. Users use multiple devices in multiple locations
– You have to tie the activity together
– Risk assessment that uses behavioral profiling and a mobility index can account for this
5. Mobile device identification gives us an important tool
– More precise and more data available to make a decision
– Can be done without invading the user's privacy
Recommended Sessions
SESSION# | TITLE | DATE/TIME
SCX73S | Best Western Improves Security for 5M+ Rewards Members with Simeio Identity as a Service (IDaaS) Powered by CA Security | 11/16/2016 at 3:00pm
SCX20S | CA Roadmap: Authentication, Single Sign-On, Directory | 11/17/2016 at 1:45pm
SCX50S | Convenience and Security for banking customers with CA Advanced Authentication | 11/17/2016 at 3:00pm
SCX75S | Risk-aware access to Office 365™ | 11/17/2016 at 3:45pm
SCX52S | Protecting Qualcomm IP with CA Advanced Authentication | 11/17/2016 at 4:30pm
Don't Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!
We want to hear from you!
§ IT Central is a leading technology review site. CA has them to help generate product reviews for our Security products.
§ ITCS staff may be at this session now! (look for their shirts). If you would like to offer a product review, please ask them after the class, or go by their booth.
Note:
§ Only takes 5-7 mins
§ You have total control over the review
§ It can be anonymous, if required
Questions?
Stay connected at communities.ca.com
Thank you.
Security
For more information on Security, please visit: http://cainc.to/EtfYyw