API Risk: Taking Your API Security to the Next Level

World®’16

APIRisk:TakingYourAPISecuritytotheNextLevelTabishTanzeem,CISSP- SeniorPrincipalConsultant- CATechnologiesDanielBrudner,CISSP,CISA,CCSK- SeniorPrincipalConsultant- CATechnologies

SCX25V

SECURITY

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation


Abstract

MobileapplicationsandtheInternetofThingswillcontinuetotransformthewayusersinteractwiththebusiness—buthowwillwesecurethisaccess?Forexample,evenasmobilepaymentshavegrownexponentiallyinthepast12–18months,paymentfraudfrommobiledeviceshasgrownevenfaster.Inthissession,we’lldiscusshowCAAdvancedAuthenticationcanbeintegratedwiththeCAAPIGatewaytoprovideasolutionwecallAPIRisktoaddressthischallenge.APIRiskprovidesawaytoembedcontextualriskanalysisand/orstrongauthenticationwithintheAPIcallstoconfirmdeviceidentitiesandensurethatendusersarewhotheyclaimtobe.

DanielBrudner&TabishTanzeem

CATechnologiesSecurity


Agenda

IOTANDMOBILETRENDS

TRADITIONALAPPROACHESTOAUTHENTICATION

LOGICALARCHITECTURE

CAADVANCEDAUTHENTICATION

CAAPIGATEWAY

INTEGRATION

1

2

3

4

5

6


TheIoT Ecosystem

Sensor

Network/Carriers

IoTGateway

Cloud

OpenData

Platform

IoTPlatform

ConnectedCar

SmartProducts

SmartUtilities

SmartAnalytics

‘Makers’‘Users’

HomeIoT

IndustrialIoT

InformationTechnology

OperationsTechnology

Wearables

Platforms

IntelligentGateways

Consumers

ConnectedHealth SmartEnergy

SmartTransportation SmartFactories

Enterprise ‘Edge’

SystemsIntegration/Services


IoT– TodayandTomorrow2015– 2025*

0

10

20

30

40

50

60

70

80

90

2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025

Billion

s

*ScenarioBased(2020– 2025)

1 5 2 2 0 0, connectedIoTdevicesperminuteBy20254 8 0 0, connectedIoTdevicesperminuteToday


ChallengeswithIoT§ 80BillionIoT devicesby2025(theyallwanttohave

Identities…)– needtomanageexponentiallymoreidentitiesthancurrenthumans’Identities

§ DynamichighmobilityofIoT devicescreatesmoreRisk– Devicesappearanddisappearindifferentlocations– Needtouniquelyidentifythedevice– Needtoidentifychangesindevicefingerprint


ChallengeswithIoT§ Manageinteraction/relationshipofIoTwithotherdevices,humans,

services- IRM– Authentication– Authorization– Auditing– Administration

§ Traditionalboardersaregone

§ Computeconstrainedresources(IoTdevices)requiredelegationofauthenticationandauthorizationtoless-constraineddevices

§ HowdoIknowthedevicehasbeencompromised?


AShiftinCriminalActivityCybercriminalsareexpandingtheirreachbeyondtraditionaltargetsofconsumerbankingandcreditcards.Theyarenowlookingtostealvaluabledatathatisaccessibleonline.

TheTop5SectorsBreached1

Healthcare37%

Retail11%

Education10%

Gov/Public8%

Financial6% 95%

Of[Web]incidentsinvolveharvestingcredentialsstolenfromcustomerdevices,thenloggingintowebappswiththem2.1. SymantecInternetThreatReport2015

2. VerizonDataBreachReport2015

World®’16©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD10


TraditionalApproachestoAuthentication

1. Forrester,“HowToGetAwayWithMurder:AuthenticationTechnologiesThatWillHelpYouKillPasswords”,AndrasCserandMerrittMaxim,Sep.2015.

Something

thatyou

KNOW

Something

thatyou

HAVE

Something

thatyou

ARE

56%Ofenterprisesplantomoveawayfrompasswordsinthenext36months1.

PasswordsaretheprimarymechanismusedformostonlineInternetSites,but…

And…

[Forrester’s]surveyfounddevice-basedauthentication,fingerprinting,andone-timepasswordscombinedwithbiometricsashavingthegreatestchanceofaugmentingthenreplacingpasswords[forbusiness-to-customerIAM].1


Haveyouconsideredtheimpacttoyourusers?

“Userexperience(UX)isanimportantselectioncriteria,aheadofbothtrustandtotalcostofownershipinamajorityoforganizations”1

“AGartnersurveyofU.S.bankcustomers,conductedinthewakeofbanksintroducingnewauthenticationmethodsforretailbankinginresponsetoFederalFinancialInstitutionsExaminationCouncil(FFIEC)guidance,revealedthat12%ofcustomershadconsideredchangingbanks becausetheyfoundwhattheirbankshaddonetobetooonerous,and3%actuallychangedbanks.PoorUXledtolostbusinesss”1

1. Gartner,“MarketGuideforUserAuthentication”,AntAllan,AnmolSingh,andDavidAnthonyMahdi,12February2016.


Whatifyoucould…

AuthenticateUserwithSimplePassword

FromaSingleAuthenticationSolution?

AnalyzeRiskbasedonBehavior,Device

andLocation

InitiateStep-UpAuthenticationwhenRiskisHigh


ContextualAuthentication

CARiskAuthentication™

Whereistheidentity?

Whatistheidentitytryingtodo?

Istheactionconsistentwith

history?

Whatdeviceisbeingused?

IntroducingCAAdvancedAuthentication

VersatileAuthentication

CAStrongAuthentication™

CAAuth ID

Q&A OATHTokens

OTP– OutofBand

CAMobileOTP

Twobest-of-breedcomponentsthatcanbedeployedindividuallyortogether


CARiskAuthentication

AUTHENTICATIONMETHODS

RISKANALYSISTECHNIQUES

Makereal-timedecisionsbasedontheriskoftheloginattempt

Whereistheidentity?

Whatistheidentitytryingtodo?

Istheactionconsistentwith

history?

Whatdeviceisbeingused?

§ Behavioralriskmodeling§ DynamicRules§ DeviceDNA™deviceidentification§ Transparentdatacollection§ MobileRisk

KEYFEATURES

§ Frictionlesscustomerexperience§ DeepintegrationwithCASSO§ Reducefraudrisk§ Controlcostsassociatedwithfraud

KEYBENEFITS


CAStrongAuthentication

§ Eliminatesriskofstolenpasswords§ Convertsdeviceinto2Fcredential§ Varietyofintegrationoptions§ Highlyconfigurable/scalable§ Availableonpremiseorincloud

KEYFEATURES

§ Easyforcustomertouse§ Choiceofauthenticationmethods§ Useacrossmultiplechannels§ Enhancedsecurity&compliance

KEYBENEFITS

AUTHENTICATIONMETHODS

Identifytheuserusingarangeofauthentication

options

CAAuth ID

Q&A OATHTokens

OTP–OutofBand

CAMobileOTP


Butisn’ttheInternetPortaldead?

Thedigitaltransformationisunderway

Sources:1. CAVanson BourneStudy2. eMarketer study3. McKinseyGlobalInstitute,DisruptiveTechnologies,advancesthatwilltransformlife,businessandtheglobaleconomy,May20134. GMSAIntelligence,FromConcepttoDelivery,theM2MMarketToday,Feb.17,2014

1.75Bsmartphoneusersin20141

50BConnecteddevices(IoT)by2020 3

25Businessappsperdevice2

>$100Bincloudspendingthisyear4


SomethingaboutMobileDevices

63%Ofmobileuserswillaccessonlinecontentthroughtheirmobiledevicesby20171.1. http://www.pcmag.com/article2/0,2817,2485277,00.asp

2. http://www.statista.com/topics/779/mobile-internet

70%Ofpopulationworldwidewillusesmartphonesby20201.

World®’16©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD18


HowMobileDeviceIsChangingAuthentication

Authenticate

WITH

Authenticate

TO

Authenticate

THROUGH

In2017,figuressuggestthatmorethan63.4percentofmobilephoneuserswillaccessonlinecontentthroughtheirdevices1.

1. http://www.statista.com/topics/779/mobile-internet/


ButWhatAbouttheMobileApps?

§ Authenticationisdifferent

§ Appdevelopershaveachoice– Trustthedeviceunlockingmechanism(e.g.,TouchID)– Supplementdevicesecuritywithapplogin

§ Ifauthenticationisbuiltintoapp,thenmustdecide– Doyoupromptforcredentialseverytimeappis

opened(notuser-friendly)– Ordoyousavecredentialsondevice(notverysecure)


HowOurSolutionAddressesMobileDevices…

AUTHENTICATION CA ADVANCEDAUTHENTICATIONAUTHENTICATE WITH CAAdvancedAuthenticationprovidesaCAMobileOTPappformost

smartphonesandtablets.This2FAcredentialisasecuresoftwarepasscodegeneratorthatallowsmobilephones andtabletstobecomeaconvenientauthenticationdevice. Inaddition,CAAdvancedAuthenticationcanalsosupportout-of-bandauthentication,sendinganOTPtotheuserviaemail,text,orvoice.

AUTHENTICATETO Whenrelyingonthedevicesecurity,CAAdvancedAuthenticationcanincreasethesecurityofthemobileappviaacapabilitycalled MobileRisk.Thisapproachembedslibrariesintothemobileapp.Whentheuseropenstheapp,thelibrarieswillcollectdatafromthedeviceandforwardittoCAAdvancedAuthenticationforanalysis.Iftheriskscoreexceedsadefinedthreshold,thesolutioncaninitiateastep-upauthentication.

AUTHENTICATETHROUGH CAAdvancedAuthenticationcanbeintegratedwithexternalbiometricsolutionstosupportauthenticationthroughthedevice.ThiscouldincludeleveragingAppleTouchID,voiceprints,facialimages,etc.


RiskAnalytics– Whyit’sCool

• Effectiveanalyticstechniqueideallysuitedforcustomerswhereroutinefraudmarkingisnotavailable.

• Approachisbasedonassessingwhetherbehaviorisnormalorabnormal.Itisnotbasedonpriorfrauddata.

• Learnsquickly,startsactiveassessmentupondeployment.

• Noconfigurationortraining.Itcanadapttoyouruserpopulation.


OutsidetheEnterprise

InternetofThings

Mobile

SaaS/CloudSolutionsAWS,Google,SFDC…

PartnerEcosystems

ExternalDevelopers

WithintheEnterprise

SecureData

ApplicationPortfolio

ID/Authentication

Reporting&Analytics

InternalTeams

CAAPIManagementTheBuildingBlocksofDigitalTransformation

SecuretheOpenEnterpriseü ProtectagainstthreatsandOWASPvulnerabilitiesü ControlaccesswithSSOandidentitymanagementü Provideend-to-endsecurityforapps,mobile,andIoT

IntegrateandCreateAPIsü EasilyconnectSOA,ESB,andlegacyapplicationsü AggregatedataincludingNoSQLupto10xfasterü Buildscalableconnectionstocloudsolutionsü AutomaticallycreatedataAPIswithlivebusinesslogic

UnlocktheValueofDataü MonetizeAPIstogeneraterevenueü Builddigitalecosystemstoenhancebusinessvalueü Createefficienciesthroughanalyticsandoptimization

AccelerateMobile/IoTDevelopmentü Simplifyandcontroldeveloperaccesstodataü Buildawiderpartnerorpublicdeveloperecosystemü Leveragetoolsthatreducemobileappdeliverytime


TheIntegration:ValueProposition

§ ReturnonInvestment– Enhancedsecurityreducesfraudlossesbyprotectingthebrand

§ FasterTimetoValue– SDKallowsorganizationstoquicklydeployriskcollectorsintotheirmobileappsandIoT

devices

§ UserConvenience– Transparentriskanalysisenhancesappsecuritywithoutimpactinguserexperience

§ Adaptability– Configurablerulesengineallowsadministratorstocreate&modifyriskrulestobalance

user/deviceconveniencewiththreatmitigation


MobileDevices

Consumer WebServices Applications ApplicationData

MobileApp

EnhancingAppSecurityWithMobileRiskProcessFlowThetypicalprocessisthattheuseropenstheappontheirmobiledevice,andmayormaynotpromptedtoauthenticatebeforeaccessingenterpriseapplicationsanddata.

But…thereisnorealsecuritybeyondthepasswordorPINenforcedbytheApp.

Inaddition,becausemanyAppsstoreasessiontokenonthedevice,accesscanbeeasilycompromisedifthemobiledeviceisstolenorlost.

MobileRiskcanAddressthisWeakness!


EnhancingAppSecurityWithMobileRiskProcessFlowThefirststepistoembedtheMobileDeviceDNAdatacollectorswithintheMobileAppthatyouwishtoprotect.

TheSDKwillcommunicatewiththeCAAdvancedAuthenticationservers.CAAdv.AuthMobileDevices


MobileApp

SDK


CAAdv.AuthMobileDevices


MobileApp

EnhancingAppSecurityWithMobileRiskProcessFlowWhentheidentityopenstheapp,theSDKwilltransparentlyconductariskevaluation,whichcouldoccurafterauthenticationbutbeforeuserisgivenaccesstoanydata.

SDK

TheSDKwillcollectdevicedataandsendittotheriskengineforanalysis.

Analysisincludes:• Location• DeviceIdentification• IdentityBehavior




MobileApp

EnhancingAppSecurityWithMobileRiskProcessFlowIftheriskanalysisreturnsaLOWRiskScore,theriskenginewillreturnan“Approve”messageandtheidentitywillbeallowedtocontinuetoaccessapplicationdata.

SDK




MobileApp

EnhancingAppSecurityWithMobileRiskProcessFlowIftheriskanalysisreturnsaMEDIUMRiskScore,theriskenginecaninitiateaStep-UpAuthenticationprocess(e.g.,pushnotificationorout-of-bandOTP).

SDK

Afteridentityanswersstep-upchallenge,theyareallowedtoaccessapplicationdata.

PushNotification

OutofBandAuthentication




MobileApp

EnhancingAppSecurityWithMobileRiskProcessFlowIftheriskanalysisreturnsaHIGHRiskScore,theriskenginecouldreturna“Deny”messageandtheuserwouldnotbeallowedtoaccessanyapplicationdata.

SDK

AccessDenied


Consumer

MobileDevices

MobileApp CAAPIGateway

Applications Data

CAAdvancedAuthentication

LogicalArchitecture

Riskanalysis,behaviorprofiling,&step-upauthentication

AAMobileSDKtocollectriskdatafromdevice

APISDK

AASDK


Consumer

MobileDevices



IoT/MobileAppRiskAnalysisInitialProcess

TheSDKwillcollectriskdata,whichistransmittedforanalysistotheAAserversviatheGateway

ThefirststepistoembedtheCAAdvancedAuthenticationSDKwithintheMobileAppthatyouwishtoprotect.

AASDK


Consumer

MobileDevices



IoT/MobileAppRiskAnalysisinActionRegistrationProcess

WhenuserdownloadsMobileAppandRegistersforthefirsttime,theSDKwillcollectDeviceDNA datasothatCAAdvancedAuthenticationcanfingerprintthedevice.

Thedeviceisassociatedwiththeidentityandthefingerprintisstoredforfuturecomparisons.

Inaddition,thesolutioncaninitiatesanout-of-bandoralternativeauthenticationtovalidatetheidentity.

AASDK


Consumer

MobileDevices


Applications


IoT/MobileAppRiskAnalysisinActionTheImprovedProcess ProcessSteps:

1. IdentitiesopensappandauthenticateswiththeirUserID/password

2. CredentialsvalidatedbytheCAAPIGateway

3. Riskdatacollectedfrommobiledeviceandsentforanalysis

4. Riskengineevaluatescontextualdataanddeterminesriskscore

Knowndevice?Jailbroken?NegativeIPorCountry?TypicalBehavior?Velocity?etc.

5. Ifriskscoreishigh,anout-of-band(OOB)challengesenttoidentity

6. IdentityrespondstoOOBchallengetovalidatetheiridentity

7. Ifidentityisvalidated,gatewayroutesAPIrequestandreturnsresponse

NOTE:Ifriskscoreistotoohigh,theAPIrequestcanalsobeblocked

APISDK

AASDK


Top5Takeaways1. Themobiledeviceimprovesthebrowserauthenticationexperience

– Easyintuitiveexperience– ProvidesaplatformforsecurityMobilityindex

2. Andmobileappauthenticationisbecomingincreasingimportant– Organizationsarelookingtoappsasawaytoreachtheircustomers– Authenticationisofcoursenecessary

3. Mobileappauthenticationislaggingthebrowser– Riskassessmentnotprevalent– Butwillbecomeimportantquickly

4. Usersusemultipledevicesinmultiplelocations– Youhavetotietheactivitytogether– Riskassessmentthatusesbehavioralprofilingandamobilityindexcanaccountforthis

5. MobileDeviceIdentificationgivesusanimportanttool– Morepreciseandmoredataavailabletomakeadecision– Canbedonewithoutinvadingtheuser’sprivacy


RecommendedSessions

SESSION# TITLE DATE/TIME

SCX73SBestWesternImprovesSecurityfor5M+RewardsMemberswithSimeio IdentityasaService(IDaaS)PoweredbyCASecurity

11/16/2016at3:00pm

SCX20S CARoadmap:Authentication,SingleSign-On,Directory 11/17/2016at1:45pm

SCX50S ConvenienceandSecurityforbankingcustomerswithCAAdvancedAuthentication

11/17/2016at3:00pm

SCX75S Risk-awareaccesstoOffice365™ 11/17/2016at3:45pm

SCX52S ProtectingQualcommIPwithCAAdvancedAuthentication 11/17/2016at4:30pm


Don’tMissOurINTERACTIVESecurityDemoExperience!

SNEAKPEEK!



Wewanttohearfromyou!

§ ITCentralisaleadingtechnologyreviewsite.CAhasthemtohelpgenerateproductreviewsforourSecurityproducts.

§ ITCSstaffmaybeatthissessionnow!(lookfortheirshirts).Ifyouwouldliketoofferaproductreview,pleaseaskthemaftertheclass,orgobytheirbooth.

Note:§ Onlytakes5-7mins§ Youhavetotalcontroloverthereview§ Itcanbeanonymous,ifrequired


Questions?


Stayconnectedatcommunities.ca.com

Thankyou.

API Risk: Taking Your API Security to the Next Level

Technology

Transcript of API Risk: Taking Your API Security to the Next Level