API Risk: Taking Your API Security to the Next Level
Tabish Tanzeem, CISSP - Senior Principal Consultant - CA Technologies
Daniel Brudner, CISSP, CISA, CCSK - Senior Principal Consultant - CA Technologies
CA World '16 - Security - Session SCX25V
2 ©	2016	CA.	ALL	RIGHTS	RESERVED.@CAWORLD				#CAWORLD
Terms of this Presentation
For Informational Purposes Only
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Abstract
Mobile applications and the Internet of Things will continue to transform the way users interact with the business—but how will we secure this access? For example, even as mobile payments have grown exponentially in the past 12–18 months, payment fraud from mobile devices has grown even faster. In this session, we’ll discuss how CA Advanced Authentication can be integrated with the CA API Gateway to provide a solution we call API Risk to address this challenge. API Risk provides a way to embed contextual risk analysis and/or strong authentication within the API calls to confirm device identities and ensure that end users are who they claim to be.
Daniel Brudner & Tabish Tanzeem, CA Technologies, Security

Agenda
1. IOT AND MOBILE TRENDS
2. TRADITIONAL APPROACHES TO AUTHENTICATION
3. LOGICAL ARCHITECTURE
4. CA ADVANCED AUTHENTICATION
5. CA API GATEWAY
6. INTEGRATION

The IoT Ecosystem
[Diagram labels: ‘Makers’, ‘Users’, Sensor, Network/Carriers, IoT Gateway, Cloud, Open Data Platform, IoT Platform, Systems Integration/Services, Platforms, Intelligent Gateways, Enterprise ‘Edge’, Information Technology, Operations Technology, Consumers, Home IoT, Industrial IoT, Wearables, Connected Car, Connected Health, Smart Products, Smart Utilities, Smart Energy, Smart Transportation, Smart Factories, Smart Analytics]

IoT – Today and Tomorrow
2015 – 2025*
[Chart: yearly values for 2015 to 2025, vertical axis 0 to 90, in billions]
* Scenario based (2020 – 2025)
Today: 4,800 connected IoT devices per minute
By 2025: 152,200 connected IoT devices per minute

Challenges with IoT
• 80 billion IoT devices by 2025 (they all want to have identities…) – need to manage exponentially more identities than current humans’ identities
• Dynamic high mobility of IoT devices creates more risk
  – Devices appear and disappear in different locations
  – Need to uniquely identify the device
  – Need to identify changes in device fingerprint

Challenges with IoT
• Manage interaction/relationship of IoT with other devices, humans, services - IRM
  – Authentication
  – Authorization
  – Auditing
  – Administration
• Traditional borders are gone
• Compute-constrained resources (IoT devices) require delegation of authentication and authorization to less-constrained devices
• How do I know the device has been compromised?

A Shift in Criminal Activity
Cybercriminals are expanding their reach beyond traditional targets of consumer banking and credit cards. They are now looking to steal valuable data that is accessible online.
The Top 5 Sectors Breached [1]
• Healthcare: 37%
• Retail: 11%
• Education: 10%
• Gov/Public: 8%
• Financial: 6%
95% of [Web] incidents involve harvesting credentials stolen from customer devices, then logging into web apps with them [2].
1. Symantec Internet Threat Report 2015
2. Verizon Data Breach Report 2015

Traditional Approaches to Authentication
• Something that you KNOW
• Something that you HAVE
• Something that you ARE
Passwords are the primary mechanism used for most online Internet sites, but… 56% of enterprises plan to move away from passwords in the next 36 months [1].
And… [Forrester’s] survey found device-based authentication, fingerprinting, and one-time passwords combined with biometrics as having the greatest chance of augmenting then replacing passwords [for business-to-customer IAM]. [1]
1. Forrester, “How To Get Away With Murder: Authentication Technologies That Will Help You Kill Passwords”, Andras Cser and Merritt Maxim, Sep. 2015.

Have you considered the impact to your users?
“User experience (UX) is an important selection criteria, ahead of both trust and total cost of ownership in a majority of organizations” [1]
“A Gartner survey of U.S. bank customers, conducted in the wake of banks introducing new authentication methods for retail banking in response to Federal Financial Institutions Examination Council (FFIEC) guidance, revealed that 12% of customers had considered changing banks because they found what their banks had done to be too onerous, and 3% actually changed banks. Poor UX led to lost business” [1]
1. Gartner, “Market Guide for User Authentication”, Ant Allan, Anmol Singh, and David Anthony Mahdi, 12 February 2016.

What if you could…
• Authenticate User with Simple Password
• Analyze Risk based on Behavior, Device and Location
• Initiate Step-Up Authentication when Risk is High
From a Single Authentication Solution?

Introducing CA Advanced Authentication
Two best-of-breed components that can be deployed individually or together
Contextual Authentication: CA Risk Authentication™
• Where is the identity?
• What is the identity trying to do?
• Is the action consistent with history?
• What device is being used?
Versatile Authentication: CA Strong Authentication™
• CA Auth ID
• Q&A
• OATH Tokens
• OTP – Out of Band
• CA Mobile OTP

CA Risk Authentication
[Diagram labels: AUTHENTICATION METHODS, RISK ANALYSIS TECHNIQUES]
Make real-time decisions based on the risk of the login attempt
• Where is the identity?
• What is the identity trying to do?
• Is the action consistent with history?
• What device is being used?
KEY FEATURES
• Behavioral risk modeling
• Dynamic Rules
• DeviceDNA™ device identification
• Transparent data collection
• Mobile Risk
KEY BENEFITS
• Frictionless customer experience
• Deep integration with CA SSO
• Reduce fraud risk
• Control costs associated with fraud

CA Strong Authentication
[Diagram label: AUTHENTICATION METHODS]
Identify the user using a range of authentication options
• CA Auth ID
• Q&A
• OATH Tokens
• OTP – Out of Band
• CA Mobile OTP
KEY FEATURES
• Eliminates risk of stolen passwords
• Converts device into 2F credential
• Variety of integration options
• Highly configurable/scalable
• Available on premise or in cloud
KEY BENEFITS
• Easy for customer to use
• Choice of authentication methods
• Use across multiple channels
• Enhanced security & compliance

But isn’t the Internet Portal dead?
The digital transformation is underway
• 1.75B smartphone users in 2014 [1]
• 25 business apps per device [2]
• 50B connected devices (IoT) by 2020 [3]
• >$100B in cloud spending this year [4]
Sources:
1. CA Vanson Bourne Study
2. eMarketer study
3. McKinsey Global Institute, Disruptive Technologies, advances that will transform life, business and the global economy, May 2013
4. GMSA Intelligence, From Concept to Delivery, the M2M Market Today, Feb. 17, 2014

Something about Mobile Devices
• 63% of mobile users will access online content through their mobile devices by 2017 [1].
• 70% of population worldwide will use smartphones by 2020 [1].
1. http://www.pcmag.com/article2/0,2817,2485277,00.asp
2. http://www.statista.com/topics/779/mobile-internet

How Mobile Device Is Changing Authentication
• Authenticate WITH
• Authenticate TO
• Authenticate THROUGH
In 2017, figures suggest that more than 63.4 percent of mobile phone users will access online content through their devices [1].
1. http://www.statista.com/topics/779/mobile-internet/

But What About the Mobile Apps?
• Authentication is different
• App developers have a choice
  – Trust the device unlocking mechanism (e.g., Touch ID)
  – Supplement device security with app login
• If authentication is built into app, then must decide
  – Do you prompt for credentials every time app is opened (not user-friendly)
  – Or do you save credentials on device (not very secure)

How Our Solution Addresses Mobile Devices…
AUTHENTICATION | CA ADVANCED AUTHENTICATION
AUTHENTICATE WITH | CA Advanced Authentication provides a CA Mobile OTP app for most smartphones and tablets. This 2FA credential is a secure software passcode generator that allows mobile phones and tablets to become a convenient authentication device. In addition, CA Advanced Authentication can also support out-of-band authentication, sending an OTP to the user via email, text, or voice.
AUTHENTICATE TO | When relying on the device security, CA Advanced Authentication can increase the security of the mobile app via a capability called Mobile Risk. This approach embeds libraries into the mobile app. When the user opens the app, the libraries will collect data from the device and forward it to CA Advanced Authentication for analysis. If the risk score exceeds a defined threshold, the solution can initiate a step-up authentication.
AUTHENTICATE THROUGH | CA Advanced Authentication can be integrated with external biometric solutions to support authentication through the device. This could include leveraging Apple Touch ID, voice prints, facial images, etc.

Risk Analytics – Why it’s Cool
• Effective analytics technique ideally suited for customers where routine fraud marking is not available.
• Approach is based on assessing whether behavior is normal or abnormal. It is not based on prior fraud data.
• Learns quickly, starts active assessment upon deployment.
• No configuration or training. It can adapt to your user population.

CA API Management
The Building Blocks of Digital Transformation
Outside the Enterprise: Internet of Things; Mobile; SaaS/Cloud Solutions (AWS, Google, SFDC …); Partner Ecosystems; External Developers
Within the Enterprise: Secure Data; Application Portfolio; ID/Authentication; Reporting & Analytics; Internal Teams
Secure the Open Enterprise
✓ Protect against threats and OWASP vulnerabilities
✓ Control access with SSO and identity management
✓ Provide end-to-end security for apps, mobile, and IoT
Integrate and Create APIs
✓ Easily connect SOA, ESB, and legacy applications
✓ Aggregate data including NoSQL up to 10x faster
✓ Build scalable connections to cloud solutions
✓ Automatically create data APIs with live business logic
Unlock the Value of Data
✓ Monetize APIs to generate revenue
✓ Build digital ecosystems to enhance business value
✓ Create efficiencies through analytics and optimization
Accelerate Mobile/IoT Development
✓ Simplify and control developer access to data
✓ Build a wider partner or public developer ecosystem
✓ Leverage tools that reduce mobile app delivery time

The Integration: Value Proposition
• Return on Investment
  – Enhanced security reduces fraud losses by protecting the brand
• Faster Time to Value
  – SDK allows organizations to quickly deploy risk collectors into their mobile apps and IoT devices
• User Convenience
  – Transparent risk analysis enhances app security without impacting user experience
• Adaptability
  – Configurable rules engine allows administrators to create & modify risk rules to balance user/device convenience with threat mitigation

Enhancing App Security With Mobile Risk
Process Flow
[Diagram labels: Consumer, Mobile Devices, Mobile App, Web Services, Applications, Application Data]
The typical process is that the user opens the app on their mobile device, and may or may not be prompted to authenticate before accessing enterprise applications and data.
But… there is no real security beyond the password or PIN enforced by the app.
In addition, because many apps store a session token on the device, access can be easily compromised if the mobile device is stolen or lost.
Mobile Risk can address this weakness!

Enhancing App Security With Mobile Risk
Process Flow
[Diagram labels: Consumer, Mobile Devices, Mobile App, SDK, CA Adv. Auth, Web Services, Applications, Application Data]
The first step is to embed the Mobile Device DNA data collectors within the Mobile App that you wish to protect.
The SDK will communicate with the CA Advanced Authentication servers.

Enhancing App Security With Mobile Risk
Process Flow
[Diagram labels: Consumer, Mobile Devices, Mobile App, SDK, CA Adv. Auth, Web Services, Applications, Application Data]
When the identity opens the app, the SDK will transparently conduct a risk evaluation, which could occur after authentication but before the user is given access to any data.
The SDK will collect device data and send it to the risk engine for analysis.
Analysis includes:
• Location
• Device Identification
• Identity Behavior

Enhancing App Security With Mobile Risk
Process Flow
[Diagram labels: Consumer, Mobile Devices, Mobile App, SDK, CA Adv. Auth, Web Services, Applications, Application Data]
If the risk analysis returns a LOW Risk Score, the risk engine will return an “Approve” message and the identity will be allowed to continue to access application data.

Enhancing App Security With Mobile Risk
Process Flow
[Diagram labels: Consumer, Mobile Devices, Mobile App, SDK, CA Adv. Auth, Web Services, Applications, Application Data, Push Notification, Out of Band Authentication]
If the risk analysis returns a MEDIUM Risk Score, the risk engine can initiate a Step-Up Authentication process (e.g., push notification or out-of-band OTP).
After the identity answers the step-up challenge, they are allowed to access application data.

Enhancing App Security With Mobile Risk
Process Flow
[Diagram labels: Consumer, Mobile Devices, Mobile App, SDK, CA Adv. Auth, Web Services, Applications, Application Data, Access Denied]
If the risk analysis returns a HIGH Risk Score, the risk engine could return a “Deny” message and the user would not be allowed to access any application data.

Logical Architecture
[Diagram labels: Consumer, Mobile Devices, Mobile App, API SDK, AA SDK, CA API Gateway, Applications, Data, CA Advanced Authentication]
• AA Mobile SDK to collect risk data from device
• Risk analysis, behavior profiling, & step-up authentication

IoT/Mobile App Risk Analysis
Initial Process
[Diagram labels: Consumer, Mobile Devices, Mobile App, AA SDK, CA API Gateway, CA Advanced Authentication]
The first step is to embed the CA Advanced Authentication SDK within the Mobile App that you wish to protect.
The SDK will collect risk data, which is transmitted for analysis to the AA servers via the Gateway.

IoT/Mobile App Risk Analysis in Action
Registration Process
[Diagram labels: Consumer, Mobile Devices, Mobile App, AA SDK, CA API Gateway, CA Advanced Authentication]
When the user downloads the Mobile App and registers for the first time, the SDK will collect DeviceDNA data so that CA Advanced Authentication can fingerprint the device.
The device is associated with the identity and the fingerprint is stored for future comparisons.
In addition, the solution can initiate an out-of-band or alternative authentication to validate the identity.

IoT/Mobile App Risk Analysis in Action
The Improved Process
[Diagram labels: Consumer, Mobile Devices, Mobile App, API SDK, AA SDK, CA API Gateway, Applications, CA Advanced Authentication]
Process Steps:
1. Identity opens app and authenticates with their User ID / password
2. Credentials validated by the CA API Gateway
3. Risk data collected from mobile device and sent for analysis
4. Risk engine evaluates contextual data and determines risk score
   – Known device?
   – Jailbroken?
   – Negative IP or country?
   – Typical behavior?
   – Velocity?
   – etc.
5. If risk score is high, an out-of-band (OOB) challenge sent to identity
6. Identity responds to OOB challenge to validate their identity
7. If identity is validated, gateway routes API request and returns response
NOTE: If risk score is too high, the API request can also be blocked
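The LOW / MEDIUM / HIGH outcomes from the Mobile Risk slides and the seven process steps above, as an added Python sketch that is not CA's code and does not use any CA API. The signal names, weights, thresholds, field names, status strings and sample data are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

# Every name, weight and threshold here is an assumption made for this example;
# none of it is taken from CA Advanced Authentication or CA API Gateway.
WEIGHTS = {"unknown_device": 30, "jailbroken": 40, "negative_country": 50,
           "atypical_behavior": 20, "velocity": 35}
STEP_UP_AT = 30                  # score >= 30: MEDIUM risk, out-of-band challenge
DENY_AT = 70                     # score >= 70: HIGH risk, block the API request
NEGATIVE_COUNTRIES = {"XX"}      # placeholder country code
MAX_SPEED_KMH = 900.0            # faster than an airliner: implausible travel
MIN_JUMP_KM = 50.0               # ignore GPS jitter and short hops


@dataclass
class Profile:
    """Stored at registration, refreshed after each accepted request."""
    device_fingerprint: str
    usual_actions: frozenset
    last_lat: float
    last_lon: float
    last_seen: float             # epoch seconds


@dataclass
class Context:
    """Collected by the in-app SDK and sent with the API call."""
    device_fingerprint: str
    jailbroken: bool
    country: str
    action: str
    lat: float
    lon: float
    timestamp: float             # epoch seconds


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(min(1.0, sqrt(a)))


def risk_signals(profile: Profile, ctx: Context) -> List[str]:
    """Known device? Jailbroken? Negative country? Typical behavior? Velocity?"""
    signals = []
    if ctx.device_fingerprint != profile.device_fingerprint:
        signals.append("unknown_device")
    if ctx.jailbroken:
        signals.append("jailbroken")
    if ctx.country.upper() in NEGATIVE_COUNTRIES:
        signals.append("negative_country")
    if ctx.action not in profile.usual_actions:
        signals.append("atypical_behavior")
    km = distance_km(profile.last_lat, profile.last_lon, ctx.lat, ctx.lon)
    # A zero or negative interval (clock skew, replay) is clamped to one second,
    # so a long jump with a bad timestamp still counts as implausible travel.
    hours = max(ctx.timestamp - profile.last_seen, 1.0) / 3600.0
    if km >= MIN_JUMP_KM and km / hours > MAX_SPEED_KMH:
        signals.append("velocity")
    return signals


def decide(profile: Profile, ctx: Context) -> Tuple[str, int, List[str]]:
    """Map the summed signal weights to APPROVE, STEP_UP or DENY."""
    signals = risk_signals(profile, ctx)
    score = min(100, sum(WEIGHTS[s] for s in signals))
    if score >= DENY_AT:
        return "DENY", score, signals
    if score >= STEP_UP_AT:
        return "STEP_UP", score, signals
    return "APPROVE", score, signals


def handle_api_request(credentials_ok: bool, profile: Profile, ctx: Context,
                       oob_verified: Optional[bool] = None) -> str:
    """Gateway order of checks; oob_verified stays None until the OOB reply."""
    if not credentials_ok:
        return "401 invalid credentials"          # risk is never evaluated
    advice, _score, _signals = decide(profile, ctx)
    if advice == "DENY":
        return "403 blocked by risk policy"       # a passed OOB cannot override
    if advice == "STEP_UP" and oob_verified is not True:
        return "401 step-up required" if oob_verified is None else "403 step-up failed"
    return "200 routed to backend"


# Constructed sample data: one registered profile and three requests.
T0 = 1_700_000_000.0
PROFILE = Profile("fp-1", frozenset({"balance", "transfer"}), 40.71, -74.01, T0)
LOW = Context("fp-1", False, "US", "balance", 40.71, -74.01, T0 + 43_200)
MEDIUM = Context("fp-2", False, "US", "balance", 40.71, -74.01, T0 + 43_200)
HIGH = Context("fp-1", True, "GB", "balance", 51.51, -0.13, T0 + 3_600)
```

The velocity check is the one most prone to false positives, which is why the sketch ignores jumps below `MIN_JUMP_KM` and clamps non-positive time intervals instead of dividing by them.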

Top 5 Takeaways
1. The mobile device improves the browser authentication experience
   – Easy intuitive experience
   – Provides a platform for security Mobility index
2. And mobile app authentication is becoming increasingly important
   – Organizations are looking to apps as a way to reach their customers
   – Authentication is of course necessary
3. Mobile app authentication is lagging the browser
   – Risk assessment not prevalent
   – But will become important quickly
4. Users use multiple devices in multiple locations
   – You have to tie the activity together
   – Risk assessment that uses behavioral profiling and a mobility index can account for this
5. Mobile Device Identification gives us an important tool
   – More precise and more data available to make a decision
   – Can be done without invading the user’s privacy

Recommended Sessions
SESSION # | TITLE | DATE/TIME
SCX73S | Best Western Improves Security for 5M+ Rewards Members with Simeio Identity as a Service (IDaaS) Powered by CA Security | 11/16/2016 at 3:00 pm
SCX20S | CA Roadmap: Authentication, Single Sign-On, Directory | 11/17/2016 at 1:45 pm
SCX50S | Convenience and Security for banking customers with CA Advanced Authentication | 11/17/2016 at 3:00 pm
SCX75S | Risk-aware access to Office 365™ | 11/17/2016 at 3:45 pm
SCX52S | Protecting Qualcomm IP with CA Advanced Authentication | 11/17/2016 at 4:30 pm

Don’t Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!

We want to hear from you!
• IT Central is a leading technology review site. CA has them to help generate product reviews for our Security products.
• ITCS staff may be at this session now! (look for their shirts). If you would like to offer a product review, please ask them after the class, or go by their booth.
Note:
• Only takes 5-7 mins
• You have total control over the review
• It can be anonymous, if required

Questions?

Stay connected at communities.ca.com
Thank you.
Security
For more information on Security, please visit: http://cainc.to/EtfYyw
