OOW13: Developing secure mobile applications (CON8902)
- 1. CON8902 - Developing Secure Mobile Applications Mark Wilcox Senior Product Manager September 2013
- 2. 2Copyright © 2011, Oracle and/or its affiliates. All right This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
- 3. 3 Oracle Fusion Middleware Business Innovation Platform for the Enterprise and Cloud Complete and Integrated Best-in-class Open standards On-premise and Cloud Foundation for Oracle Fusion Applications and Oracle Cloud User Engagement Identity Management Business Process Management Content Management Business Intelligence Service Integration Data Integration Development Tools Cloud Application Foundation Enterprise Management Web Social Mobile
- 4. 4 Program Agenda Define the problem and solution Partner Demo and Presentation Oracle Shows The Developer Demo
- 5. 5Copyright © 2012, Oracle and/or its affiliates. All right The Mobile and Social Access Promise Anytime Anywhere Access New Tools for Business Personal and Business Devices Mobile, Social and Cloud Access Mobile and Social Access is changing the landscape
- 6. 6Copyright © 2012, Oracle and/or its affiliates. All right The Mobile and Social Access Problems Security Proliferation of Devices Cannot leverage existing security Limited device control A compliance challenge How to centrally manage the security and be complaint?
- 7. 7Copyright © 2012, Oracle and/or its affiliates. All right The Mobile and Social Access Problems User Experience Native Applications No Native Single Sign-on Password Help Desk Calls Inconsistent Login Experience How to improve user experience and productivity?
- 8. 8 Cloud AccessMobile Security Social Sign-On Standards Support Oracle Access Management Mobile & Social Overview
- 9. 9 Mobile Security Native App Web App Mobile and Social REST Oracle SDK Security App Access Management Directory User Profile Services OAAM Service OAM Service Device Registration Lost & Stolen Devices GPS/WIFI Location Awareness Device Fingerprinting & Tracking Risk-based KBA & OTP Transactional risk analysis
- 10. 10Copyright © 2012, Oracle and/or its affiliates. All right Client SDKs Native Libraries for iOS and JAVA Store/Access Keys, Tokens, Handles and other secure data Access Mobile Device Information (OS, Carrier, Geolocation, IP/MAC) Support KBA, OTP via Email and SMS Manage Single Sign-on Quickly build security into your mobile applications
- 11. 11Copyright © 2011, Oracle and/or its affiliates. All right 11 Mobile & Social Access Management Deployment Architecture Corporate DMZ Corporate Network HTTP/REST/SOAP/OAuth Clients Oracle Adaptive Access Manager Mobile and Social OAM Agent SOAP/REST and Legacy Web Services Oracle Access Manager Directory Services Oracle Enterprise Gateway Web Services Manager Service Bus Context Aware Authorization and Data Redaction OES PDP OES PDP
- 12. 12Copyright © 2011, Oracle and/or its affiliates. All right Partner Presentation Vivek Lodhi ERS Specialist Manager , Deloitte & Touche LLP
- 13. 13Copyright © 2011, Oracle and/or its affiliates. All right Oracle Developer Demo DEMO
- 14. 14Copyright © 2012, Oracle and/or its affiliates. All right • Mobile security is more than device management • Use a Mobile-focused security product to simplify the development of secure mobile applications • Oracle provides an end to end mobile security solution that leverages existing investments in access management Summary
- 15. 15Copyright © 2012, Oracle and/or its affiliates. All right • Partners • Contact Partner Training Services to learn how they can help you learn Oracle Access Management Secure Mobile Development • Customers • Contact your Oracle Account Representative to learn more Next Steps
- 16. 16
- 17. 17
Editor's Notes
- #3: Voice over … none of this constitutes a commitment to deliver futures
- #4: With Fusion Middleware, you can extend and maximize your existing technology investment with the same technologies used in Fusion Applications, including embedded analytics and social collaboration, and mobile and cloud computing. Oracle’s complete SOA platform lets your IT organization rapidly design, assemble, deploy, and manage adaptable business applications and—with Oracle’s business process management tools—even bring the task of modeling business processes directly to the business analysts. Oracle Business Intelligence foundation brings together all your enterprise data sources in a single, easy-to-use solution, delivering consistent insights whether it’s through ad hoc queries and analysis, interactive dashboards, scorecards, OLAP, or reporting. And, your existing enterprise applications can leverage the rich social networking capabilities and content sharing that users have come to expect in consumer software. Oracle Fusion Middleware is based on 100 percent open standards, so you aren’t locked into one deployment model when your business requirements change.
- #9: Oracle Access Manager for Mobile and Social OverviewConnects mobile users to identity services using REST interfacesOrganizations can bridge the security gap between the enterprise and mobile devices. With RESTful identity services, rich mobile applications can access stateless identity functions from mobile devices which are limited by processing capacity and battery power. Organizations can maketheir backend services and data available in a secure manner by simply exposing these through virtual REST API’s in the DMZ. Messages, security tokens, and protocols are automatically translated between formats appropriate for mobile devices and the source system. REST API’s can mash up information from multiple sources and be protected from a wide variety of attacks (denial of service, sql injection, content retrieval attacks, etcetc), usage can be monitored, and all your Oracle Access Management technologies can be leveraged for further protection. Delivers SSO and Authorization for native mobile applications Traditional mobile security solutions like VPN tunnels are limited in that they cannot overcome the problem of SSO for native mobile apps. OAM-M&S simplifies SSO across rich mobile apps and browser applications. This reduces the number of logins required for enterprise applications from the native mobile screen. Authorization can control what transactions end users are able to perform from a device and under what conditions. Perhaps only transactions below a given amount are allowed from a mobile device. An organizations REST API’s require authorization, what data is accessible to a given user must be controlled and monitored. A users location and device state may need to be taken into account. Enables sign on from 3rd party and Social identities to Enterprise resourcesWith the proliferation of social networking sites, there is a need for relying parties to consume identities from internet identity providers like Facebook, Twitter, LinkedIn, Google and Yahoo. Many of these providers support user centric federation standards like OpenID and Oauth. OAM-M&S enables organizations to accept internet identities for signing on users to low value applications like blogs, communities, etc. This in turn can provide a seamless user experience for users without the burden of additional logins.Single Sign-On covers web applications, native mobile applications, and also the RESTful API’s and web services accessed from the device.Supports industry standards (OpenID, OAuth)Oracle IDM supports OpenID and Oauth. So with Oracle Identity Management we are making it easier for relying parties to accept identities from internet identity providers like Facebook, Twitter, LinkedIn, Google and Yahoo.
- #10: Mobile Security – web and mobile appDevice registration and fingerprintLost & stolen device securityGPS/WIFI based location awareness
- #12: Oracle Adaptive Access ManagerDevice Fingerprinting and Registration DatabaseRisk-Based Authentication that Factors Mobile ContextOracle Enterprise GatewayEnables Mobile Application REST API’s and protects API’s, webservices, and SOA infrastructure from external threats and invalid / suspicious requestsExtends Access Management with authentication, authorization, audit to REST API’s, web servicesOracle Entitlement ServerMake AuthorizationDecisions and Redact Data based on User,Mobile, or any other ContextExternalize AuthorizationPolicies from Application CodeOracle Access Management : Mobile & SocialMobile Identity and Access GatewayAuthentication, Registration, and User Profile Services for MobileOracle Web Services ManagerLast mile security for an organizations backend web services and SOA infrastructure Embedded agentsNative Mobile Security SDKNative Login Screens / Secure Credential StorageEasy Integration w/ SSO and Web Services SecurityNative Mobile Security AppsLogin App for Native and Web Apps Providing Device ContextNative White Pages App Integrated w/ User Profile Services