Packt Publishing Book Proposal: API and Mobile Access Management
What is it, exactly, that you’re focusing on?
Deploying an application access management suite is currently too expensive for any but the largest enterprises, who can afford platforms like Oracle Access Manager, IBM Tivoli Access Manager or CA SiteMinder. These security suites use proprietary protocols, which frequently result in “vendor lock-in.” This book would document a recipe to leverage open standards to build enterprise-class web access management using 100% open source components. This recipe has been developed by Gluu over the last five years, and is proven to work in a variety of deployments around the globe that vary in size from small to humongous.
Why does the community use this tool?
People–employees, customers, and partners–need to be identified to interact electronically with an organization. Authentication (authn) and authorization (authz) are a challenge faced by almost every organization large enough to register an Internet domain. And it’s not just people that need to be authenticated and authorized. “Clients” are online agents that can interact with services on your behalf. With the emergence of the IoT and the API economy, developers and system administrators are urgently searching for standards-based solutions and best practices to improve the security of web and mobile applications.
While commercial solutions exist, there are many organizations that prefer the do-it-yourself approach. Authentication impacts the integrity of every transaction performed by a person or client on the network. In some cases, web authentication is the organization’s keys to the kingdom. There are many organizations that will never outsource this function. And there are many organizations that see excellence in authentication–which is the front door to their Internet presence–as a competitive advantage to drive adoption of their products and services. For these organizations, a recipe for open source access management would be extremely helpful.
What are people doing with it on a daily basis?
Application security is a very difficult and scary topic for the average system administrator. Authentication and authorization are the first step for almost any content of value. If the central authn/authz service is down, even the CEO of the company may not be able to read her email. Or worse, a security breach may result in a financial loss for the organization, or even dismissal. This book would document a proven solution to enable sysadmins to confidently deploy a modern, flexible authn/authz service that would be available day after day for many years to come.
What are its benefits to users, compared to a new/old rival?
The recipe documented in the book is a proven stack of WAM (web access management) software used by universities, governments, large companies and websites.
This stack has more features and is easier to manage than commercial alternatives. If you are paranoid about the NSA spying on you, then you can read all the code. This recipe includes some of the most widely deployed and some of the most cutting-edge security solutions available anywhere.
Organizations who don’t use open source may use expensive commercial software or a
SaaS service. As application security is a universal requirement, both of these options will
make sense for some organizations.
The recipe documented in this book is not the only open source recipe possible; the book is not intended to be a compendium of all open source security solutions. It’s a curated recipe of a suite of software proven to work together to satisfy the requirements of many organizations, large and small.
What issues does your community face, day to day?
A recent Verizon study indicated that 80% of Internet breaches were the direct result of bad password security. But how can organizations reduce reliance on passwords without tightly coupling authentication technology into applications? How can the deployability issues of strong authentication be addressed?
Mobile applications are creating new requirements for companies. There has been a paradigm shift where enterprise services are published with JSON/REST APIs to support both web sites and mobile apps. Organizations are using more services hosted by third parties. Some web sites are facing requirements to support the standards-based security infrastructures of their customers or partners.
It’s impossible for the average system administrator to patch together a solution to address
all these challenges. It’s time for an open source alternative.
What else can it do?
The solution is very flexible. It is solving a wide range of use cases today. One area that could
be expanded is “enrollment,” which involves creating an internal profile for a person who is
authenticated at another domain (like Google). Another extra-credit topic that is not needed
by the average domain is multi-party federation hosting. This enables an organization to vet
a list of trusted, autonomous partners who publish applications or authenticate people.
What do its friends look like?
Many governments are anxious to see open source alternatives for security. The Internet will not become a safer place if only big companies can afford security. Higher Education has also been an early adopter of open standards for security. Part of the solution is based on open source software already popular in this segment. In addition, many companies are anxious for more cost-effective solutions to recommend to partners. If you need your partners to support secure open standards for security, you can’t ask them to buy expensive enterprise software. Finally, privacy advocates around the globe prefer open source security solutions, especially in light of recent revelations regarding US government spying.
What does the future look like?
There is a major paradigm shift happening right now. In the past, there were too many Internet standards for web authentication: OpenID 2.0, OAuth 1.0, WS-Federation, CAS, and many other protocols are on the trash heap of failed or fading efforts. Finally, new standards have arisen that use the OAuth2 pattern, leveraging a JSON/REST API architecture that is friendly to application developers. There is more consensus than ever on how to achieve interoperable security. If authentication and authorization become a decentralized Internet infrastructure like SMTP or DNS, the know-how for how to launch and manage these services will be in high demand across the globe.
Product Proposal
API and Mobile Access Management
What is the vision and purpose of this product?
While the vision for securing the Internet is clear to the “identerati”–the experts who developed the standards–we need to get the information into the hands of a much wider audience. It is imperative for our society that we decentralize identity. Facebook and Google have bridged our inability to identify our friends on the Internet by providing a centralized solution–you can share a Google doc with someone only because they also have a Google account. With a myriad of vendors producing hardware and software that interact on our behalf, we cannot build our society on these central identity silos. Like enlightened despotism, it seems efficient. But over time, it undermines the original design goal of the Internet… the largest federation of autonomous entities ever assembled into one network. The Internet was made possible by standards like TCP/IP, DNS, HTTP and SSL. After 20 years, we have an Internet identity infrastructure, and it’s time to get the word out. For this, we need paper!
Who is the reader/viewer at the start?
The basic profile of the person is a “Unix system administrator.” However, others in the organization who use or rely on the infrastructure may also want to read it.
To read this book, the person will need to understand the current infrastructure of the Internet: TCP/IP, DNS, SMTP, HTTP, and SSL. Some knowledge of public-private key cryptography would also be helpful, although the required concepts will be reviewed–it’s so critical, it can’t be assumed. No programming is assumed, although some additional material will be referenced, as many programmers will certainly read this book.
Who is the reader/viewer at the end?
After reading the book, the reader should be ready to deploy the components to enable application testing and development to proceed. The roadmap for security should be clear, including which services are needed to meet the requirements of the reader’s organization. Importantly, after reading this book, the programmers, system administrators, and Chief Information Security Officer should be able to get alignment much more quickly on the important standards, and the moving pieces that need to be addressed from a business perspective, not just a technical perspective.
Article resource: https://sites.google.com/site/thegluuserver/packt-publishing-book-proposal-api-and-mobile-access-management