Securing Cloud and Mobile: Pragmatic Enterprise Security Architecture
Prabath Siriwardena (@prabath), WSO2
Director, Security Architecture
Within the first decade of the 21st century, internet users worldwide increased from 350 million to more than 2 billion.
Mobile phone subscribers increased from 750 million to 5 billion; today it's around 6 billion.
Only 30% of mobile users password-protect their mobile devices.
Many SaaS providers ignore multifactor authentication for mobile applications.
113 cell phones are lost or stolen every minute in the U.S., and $7 million worth of smartphones are lost daily.
62% of mobile workers currently use their personal smartphones for work.
http://www.websense.com/assets/reports/websense-2013-threat-report.pdf
Mobile Device Management systems need to be an integral part of corporate Identity Management.
Cloud service providers are becoming mobile friendly with REST/JSON APIs.
OAuth 2.0 dominates Mobile and API security.
Avoid using the Resource Owner Password OAuth grant type.
Mobile applications secured with OAuth can be vulnerable to phishing.
Your Facebook or Twitter account credentials can be phished more easily through your mobile phone than from a laptop computer.
The need to bake the client key and the client secret into the mobile app itself is an issue yet to be solved.
OAuth gives mobile applications better failover capability in case of an attack.
It takes an average of 20 seconds for a user to log into a resource.
Single Sign On increases user productivity.
Browser based Single Sign On
[Diagram: Native App, Native Web Browser and Authorization Server (IdP), with the app and browser on the Mobile Device]
Native Single Sign On
[Diagram: Native App and Native IdP App, both on the Mobile Device]
The OpenID Foundation is working on standardizing Native Single Sign On based on OpenID Connect.
Federated Single Sign On
[Diagram: Native App, Native Web Browser and Authorization Server (IdP), with the app and browser on the Mobile Device, federating to two SAML2 IdPs]
Federated Single Sign On with heterogeneous Authorization Servers
Secured / Confidential data channels: TLS, JSON Web Encryption (JWE)
Managed Cloud APIs
[Diagram: Mobile App, API Gateway, Cloud API]
Thank You