Posted on 29-May-2020

  • Practical Security Measures for Exposing Enterprise Services to Mobile Applications

    Greg Kliewer | Solutions Architect | Layer 7 Technologies | gkliewer@layer7.com

  • © 2012 Layer 7 Technologies 2

    Proudly Canadian Headquartered in Vancouver, BC

    Contents

    Apps → Web Apps → Services → Mobile

    Services → Mobile = New Risks

    Mitigation Strategies


  • Slide 4

    Chances are, you work for a going concern

  • Slide 5

    It is likely that your organization rolled out a long time ago

    [Diagram labels: Web Client, HTTP Server, App Server, Database, Pages, Objects]

  • Slide 6

    And your organization probably, to some extent, adopted over the last decade, in order to facilitate integration between enterprise applications

    [Diagram labels: Pages, Objects]

  • Slide 7

    And now there are pressures to provide user interfaces into the same enterprise applications and services from new applications, deployed to .

  • Slide 8

    BUT mobile platforms are different than browsers

    Browser: “Thin” clients
    - User experience is delivered almost entirely by the server
    - Consume “pages” already marked up for human consumption

    Mobile: “Thick” clients
    - User experience is delivered by the app (servers are just there for “resources”)
    - Consume APIs designed for machines only

  • Slide 9

    So organizations are looking to leverage their enterprise services

  • Slide 10

    And they are building / buying bridges from services to mobile

                               | Web Services                | Mobile Apps               |
    Transport                  | HTTP POST                   | HTTP REST                 | Compatible
    Data                       | XML                         | JSON                      | Simple transformation
    Authentication             | PKI, X.509, Kerberos, SAML  | Trust-less (keys, tokens) | Wait… do we have a problem here?
    Confidentiality & Integrity| XML DSIG / ENC, WS-Security | SSL (sometimes)           |

  • Slide 11

    Contents

    Apps → Web Apps → Services → Mobile

    Services → Mobile = New Risks

    Mitigation Strategies

  • Slide 12

    GET http://www.layer7.com/employee?id=270183

    Who is making the call?

  • Slide 13

    API Keys

    “An application programming interface key (API key) is a code generated by websites that allow users to access their application programming interface. API keys are used to track how the API is being used in order to prevent malicious use or abuse of the terms of service. API keys are based on the UUID system to ensure they will be unique to each user.”

    (Source: Wikipedia, http://en.wikipedia.org/wiki/Application_programming_interface_key )

  • Slide 14

    GET http://www.layer7.com/employee?id=270183&APIKey=15458617-7813-4a37-94ac-a8e6da6f6405

    15458617-7813-4a37-94ac-a8e6da6f6405: A person? Or an app? Or a device?

    [Diagram labels: Layer 7 HR, My Manager]

  • Slide 15

    The Identity Profile

    Increasingly we need to move toward a large number of claims (multiple identity profiles)

    • Attributes
      • Roles
      • Geo location
      • IP
      • User agent
      • Time of day
      • etc.
    • Identities
      • userID
      • appID
      • deviceID
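    As an added illustration of the multi-claim identity profile above (example code written for this page, not part of the Layer 7 deck), the following Python evaluates one request's claims, the three identities plus the context attributes, against a hypothetical per-resource policy and returns every reason for denial so the gateway can log them all at once. The policy fields, the HR endpoint, the sample identities and the CIDR ranges are all constructed assumptions.

```python
"""Added example (not from the Layer 7 deck): evaluating an access request
against a multi-identity profile (userID, appID, deviceID) plus context
attributes (roles, geo location, IP, user agent, time of day)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class IdentityProfile:
    """All claims the bridge has gathered for one request."""
    user_id: str
    app_id: str
    device_id: str
    roles: frozenset
    geo: str            # ISO country code, as reported by a geo-IP lookup
    ip: str
    user_agent: str
    hour_of_day: int    # 0-23, gateway local time


@dataclass
class Policy:
    """Hypothetical policy for one resource; every field is an assumption."""
    required_roles: frozenset
    allowed_apps: frozenset
    registered_devices: frozenset
    allowed_countries: frozenset
    trusted_networks: tuple = ()          # CIDR strings
    business_hours: tuple = (0, 24)       # [start, end) hours
    blocked_agent_substrings: tuple = ()


def evaluate(profile: IdentityProfile, policy: Policy) -> list:
    """Return a list of denial reasons; an empty list means ALLOW.
    Every claim is checked so an audit record can carry all failures at once."""
    reasons = []
    if not profile.roles & policy.required_roles:
        reasons.append("user lacks a required role")
    if profile.app_id not in policy.allowed_apps:
        reasons.append("unknown or disallowed appID")
    if profile.device_id not in policy.registered_devices:
        reasons.append("deviceID is not registered")
    if profile.geo not in policy.allowed_countries:
        reasons.append("geo location not permitted")
    addr = ipaddress.ip_address(profile.ip)
    if policy.trusted_networks and not any(
            addr in ipaddress.ip_network(n) for n in policy.trusted_networks):
        reasons.append("source IP outside trusted networks")
    start, end = policy.business_hours
    if not (start <= profile.hour_of_day < end):
        reasons.append("outside permitted time of day")
    if any(s in profile.user_agent for s in policy.blocked_agent_substrings):
        reasons.append("user agent is blocked")
    return reasons


# Constructed sample policy for an HR endpoint (assumption, not from the deck).
HR_POLICY = Policy(
    required_roles=frozenset({"manager", "hr"}),
    allowed_apps=frozenset({"hr-mobile-ios", "hr-mobile-android"}),
    registered_devices=frozenset({"dev-1001", "dev-1002"}),
    allowed_countries=frozenset({"CA", "US"}),
    trusted_networks=("10.0.0.0/8", "203.0.113.0/24"),
    business_hours=(6, 22),
    blocked_agent_substrings=("curl/", "python-requests"),
)


def manager_on_registered_phone() -> list:
    """Constructed request: a manager, on a registered device, from the office."""
    return evaluate(IdentityProfile("alice", "hr-mobile-ios", "dev-1001",
                                    frozenset({"manager"}), "CA", "203.0.113.7",
                                    "HRMobile/2.1 iOS", 10), HR_POLICY)


def same_user_from_script_abroad() -> list:
    """Constructed request: same userID, but every context claim is off."""
    return evaluate(IdentityProfile("alice", "hr-mobile-ios", "dev-9999",
                                    frozenset({"manager"}), "BR", "198.51.100.5",
                                    "python-requests/2.0", 3), HR_POLICY)


if __name__ == "__main__":
    print("allowed" if not manager_on_registered_phone() else "denied")
    print(same_user_from_script_abroad())
```

    The point of returning a list rather than a single boolean is that the same userID can pass on one request and fail on the next purely on context; the deviceID, IP, geo and user-agent claims are what distinguish the real user's phone from a script replaying that user's credentials.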

  • Slide 16

    The culture of the web:

    PROBLEM: Most of the authentication schemes that we relied on for web services involved asymmetric crypto with consumers of services (clients)

    - SSL / TLS Mutual Authentication
    - XML DSIG / XML ENC
    - WS-Security
    - SAML

    “No way we’re implementing client-side certificates”

  • Slide 17

    API Keys here?

  • Slide 18

    Contents

    Apps → Web Apps → Services → Mobile

    Services → Mobile = New Risks

    Mitigation Strategies

  • Slide 19

    SSL for ALL THE THINGS!

    - Web devs won’t like this, but…
    - It is the battle you can win! (as opposed to trying to get them to adopt client side certs)
    - The overhead isn’t what it used to be

    The bridge MUST
    • Terminate inbound connections (use a new connection on the back end)
    • Require SSL for all connections
    • Require strong cipher suites
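    An added example, not from the deck, of the three bridge requirements in Python's standard ssl module: an inbound server context with a TLS 1.2 floor and forward-secret AEAD suites, a separate outbound context for the new connection the bridge opens to the back end, and a per-request gate that refuses plaintext, old protocol versions and weak suites. The WEAK_MARKERS list, the cipher string and the sample requests in demo_decisions are assumptions.

```python
"""Added example (not from the Layer 7 deck): a hardened TLS listener context
for the bridge and the per-request policy the slide lists."""
import ssl

# Substrings that identify legacy or broken cipher suites (assumption).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")
MIN_TLS = ssl.TLSVersion.TLSv1_2


def build_inbound_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server-side context for terminating inbound connections at the bridge."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS
    # Forward-secret AEAD suites only. This string governs TLS 1.2 and below;
    # TLS 1.3 suites are AEAD by construction and are configured separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def build_backend_context(ca_bundle=None) -> ssl.SSLContext:
    """Client-side context for the NEW connection the bridge opens to the
    back end; the inbound socket is never passed through."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = MIN_TLS
    return ctx


def offered_cipher_names(ctx: ssl.SSLContext) -> list:
    """Cipher suites the context would actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names) -> list:
    """Subset of the given suite names that match a weak marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def inbound_allowed(scheme: str, tls_version, cipher) -> tuple:
    """Policy gate applied to every request: (allowed, reason)."""
    if scheme != "https":
        return False, "plaintext HTTP is refused"
    if tls_version is None or tls_version < MIN_TLS:
        return False, "TLS version below minimum"
    if cipher is None or weak_ciphers([cipher]):
        return False, "weak cipher suite"
    return True, "ok"


def demo_decisions() -> dict:
    """Constructed requests as the bridge would see them after the handshake."""
    good_suite = "ECDHE-RSA-AES128-GCM-SHA256"
    return {
        "plain_http": inbound_allowed("http", MIN_TLS, good_suite),
        "old_tls": inbound_allowed("https", ssl.TLSVersion.TLSv1, good_suite),
        "rc4": inbound_allowed("https", MIN_TLS, "RC4-SHA"),
        "good": inbound_allowed("https", ssl.TLSVersion.TLSv1_3,
                                "TLS_AES_256_GCM_SHA384"),
    }


if __name__ == "__main__":
    ctx = build_inbound_context()
    print("weak suites offered:", weak_ciphers(offered_cipher_names(ctx)))
    for name, decision in demo_decisions().items():
        print(name, decision)
```

    Keeping two contexts is what "terminate inbound, new connection on the back end" means in code: the bridge can inspect and re-authorize the request in the clear between the two TLS sessions, and the back end never sees the client's socket.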

  • Slide 20

    Use real tokens to establish / maintain sessions

    - API Keys are okay for tracking how applications are using APIs / services, but they are not security tokens
    - Use OAuth for:
      - Issuing session tokens tied to the user
      - Authenticating the client (e.g. device) as well as the user when necessary
      - Analogous to web app cookies

    The token system MUST
    • Practice good management (e.g. expiry, revocation)
    • Treat tokens as shared secrets (hence, SSL all the time)

    - For more on OAuth see:
      http://en.wikipedia.org/wiki/OAuth
      http://oauth.net/

    [Diagram labels: Access Tokens, Client Secrets, API Keys]

  • Slide 21

    Leverage existing ACLs where possible

    - If you already own the services you are developing mobile apps for, there is no need to over-engineer by adopting fancy 3-legged grant types
    - The Resource Owner Credentials grant type will work just fine and allow you to do warm-body AU/AZ (authentication / authorization of the actual user) the way you do today

    The resource owner (user) MUST be authenticated and authorized for access to the resource requested.

    [Diagram labels: LDAP, MSAD, OAM, TAM, CASM, etc.; Access Tokens; Clients / Secrets]
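    An added example (not Layer 7's code) that covers both this slide and the token-system slide before it: a minimal token service that authenticates the client app and the resource owner against a constructed stand-in for the enterprise directory using the Resource Owner Password Credentials grant, stores only digests of tokens and client secrets, and enforces expiry, revocation and an existing role-based ACL on each request. The directory records, client registry, role names and 15-minute lifetime are assumptions.

```python
"""Added example (not from the Layer 7 deck): an OAuth-style token service in
front of an existing directory, using the Resource Owner Password Credentials
grant (RFC 6749 section 4.3). Everything below the imports is constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 900          # seconds; short life-span (assumption)


def _digest(secret: str) -> str:
    # Tokens and client secrets are shared secrets: store only a hash, so a
    # leaked token table cannot be replayed against the bridge.
    return hashlib.sha256(secret.encode()).hexdigest()


def _pw_hash(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


# Constructed stand-in for the LDAP / AD lookup: username -> salted hash, roles.
DIRECTORY = {
    "alice": {"salt": "s1", "pw": _pw_hash("correct horse", "s1"), "roles": {"manager"}},
    "bob":   {"salt": "s2", "pw": _pw_hash("hunter2", "s2"),       "roles": {"employee"}},
}
# Registered OAuth clients (the mobile apps); secrets stored hashed.
CLIENTS = {"hr-mobile-ios": _digest("client-secret-ios")}


@dataclass
class Grant:
    user: str
    client_id: str
    roles: set
    expires_at: float


class TokenService:
    def __init__(self):
        self._active = {}     # token digest -> Grant

    def _authenticate_client(self, client_id, client_secret) -> bool:
        expected = CLIENTS.get(client_id)
        return expected is not None and hmac.compare_digest(expected, _digest(client_secret))

    def _authenticate_user(self, username, password):
        """Returns the user's roles from the directory, or None on failure."""
        rec = DIRECTORY.get(username)
        if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"])):
            return None
        return set(rec["roles"])

    def password_grant(self, client_id, client_secret, username, password, now=None):
        """Resource Owner Password Credentials exchange: bearer token or None.
        Both the client (app) and the resource owner (user) must authenticate."""
        now = time.time() if now is None else now
        if not self._authenticate_client(client_id, client_secret):
            return None
        roles = self._authenticate_user(username, password)
        if roles is None:
            return None
        token = secrets.token_urlsafe(32)
        self._active[_digest(token)] = Grant(username, client_id, roles, now + ACCESS_TOKEN_TTL)
        return token

    def introspect(self, token, now=None):
        """Resolve a presented token to its grant, enforcing expiry."""
        now = time.time() if now is None else now
        grant = self._active.get(_digest(token))
        if grant is None:
            return None
        if now >= grant.expires_at:
            del self._active[_digest(token)]     # lazily reap expired tokens
            return None
        return grant

    def revoke(self, token) -> bool:
        return self._active.pop(_digest(token), None) is not None

    def authorize(self, token, required_role, now=None) -> bool:
        """The existing ACL check: the resource owner must hold the role."""
        grant = self.introspect(token, now)
        return grant is not None and required_role in grant.roles
```

    The `now` parameter exists so expiry can be exercised deterministically; in the bridge it would be the wall clock. Because only digests are stored, the service cannot hand a token back out again, which is the property that lets it be treated as a shared secret carried exclusively over SSL.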


  • Slide 23

    Summary

    - There are new complications and risks associated with exposing enterprise (web) services to mobile applications
      - New entities to identify and authorize (e.g. applications and clients)
      - Impracticality of establishing trust in familiar ways (i.e. with certificate distribution)
    - BUT there is no need to panic
    - There are practical steps to take to reduce security risks while bridging between the enterprise service and mobile worlds
      - Token systems can be placed in front of existing services to provide access control that works much like browser-cookie systems
      - Tokens can be kept safe over their limited life-spans using tried-and-true SSL
      - Token systems provide grant types designed to work with incumbent enterprise identity and access management solutions
