By Greg Jensen on Jun 10, 2013
Embracing Mobility in the Workspace using Oracle API Gateway
“In 2013, mobile devices will pass PCs to be most common Web access tools. By 2015, over 80% of handsets in mature markets will be smart phones.”
Across the globe, corporations are embracing the influx of mobility and the last five years have seen an expanding role of mobility in the workspace. Enterprises everywhere are coming up with innovative initiatives to support the mobility needs of personnel working for them. In addition, a variety of mobile applications and services are being offered to the workforce to make them more effective and efficient at work. Such applications and services unify different user populations within the organization, including internal workforce, partners, customers, and consumers, with the internal and external resources of the organization.
There are numerous reasons why enterprises are embracing mobility in the workspace and the chart below highlights the most important ones:
The devices used by the user populations are usually diverse in nature and leads to a fragmented and a disconnected landscape. As a result, IT architects and product managers of organizations are compelled to develop applications that can be ported to mobile devices of users. However, the deployed in-house applications aren’t capable of averting increasingly sophisticated identity thefts and data breaches of today. Development and utilization of secured mobile applications is often the primary concern that bothers infrastructure & solution architects today.
Forrester Consulting commissioned a study on behalf of Cisco Systems in 2012 to gather information on top security concerns and compatibility issues that concern senior-level decision-makers. The chart below illustrates the results.
There are a lot of aspects that should be managed to effectively support mobile devices. They are:
· Password and User management – Management of multiple passwords and user identities for each application
· Device Management – Management of authentication and authorization of devices allowing users to access company resources securely. A high mobile device turnover by user population calls for re-registration of new devices and blacklisting/wiping-out of corporate information from older devices. Device management automates such processes in a structured manner
· Application Access Management – Management of role-based access that is usually absent or is being managed locally in the application leading to unauthorized access to applications. And the local role management leads to redundant and expensive management of access to applications via roles
· API Management – Management of central publishing, promoting, and monitoring of exposed APIs within a secure and scalable environment that is often missing. Many applications todays exposes web services which may not consumed by mobile devices as efficiently as possible.
Following section describes how the above-mentioned aspects are managed and how challenges and issues related to adoption of mobile devices are addressed by using Oracle API Gateway and a variety of other components of Oracle Access management stack.
· User Management – The mentioned aspects and challenges are addressed by having a User Provisioning tool like Oracle Identity Manager (OIM). OIM streamlines user provisioning and de-provisioning, and other identity based lifecycle events in the organization. Along with that, users are also provisioned access to various target systems. Once the step of access provisioning is completed, Oracle Access Management (OAM) steps in for users who wish to access the target system by using single sign-on. The authentication can be done by binding to LDAP, but OAM brings additional advantages as it allows various policies and procedures to be defined and implemented for the users accessing target systems within the enterprise. Furthermore, access request to all resources on mobile devices are intercepted by Oracle API Gateway or OAG (deployed in DMZ) in order to enforce the policies that define the steps involved. OAG gathers the necessary user, application, device, and network context data to enable authentication decisions and validates the gathered data using the Access Management tool as per the policies laid down.
However, this approach only performs user authentication and relies on Access Management tool to perform coarse grain authorization, and may not be sufficient for the detailed authorization rules defined within the application itself.
Please refer to the figure below for a better understanding.
· Device Management – Mobile devices used by users are registered through Identity Manager as an asset and this information is provisioned to an LDAP, DB device, or an App registry. Also, Oracle API Gateway is used to perform device authentication by using the custom authentication logic it comes with. Once the device is authenticated, a device token is generated, and the same is used by mobile devices in subsequent interactions in order to fetch the desired information from the applications. This is a simple approach and can be employed to achieve the desired results in small work environments where functionalities like device profiling, blacklisting and whitelisting, knowledge based authentication, and device control is of less importance.
For work environments that are larger and more complex, and where the previously mentioned functionalities are important, Access Management component can be extended to include and deploy Oracle Adaptive Access Manager (OAAM) along with Mobile and Social Services components. By doing this, the desired Device Management functionality is implemented.
In other scenarios, device registration can also be delegated to OAAM components rather than registering it through Oracle Identity Manager against the user record. Here, mobile and social services components play a crucial role of mediating security tokens for mobile devices to access enterprise resources and cloud based applications.
Please refer to the figure below for a better understanding.
· Application Access Management – The above two architectures explain how Oracle API Gateway (OAG) manages and performs user and device authentication. Oracle API gateway is Policy enforcement point for mobile devices in a similar way Web-Gates are policy enforcement for Oracle Access Management. However, the fine-grained authorization can’t be overlooked.
Classical approach of programming included embedding the authorization logic within the application itself, making the management and extension of application security cumbersome. And it can lead to failed audit and compliance objective requirements of certifying who has what access and at what level. This may not be acceptable in today’s world of increased scrutiny of applications and their access.
Fortunately, Oracle Entitlement Server (OES) comes to rescue and serves as a central policy decision/definition point where all applications can externalize authorization rules. When used with OAG, the authorization policies set by OES are enforced. In addition, the combo can also redact the data elements based on various roles of users accessing applications through mobile devices.
The figure below will be able to help you understand the concepts better.
· API Management – Enterprises today have applications that expose web services primarily meant for either intranet use or exchanging information with business-partner applications. That paradigm has taken a major shift with the proliferation in on-boarding of mobile devices and the need to access the respective applications on these devices. Mobile devices may not be able to consume the exposed web-services as efficiently and thus, require enterprises to adopt strategies to either re-write or extend those web-services for such use-cases, or rely on Oracle API Gateway (OAG) features and functionalities.
OAG provides functionalities that shield these efforts and perform content transformation on the fly in order to make it adaptable for mobile device use. Oracle API Gateway provides controlled connection between APIs and applications that exposes them. OAG also allows access related metrics for any APIs managed by it. In a well laid-out architecture and implementation of OAG, enterprises can expose these services confidently with additional benefits such as Threat protection and XML Acceleration while having the same performance levels, and exceptional reporting and analytics capabilities across all services.
In all, mobile devices have evolved to better suit the needs of consumers but at the same time have traded of their security to ensure usability. These trade-offs increasingly contribute to security risks when such devices connect to the enterprise resources.
The security risks should be addressed in an effective manner to protect precious company resources and comply with increasingly strict regulations. Mobile Access management solution using Oracle API Gateway technology unifies enterprise resources and cloud-based resources across network boundaries to mobile devices. This solution assures enhanced security, regulatory compliance, improved governance, and increased productivity.
For more information on registration on our upcoming joint webinar with guest presenters Arun Mehta from AmerIndia, and Sid Mishra from Oracle Corporation, please go to http://www.amerindia.net/webinars.php. Here you will be able to pre-register for this event, where we will discuss the changing face of mobile devices in today’s work environment and the risks associated with this upcoming trend. In addition, solutions available to address such risks will be described, while also highlighting solutions specific to different types of organization.
Mobile Security Practice Leader
AmerIndia Technologies Inc.
Arun Mehta is Principal Solution Architect in Mobile Security, Security Solutions practice at AmerIndia Technologies Inc. In this role, Arun leads a team of specialist technical consultants and architects across North America focusing on Oracle's Security and Identity Management technology. Arun has been in the field of Security for over a decade and has experience across large and complex Identity Management projects in the North America region covering multiple industry verticals. More recently, he has been engaged on a number of projects including enterprise security platforms and mobile access management to help customers enable digital and business transformation initiatives.
AmerIndia Technologies Inc.
AmerIndia Technology Inc. is a full-service information security consulting firm and an Oracle Gold Partner. We specialize in security assessments, software security, mobile security, identity and access management, cloud identity management, API management, certification, regulatory compliance, and vulnerability management. AmerIndia serves clients throughout the United States.
Our expertise and client base spans all major verticals. Customers include Fortune 5000 companies in the financial, technology, healthcare, insurance, education and manufacturing sectors. Because of our wide range of experience and subject matter knowledge, major consulting firms also rely on AmerIndia as a trusted partner.
For more information, visit our website: www.amerindia.net