CA Aims to Improve API Security
Modern Web and mobile apps tend to use external resources, often called via an API, making the API a critical control point for security. That is why CA is addressing API security with new products.
CA Technologies today announced new mobility and API security technologies to help protect the modern open perimeter of the IT security landscape.
John Hawley, vice-president of Strategy at CA, explained to eSecurityPlanet that in the past, security was all about protecting the edge of the network with strong defenses. With mobile apps and the widespread use of APIs for applications, however, the boundary is shifting and the perimeter is more open than ever before.
"Mobility from our perspective is the biggest IAM (identity and access management) spending driver today as it introduces a variety of new challenges," Hawley said.
One of those challenges is how to secure applications on user devices. The app itself, more than the mobile device management (MDM) technologies used to lock down devices, is the real key to mobile security.
Securing the mobile app landscape begins at the development stage, which is where the new CA Layer 7 API developer portal fits in. The portal is a resource for developers writing mobile apps.
"The API developer portal allows an enterprise to manage either internal or external developers, and provides those developers with secure access to a set of APIs and gets them up and running with the appropriate capabilities," Hawley said.
While the API developer portal is about the development phase, the CA Layer 7 Mobile Access Gateway is about the runtime operation of APIs. Hawley explained that the CA Layer 7 Mobile Access Gateway wraps security around the available APIs.
"A mistake that many mobile developers make when building apps is, their apps make too many API calls," Hawley said. "The CA Layer 7 Mobile Gateway gives the developer a single API to call and on the back-end the gateway will grab all the required information via five or six separate API calls."
The benefit to the mobile app developer is a simpler programming model that is more bandwidth efficient as well as being more secure. Going a step further, the CA Layer 7 Mobile Gateway now has single sign-on (SSO) capabilities, so the user only needs to be authenticated once in order to get access to Web applications. The SSO piece comes by way of integration with CA's SiteMinder technology.
For developers, CA is also now offering a software development kit (SDK) to enable the integration of strong authentication capabilities directly into mobile apps. One of those strong authentication features is the ability to generate a one-time password for use in a multi-factor authentication application.
"We want developers to think about building applications, and what we've done is abstracted security," Hawley said. "We're letting security people handle security, and the app developer can focus on the app experience."
For off-the-shelf apps, CA is introducing the new CA Mobile Application Management (CA MAM) as a way to lock apps down into secure containers. CA MAM can be used to restrict an application to only run in a certain geographic location. For example, a medical app can be locked down so that it can only work when the user is inside the hospital.
"CA MAM is bringing interesting authentication and context controls around mobile apps," Hawley said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.