
Secure Mobile Access for Enterprise Employees

Simplifying Security & Management for Enterprise-Level Apps & BYOD

Layer 7 Technologies

White Paper

Secure Mobile Access for the Enterprise

Contents

Introduction
BYOD & Apps: Innovation Through Consumerization
    The Benefits of Everywhere Access
    The BYOD Movement
Mobile Integration: Using Apps to Leverage Internal Information Assets & Services
    Using APIs to Enable Enterprise Mobility
Addressing the Challenges of Enterprise/Mobile Integration
    1. Adapting Internal Information Assets for Mobile Consumption
    2. Optimizing App Performance When Accessing Enterprise Information
    3. Securing Mobile Access to Enterprise APIs
    4. Making APIs Discoverable & Consumable for Developers
Simplifying Secure Enterprise Mobility with a Mobile Access Gateway
Layer 7 Solutions for Simplifying Secure Enterprise Mobile Access
Conclusion
About Layer 7 Technologies
Contact Layer 7 Technologies
Legal Information

Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com)


Introduction
Mobile technology is revolutionizing the corporate IT landscape. Enterprises want to leverage mobile to maximize employee productivity, efficiency and availability. Meanwhile, employees are already taking the initiative by using their own personal mobile devices for business purposes. For enterprises, the benefits of enterprise mobility and the reality of the bring your own device (BYOD) movement are becoming impossible to ignore.

The true potential of mobile devices is in the apps they run. To get real value from mobile, enterprises need to provide their employees with apps that can access corporate resources and information, even when the devices being used are not under corporate control. For enterprises, this creates significant challenges related to security and information adaptation.

Making corporate data and application functionality available to apps residing on employees' mobile devices can be achieved by using APIs to expose on-premise systems and data to developers building mobile apps. Using APIs for enterprise/mobile integration is a recent paradigm requiring a specific solution to ensure the maintenance of security and governance. In this context, a SOA Gateway with API Proxy capabilities can be used as a Mobile Access Gateway to address identity, data and application adaptation and sharing control across an API.

This Layer 7 Technologies white paper explores the challenges of enterprise mobility and provides practical advice on how to use an API Proxy as a Mobile Access Gateway. It describes real Layer 7 use cases to show how enterprises benefit from providing employees with mission-critical mobile apps. It also explains how the Layer 7 API Proxy and supporting components of Layer 7's API Management Suite are helping these enterprises to deliver secure mobile access.

BYOD & Apps: Innovation Through Consumerization


Mobile technology is being used increasingly in the workplace and by remote workers interfacing with the extended enterprise through apps and services. The runaway popularity of the Apple iPad has accelerated this trend greatly over the last couple of years, but other app-driven platforms such as the iPhone, Google's Android smartphone OS and Windows Mobile are playing a significant role. The BlackBerry platform, still widely used in enterprise settings, has also embraced the mobile app paradigm.

For large companies, governmental departments and many other types of organization, there are two key factors driving the enterprise mobility revolution and making it vital that enterprises address the challenges of secure mobility:

1. The remarkable efficiencies and cost savings offered by providing everywhere access
2. The BYOD movement and the consumerization of enterprise IT


The Benefits of Everywhere Access


Mobile technology presents organizations with potential efficiencies that are simply too beneficial to ignore. One Layer 7 customer in the health insurance sector provides a great example. The customer's representatives make around two million house calls to members every year. Traditionally, member data gathered at a house call would be recorded by hand and keyed into a central database when the representative returned to the office.

It was clear that providing representatives with mobile technology would make this process quicker and more accurate. Therefore, the company created an iPad app designed to help representatives interactively assess members' needs. This application is now helping to reduce time spent on administrative tasks and increase time spent with members, leading to more efficient decision making and enhanced member services.

In this example, a large organization benefited from providing its staff with mobile devices. This case is certainly not unique; many enterprise organizations are seeing similar benefits from equipping their sales staff with mobile technology. However, in many cases, enterprises are presented with the mobile workforce as a foregone conclusion and are specifically benefitting from the fact that employees are using their own consumer-focused devices in the workplace.

The BYOD Movement


BYOD is a result of the consumerization of IT. As Nathan Clevenger observes in his excellent book iPad in the Enterprise, the flow of IT innovation has reversed. Formerly, government research would lead to technological innovations, which would then be leveraged by businesses and finally packaged for consumers. Now, technological innovations are emerging directly from consumer electronics, and consumer technologies are being embraced by the business world.

Nevertheless, not all the enterprises that are beginning to incorporate consumer-focused mobile technology are doing so proactively. More often than not, employees are not waiting for their employers to equip them with mobile devices; they are simply bringing their own devices to the workplace (hence the term BYOD). Moreover, these individuals are not waiting or asking for their IT department's permission to use these devices for work; they are just doing so.

And they are doing so en masse. IDG Connect's iPad for Business 2012 study found that 67% of North American iPad owners were using their iPads at work, and the numbers were similarly high worldwide. This means that BYOD is a reality enterprises are going to have to deal with, whether they like it or not. People clearly want to use their mobile devices at work, so trying to turn back the tide of BYOD could have a serious impact on employee satisfaction.


Smart organizations will see BYOD for the massive opportunity it is. The use case described earlier shows the great benefits an organization can gain from providing its employees with mobile devices. Now imagine the additional cost savings and efficiencies that can be gained from leveraging mobile devices employees have already purchased for personal use and are already familiar with on a technical level.

Of course, as the use case also shows us, mobile devices are only half the story. Hardware (specifically the emergence of the iPad and similar tablets) has been the catalyst for a revolution in enterprise mobility, but apps are the real payoff. BYOD shows us that people are already using their devices for work. To really benefit from mobile, enterprises need to build apps specifically designed to help their employees work more effectively.

Mobile Integration: Using Apps to Leverage Internal Information Assets & Services
So how do you build apps to enable the mobile workforce? In the past, enterprise IT organizations all too often reacted to any new technology paradigm with a rip-and-replace approach, accommodating the new technology by attempting to build new IT systems or port old processes to new packaged platforms. This approach yielded limited returns, and a more flexible, efficient alternative was clearly needed.

Over the last decade, more and more enterprise architects have adopted an approach driven by application programming interfaces (APIs) in order to make data and application functionality available to other applications. These architects create services that allow them to easily consume and reuse existing IT investments while creating new business processes by composing multiple operations together into higher-level applications.

This approach, known as Service Oriented Architecture (SOA), can be leveraged in the enterprise mobile context. Key data and applications can be extended and delivered as services, via APIs, to mobile apps. More specifically, Service Oriented interfaces can be quickly adapted into mobile-friendly APIs that expose internal enterprise information assets to mobile developers and the apps they build, using formats and security models mobile devices can easily consume.

Using APIs to Enable Enterprise Mobility


The API-driven services associated with SOA may be exposed internally or externally. Opening APIs to internal and external developers simplifies the creation of applications able to integrate with the enterprise's information assets in order to benefit a range of stakeholders, from employees to partners to customers. These applications may reside within the enterprise, at partner organizations, on the Web, in the Cloud or on mobile devices.


For the sake of this white paper, we are primarily concerned with the creation of mobile apps by internal developers for use by employees (and partners) across the extended enterprise. A use case from another Layer 7 customer demonstrates how effective this strategy can be. The customer, one of the largest US-based airlines, launched an ambitious API publishing program targeted at both internal and external developers; employees and customers.

Internally, these APIs allowed the company's developers to create a range of apps designed to enable the mobile workforce. For example, an app was created that was designed to help ground crews expedite the loading and unloading of baggage from flights, decreasing baggage handling times to maximize customer satisfaction. (Externally, apps were developed that gave customers fuller itinerary management capabilities by combining the airline's schedule and ticket information with value-added information provided by outside sources.)

Layer 7's role was to help the company address the challenges of publishing, integrating and securing these APIs, thereby enhancing key business processes without compromising corporate integrity.

Addressing the Challenges of Enterprise/Mobile Integration


APIs provide the technical components internal developers need to integrate on-premise information assets with the apps they build for employees' mobile devices. However, for this approach to work, four challenges must be met:

1. Adapting Information Assets for Mobile Consumption
2. Optimizing App Performance When Accessing Enterprise Information
3. Securing Mobile Access to Enterprise APIs
4. Making APIs Discoverable & Consumable for Developers

1. Adapting Internal Information Assets for Mobile Consumption


There are a number of challenges associated with making internal information assets usable by a mobile app. Firstly, information assets in legacy formats need to be reworked as RESTful APIs that can be accessed as XML or, increasingly, JSON data messaging formats. This requires an efficient system for translating any backend information asset into a RESTful API that communicates over HTTP/S using JSON messaging. It may also require a reconstitution or recomposition of internal information assets into new APIs customized to specific users or apps.

This kind of data translation and API recomposition is ideally suited to the SOA Gateways that are commonly used to integrate applications in SOA by translating data formats, orchestrating service interactions, virtualizing APIs and bridging different protocols and transports. Connecting a mobile app to an enterprise application is therefore rendered as just another integration problem. Some API Proxies can similarly handle this kind of integration challenge for a simpler subset of enterprise applications.
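The following is an added illustration of the data translation and per-app recomposition described above; it is example code written for this edit, not Layer 7 product code. It takes a constructed XML response of the kind a legacy member-records service might return, turns it into the JSON a mobile app can consume, and applies a projection so that the field-rep app never receives fields (here the SSN) it has no business seeing. The element names, namespace and app identifiers are assumptions.

```python
"""Added example (not Layer 7 code): adapting a legacy XML backend response into
mobile-friendly JSON at the gateway, with a per-app field projection so each app
receives only the fields it is entitled to. Element names, namespace and app IDs
are assumptions for the example."""
import json
import xml.etree.ElementTree as ET

# Constructed sample of what a legacy member-records service might return.
LEGACY_XML = """<?xml version="1.0"?>
<MemberRecordResponse xmlns="urn:example:members">
  <Member>
    <MemberId>M-1001</MemberId>
    <FullName>Jane Doe</FullName>
    <SSN>123-45-6789</SSN>
    <Plan><Code>GOLD</Code><Deductible>500</Deductible></Plan>
    <Visits>
      <Visit date="2012-03-01" type="home"/>
      <Visit date="2012-04-15" type="phone"/>
    </Visits>
  </Member>
</MemberRecordResponse>"""

NS = {"m": "urn:example:members"}

# Assumed per-app projection: the field-rep iPad app never needs the SSN, so the
# gateway drops it before the payload leaves the DMZ; a back-office app may see it.
APP_FIELD_POLICY = {
    "field-rep-ipad": {"id", "name", "plan", "visits"},
    "claims-backoffice": {"id", "name", "ssn", "plan", "visits"},
}


def xml_to_record(xml_text: str) -> dict:
    """Parse the legacy XML into a plain dict. Raises on a malformed or
    unexpected document so a garbled backend response is never forwarded."""
    root = ET.fromstring(xml_text)
    member = root.find("m:Member", NS)
    if member is None:
        raise ValueError("backend response has no Member element")

    def text(path: str) -> str:
        node = member.find(path, NS)
        if node is None or node.text is None:
            raise ValueError(f"missing element {path}")
        return node.text

    return {
        "id": text("m:MemberId"),
        "name": text("m:FullName"),
        "ssn": text("m:SSN"),
        "plan": {"code": text("m:Plan/m:Code"),
                 "deductible": int(text("m:Plan/m:Deductible"))},
        "visits": [{"date": v.get("date"), "type": v.get("type")}
                   for v in member.findall("m:Visits/m:Visit", NS)],
    }


def adapt_for_app(xml_text: str, app_id: str) -> dict:
    """Translate backend XML into the record the named app is allowed to see."""
    allowed = APP_FIELD_POLICY.get(app_id)
    if allowed is None:
        raise PermissionError(f"unregistered app {app_id!r}")
    record = xml_to_record(xml_text)
    return {k: v for k, v in record.items() if k in allowed}


def adapt_to_json(xml_text: str, app_id: str) -> str:
    """What the gateway actually puts on the wire: compact JSON over HTTPS."""
    return json.dumps(adapt_for_app(xml_text, app_id), separators=(",", ":"))


if __name__ == "__main__":
    print(adapt_to_json(LEGACY_XML, "field-rep-ipad"))
```

The projection is done by an allow-list rather than a deny-list: a new sensitive element added to the backend schema stays out of the mobile payload until someone deliberately adds it to a policy. A production gateway would also bound the size of the XML it parses and reject documents with DTDs before handing them to any parser.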


2. Optimizing App Performance When Accessing Enterprise Information


When integrating enterprise applications with mobile apps, performance is always a key consideration. An enterprise that is publishing mobile APIs will need ways to accelerate the delivery of data while reducing data traffic volumes because:

- The data will be traveling on relatively low-bandwidth mobile networks
- Mobile usage can scale geometrically as the enterprise opens applications first to employees and then consumers, which places a heavy burden on these applications

Again, a SOA Gateway or API Proxy may be able to help the enterprise address these challenges. This is because some SOA Gateways deliver a wide range of functionality for managing and optimizing data traffic loads, including:

- Throttling requests that exceed a certain threshold or shaping traffic based on considerations like location, time of day or subscriber level, thus selectively limiting performance-sapping load on backend applications.
- Using sophisticated caching capabilities in order to: (a) minimize the number of requests that get passed to backend applications; (b) improve latency response times.
- Compressing data on the fly, to minimize traffic sent to and from a mobile app.
- Load balancing across multiple backend application instances (some Gateways), ensuring more evenly distributed load across APIs and simplifying scale-out of backend applications.
- Prioritizing API calls to ensure that paid subscribers or key users receive a consistent quality of service, with guaranteed access to enterprise resources. This function can also be used to reserve API access capacity based on a specific traffic type.

When deployed in the Cloud, some SOA Gateways can also help auto-scale backend services and even dynamically add Gateway nodes to a cluster in order to process more traffic.
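The first two capabilities in the list above, throttling by subscriber level and caching, are shown together in the following added example. It is illustrative code written for this edit rather than Layer 7 code: a token bucket per subscriber, sized by an assumed tier table, sits in front of a TTL response cache, so a burst from one app is answered with HTTP 429 instead of reaching the backend, and repeat reads of the same resource are served from the gateway. The tier names, limits and the stand-in backend are assumptions.

```python
"""Added example (not Layer 7 code): gateway-side traffic management for a mobile
API. Shows tier-based throttling (a token bucket per subscriber, sized by
subscriber level) in front of a TTL response cache, so bursts from one app get a
429 instead of reaching the backend and repeat reads are served from the
gateway. Tier names, limits and the fake backend are assumptions."""
import time
from dataclasses import dataclass

# Assumed subscriber levels: (sustained requests per second, burst capacity).
TIER_LIMITS = {
    "employee": (5.0, 10),
    "partner": (2.0, 5),
    "consumer": (1.0, 3),
}


@dataclass
class Bucket:
    rate: float      # tokens added per second
    capacity: int    # maximum burst
    tokens: float
    last: float      # clock reading at the last refill


class MobileGateway:
    def __init__(self, backend, clock=time.monotonic, cache_ttl=30.0):
        self.backend = backend      # callable(path) -> response body
        self.clock = clock          # injectable so the demo runs deterministically
        self.cache_ttl = cache_ttl
        self.buckets = {}           # subscriber -> Bucket
        self.cache = {}             # path -> (expires_at, body)
        self.backend_calls = 0

    def _allow(self, subscriber: str, tier: str) -> bool:
        """Token bucket: refill proportionally to elapsed time, then spend one."""
        rate, capacity = TIER_LIMITS[tier]
        now = self.clock()
        b = self.buckets.setdefault(subscriber, Bucket(rate, capacity, float(capacity), now))
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.rate)
        b.last = now
        if b.tokens < 1.0:
            return False
        b.tokens -= 1.0
        return True

    def get(self, subscriber: str, tier: str, path: str):
        """Returns (status, body): 403 for an unknown tier, 429 when throttled,
        otherwise 200 with a cached or freshly fetched body."""
        if tier not in TIER_LIMITS:
            return 403, "unknown subscriber tier"
        if not self._allow(subscriber, tier):
            return 429, "rate limit exceeded"
        now = self.clock()
        hit = self.cache.get(path)
        if hit is not None and hit[0] > now:
            return 200, hit[1]
        body = self.backend(path)
        self.backend_calls += 1
        self.cache[path] = (now + self.cache_ttl, body)
        return 200, body


class FakeClock:
    """Constructed clock so the demo does not depend on wall time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


def demo():
    clock = FakeClock()
    gw = MobileGateway(backend=lambda p: f"schedule for {p}", clock=clock, cache_ttl=30.0)
    # A consumer-tier app fires five reads at once: burst capacity 3 allows three,
    # the cache means only the first reaches the backend, the last two get 429.
    burst = [gw.get("app-7", "consumer", "/flights/123")[0] for _ in range(5)]
    clock.advance(60)  # bucket refills and the cached entry expires
    later, _ = gw.get("app-7", "consumer", "/flights/123")
    return burst, gw.backend_calls, later


if __name__ == "__main__":
    print(demo())  # ([200, 200, 200, 429, 429], 2, 200)
```

Throttling is applied before the cache lookup on purpose: a misbehaving app that hammers a cached resource still burns its own quota rather than getting free reads, which keeps the limit meaningful as a defence against poorly written clients as well as a load-shaping tool.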

3. Securing Mobile Access to Enterprise APIs


Security is a major concern whenever an application outside the DMZ, like a mobile app, needs to access information inside the enterprise. APIs have to be protected against attack or misuse. The data transmitted to and from the API needs to be secured (through encryption, tokenization or redaction) and its integrity verified. And access to the information resources exposed via the APIs will need to be controlled at a granular level, based on the identity or role of the requestor.

Control of access to information exposed through an API is an even thornier issue. A user may use different apps on different devices to access a piece of data or functionality exposed through the same enterprise API. Those apps can be built by different groups or designed as mashups of different information assets. Each app may use a different user ID, complicating the identification of the user. Furthermore, users dislike retyping app-specific identities on mobile devices and would prefer to delegate that authentication to a pre-existing trusted app.


To address the dilemmas created by the need to provide flexible yet secure access control for APIs in these more complicated mobile (and similar Web-based) scenarios, a new standard, OAuth, has emerged. OAuth is an evolving protocol that makes it possible to identify a user and the resources that user is interested in accessing via an intermediate app, without necessarily requiring the user to enter a username/password combination specific to the app.

The OAuth specification allows enterprises to grant authorization rights to an app based on: (a) the user's pre-existing credentials within the organization; (b) a trust relationship between the enterprise and the intermediate app. This kind of transitive trust and rights passing happens in the background; the user only needs to establish trust once for the intermediate app.

While OAuth solves prickly access problems particular to mobile app dynamics, it remains complicated for enterprises to set up. In particular, there are challenges around integrating OAuth with an enterprise's existing identity infrastructure. To address these challenges, an API Proxy may come with an OAuth Toolkit or token server, which will simplify the process of deploying and maintaining an OAuth access infrastructure on top of an API.

But access control is normally just the beginning of the security challenges facing an enterprise, and these challenges are exacerbated in a BYOD scenario, where the enterprise cannot lock down mobile devices the way it could with desktop computers. Key challenges include:

- Protecting against denial of service, cross-site scripting, SQL injection and URL tampering attacks
- Preventing accidental damage caused by poorly written apps
- Deploying a scalable system for preserving data security in communication to and from APIs, in order to meet data protection standards and regulations like FIPS, PCI DSS and HIPAA

Again, some SOA Gateways and API Proxies can help enterprises address these challenges by providing a range of API, data and URL security features.
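To make the OAuth discussion and the URL tampering point above concrete, the following added example shows both sides of the exchange in miniature. It is illustrative code written for this edit, not Layer 7's OAuth Toolkit or any real token server. A token server issues a bearer token to a registered app (the trust relationship) only after checking the user's existing enterprise credentials and the scopes the app is allowed to ask for; a gateway check then verifies the token's signature and expiry, requires the right scope for the route, and refuses a request whose member ID in the URL has been changed to one the caller is not assigned to. The HMAC-signed token format, the scope names, the member-ID shape and all registry data are assumptions.

```python
"""Added example (not Layer 7 code): the two sides of an OAuth-style exchange.
A token server issues an access token to a registered app on the strength of the
user's existing enterprise credentials, and a gateway check later verifies the
token and applies scope and ownership rules to the requested URL. The HMAC-signed
token format, scope names, member-ID shape and registries are assumptions."""
import base64
import hashlib
import hmac
import json
import re
import secrets
import time

SIGNING_KEY = b"example-only-shared-secret"  # assumption: shared by token server and gateway
MEMBER_ID = re.compile(r"^M-\d{4}$")          # assumption: what a well-formed member ID looks like

# Constructed registries: apps the enterprise trusts (client_id, secret, scopes
# they may request), users with their existing credentials, and which members
# each field representative is assigned to.
REGISTERED_CLIENTS = {
    "ipad-field-app": {"secret": "app-secret-1",
                       "allowed_scopes": {"members:read", "visits:write"}},
}
USERS = {
    "jdoe": {"pw_sha256": hashlib.sha256(b"correct horse").hexdigest(), "roles": ["field-rep"]},
    "asmith": {"pw_sha256": hashlib.sha256(b"battery staple").hexdigest(), "roles": ["supervisor"]},
}
ASSIGNED_MEMBERS = {"jdoe": {"M-1001", "M-1002"}, "asmith": set()}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, client_secret, username, password, scopes, now=None, ttl=3600):
    """Token server. Returns a signed bearer token, or None if the app is not
    registered, the user's credentials are wrong, or the app asks for more than
    it was registered for."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return None
    user = USERS.get(username)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if user is None or not hmac.compare_digest(user["pw_sha256"], digest):
        return None
    if not set(scopes) <= client["allowed_scopes"]:
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "cid": client_id, "scope": sorted(scopes),
              "roles": user["roles"], "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None):
    """Gateway side: constant-time signature check, then expiry. Returns the
    claims or None; no backend is consulted for a token that fails here."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


def _required_scope(method: str, parts: list):
    """Assumed routes: GET /members/{id} and POST /members/{id}/visits."""
    if len(parts) == 2 and method == "GET":
        return "members:read"
    if len(parts) == 3 and parts[2] == "visits" and method == "POST":
        return "visits:write"
    return None


def authorize(method: str, path: str, token: str, now=None):
    """Gateway policy for one request. Returns (status, reason)."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, "invalid or expired token"
    parts = [p for p in path.split("/") if p]
    # Reject tampered or traversal-style paths before any route is considered.
    if len(parts) < 2 or parts[0] != "members" or not MEMBER_ID.fullmatch(parts[1]):
        return 400, "malformed resource path"
    needed = _required_scope(method, parts)
    if needed is None:
        return 404, "unknown route"
    if needed not in claims["scope"]:
        return 403, f"scope {needed} required"
    # Ownership: a rep may only touch members assigned to them; supervisors may touch any.
    if parts[1] not in ASSIGNED_MEMBERS.get(claims["sub"], set()) and "supervisor" not in claims["roles"]:
        return 403, "member not assigned to caller"
    return 200, "ok"
```

Two design points carry over to a real deployment. The user's password is seen only by the token server, never by the gateway or the app, which is the delegation the paper describes; and the ownership check is keyed on the token's subject rather than on anything in the request, so editing the member ID in the URL changes nothing the policy trusts.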

4. Making APIs Discoverable & Consumable for Developers


A critical element in enabling integration between mobile apps and enterprise services occurs before the first byte of data is exchanged. In order to build mobile apps based on enterprise APIs, developers and developer teams need certain information on the APIs they can call. This may include information on the functionality an API exposes, the data it returns, best practices for its use and so forth.

Enterprises therefore need systems for developer onboarding (i.e. registering developers to use an API) and management. This can be achieved by deploying an API Portal: a central location where developers go to get documentation on an API, test its behavior, sign up for usage, track API health and collaborate with other developers. Some SOA Gateway and API Proxy vendors provide integrated API Portals to ease the governance of APIs and the developers that use them.


Simplifying Secure Enterprise Mobility with a Mobile Access Gateway


As we have seen, the type of infrastructure that has emerged over the last decade or so to enable secure SOA access to APIs can be applied to mobile app integration. A DMZ-deployed SOA Gateway or API Proxy with an integrated OAuth Toolkit and API Portal may be able to act as a Mobile Access Gateway, addressing the specific data adaptation, performance optimization, security and developer management challenges associated with exposing internal information assets to mobile developers and apps.

Layer 7 Solutions for Simplifying Secure Enterprise Mobile Access


Layer 7 Technologies' API Management Suite of products delivers all the extended Mobile Access Gateway functionality necessary for secure enterprise/mobile integration. The API Management Suite represents the most comprehensive API management solution available and has been used in multiple successful integrations, including the use cases described in this white paper.

The API Management Suite includes:

SecureSpan API Proxy
The API Proxy delivers all the core functionality required for an effective Mobile Access Gateway, including API security, data filtering, content transformation and out-of-the-box integration with leading access control systems and standards.

Layer 7 API Portal
The API Portal provides everything enterprises need in order to onboard and manage mobile app developers, making it simple to create a portal through which developers can discover, learn about and register for available APIs.

Layer 7 Enterprise Service Manager
The Enterprise Service Manager provides a central dashboard that makes it simple to monitor Proxy operations and manage API versioning, lifecycle and deployment across internal data centers and the Cloud.

Layer 7 OAuth Toolkit
The OAuth Toolkit makes it simple to implement OAuth in enterprise/mobile integrations, facilitating efficient identity federation and secure access management when using the SecureSpan API Proxy as a Mobile Access Gateway.

Conclusion
Enterprises stand to gain considerable benefits from enabling their staff to use mobile devices for mission-critical daily work tasks. With the BYOD movement gaining momentum, many enterprise employees are already using their own mobile devices for work. The real payoff will come as more enterprises find ways to build apps that securely and efficiently interface with on-premise systems and data.


The Layer 7 API Management Suite provides everything enterprises require to leverage APIs as a method for reusing existing information assets to create apps that truly enable the mobile workforce. The SecureSpan API Proxy delivers all the functionality required for an effective, enterprise-level Mobile Access Gateway. Layer 7's API Portal, Enterprise Service Manager and OAuth Toolkit provide the additional integrated features needed for a complete solution.

About Layer 7 Technologies


With more than 150 customers across six continents and successful partnerships with some of the largest ISVs and resellers in the industry, Layer 7 Technologies is the leader in security and governance for SOA, API and Cloud. Our award-winning SecureSpan family of XML Gateways features sophisticated runtime governance, enterprise-scale management and industry-leading XML security. Our CloudSpan family enables enterprises and service providers to securely consume Cloud services, as well as protect and control their own applications deployed in public and private Clouds. Founded in 2002, Layer 7 has a history of helping organizations address their security, visibility and governance issues by enabling them to control, manage and adapt their Web services, no matter the deployment model, in the enterprise or in the Cloud.

Contact Layer 7 Technologies


Layer 7 Technologies welcomes your questions, comments and general feedback.

Email: info@layer7.com
Web Site: www.layer7.com
Phone: (+1) 604 681 9377
       1 800 681 9377 (toll free within North America)
Fax: (+1) 604 681 9387

Address:
Layer 7 Technologies
1200 G Street, NW, Suite 800
Washington, DC 20005

Layer 7 Technologies
Suite 405, 1100 Melville Street
Vancouver, BC V6E 4A6
Canada

Legal Information
Copyright 2012 by Layer 7 Technologies, Inc. (www.layer7.com). Contents confidential. All rights reserved. SecureSpan is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners.
