Credit: Dreamstime
Security is “a massively complex topic,” according to Mike Gregoire, CEO of CA Technologies, who cited considerations including transparency (telling people how you will use the data you collect), protection (sadly, the bad guys seem to be smarter than the good guys, so organisations need to work together and share information about compromises) and identity (so data can be protected without frustrating bona fide users).
But what is the company doing to help its customers improve their security?
CSO spoke to Jim Reno, CA Technologies distinguished engineer and chief architect - security, who joined the company when it acquired Arcot Systems, which developed strong authentication and risk analytics, including the technology used in ‘Verified by Visa’.
Verified by Visa aims to make online transactions as secure as ‘card present’ transactions. It looks at the amount, type of transaction, user history, how often the user has purchased from that merchant, and other information, which is processed by rules-based and neural network subsystems that can be customised for each bank and different sets of customers to determine whether additional questions are required to confirm the customer’s identity, or if the transaction can just go through. “That’s tremendously powerful,” said Reno. The bank benefits as it identifies the transactions that are most likely to be fraudulent, and most customers are not asked for additional information. “In a perfect world, the bad guys would always get challenged, and the good guys would never get challenged,” he said.
Reno still works on authentication, and leads a small group of security architects concerned with identity, access management, cloud security, data protection, and privileged identity management, with an increasing focus on cloud and API management.
He pointed to a change in the way people develop applications. The current approach resembles the 1990s client-server model, because more of the processing is being done by the mobile app or the web app (in JavaScript), versus the previous ‘thin client’ web model where all the work was done by the server, which in turn was more like the old mainframe model from a processing perspective.
So contemporary apps typically connect multiple APIs, and this requires identity and access management: who is trying to connect, should they be allowed to, does this look like a fraudulent attempt (risk analytics, independent of identity), and so on. For example, valid credentials may have been used to log in, but there’s something suspicious about the device being used (perhaps it is one that the person has not previously used, or it’s a type associated with previous fraudulent accesses), the time of day, the data being accessed, etc. So CA is applying its authentication expertise from projects such as Verified by Visa to the API economy.
Ram Varadarajan, CA Technologies senior vice president and general manager new business unit, said employees have an expectation of convenience, so it makes sense to allow benign transactions to occur without further authentication, even if additional measures are needed in other situations.
Employees are consumers who came to work that day, he said, so it is important to provide them with a good experience but without compromising security. Younger people are even less tolerant of shortcomings in this regard, he added.
Reno pointed out that another complication is that enterprises need to manage more and much larger user sets than in the past - not just on-premises employees, but also people working off-site, plus those working for the organisation’s customers and partners. If that wasn’t enough, some applications are being moved to the cloud or to partners’ systems.
So “standards become incredibly important,” he said. “The last thing you would want to do is create another management point of work.” For example, you might want a partner to manage their users’ access to your systems (perhaps a labour supply company should be able to say that a certain person will be doing a particular job for you and therefore needs the appropriate access rights - it would want to be able to that from its own systems rather than being forced to use yours). Cloud systems, such as CA Secure Cloud, are useful in this context, he said.
Furthermore, if an IT department doesn’t address all these considerations, it risks being short-circuited by business units adopting cloud services in an uncontrolled manner. After all, “they need to get their jobs done,” observed Reno. So CA wants security to be an enabler - eg, to help serve customers by protecting their identities, data, and so on - not a block. (CA likes to talk about moving from “no” to “know.”)
So the company used CA World ‘14 to announce new and expanded parts of its API management tools, including a SaaS version of the CA API Developer Portal.
Read more: Pervasive technologies and its implication on security
App development is increasingly about assembling APIs, according to Amit Chatterjee, CA Technologies executive vice president, enterprise solutions, who said the product helps businesses expose data through APIs, as well as creating, deploying and managing applications more effectively and efficiently.
“We are helping customers unleash the potential of their APIs to create unprecedented growth opportunity,” said Rahim Bhatia, CA Technologies senior vice president, API management.
“Frictionless security and automated API management become key enablers in the Application Economy, as businesses seek to extend their customer relationships and create new revenue streams. CA is powering our customers’ future and enabling the open enterprise, with identity-based solutions that provide secure, seamless access to APIs with enhanced data and user protection.”
For some organisations, it is important to be able to charge for external use of an API (for example, a provider of currency exchange rates might give away historical rates while charging for live information). The latest on-premises release of CA API Developer Portal includes easier pricing of API assets, a revenue planner, and simpler invoicing directly from the Portal.
Chatterjee noted that Salesforce.com derives half of its revenue from the use of its APIs, and that one retailer (a CA customer) handled 240 million API transactions in a single day. “You’re going to have to master APIs,” he said.
By providing access to a single set of identity controls, the API Developer Portal reduces the chance of “a crack in the identity surface,” said Andi Mann, CA Technologies vice president, office of the CTO.
CA’s SaaS portfolio is growing fast, and now includes 20 products, observed John Michelsen, CA Technologies CTO. “It will not be too far off [that a customer can] have only SaaS versions of our software,” he observed.
Another product announcement was that the CA Mobile API Gateway has been enhanced with a software development kit (featuring end-user experience improvements across native mobile, hybrid or Web apps), and integration with the latest release of Samsung KNOX giving an end-to-end mobile app security solution that provides mobile single sign-on while securing the API from instances of rogue apps or tampered devices.
Mann said the way CA Mobile API gateway integrates with the company’s single-sign-on product was important, as having one set of identity information reduces the chance of “a chink in the identity surface.”
As a parting question, we asked Reno what he considers to be the top current issue for CSOs. In his opinion, it involves taking a broad view of the enterprise. Breaches generate lots of bad publicity, so CSOs pay attention to them, but while “the bug of the moment” (Heartbleed, Shellshock, and so on) must be handled, “you can’t get distracted too much by the hot item,” said Reno. “Do it, but don’t take your eye off the ball.”
Disclosure: the writer attended CA World ’14 in Las Vegas as the guest of the company.