April 3rd, 2014

Mobile Access Gateway 2.1 is Here!

Last week, we launched the Mobile Access Gateway 2.1 in style. The team has worked hard over the past few months to make sure the new features come together in a meaningful way. So, what’s in the new release?

First, we now allow customers to configure the use of SiteMinder Session Cookies with the Mobile SDK. In fact, the client libraries can use just about any token as the user token without breaking the existing model, in which we provision and manage token artifacts for users, apps and devices. With 2.1, you can use SiteMinder Session Cookies, SAML, JWT or any other user token; the Gateway administrator configures whatever is relevant for the use case. As we know, there is a huge base of SiteMinder users who should now consider the Mobile Access Gateway as their mobility toolkit.

Second, the Mobile Access Gateway now supports social login for mobile apps. Social login support on the Gateway empowers developers to build apps that allow users to securely identify themselves using sign-on credentials from social network platforms like Google Accounts, Salesforce, LinkedIn and Facebook. The social login flow is supported by the Gateway’s mobile Single Sign-On (SSO) capability. With mobile SSO and social login enabled, users log in once with their social account credentials to access multiple enterprise and third-party applications from a mobile device. Additional contextual data such as geolocation can be combined with social login to provide a more secure API.

Third, with the 2.1 release, we now support Adobe PhoneGap. By leveraging the Cordova plugin interface, hybrid apps can tie into the SSO and mutual SSL session negotiated by the native client libraries. This way, there is a unified security model for native and hybrid apps, and app developers can choose to code application logic with their preferred tool chains.

Together with the existing Mobile Access Gateway features, this release provides app developers with better tools for writing awesome and secure mobile apps.

February 14th, 2014

The Truth About CA & Layer 7

Has it really been almost a year since my last post? I suspected I was near that milestone but it’s still surprising to discover it has been so long.

The story of the last year, of course, is the acquisition of Layer 7 by CA Technologies. Today being Valentine’s Day, I’m reminded that acquisitions are very much like relationships and I’ve been completely consumed with making this one a success. So, the last year is a blur of integration, customer outreach and some terrific innovations — but not a lot of writing.

Hopefully, now that the smoke has at least partly cleared, I’ll get back to blogging regularly and maybe even writing some lengthier pieces of content.

For now though, let’s get back to talking about the acquisition because I know people are curious. The number one question I get asked is how am I doing at a large company and — more specifically — how is CA? It is a logical question but one always delivered with a slightly raised eyebrow that really implies “just give me the dirt — the juicier the better”.

I respond with the truth. And the truth, to be honest, is quite a bit less salacious than everyone secretly hopes. At CA and Layer 7, we are steering clear of the all-too-common pitfalls of start-up/enterprise marriages. We seem to be finding a very effective approach that works nicely for everyone.

Like all good relationships, this one is founded on a base of mutual respect and a healthy dose of trust. CA recognizes that the Layer 7 team in Vancouver is a great engine of innovation. So, the team stays together and has the mandate to continue pushing the envelope around APIs and mobility. We all recognize that we are part of a much larger narrative now, but honestly, this is what excites us most of all.

CA is a large company but it isn’t overwhelming. Indeed, I’ve been struck by what a small big company this actually is. In just seven months, I feel as though I’ve got a good handle on who all of the key players are and I can pretty much engage anyone I need to and be taken seriously. It’s a level of engagement I never dreamed of.

So, while the truth is boring and my anecdotes are not sexy, that’s all a very good thing. Actually, it’s a great thing. The numbers are high, opportunity abounds and there is a sense we can affect real change when change makes sense. This is a good place to be and I can promise you that there are very good things to come. Stay tuned.

October 30th, 2013

5 Horrors of API Mismanagement

At Layer 7, we decided to have a bit of fun with Halloween this year. In the spirit of all things spooky and scary, we created a little online game called 5 Horrors of API Mismanagement. It’s pretty simple: you just explore our haunted house to discover five deadly pitfalls that today’s API programs run into with terrifying regularity.

Of course, there’s a serious point to all the festive fun and games. Enterprises have a lot to gain from opening their backend systems to Web and mobile applications but – without appropriate controls in place – the impact on IT security and performance could be horrifying. Getting caught up in a mismanaged API program would be a truly spine-chilling experience.

Fear not, though. Finish the game and we’ll show you the way out of the haunted house and towards a well-managed API strategy. Happy Halloween!

August 26th, 2013

Layer 7 Mobile Access Gateway 2.0

Today, Layer 7 introduced version 2.0 of the Mobile Access Gateway, the company’s top-of-the-line API Gateway. The Mobile Access Gateway is designed to help enterprises solve the critical mobile-specific identity, security, adaptation, optimization and integration challenges they face while developing mobile apps or opening APIs to app developers. In the new version, we have added enhancements for implementing Single Sign-On (SSO) to native enterprise apps via a Mobile SDK for Android and iOS.

Too many times, we have seen the effect of bad security practices. My colleague Matt McLarty eloquently discusses the gulf between developers on one hand and enterprise security teams on the other in this Wired article on Tumblr’s security woes. Because these two groups have different objectives, it becomes hard to get a common understanding of how you can secure the enterprise while enabling app developers to build new productivity-enhancing apps. While nobody really wants to be the fall guy who lets a flaw take down a business, we can be sure Tumblr isn’t the last stumble we are going to see.

To prevent you being the next Stumblr, we have taken a closer look at the technologies and practices for authentication of users and apps. None of these seemed adequate alone and – while acknowledging the value of leveraging existing technologies – we realized that a new approach was needed.

For mobile app security, there are three important entities that need to be addressed: users, apps and devices. Devices are the focus of the MDM solutions many enterprises are adopting, and although these solutions are good at securing data at rest, they fail to address the other two entities adequately.

Because today’s enterprise apps use APIs to consume data and application functionality that is located behind the company firewall or in the cloud, API security is vital to the success of any enterprise-level Mobile Access program. Therefore, APIs must be adequately secured and access to API-based resources must be controlled via fine-grained policies that can be implemented at the user, app or device level. To achieve this, the organization must be able to deal with all three entities.

Based on this, we have proposed a new protocol that leverages existing technologies: PKI identifies devices through certificates, OAuth 2.0 grants apps access tokens and OpenID Connect grants user tokens. This new approach, described in our white paper Identity in Mobile Security, provides SSO for native apps and makes sure the handshake is done with a purpose – to set up mutual SSL for secure API consumption.

Furthermore, this framework is adaptable to changing requirements because new modules can replace or add to existing protocols. For example, when an organization has used an MDM solution to provision devices, the protocol could leverage this instead of generating new certificates. Equally, in some high-security environments, the protocol should be able to leverage certificates embedded in third-party hardware.

To simplify the job for app developers, the Mobile Access Gateway now ships with a Mobile SDK featuring libraries that implement the client side of the handshake. The developer only has to call a single API on the device, with the URL path of the resource as its parameter. If the device is not yet registered or there are no valid tokens, the client performs the necessary handshake to get these artifacts in place. This way, app developers can leverage cryptographic security in an easy-to-use manner, giving users and security architects peace of mind.
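As an added illustration, and not Layer 7’s SDK or gateway code, the following Python sketches the gateway-side enforcement that the three-entity protocol above implies, together with the pluggable user token described in the 2.1 post higher on this page: a request must carry a device certificate fingerprint established by mutual SSL, an OAuth 2.0 access token issued to the app, and a user token whose validator (here an HS256 JWT check standing in for the OpenID Connect token, or a SiteMinder session-cookie lookup) the administrator configures; policy is then evaluated at the device, app and user level. The registries, the shared key, every token value, the `Request` shape and the `authorize` function are constructed assumptions for this example.

```python
"""Added example (not Layer 7/CA code): a gateway-side check over the three
entities of the 2.0 protocol. Device identity comes from the mutual-TLS
client certificate, app identity from an OAuth 2.0 access token and user
identity from a pluggable user token. All names and values are constructed."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

NOW = 1_700_000_000.0                   # constructed clock, so the example is deterministic
JWT_KEY = b"constructed-shared-secret"  # assumption: HS256 key shared with the token issuer

# Constructed stand-ins for the gateway's stores.
REGISTERED_DEVICES = {"sha256:dev-abc123"}             # fingerprints of enrolled device certificates
APP_TOKENS = {                                          # OAuth 2.0 access tokens issued to apps
    "app-token-1": {"app": "expense-app", "scopes": {"expenses:read"}, "exp": NOW + 3600},
}
SM_SESSIONS = {"SMSESSION-constructed-value": "alice"}  # SiteMinder session cookie -> user
PATH_SCOPES = {"/api/expenses": "expenses:read"}        # scope each API path requires


def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the OpenID Connect provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = _b64url(hmac.new(JWT_KEY, header + b"." + body, hashlib.sha256).digest())
    return b".".join((header, body, sig)).decode()


def validate_jwt(token: str, now: float) -> Optional[str]:
    """Return the subject if signature and expiry check out, else None.
    The header's alg field is deliberately ignored: the gateway always verifies
    HS256 with its configured key, so an attacker-chosen algorithm is never honoured."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = _b64url(hmac.new(JWT_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()).decode()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def validate_siteminder_cookie(cookie: str, now: float) -> Optional[str]:
    """Resolve a SiteMinder session cookie against the (constructed) session store."""
    return SM_SESSIONS.get(cookie)


# Administrator-configured user-token validators: the "any user token" model of 2.1.
USER_TOKEN_VALIDATORS: Dict[str, Callable[[str, float], Optional[str]]] = {
    "jwt": validate_jwt,
    "smsession": validate_siteminder_cookie,
}


@dataclass
class Request:
    device_fingerprint: Optional[str]  # from the mutual-TLS client certificate
    app_token: Optional[str]           # OAuth 2.0 bearer token presented by the app
    user_token: Optional[str]          # user token in whatever form is configured
    user_token_type: str               # selects the validator above
    path: str
    now: float = NOW


def authorize(req: Request) -> Tuple[bool, str]:
    """Evaluate policy at the device, app and user level; return (allowed, reason)."""
    if req.device_fingerprint not in REGISTERED_DEVICES:
        return False, "device not registered"
    app = APP_TOKENS.get(req.app_token or "")
    if app is None or app["exp"] <= req.now:
        return False, "app token missing or expired"
    validator = USER_TOKEN_VALIDATORS.get(req.user_token_type)
    if validator is None:
        return False, "user token type not configured"
    user = validator(req.user_token, req.now) if req.user_token else None
    if user is None:
        return False, "user token invalid"
    needed = PATH_SCOPES.get(req.path)
    if needed is None or needed not in app["scopes"]:
        return False, "app lacks scope for path"
    return True, f"user={user} app={app['app']} device={req.device_fingerprint}"


ALICE_JWT = mint_jwt({"sub": "alice", "exp": NOW + 600})

if __name__ == "__main__":
    print(authorize(Request("sha256:dev-abc123", "app-token-1", ALICE_JWT, "jwt", "/api/expenses")))
    print(authorize(Request("sha256:unknown", "app-token-1", ALICE_JWT, "jwt", "/api/expenses")))
    print(authorize(Request("sha256:dev-abc123", "app-token-1", ALICE_JWT + "x", "jwt", "/api/expenses")))
```

The order of checks mirrors the handshake: a request from an unenrolled device is refused before any token is inspected, and a valid app token without a valid user token still yields no access, which is what keeps the three entities independently revocable.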

June 6th, 2013

It’s Official… Layer 7 Joins CA Technologies

This week, CA Technologies officially closed its acquisition of Layer 7. As a Layer 7 co-founder, this represents the culmination of a decade’s worth of hard work. Equally important, it represents the opening of a new chapter for the company and an opportunity to amplify the vision we have been promoting.

Since our founding, we have preached the vision that enterprises can open their data and application assets programmatically in a secure way. When we started off, the primary driver for opening up was tighter business integration with partners. Today however, the demand for opening up data and application assets has exploded alongside the growth of mobile, cloud, Big Data and the Internet of Things (IoT).

The idea of organizations as walled-off castles is gone. Mobile is forcing organizations to deliver new business apps to customers and employees beyond the enterprise perimeter. Cloud is redefining how applications are consumed and delivered across a hybridized, extended organization. IoT will upend our notions of outside connectivity and data processing. APIs play a central role in making all this happen. Layer 7 gives customers the confidence to open up via APIs, without compromising security or operational integrity.

For us at Layer 7, security has always been a paramount consideration because our customers are enterprises and enterprises care about security. The CA Technologies acquisition reflects a common point of view on how to deliver new business value in mobility, cloud etc. while protecting the data and applications that are the lifeblood of today’s enterprise.

CA and Layer 7 both appreciate that the old enterprise security perimeter is disappearing and that the only way to effectively enable online business while protecting information assets is to make identity the new perimeter. We need to focus on managing who gets access to what and what they can do with data once they have that access. Put another way, we need to focus on the identity, data and access that drives modern initiatives around Web, mobile, cloud, social and IoT. Together CA Technologies and Layer 7 Technologies offer enterprises the first truly multi-channel approach to enabling the business while securing its information assets.

Looking into the future, one clearly sees that the scope for APIs will increase. IoT will make every formerly detached device connected – all through APIs. Where networking used to be about discrete routers and switches, it is now being transformed, via SDN, into something that is programmable and agile – again, this will be brought to you by APIs. And as for the server and storage infrastructure that underpins the data that drives the Web and mobile, Amazon Web Services has given us a glimpse of the future. As the “Web Services” part of that name suggests, APIs will play a significant role in provisioning and management of the cloud.

As we join CA Technologies, we now have the necessary reach and breadth to make Layer 7 the unassailable leader in the API security and management space. For customers, this means more of what they liked plus the ability to accelerate delivery of our original vision. We’re here to help organizations open up via APIs. And we’re open for business.