June 5th, 2014

The Need for Secure APIs in Retailing

Applications in today’s retail industry are highly distributed and are generally connected by proprietary protocols. But trends toward expanding geographic distribution are driving increased demands for integration — and these demands are driving a greater use of application programming interfaces (APIs) in retail.

Retailers worldwide are under tremendous pressure to innovate faster and cycle through inventory as quickly as possible. Also, aggressively managing inventory supply chains is increasingly challenging because consumers have online access to competitive retail Web sites and can easily purchase products elsewhere.

“Showrooming” — the practice of examining merchandise in a traditional brick-and-mortar retail store but then shopping online to find a lower price for the same item — is placing increased margin pressure on retailers, particularly in countries like the US that have relatively low shipping costs.

Retailers are responding by accelerating inventory churns by gaining product visibility on partner Web sites and maximizing exposure of available inventory. The ability to quickly implement secure APIs that enable innovative merchandising opportunities and aggressive supply chain management can make the difference between success and failure in a highly competitive market.

Customers expect retailers to always have items they want in stock. For example, a customer who wants a sweater in a certain size and color will just shop elsewhere if that exact sweater is not available when he or she wants to buy it. Brand loyalty and repeat business are hurt by a failure of any link in the supply chain. APIs and the ability to accelerate integration with partner systems help retailers not only to increase merchandising opportunities but also to gain greater visibility over purchasing patterns and supply chain demands.

APIs can have an even greater impact on retail markets with products that have shorter shelf lives. While the clothing markets are aggressively deploying APIs, so too are retail markets that rely on perishable products, such as the food industry. Obtaining food products when needed and minimizing spoilage requires an information-centric approach to supply chain management. Food service retailers and grocery stores both depend on real-time information about product availability. In this context, innovative APIs into third-party applications can provide a competitive advantage.

To see the long-term potential of APIs in retailing, I think we can take a look at industries such as online gambling. The gambling industry is a tremendously aggressive consumer of APIs. In locations where it’s legal, large bookmaking organizations compete to quickly introduce opportunities for people to bet on everything from sports to political races or the national budget. Online betting companies develop games or set up innovative new betting scenarios to captivate retail customers and APIs allow them to retail new services out very quickly, to keep customers engaged.

For multi-channel retailers, it’s only natural to want to give customers immersive shopping experiences across not only brick-and-mortar storefronts but also Web, mobile and social media channels. These online experiences are increasingly location-specific and contextualized to each shopper’s identity and buying history. APIs provide the means for ensuring consistent shopping experiences across multiple retail channels.

Retailers are increasingly seeking to engage buyers everywhere they might be, whether online or in-store. They are looking for ways to deliver immersive commerce experiences — including consistent content, promotions and rewards — across multiple channels. Retailers want to tailor these experiences to buyers’ enhanced identity information. Achieving all this requires the ability to:

  • Expose content, commerce, loyalty and promotion functions as APIs
  • Integrate APIs from third-party affiliates, mobile apps, social networks, geolocation services, customer data sources and ad networks
  • Resolve and reconcile a buyer’s identity across online channels
  • Simplify mobile notifications.

Having the toolset to manage APIs is essential. The CA Layer 7 API Management Suite provides all the API creation, integration and orchestration features necessary to meet context-aware, multi-channel retail merchandising objectives. By adopting proven policies and procedures for ensuring secure APIs, retailers can aggressively scale their online merchandising initiatives and potentially reach more customers with innovative offers of products and services.

May 27th, 2014

Hybrid App Growth in the Enterprise: Lessons Learned at Gartner AADI

Last week, I was lucky enough to attend the latest Gartner Application Architecture, Development & Integration Summit in London. One of the key themes that emerged from this show was the need to create agile architectures for mobile apps that leverage enterprises’ backend systems. Architectural agility has long been a central concern for enterprise IT but it has taken on a new urgency with the mobile revolution. As all sorts of enterprises scramble to launch effective mobile app strategies, the issue of how to build agile architectures for the mobile domain is ever more pressing.

One of the key questions for architects charged with enabling enterprise app strategies is whether enterprises should be developing fully native mobile apps, building apps on Web standards like HTML5 or taking a hybrid approach. Based on the sessions I attended and my conversations with architects who are attempting to answer this question in the field, it is clear that each approach has its own advantages and pitfalls. The Web-centric approach enables enterprises to be quick-to-market – a significant advantage in the current climate. But HTML5 simply cannot deliver the kind of rich and seamless functionality offered by native apps.

Logically then, the hybrid approach would seem like the way to go. But even this has its disadvantages. For example, platform vendors like Apple and Google might impose more restrictive terms and conditions on hybrids. Furthermore, hybrid apps retain many of the disadvantages of a Web-centric approach. Hybrids can never deliver the full native experience users prefer and they create significant testing and security challenges. And it’s quite possible that, at some point in the future, mobile development tools could improve to the point where hybrids are no quicker or cheaper to deploy than native apps.

Nevertheless, hybrid apps have significant advantages. First and foremost, the hybrid approach turns the whole “Web-versus-native” binary into a continuum, allowing sophisticated trade-offs to be made between cost/time-to-market and functionality. Furthermore: tools to create hybrid apps are well understood and widely available; unlike pure HTML5 apps, hybrids allow a presence in the app store for marketing purposes; hybrids allow some content and features to be updated without resubmitting the app to the store.

In light of all this, it seems clear to me that the hybrid approach will have a role to play in the ongoing development of enterprise mobility. Indeed, if I remember correctly, one study I heard mentioned said that, by 2016, over half of all mobile apps deployed will be hybrids – whereas less than a quarter were just a year ago. Still, hybrid apps won’t work for every use case and my advice to architects would be to make sure your architectural approach matches the needs and resources of your organization. And whatever approach you take, make sure that it is built on a technology platform that will allow the apps to run smoothly at scale, without impacting the security or performance of backend systems.

April 25th, 2014

The Importance of Context to Mobility

My grandfather has a bumper sticker on his pickup truck that says “He who dies with the most toys, wins.” Since my world revolves more around API Management than collecting die-cast models of John Deere tractors, I have my own version of the saying – “He who has the most context wins.” Context has always been an important part of managing data or applications, but the proliferation of enterprise B2E (business-to-employee) and B2C (business-to-consumer) mobile apps has significantly increased the need for context-based policy.

The Layer 7 family of API Gateways has always been good at context. Not only does a Gateway have access to the full request and response content, it can also access header content (from a wide variety of protocols) and transaction metadata (latency, source information etc.) Then it adds in user credentials and attributes retrieved from the request and backend identity management systems. These inform decisions around access control but also around traffic routing, prioritization, rate limiting, quota fulfillment etc.

However, mobility introduces a few new entities to the equation, all of which have to be taken into account for ideal contextual decision-making. The first is familiar: users; but mobile users might have additional attributes that come into play. Phone number and email become more important, since they provide other connection points accessible to the user on the same device (smartphone, tablet etc.) The inclusion of social login – available in the 2.1 release of our Mobile Access Gateway – provides social graph information that might also have relevance when deciding how a user request should be processed.

The second entity providing contextual attributes is the app itself. An app ID or API key can tie an application back to the developer who created it. Signer information, permissions and other internal details can give context around existing app security. The Mobile Access Gateway can collect some of this information using our Mobile SDK and more data can be gathered via integration with CA (or third-party) MAM and MDM products.

The third important entity is the device itself. Not only can APIs be tailored to return data structures specific to a screen size or even a specific device type but behavior can also be tracked to a single device ID to analyze the risk involved. There might be more risk delivering sensitive data to a family iPad than there would be on a personal smartphone – or to a phone in an airport rather than a laptop in the office. This level of risk (and the associated response) increases dramatically when interacting with an unlocked device rather than one locked down by corporate security policies.

In my new role across the CA Securecenter product line, I’ve focused quite a bit on the integration of Layer 7 with other CA products. The result has been a flood of new contextual information with which to make richer decisions. Gathering risk profiles from CA RiskMinder or data categorization from CA DataMinder provides an even stronger understanding of who is trying to access what, from where. And the decision made from this context doesn’t necessarily have to result in a thumbs-up or thumbs-down; with CA AuthMinder, suspicious requests can simply require an additional level of authentication.
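The three-way outcome described above (allow, deny, or require step-up authentication) can be illustrated with a small context-aware policy evaluator. This is an added example, not Layer 7 or CA product code; the attribute names, the score weights and the per-sensitivity thresholds are constructed for illustration, and the 0-100 risk score stands in for whatever an external risk engine would supply.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask for an additional authentication factor, then retry
    DENY = "deny"


@dataclass
class RequestContext:
    user_id: str
    app_signer_trusted: bool   # app signer matched the expected developer certificate
    device_managed: bool       # device locked down by corporate policy (MDM-enrolled)
    device_shared: bool        # e.g. a family tablet used by several people
    network: str               # "corporate" or "public"
    risk_score: int            # 0-100 from an external risk engine (hypothetical scale)
    data_sensitivity: str      # "public", "internal" or "sensitive"
    step_up_completed: bool = False


# Per data class: (step_up_at, deny_at). Constructed values; public data never needs step-up.
THRESHOLDS = {"public": (101, 90), "internal": (50, 90), "sensitive": (30, 70)}


def context_score(ctx):
    """Combine the external risk score with device and network context (capped at 100)."""
    score = ctx.risk_score
    if ctx.device_shared:
        score += 20
    if not ctx.device_managed:
        score += 20
    if ctx.network != "corporate":
        score += 10
    return min(score, 100)


def evaluate(ctx):
    """Return (Decision, reason). Middling scores get step-up rather than a flat deny."""
    if not ctx.app_signer_trusted:
        return Decision.DENY, "untrusted app signer"
    step_up_at, deny_at = THRESHOLDS[ctx.data_sensitivity]
    score = context_score(ctx)
    if score >= deny_at:
        return Decision.DENY, f"context score {score} >= {deny_at}"
    if score >= step_up_at and not ctx.step_up_completed:
        return Decision.STEP_UP, f"context score {score} >= {step_up_at}"
    return Decision.ALLOW, f"context score {score}"


# Constructed sample requests: same user, same low risk score, different device context
OFFICE_LAPTOP = RequestContext("alice", True, True, False, "corporate", 10, "sensitive")
AIRPORT_TABLET = RequestContext("alice", True, False, True, "public", 10, "sensitive")
```

Re-evaluating the same request with `step_up_completed=True` lets the gateway admit the user once the extra factor has been satisfied, without changing the rest of the policy.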

Every industry has its own variables, vulnerabilities and potential optimizations. Our goal is to give customers the right context with which to make the best decisions for their specific use cases. Our rich interface management capabilities and strong integrations with other proprietary and standards-based mobile technologies give us the best palette of access control and policy options in the API Management industry. In a world where context is king, we’re continually fighting for that crown.

April 10th, 2014

Upcoming Talks at MobileWeek 2014 in NYC

I will be attending MobileWeek 2014 in New York City next Monday, April 13. I’ll be at the conference all day, so drop by and say hello. Part way through the day, I’ll deliver a two-minute lightning talk on mobile authentication, followed by a panel on enterprise mobile security and scalability.

The lightning talk is at 12:25 pm:

How to Make Mobile Authentication Dead Easy
Are your developers struggling to integrate mobile apps and enterprise data? They shouldn’t be! In just two minutes, learn the easiest way to get end-to-end security between your mobile apps and the enterprise — all without using a VPN.

It must be easy if I can cover it in only two minutes!

The panel, scheduled to start at 1:10pm (an odd time, so keep an eye on the clock), will include participants from Hightail and will be moderated by Geoff Domoracki, who is one of the conference founders:

The Mobile Enterprise: Productivity, Security & Scalability
We hear terms like “mobile enterprise” and “mobile workforce” but how far are we towards creating an enterprise work environment that enables real-time communication beyond geographic boundaries — freeing the employee to work from his phone anywhere in the world? This panel will explore the opportunities and challenges around the emergence of a “mobile enterprise” where sitting at a desk in the office is becoming more and more outdated. How do you share documents, secure data, prove identity and geo-collaborate in the new mobile enterprise?

Overall it looks to be a good day. New York is a hotbed of mobile development and I’m looking forward to meeting lots of interesting people.

See you at MobileWeek!

April 3rd, 2014

Mobile Access Gateway 2.1 is Here!

Last week, we launched the Mobile Access Gateway 2.1 in style. The team has worked hard over the past few months to make sure the new features are coming together in a meaningful way. So, what’s in the new release?

First, we now allow customers to configure the usage of SiteMinder Session Cookies, with the Mobile SDK. In fact, the client libraries can use just about any token as the user token without breaking the existing model where we provision and manage token artifacts for users, apps and devices. With 2.1, you can use SiteMinder Session Cookies, SAML, JWT or any other user token. The Gateway administrator can configure what is relevant for the use case. As we know, there is a huge base of SiteMinder users who should now consider the Mobile Access Gateway as their mobility toolkit.

Second, the Mobile Access Gateway now supports social login for mobile apps. Social login support on the Gateway empowers developers to build apps that allow users to securely identify themselves by using sign-on credentials from social network platforms like Google Accounts, Salesforce, LinkedIn and Facebook. The social login flow is supported by the Gateway’s mobile Single Sign-On (SSO) capability. With mobile SSO and social login enabled, users log in once with their social account credentials to access multiple enterprise and third-party applications from a mobile device. Additional contextual data such as geolocation can be combined with social login to provide a more secure API.

Third, with the 2.1 release, we now support Adobe PhoneGap. By leveraging the Cordova plugin interface, hybrid apps can tie in to the SSO and mutual SSL session negotiated by the native client libraries. This way, there is a unified security model for native and hybrid apps and app developers can choose to code application logic with their preferred tool chains.

Together with the existing Mobile Access Gateway features, this release provides app developers with better tools for writing awesome and secure mobile apps.