Title: Packt Publishing Book Proposal: API and Mobile Access Management
- What is it, exactly, that you're focusing on?
- Deploying an application access management suite is currently too expensive for any but the largest enterprises, who can afford platforms like Oracle Access Manager, IBM Tivoli Access Manager or CA SiteMinder. These security suites use proprietary protocols, which frequently result in vendor lock-in. This book would document a recipe to leverage open standards to build enterprise-class web access management using 100% open source components. This recipe has been developed by Gluu over the last five years, and is proven to work in a variety of deployments around the globe that vary in size from small to humongous.
- Why does the community use this tool?
- People, whether employees, customers, or partners, need to be identified to interact electronically with an organization. Authentication (authn) and authorization (authz) is a challenge faced by almost every organization large enough to register an Internet domain. And it's not just people that need to be authenticated and authorized. Clients are online agents that can interact with services on your behalf. With the emergence of the IoT and the API economy, developers and system administrators are urgently searching for standards-based solutions and best practices to improve the security of web and mobile applications.
While commercial solutions exist, there are many organizations that prefer the do-it-yourself approach. Authentication impacts the integrity of every transaction performed by a person or client on the network. In some cases, web authentication is the organization's keys to the kingdom. There are many organizations that will never outsource this function. And there are many organizations that see excellence in authentication, which is the front door to their Internet presence, as a competitive advantage to drive adoption of their products and services. For these organizations, a recipe for open source access management would be extremely helpful.

- What are people doing with it on a daily basis?
- Application security is a very difficult and scary topic for the average system administrator. Authentication and authorization is the first step for almost any content of value. If the central authn/authz service is down, even the CEO of the company may not be able to read her email. Or worse, a security breach may result in a financial loss for the organization, or even dismissal. This book would document a proven solution to enable sysadmins to confidently deploy a modern, flexible authn/authz service that would be available day after day for many years to come.

- What are its benefits to users, compared to a new/old rival?
- The recipe documented in the book is a proven stack of WAM (web access management) software used by universities, governments, large companies and websites.
This stack has more features and is easier to manage than commercial alternatives. If you are paranoid about the NSA spying on you, then you can read all the code. This recipe includes some of the most widely deployed and some of the most cutting-edge security solutions available anywhere. Organizations who don't use open source may use expensive commercial software or a SaaS service. As application security is a universal requirement, both of these options will make sense for some organizations. The recipe documented in this book is not the only open source recipe possible; the book is not intended to be a compendium of all open source security solutions. It's a curated recipe of a suite of software proven to work together to satisfy the requirements of many organizations, large and small.

- What issues does your community face, day to day?
- A recent Verizon study indicated that 80% of Internet breaches were the direct result of bad password security. But how can organizations reduce reliance on passwords without tightly coupling authentication technology into applications? How can the deployability issues of strong authentication be addressed?
Mobile applications are creating new requirements for companies. There has been a paradigm shift where enterprise services are published with JSON/REST APIs to support both web sites and mobile apps. Organizations are using more services hosted by third parties. Some web sites are facing requirements to support the standards-based security infrastructures of their customers or partners. It's impossible for the average system administrator to patch together a solution to address all these challenges. It's time for an open source alternative.

- What else can it do?
- The solution is very flexible. It is solving a wide range of use cases today. One area that could be expanded is enrollment, which involves creating an internal profile for a person who is authenticated at another domain (like Google). Another extra-credit topic that is not needed by the average domain is multi-party federation hosting. This enables an organization to vet a list of trusted, autonomous partners who publish applications or authenticate people.

- What do its friends look like?
- Many governments are anxious to see open source alternatives for security. The Internet will not become a safer place if only big companies can afford security. Higher Education has also been an early adopter of open standards for security. Part of the solution is based on open source software already popular in this segment. Also, many companies are anxious for more cost-effective solutions to recommend to partners. If you need your partners to support secure open standards for security, you can't ask them to buy expensive enterprise software. Finally, privacy advocates around the globe prefer open source security solutions, especially in light of recent revelations regarding US government spying.

- What does the future look like?
- There is a major paradigm shift happening right now. In the past, there were too many Internet standards for web authentication: OpenID 2.0, OAuth 1.0, WS-Federation, CAS, and many other protocols are on the trash heap of failed or fading efforts. Finally, new standards have arisen that use the OAuth2 pattern, leveraging a JSON/REST API architecture that is friendly to application developers. There is more consensus than ever on how to achieve interoperable security. If authentication and authorization becomes a decentralized Internet infrastructure like SMTP or DNS, the know-how for how to launch and manage these services will be in high demand across the globe.

Product Proposal: API and Mobile Access Management
- What is the vision and purpose of this product?
- While the vision for securing the Internet is clear to the identerati (the experts who developed the standards), we need to get the information into the hands of a much wider audience. It is imperative for our society that we decentralize identity. Facebook and Google have bridged our inability to identify our friends on the Internet by providing a centralized solution: you can share a Google doc with someone only because they also have a Google account. With a myriad of vendors producing hardware and software that interact on our behalf, we cannot build our society on these central identity silos. Like enlightened despotism, it seems efficient. But over time, it undermines the original design goal of the Internet: the largest federation of autonomous entities ever assembled into one network. The Internet was made possible by standards like TCP/IP, DNS, HTTP and SSL. After 20 years, we have an Internet identity infrastructure, and it's time to get the word out. For this, we need paper!

- Who is the reader/viewer at the start?
- The basic profile of the person is a Unix system administrator. However, others in the organization who use or rely on the infrastructure may also want to read it.
To read this book, the person will need to understand the current infrastructure of the Internet: TCP/IP, DNS, SMTP, HTTP, and SSL. Some knowledge of public-private key cryptography would also be helpful, although the required concepts will be reviewed; it's so critical, it can't be assumed. No programming is assumed, although some additional material will be referenced, as many programmers will certainly read this book.

- Who is the reader/viewer at the end?
- After reading the book, the reader should be ready to deploy the components to enable application testing and development to proceed. The roadmap for security should be clear, including which services are needed to meet the requirements of the reader's organization. Importantly, after reading this book, the programmers, system administrators, and Chief Information Security Officer should be able to get alignment much more quickly on the important standards, and the moving pieces that need to be addressed from a business perspective, not just a technical perspective.

Article resource: https://sites.google.com/site/thegluuserver/packt-publishing-book-proposal-api-and-mobile-access-management