Packt Publishing Book Proposal API and Mobile Access Management

1
 Pack Publishing Book Proposal API and Mobile
Access Management

• What is it, exactly, that youre focusing on?
• Deploying an application access management suite
  is currently too expensive for any but the
  largest enterprises who can afford platforms like
  Oracle Access Manager, IBM Tivoli Access Manager
  or CA Site Minder. These security suites use
  proprietary protocols which frequently result in
  vendor lock-in. This book would document a
  recipe to leverage open standards to build an
  enterprise class access management system using
  100 open source components. This recipe has been
  developed by Gluu over the last five years, and
  is proven to work in a variety of deployments
  around the globe that vary in size from small to
  humongous.
•  
• Why does the community use this tool?
•  
• Peopleemployees, customers, and partnersneed to
  be identified to interact electronically with an
  organization. Authentication (authn) and
  authorization (authz) is a challenge faced by
  almost every organization large enough to
  register an Internet domain. And its not just
  people that need to be authenticated and web
  access management system (wams).

2

• Clients are online agents that can interact
  with services on your behalf. With the emergence
  of the IoT and the API economy, developers and
  system administrators are urgently searching for
  standards based solutions and best practices to
  improve the security of web and mobile
  applications.
•  
• While commercial solutions exist, there are many
  organizations that prefer the do-it-yourself
  approach. Authentication impacts the integrity of
  every transaction performed by a person or client
  on the network. In some cases, web authentication
  is the organizations keys to the kingdom. There
  are many organizations that will never outsource
  this function. And there are many organizations
  that see excellence in authenticationwhich is
  the front door to their Internet presenceas a
  competitive advantage to drive adoption of their
  products and services. For these organizations, a
  recipe for open source access management would be
  extremely helpful.
•  
• What are people doing with it on a daily basis?
•  
• Application security is a very difficult and
  scary topic for the average system administrator.
  Authentication and authorization is the first
  step for almost any content of value. If the
  central authn/authz service is down, even the CEO
  of the company may not be able to read her email.
  Or worse, a security breach may result in a
  financial loss for the organization or even
  dismissal. This book would document a proven
  solution to enable sysadmins to confidently
  deploy a modern, flexible authn/authz service
  that would be available day after day for many
  years to come.

3
What are its benefits to users, compared to a
new/old rival?   The recipe documented in the
book is a proven stack of software used by
universities, governments, large companies and
websites. This stack has more features and is
easier to manage than commercial alternatives. If
you are paranoid about the NSA spying on you,
then you can read all the code. This recipe
includes some of the most widely deployed and
some of the most cutting edge security solutions
available anywhere.   Organizations who dont use
open source may use expensive commercial software
or a SSO service. As application security is a
universal requirement, both of these options will
make sense for some organizations.   The recipe
documented in this book is not the only open
source recipe possible the book is not intended
to be a compendium of all open source security
solutions. Its a curated recipe of a suite of
software proven to work together to satisfy the
requirements of many organizations large and
small.   What issues does your community face,
day to day? A recent Verizon study indicated
that 80 of Internet breaches were the direct
result of bad password security. But how can
organizations reduce reliance on passwords,
without tightly coupling authentication
technology into applications? How can the
deployability issues of strong authentication be
addressed?  
4
Mobile applications are creating new requirements
for companies. There has been a paradigm shift
where enterprise services are published with
JSON/REST APIs to support both web sites and
mobile apps. Organizations are using more
services hosted by third parties. Some web sites
are facing requirements to support the standards
based security infrastructures of their customers
or partners.   Its impossible for the average
system administrator to patch together a solution
to address all these challenges. Its time for an
open source alternative.   What else can it
do?   The solution is very flexible. It is
solving a wide range of use cases today. One area
that could be expanded is enrollment, which
involves creating an internal profile for a
person who is authenticated at another domain
(like Google). Another extra-credit topic that is
not needed by the average domain is multi-party
federation hosting. This enables an organization
to vet a list of trusted, autonomous partners who
publish applications or authenticate
people.   What do its friends look like?   Many
governments are anxious to see open source
alternatives for security. The Internet will not
become a safer place if only big companies can
afford security. Higher Education has also been
early adopters of open standards for security.
Part of the solution is based on open source
software already popular in this segment..  
5
Finally, many companies are anxious for more cost
effective solutions to recommend to partners. If
you need your partners to support secure open
standards for security, you cant ask them to buy
expensive enterprise software. Finally, privacy
advocates around the globe prefer open source
security solutions, especially in light of recent
revelations regarding US government spying. What
does the future look like? There is a major
paradigm shift happening right now. In the past,
there were too many Internet standards for web
authentication OpenID 2.0, OAuth 1.0,
WS-Federation, CAS, and many other protocols are
on the trash heap of failed or fading efforts.
Finally, new standards have arisen that use the
OAuth2 pattern, leveraging a JSON/REST API
architecture that is friendly to application
developers. There is more consensus than ever on
how to achieve interoperable security. If
authentication and authorization becomes a
decentralized Internet infrastructure like SMTP
or DNS, the know-how for how to launch an manage
these services will be in high demand across the
globe. Product Proposal API and Mobile Access
Management What is the vision and purpose of
this product? While the vision for securing the
Internet is clear to the identeratithe experts
who developed the standardswe need to get the
information into the hands of a much wider
audience. It is imperative for our society that
we decentralize identity.
6
Face book and Google have bridged our inability
to identify our friends on the Internet by
providing a centralized solutionyou can share a
Google doc with someone only because they also
have a Google account. With a myriad of vendors
producing hardware and software that interact on
our behalf, we cannot build our society on these
central identity silos. Like enlightened
despotism, it seems efficient. But over time, it
undermines the original design goal of the
Internet the largest federation of autonomous
entities ever assembled into one network. The
Internet was made possible by standards like
TCP/IP, DNS, http and ssl. After 20 years, we
have an Internet identity infrastructure, and
its time to get the word out. For this, we need
paper! Who is the reader/viewer at the
start? The basic profile of the person is a
Unix system administrator. However, others in
the organization who use or rely on the
infrastructure may also want to read it. To read
this book, the person will need to understand the
current infrastructure of the Internet TCP/IP,
DNS, SMTP, HTTP, and SSL. Some knowledge of
private-public key cryptography would also
helpful, although the required concepts will be
reviewedits so critical, it cant be assumed.
No programming is assumed, although some
additional material will be referenced, as many
programmers will certainly read this book.
7
  Who is the reader/viewer at the end?   After
reading the book, the reader should be ready to
deploy the components to enable application
testing and development to proceed. The roadmap
for security should be clear, including which
services are needed to meet the requirements of
the readers organization. Importantly, after
reading this book, the programmers, system
administrators, and Chief Information Security
Officer should be able to get alignment much more
quickly on the important standards, and the
moving pieces that need to be addressed from a
business perspective, not just a technical
perspective.   Article resource-http//thegluuser
ver.livejournal.com/4973.html