Imagine you manage IT security for an automobile insurance company that is experiencing strong growth in the personal vehicle market segment. (You can substitute any services-as-products industry that transacts with any segment of external customers using public-facing points of entry to sensitive data.) Many of your customers will need to access your site and applications via mobile devices; the data resources you need to protect will be the individual personal information in a customer's account — you will also have to demonstrate to your customers that they can be confident their transactions will be secure.
The three areas of security you will need to implement are:
- Identity access assessment and user experience. The company will want to enforce risk-based assessment so that it affects the user experience for high-risk operations.
- Device consent. The company will require context-based authorization on the device used.
- Transaction confidence. The company will require context-based authorization as defined by specific application instance and transaction value.
In addition, customers must be able to self-manage registered devices in case of theft or loss and they must be able to disable any registered mobile application or browser devices.
In this demonstration, I'll showcase how the Tivoli Federated Identity Manager risk-based access capability can provide access decision and enforcement for device consent purposes and establish a level of confidence for transactions involving insurance purchases. Another primary focus is the use of OAuth mobile access and authorization with OAuth access tokens when performing transaction- and risk-based access on mobile devices.
The video has three parts to it:
- Part one of the demonstration will showcase how to register a mobile application as a trusted instance against a user account.
- Once the mobile application has been trusted, part two of the demonstration will showcase a user purchasing the car insurance packages via the mobile device (and the mobile app); the app is governed by a risk-based access policy with one-time password policy obligations.
- Part three of the demonstration will showcase how it is possible, by using underlying IBM Security products, to disable a registered mobile instance to prevent others from making car insurance purchases on other phones.
This demonstration is designed for security and IT architects.
The Tivoli Federated Identity Manager risk-based access feature provides access decision and enforcement that is based on a dynamic risk assessment or confidence level of a transaction. Risk-based access uses behavioral and contextual data analytics to calculate risk and can:
- Improve security during authentication and authorization of transactions.
- Assess risk based on static, contextual, and analytically calculated attributes.
- Calculate a risk score based on multiple weighted attributes.
- Provide policy rules that determine whether an access request must be allowed, denied, or challenged.
This feature can be configured to:
- Silently register or require users to register devices that they commonly use.
- Associate the registered devices with user credentials.
- Present a challenge or request additional authentication if the user attempts to authenticate with the same credentials from another unregistered device.
- Use the behavioral patterns of the user as a factor in risk-score calculation.
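
A minimal sketch of the weighted risk score and the allow/deny/challenge policy described above, as an added example that is not Tivoli Federated Identity Manager code or configuration. The attribute names, weights, thresholds and the `Device`, `risk_score` and `decide` names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed attribute weights and thresholds (constructed, not product defaults).
WEIGHTS = {"device_id": 40, "user_agent": 15, "ip_prefix": 20, "geo_country": 25}
CHALLENGE_AT, DENY_AT = 30, 70   # policy thresholds on a 0-100 risk score
HIGH_VALUE = 1000                # transaction value that always forces a challenge

@dataclass
class Device:
    attrs: dict            # fingerprint stored when the device was registered
    enabled: bool = True   # the account owner can disable a lost or stolen device

def risk_score(request: dict, device: Device) -> int:
    """Weighted share (0-100) of attributes that differ from the registered device."""
    mismatched = sum(w for k, w in WEIGHTS.items()
                     if request.get(k) != device.attrs.get(k))
    return round(100 * mismatched / sum(WEIGHTS.values()))

def decide(request: dict, registered: list, amount: float = 0) -> tuple:
    """Return (decision, score); 'challenge' stands for a one-time password step."""
    # A request from a device the user has disabled is refused outright.
    if any(not d.enabled and d.attrs.get("device_id") == request.get("device_id")
           for d in registered):
        return "deny", 100
    active = [d for d in registered if d.enabled]
    if not active:
        return "challenge", 100   # nothing to compare with: step up before registering
    # Score against the closest registered fingerprint.
    score = min(risk_score(request, d) for d in active)
    if score >= DENY_AT:
        return "deny", score
    if score >= CHALLENGE_AT or amount >= HIGH_VALUE:
        return "challenge", score
    return "permit", score

if __name__ == "__main__":
    # Constructed sample data: one registered phone and three purchase attempts.
    phone = Device({"device_id": "app-1", "user_agent": "InsureApp/1.0",
                    "ip_prefix": "203.0.113", "geo_country": "US"})
    same = dict(phone.attrs)
    print(decide(same, [phone], amount=200))            # known device, low value
    print(decide(same, [phone], amount=5000))           # known device, high value
    print(decide(dict(same, device_id="app-2"), [phone]))  # unregistered device
    phone.enabled = False
    print(decide(same, [phone], amount=200))            # device disabled by the user
```
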
Resources
- Visit the IBM Tivoli Federated Identity Manager Version 22.214.171.124 Information Center to get more information regarding the installation and administration of Federated Identity Manager.
- Get an overview of one-time password capability, as well as information on how to configure it.
- Get starting information, feature overviews, as well as information on how to install and configure the risk-based access capability.
- Visit the IBM Security Access Manager for Web Version 7.0 Information Center to get more information regarding the installation and administration of IBM Security Access Manager.
- Visit the IBM Security Access Manager for Web on developerWorks community to learn more about Access Manager.
- Visit the IBM IAM Business Value Accelerators Community to learn more about key deployment accelerators relating to topics such as cloud, mobile, compliance, and governance.