Perimeter
10/10/2012
09:58 PM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Walking The Mobile Mile

Putting the 'i' in identity means navigating the hidden complexities in mobile identity

Mobile applications have disparate characteristics from normal Web applications and so demand different requirements from developers. This in turn drives the need for new security models. When enterprises write mobile apps, they are not simply delivering data to the customers as in a Web app, they are delivering code that interacts with the mobile device OS, data, and security tokens (and beacons) that will reside on the device for some period of time.

This opens a window of vulnerability for devices that are lost, stolen, or compromised by malware. The enterprise response has been largely focused on Mobile Device Management (MDM), which closes out several important gaps through services like remote wipe. Today, MDM is a sina qua non technology for many enterprises but its not sufficient by itself to get the job done for mobile. After all, as Paul Madsen posits: "If my CEO and I both have the same phone, is the device the right level of granularity?" Further, the device is only one asset in play.

To get a full picture of the risk involved, you must look end to end. Mobile apps do introduce new risks, but it's not just about the device its about how they connect up to the enterprise. Mobile Access Management (MAM) -- access control services that sit in front of the enterprise gateway -- has emerged as a server-side guard enforcing access-control policy for requests from the mobile app to the enterprise back end. Mobile apps get the lion's share of attention, but do not neglect the Web services that provide the wormhole from the iPhone straight into the enterprise core mainframes, databasesm and back end services.

MAM provides mobile-specific security services for the server side. But what about the app on the device? Yet a different set of controls called Mobile Information Management (MIM) enable policy-based communication on the device.

Confused yet? The result in the short run is that the enterprise's identity architecture must factor in many different kinds of identity claims needed to resolve an access-control decision, including the device identity claims (such as hardware fingerprint), the mobile app identity claims (such as the Android PID), the local/mobile user identity claims, and the server-side identity claims. From there, these claims about an identity must be resolved and need to work cohesively across a mobile session, mobile-to-server communication session, and, in some cases, mobile app-to-mobile app communication.

This makes for a real challenge -- difficult, but not impossible, getting consistent policy enforcement across sessions, devices, and servers. As with so much else in security, there are no silver bullets. There's no single product to solve all of these challenge. The mobile app provides a new set of challenges -- specifically an integration challenge -- and likely requires different protocols than enterprises have used in the past, such as OpenID Connect and OAuth. Identity requires first-mile integration (identity provider) and last-mile integration (service provider). But, in addition, mobile "mile" integration requires meshing an array of disparate identities and attributes to enforce consistent policy.

Gunnar Peterson is a Managing Principal at Arctec Group

Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.