Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

6/5/2014
12:00 PM
Garret Grajek
Garret Grajek
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

If HTML5 Is The Future, What Happens To Access Control?

The solution for multi-device deployment is HTML5. The challenge, for the enterprise, is deploying it correctly. Here are seven tools you will need.

The use of HTML5 versus other media-centric mechanisms for cross-device support is the latest tech topic causing passionate debate among IT aficionados. Most of us knew Flash would not prevail when Steve Jobs prophetically commented in April 2010, Perhaps Adobe should focus more on creating great HTML5 tools for the future, and less on criticizing Apple for leaving the past behind.”

We now have an explosion of HTML5 creation tools and some really creative ideas of what to do with them. This goes beyond games and videos to include full enterprise data and access control, like Sencha Space, which provides cross-device support and data, and application support agnostic to the device -- a true BYOD solution via HTML5.

With HTML5, the focus is back on apps and data rather than the device. What was the shift? The shift was away from proprietary platforms that limited cross-device support, and the solution created apps that were device specific and required device control for updates and management.

HTML5 promises a cross-device platform and the wonderful ability of server-side control of app logic and content. HTML5 even introduced concepts like HTML5 Semantics, where the coder expresses the intent of the action and the device handles the interpretation and specifics.

End of mobile device management
When done correctly, HTML5 frees the enterprise from mobile device management. Resources can be deployed to all devices in a manner that allows complete abstraction of the device to the app. The good news is that it places the focus on the apps, not the devices, an area that enterprises can manage more effectively.

Enterprises need to take these resources, which are, in the HMTL5 world, URL-addressable, and construct access policies that are aligned with corporate policies on two-factor authentication, SSO, time, geography, and device limitation.

Fortunately, these tools all exist. Enterprises do not need to do what they did in 2008 through 2010 and go purchase and deploy all new security and control mechanisms for the purpose of locking down the new devices.

The mechanisms for HTML5 app access control exist. It’s now up to the enterprise to place an inventory of what tools they have and augment them accordingly. Key components should include the following:

1. HTML5 development tools. There are several robust and proven technologies in this space to help an enterprise take advantage of the cross-device coding advantages of HTML5. Even Google has joined the crowd with the launch of Google’s Web Designer.

2. URL-based access control. This includes single sign-on (SSO) to directories, two-factor URL-based authentication, and SSO into multiple mobile, web, HTML5, and legacy applications. For SSO to directories, it is important to work with what is already in place. Use the existing directory information (AD, LDAP, SQL), and employing multiple directories should not be hindered. SSO to multiple applications makes the solution more complete and convenient to end-users. This enables transparent access to existing web applications, cloud resources, HTML5 applications, and non-HTML5 mobile applications.

3. Two-factor authentication/access control. The two-factor URL-based authentication is key for any solution; and it should be built right into the workflow for security and ease-of-use, be based on existing groups and policies, support multiple mechanisms, and be browser-friendly. Browser-friendly authentication is a major part of the authentication workflow and provides a human language interface and user interplay, with which users are very familiar. All forms of two-factor authentication should be supported as well, like SMS OTPs, Telephony OTPs, Soft Tokens, Hard Tokens, NFC, and X.509.

4. Logging from HTML5 resources. Logging and reporting are essential to any security solution. It is vital to track all events concerning user authentication, authorization, and data access to ensure that only the permitted users are entering corporate applications at any time.

5. Application deployment and access. This system should be in place for app-to-role deployment and include an inventory of all deployments, which should be the same type of access control the enterprise has been running for the enterprise apps. The solution should include one-touch resource allowance/revocation.

6. Data management of HTML5 apps. Data management should determine how to “wipe” data from an application and the data space for an app.

7. Integration. If enterprises try to piecemeal these solutions together, it becomes a nightmare. URL-based access control has been around for over 20 years. Look for the solution that can amalgamate multiple directories, providing multiple two-factor options and SSO into HTML5 apps and other app and IT resources.  

The solution for multi-device deployment is HTML5. Now, let’s deploy it right for the enterprise. 

Garret Grajek is a CISSP-certified security engineer with more than 20 years of experience in the information security and authentication space. As Chief Technical Officer and Chief Operating Officer for SecureAuth Corp., Garret is responsible for the company's identity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/9/2014 | 10:00:06 AM
Good breakdown on using how to use HTML5 securely for MDM
Good blog, Garret. In this early adoption phase, what strategies are you seeing that are most effective. And on the flip side, what are some common errors. 

Best/worst war stories from Dark Reading community members are welcome, as always.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25382
PUBLISHED: 2021-04-23
An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.
CVE-2021-26291
PUBLISHED: 2021-04-23
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be t...
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...