
10/10/2012
09:58 PM
Gunnar Peterson
Commentary

Walking The Mobile Mile

Putting the 'i' in identity means navigating the hidden complexities in mobile identity

Mobile applications have different characteristics from normal Web applications and so place different requirements on developers. This in turn drives the need for new security models. When enterprises write mobile apps, they are not simply delivering data to the customers as in a Web app; they are delivering code that interacts with the mobile device OS, data, and security tokens (and beacons) that will reside on the device for some period of time.

This opens a window of vulnerability for devices that are lost, stolen, or compromised by malware. The enterprise response has been largely focused on Mobile Device Management (MDM), which closes out several important gaps through services like remote wipe. Today, MDM is a sine qua non technology for many enterprises, but it's not sufficient by itself to get the job done for mobile. After all, as Paul Madsen posits: "If my CEO and I both have the same phone, is the device the right level of granularity?" Further, the device is only one asset in play.

To get a full picture of the risk involved, you must look end to end. Mobile apps do introduce new risks, but it's not just about the device; it's about how they connect up to the enterprise. Mobile Access Management (MAM) -- access control services that sit in front of the enterprise gateway -- has emerged as a server-side guard enforcing access-control policy for requests from the mobile app to the enterprise back end. Mobile apps get the lion's share of attention, but do not neglect the Web services that provide the wormhole from the iPhone straight into the enterprise core mainframes, databases, and back-end services.

MAM provides mobile-specific security services for the server side. But what about the app on the device? A different set of controls, called Mobile Information Management (MIM), enables policy-based communication on the device.

Confused yet? The result in the short run is that the enterprise's identity architecture must factor in many different kinds of identity claims needed to resolve an access-control decision, including the device identity claims (such as hardware fingerprint), the mobile app identity claims (such as the Android PID), the local/mobile user identity claims, and the server-side identity claims. From there, these claims about an identity must be resolved and need to work cohesively across a mobile session, mobile-to-server communication session, and, in some cases, mobile app-to-mobile app communication.

This makes for a real challenge: getting consistent policy enforcement across sessions, devices, and servers is difficult, but not impossible. As with so much else in security, there are no silver bullets. There's no single product to solve all of these challenges. The mobile app provides a new set of challenges -- specifically an integration challenge -- and likely requires different protocols than enterprises have used in the past, such as OpenID Connect and OAuth. Identity requires first-mile integration (identity provider) and last-mile integration (service provider). But, in addition, mobile "mile" integration requires meshing an array of disparate identities and attributes to enforce consistent policy.
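The claim resolution described above, sketched as a gateway-side check that combines device, app, user, and server-side claims and keeps them consistent across a session. This is an added example, not code from the article or from any product; the policy tables, claim names, and the `decide` function are hypothetical, and all sample values are constructed.

```python
from dataclasses import dataclass

# Constructed policy data; every name and value below is hypothetical.
REVOKED_DEVICES = {"fp-lost-0001"}        # fingerprints reported lost or stolen
TRUSTED_APPS = {"com.example.expenses"}   # app identities the gateway accepts
ROLE_SCOPES = {
    "ceo": {"expenses:read", "board:read"},
    "engineer": {"expenses:read"},
}


@dataclass(frozen=True)
class Claims:
    device_fp: str  # device identity claim (hardware fingerprint)
    app_id: str     # mobile app identity claim
    user: str       # local/mobile user identity claim
    role: str       # server-side identity claim (directory role)


def decide(claims, scope, bindings, session_id):
    """Resolve all four claim types into one (allowed, reason) decision."""
    if claims.device_fp in REVOKED_DEVICES:
        return False, "device revoked"
    if claims.app_id not in TRUSTED_APPS:
        return False, "untrusted app"
    # Bind the session to the first (device, app, user) triple seen, so the
    # claims must stay consistent for the life of the session.
    triple = (claims.device_fp, claims.app_id, claims.user)
    if bindings.setdefault(session_id, triple) != triple:
        return False, "claims changed mid-session"
    # The device alone is too coarse: the role decides what the user may reach.
    if scope not in ROLE_SCOPES.get(claims.role, set()):
        return False, "role lacks scope"
    return True, "ok"


def demo():
    """Run constructed requests through the check and return the decisions."""
    bindings = {}
    app = "com.example.expenses"
    ceo = Claims("fp-a1", app, "carol", "ceo")
    eng = Claims("fp-b2", app, "dave", "engineer")
    return [
        decide(ceo, "board:read", bindings, "s1"),
        decide(eng, "board:read", bindings, "s2"),
        decide(Claims("fp-zz", app, "carol", "ceo"), "board:read", bindings, "s1"),
        decide(Claims("fp-lost-0001", app, "dave", "engineer"), "expenses:read", bindings, "s3"),
    ]
```

Two users of the same trusted app get different answers for the same scope, and a session whose device claim changes is refused even though the user and role are unchanged.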

Gunnar Peterson is a Managing Principal at Arctec Group

Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com.
