Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/10/2012
09:58 PM
Gunnar Peterson
Gunnar Peterson
Commentary
50%
50%

Walking The Mobile Mile

Putting the 'i' in identity means navigating the hidden complexities in mobile identity

Mobile applications have disparate characteristics from normal Web applications and so demand different requirements from developers. This in turn drives the need for new security models. When enterprises write mobile apps, they are not simply delivering data to the customers as in a Web app, they are delivering code that interacts with the mobile device OS, data, and security tokens (and beacons) that will reside on the device for some period of time.

This opens a window of vulnerability for devices that are lost, stolen, or compromised by malware. The enterprise response has been largely focused on Mobile Device Management (MDM), which closes out several important gaps through services like remote wipe. Today, MDM is a sina qua non technology for many enterprises but its not sufficient by itself to get the job done for mobile. After all, as Paul Madsen posits: "If my CEO and I both have the same phone, is the device the right level of granularity?" Further, the device is only one asset in play.

To get a full picture of the risk involved, you must look end to end. Mobile apps do introduce new risks, but it's not just about the device its about how they connect up to the enterprise. Mobile Access Management (MAM) -- access control services that sit in front of the enterprise gateway -- has emerged as a server-side guard enforcing access-control policy for requests from the mobile app to the enterprise back end. Mobile apps get the lion's share of attention, but do not neglect the Web services that provide the wormhole from the iPhone straight into the enterprise core mainframes, databasesm and back end services.

MAM provides mobile-specific security services for the server side. But what about the app on the device? Yet a different set of controls called Mobile Information Management (MIM) enable policy-based communication on the device.

Confused yet? The result in the short run is that the enterprise's identity architecture must factor in many different kinds of identity claims needed to resolve an access-control decision, including the device identity claims (such as hardware fingerprint), the mobile app identity claims (such as the Android PID), the local/mobile user identity claims, and the server-side identity claims. From there, these claims about an identity must be resolved and need to work cohesively across a mobile session, mobile-to-server communication session, and, in some cases, mobile app-to-mobile app communication.

This makes for a real challenge -- difficult, but not impossible, getting consistent policy enforcement across sessions, devices, and servers. As with so much else in security, there are no silver bullets. There's no single product to solve all of these challenge. The mobile app provides a new set of challenges -- specifically an integration challenge -- and likely requires different protocols than enterprises have used in the past, such as OpenID Connect and OAuth. Identity requires first-mile integration (identity provider) and last-mile integration (service provider). But, in addition, mobile "mile" integration requires meshing an array of disparate identities and attributes to enforce consistent policy.

Gunnar Peterson is a Managing Principal at Arctec Group

Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9678
PUBLISHED: 2019-09-18
Some Dahua products have the problem of denial of service during the login process. An attacker can cause a device crashed by constructing a malicious packet. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for v...
CVE-2019-9679
PUBLISHED: 2019-09-18
Some of Dahua's Debug functions do not have permission separation. Low-privileged users can use the Debug function after logging in. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time i...
CVE-2019-9680
PUBLISHED: 2019-09-18
Some Dahua products have information leakage issues. Attackers can obtain the IP address and device model information of the device by constructing malicious data packets. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-...
CVE-2019-9677
PUBLISHED: 2019-09-18
The specific fields of CGI interface of some Dahua products are not strictly verified, an attacker can cause a buffer overflow by constructing malicious packets. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X fo...
CVE-2019-14458
PUBLISHED: 2019-09-18
VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of service via a crafted HTTP header.