The Problem Of Securing Mobile Applications With A Web Access Management System
Since the dot com bubble started, the IT industry has been working toward simplifying and strengthening the security around the web. How do you maintain security, auditing, and compliance as the applications become more decentralized, flexible and distributed across multiple systems? The world moved away from the one large computing center of a mainframe set of applications to a spider web of rapidly growing applications that can be placed anywhere. The industry had to evolve its Identity and Access Management systems to maintain the security protections it had tucked into one main computing center.
The speed and flexibility of web-based applications slowly made the larger, more complex and less flexible traditional “thick” applications obsolete. There are still cases where those applications are necessary, but they are now a small minority compared to the web applications. Over the last 10 years the entire world has been moving in this direction: build many applications spread out over a wide area, with centralization of the security, auditing and policy management.
In a centralized access management system you generally have three core components. The Policy Decision Point (PDP) is your central location for all the access policies for the applications under its protection. The Policy Enforcement Point (PEP) is the mechanism, usually some kind of agent, that resides on or very near the application, filters all the traffic in and out of the application and enforces the access policies. To round it out you have an Audit location, which stores all the authentication, authorization and transaction behavior in one place. For compliance reporting the audit database is the most critical component: this one location will tell you with great speed and accuracy who accessed what and when across all the applications. In the old days each application audited itself, and investigating meant an individual visit to each application to get the data you needed. Not every application stores the same information or records it the same way. The centralized access management system solved that.
Around 2003 or so mobile devices started to get powerful enough to allow browser-based access from your phone, primarily Blackberry at that time. WAP and other mobile protocols came along to allow companies to build slimmer versions, less cosmetic but with the same key functionality as their big brother full-sized web applications. This first mobile movement was still able to use the same web security systems in the back end without too much disruption. Maybe you had to throw in a proxy server, but the fundamental protection methods remained the same.
Technology in the mobile space continued to get smaller and more powerful, laptops began to take over from PCs and mobility started to become a buzzword. Users wanted to access their applications and data in more ways than just a desk-anchored computer. Then along came the iPhone, the mobile revolution exploded, and I think it took the Security and Access Management industry by surprise. The adoption rate by the users was extraordinary, taking the whole concept of computing in general and turning it upside down. So now, instead of the world staying on track to a web platform, along came this mobile application model, which went back to individually installed and managed applications on a device. Instead of making the web work through a new kind of browser, there is a web protocol based back end but with thick applications that do not conform to browser behaviors. So now what? How do we protect that with the centralized access management system, built primarily for the web, that I have spent the last 10 years building up? What are the vendors doing to evolve into this new paradigm? This is the challenge facing the IT Security folks. With the ever-increasing demands from the regulatory requirements of FFIEC, HIPAA, PCI, EMEA, etc., companies now need to integrate this new direction into an existing auditing and reporting structure.
In a thick mobile application you cannot use your standard web access management policy implementation model. Writing web based policies which rely on headers and URL redirects won’t work for an application that is not a browser and does not want users to get taken out of the application and into a browser. Otherwise they would use the browser in the first place. They want to use the new cool application. They also want to use the same userid and password as they do on the regular website. The security guys in the back room are scratching their heads trying to figure out how to maintain centralized services with this new IT direction of individual applications.
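The three components described earlier and the header-and-redirect policy model discussed above can be sketched as follows. This is an added example, not code from the original post; every name, URL, session and policy in it is constructed for illustration. It shows a browser session being allowed with an identity header, while a thick client without the SSO cookie is handed a redirect to an HTML login page, and both outcomes landing in one audit store.

```python
from datetime import datetime, timezone
from urllib.parse import quote

# All names and values below are constructed for illustration.
POLICIES = {"/banking/": {"customer"}, "/admin/": {"admin"}}   # PDP policy store
SESSIONS = {"sess-alice": ("alice", {"customer"})}             # SSO session table
LOGIN_URL = "https://sso.example.com/login"                    # hypothetical login page
AUDIT = []                                                     # central audit store

def audit(app, user, path, outcome):
    """One record format for every application, written to one place."""
    AUDIT.append({"when": datetime.now(timezone.utc).isoformat(),
                  "app": app, "user": user, "path": path, "outcome": outcome})

def pdp_decide(roles, path):
    """Policy Decision Point: central policy lookup, default deny."""
    for prefix, allowed in POLICIES.items():
        if path.startswith(prefix):
            return bool(roles & allowed)
    return False

def pep_filter(app, request):
    """Policy Enforcement Point: agent in front of `app`.
    Returns (status, headers) as a browser-oriented agent would."""
    session = SESSIONS.get(request.get("cookies", {}).get("SSOSESSION"))
    if session is None:
        # No session: send the client to the HTML login page.
        audit(app, "anonymous", request["path"], "redirect")
        return 302, {"Location": f"{LOGIN_URL}?target={quote(request['path'], safe='')}"}
    user, roles = session
    if not pdp_decide(roles, request["path"]):
        audit(app, user, request["path"], "deny")
        return 403, {}
    audit(app, user, request["path"], "allow")
    return 200, {"X-Remote-User": user}   # identity handed to the app in a header

def who_accessed(prefix):
    """Compliance query answered from the single audit store."""
    return [(r["app"], r["user"], r["outcome"]) for r in AUDIT
            if r["path"].startswith(prefix)]

def demo():
    browser = {"path": "/banking/accounts", "cookies": {"SSOSESSION": "sess-alice"}}
    native = {"path": "/banking/accounts", "cookies": {}}   # thick client, no SSO cookie
    results = [pep_filter("web-portal", browser),
               pep_filter("mobile-api", native),
               pep_filter("web-portal", {**browser, "path": "/admin/users"})]
    return results, who_accessed("/banking/")

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second result is the case the post describes: the native client asked for account data and received a `302` pointing at a browser login page it has no way to render inside the application.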
Money will solve everything eventually when it comes to IT, but economic times are not like they were in the dot com days. Companies need to make do with what they have, with little or no additional investment. The vendors of the access management products need to speed up their solutions to help their customers get this problem solved. One thing is for sure: customer demand for more mobility is only going to get greater. Unless solutions are found, two major things are going to happen. One is that a company will end up spending many times more trying to manage these systems in a decentralized way, and the second is that the user experience will suffer through more accounts to manage, bad flows, or worse, security lapses. Either way it’s going to cost a company more later; no customers means no money.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.