As more and more government agencies integrate mobile solutions into their work environments and into how they deliver services to the American taxpayer, the issue of securing technology and resources on the go becomes more pressing. Several agencies have recently announced the development of their own apps and potentially their own app stores; the Marine Corps has expressed interest in developing a containerized phone. As civilian and military agencies fully embrace mobility, how will they secure not only the devices, but also the development and delivery of mobile tools?
Nate Rushfinn, Principal Business Architect at CA Technologies, takes us through the major issues that agencies should account for as they enter the mobility space and some strategies for implementing best practices for secure end-to-end mobile application development.
This week in Barcelona people are gathering from all over the world to discuss how mobile phones will become the new face of commerce and banking.
In trials around the world, people are buying tickets with their cell phones to ride the train. A new technology called Near-Field Communication (NFC), which is based on RFID, allows you to make contactless payments with your cell phone, just as you would with your ATM card or SpeedPass. NFC forms an ‘air gap’ transformer that lets devices connect from up to 4cm apart, and can then set up a secure connection over Bluetooth or WiFi.
But with recent security breaches in retail and local government on the forefront of everyone’s mind, is a new technology like NFC just a little too scary?
Instead of another layer of security or a Band-Aid approach to staunch the bleeding, we need an end-to-end model that will secure mobile apps from the front gate to the back end.
At the Front Gate – Users and their Smart Phones
It all starts at the front gate—you, confirming your identity.
Passwords alone aren’t enough, so we use two-factor authentication (TFA): “something you have,” like your personal identity verification (PIV) or common access card (CAC), plus “something you know,” your password or PIN. There’s a lot of talk these days about beefing this up with “something you are,” such as your fingerprint, iris, or face. But what happens when you say, “I forgot my password?” We need to make it EASY, so that with a single click a one-time password (OTP) can be sent to your phone.
Doing that securely is key, which is why it’s so important to prevent a man-in-the-middle attack. You don’t want somebody snooping your password.
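To make the one-time password idea concrete, here is an added example (not code from the original post or from CA Technologies) of the server side of that “single click”: it generates a code with the RFC 4226 HOTP construction, accepts it exactly once, expires it after a short window, and locks it after a few wrong guesses. The shared secret is the RFC 4226 test-vector key, used here only so the output is checkable.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 test-vector key. A real deployment
# would provision a random per-user secret and keep it in protected storage.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Issue one code per login attempt and accept it once, within a short TTL."""

    def __init__(self, secret: bytes, ttl_seconds: int = 120, max_attempts: int = 3):
        self.secret = secret
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.counter = 0          # moving factor; never reused, so codes never repeat
        self.pending = None       # the one outstanding code, or None

    def issue(self, now: float) -> str:
        """The 'single click': mint a fresh code to send to the user's phone."""
        self.counter += 1
        code = hotp(self.secret, self.counter)
        self.pending = {"code": code, "expires": now + self.ttl,
                        "attempts": self.max_attempts}
        return code

    def verify(self, candidate: str, now: float) -> bool:
        """True only for the outstanding code, unexpired, on its first correct use."""
        p = self.pending
        if p is None or now > p["expires"]:
            self.pending = None                            # stale code is discarded
            return False
        p["attempts"] -= 1
        ok = hmac.compare_digest(p["code"], candidate)    # constant-time comparison
        if ok or p["attempts"] <= 0:
            self.pending = None                            # consumed or locked out
        return ok
```

The code itself must still travel to the phone over a protected channel; single use and a short lifetime limit what a snooped code is worth, they do not replace transport security.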
Keeping it simple (KISS) is also very important. Passwords aren’t safe if you write them down. A great idea that is gaining in popularity is OpenID. It’s the technology you use when logging into many popular sites with your Google or Yahoo identity. But some call it ‘the most successful failure on the web,’ because more and more you see the proprietary “do you want to log in with Facebook?” instead. A standard will evolve, as this idea saves a lot of time and spares users from having multiple passwords.
But what happens when you lose your phone and somebody steals your identity?
VISA uses Risk Based Analysis (RBA) to learn your spending habits. When there is an abrupt change that doesn’t match your normal pattern of activity, this triggers an alarm. A few simple questions from security confirm your identity and your card access is restored. Fail the security questions and your card is blocked.
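As an added illustration of that pattern (example code, not VISA’s system or anything from the original post): a profile learns a cardholder’s normal spend, each new transaction is scored against it, an unusual one triggers the challenge, and the challenge outcome either restores or blocks access. The weights, thresholds and sample transactions are constructed for the example.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Transaction:
    amount: float
    country: str
    ts: float          # seconds since epoch


@dataclass
class Profile:
    """Learned spending habits for one cardholder."""
    amounts: list = field(default_factory=list)
    countries: set = field(default_factory=set)
    recent_ts: list = field(default_factory=list)

    def learn(self, t: Transaction) -> None:
        self.amounts.append(t.amount)
        self.countries.add(t.country)
        self.recent_ts.append(t.ts)


def risk_score(p: Profile, t: Transaction) -> int:
    """Higher means further from the cardholder's normal pattern."""
    score = 0
    if len(p.amounts) >= 5:                       # need history before judging size
        mu, sigma = mean(p.amounts), pstdev(p.amounts) or 1.0
        if (t.amount - mu) / sigma > 3:           # abrupt change in spend size
            score += 2
    if t.country not in p.countries:              # never seen this country before
        score += 2
    in_last_hour = [x for x in p.recent_ts if t.ts - 3600 <= x <= t.ts]
    if len(in_last_hour) >= 5:                    # unusual velocity
        score += 1
    return score


def decide(p: Profile, t: Transaction) -> str:
    """'allow' the transaction or 'challenge' the user with security questions."""
    return "challenge" if risk_score(p, t) >= 2 else "allow"


def resolve_challenge(answers_correct: bool) -> str:
    """Outcome of the challenge: card access restored, or card blocked."""
    return "restored" if answers_correct else "blocked"
```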
The Citizen App Store
But then we started doing Sudoku on our smart phones. Not only is it fun, but we get smart at the same time by stimulating our neurons and increasing our brain plasticity. Downloading cool apps like “Calorie Counter” or “Night Light” is fun, but now I can do real stuff with my smart phone. When I forget my anniversary, I can log on to my iPhone and get dinner reservations at a four-star restaurant using OpenTable—a real marriage saver. With the Hertz Gold App I can book my rental car as I am getting off the plane. But the coolest thing is that people in Portland, OR and Helsinki, Finland ‘bump’ their phone up to the Pay Pass station, buy their ticket and jump on the train. Soon I’ll be able to buy my groceries and gas at Piggly Wiggly using my cell phone.
With smart phones we can do amazing things we could never dream of a few years ago. Mobile apps are disrupting the market and becoming the new face of commerce, a trend that will only continue.
Devops – Mobile Edition
The app store is a paradigm shift. Mobility is disruptive not because smart phones will replace laptops, but because mobile apps are disrupting the market.
For years, we have written large applications and monolithic suites that do everything. Mobile apps are small and do one thing. The fact that these are small and single purpose is why we have so many of them and why they are being written so quickly. Using external APIs, these apps connect to valuable citizen and government data. To protect our government data, applications must be well written and designed with sound architecture principles. But writing good apps isn’t enough. They must be well tested to ensure that all our security controls work. Everyone wants to be more agile and increase their velocity, so delivering applications quickly is important. But more important is being able to update apps quickly and easily as soon as new vulnerabilities arise.
Mobile apps are small components in a complex environment. This makes them easy to write but hard to test and deploy. Mobile Devops, combining Service Virtualization, continuous testing and release automation, is a critical part of end-to-end mobile security.
In the old paradigm, cell phones were all the same and were standard issue from your company’s IT department. But BYOD has changed all that. Having your own phone (or two) makes it futile for IT to lock it down tight as a drum. Instead of trying to protect the phone, we protect the data and the application. To do this we use ‘smart containerization’. A smart container resides on the phone. Information is sent from the secure back-end data center to the container, which is also secure. A user opens their email in the special container. The program ensures that any links contained in the email are subsequently opened in a secure web container. We can’t make the whole phone secure, but we can install a smart container on the phone with a secure connection back to the home container.
Access control – Who’s watching the store?
But even when we protect our end users, computer professionals still share critical passwords like “administrator” or “root,” which we sometimes call the “god” password.
Even though these back-end servers are ‘trusted systems,’ privileged users must still log on with their own unique identity and perform their work under their own credentials. Robust access control and privileged user management is how we enable business, not block it.
API Management is an important piece of end-to-end mobile application security
Application Programming Interfaces have been the standard way of accessing programs and data since the 1980s, but according to “Programmable Web,” external APIs or web APIs are growing at an increasing rate: 11,003 at last count.
Millions of new mobile applications allow users to easily connect with data that was previously only available on secure internal networks. Exposing data to mobile applications with external APIs allows organizations to make it easier for their customers to do business with them. APIs in themselves are not the problem, but left unmanaged, exposing data to the cloud through APIs poses new risks.
The solution is not to block the new APIs but to implement a framework of control between the user’s mobile device and the back-end data. API gateways and a management framework reduce complexity and enable secure access while reducing risk.
Mobile and Smart phones will be the new face of commerce and business, and security is still foremost on everyone’s mind.
The answer is simple, we say: “A new mobile firewall,” or “Maybe, mobile device management, yeah, that’s the ticket.” We would all like to believe a single solution will solve the problem, but it won’t.
We need an end-to-end mobile security solution from the front gate to the back end: a solution that addresses all aspects of the mobile enterprise. We can’t fix the problem by just adding another layer of security, putting on a Band-Aid.
The end-to-end solution starts at the front gate with identity access management (IAM), two-factor authentication (TFA) and one-time passwords (OTP). We need to use behavioral analytics with Risk Based Authentication (RBA) that analyzes your behavior and flags threats from people masquerading as you.
It means getting past the password conundrum. Security must be easy on mobile devices or people won’t use it.
We are not going to be able to control every device. Instead we need to ruthlessly control the data on the device. “Smart containerization” allows us to set up secure email, file transfer and browser containers.
Mobile security means taking a firm stand on privileged user management and ensuring we have robust access control. We need zero-trust architecture in the back end to slow down intruders and to give us adequate time to respond to infiltrations and remediate attacks.
For mobility to change the way we do business, we need mobile Devops. We need to ensure that developers and operations work together so that our mobile apps are well written, thoroughly tested and ready to deploy. And most importantly, when problems arise we work together to quickly remediate the problem.
A comprehensive approach can make mobility the new face of ecommerce. We need end-to-end mobile application security that protects us from the front gate to the back end.