Corporations are increasingly using mobile enterprise systems to meet their business objectives, allowing mobile devices such as smartphones and tablets to access critical applications on the corporate network. These devices offer capabilities that traditional desktop clients lack, such as information sharing, access from anywhere at any time, on-board sensors and location data. But the very qualities that make these mobile devices desirable also pose a new set of security challenges. Reports by research agencies in recent years show an alarming trend in mobile security threats, listing as top concerns Android malware attacks and, for the iOS platform, enterprise provisioning abuse and outdated OS versions.
These trends highlight the need for corporations to take a mobile security strategy as seriously as cyber criminals take the planning of their next attacks. Such a strategy might involve adopting the mobile security guidelines published by standards organizations such as NIST and by the OWASP Mobile Security Project; see the references at the end of this article.
The following guidelines are a subset of mobile security guidelines I pulled from various published sources, most of them from NIST. It is by no means a comprehensive list, but it can serve as a starting point, or as a set of additional considerations for an existing mobile security strategy.
1 – Understand the Mobile Enterprise Architecture
You should start by understanding and diagramming the flow from the mobile application to the business applications running on the back-end application server. This should be done at the beginning, as most of the remaining security guidelines depend on what is known about the architecture.
- Is the mobile application a native application or mobile web application? Is it a cross-platform mobile application?
- Does the mobile application use middleware to reach the back-end API, or does it connect directly to a RESTful back-end web service?
- Does the mobile application connect to an API gateway?
2 – Diagram the network topology of how the mobile devices connect
Is the mobile device connecting to the business application servers over the cellular network, internally through a private WiFi network, or both? Does the traffic pass through a proxy or firewall? This information will aid in developing security requirements and help establish a QA security test bed and a monitoring capability.
3 – Develop Mobile Application Security Requirements
At a high level, a security function must protect against unauthorized access and, in many cases, protect privacy and sensitive data. Building security into mobile applications is rarely top of mind in the software development process, so these requirements should be gathered as early as possible in the Software Development Life Cycle (SDLC). In my experience you often have to work with the application developers to get best security practices adopted, so the sooner that dialogue starts, the better. The security objectives to consider are confidentiality, integrity and availability. Can the mobile OS platform provide the security services required? How sensitive is the data you are trying to protect? Should the data be encrypted in transit and at rest? Do you need to consider data-in-motion protection technologies? Should an Identity and Access Management (IDAM) solution be architected as part of the mobile enterprise system? Should it include Single Sign-On (SSO)? Should there be multi-factor authentication, or role-based or fine-grained access control? Is federation required? Should the code be obfuscated to hinder reverse engineering?
4 – Incorporate a Mobile Device Security Policy
What types of mobile devices should be allowed to access the organization’s critical assets? Should you allow personal devices (Bring Your Own Device, BYOD), or permit only organization-issued or certified mobile devices to access certain resources? Should you enforce tiers of access? Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and BYOD devices by enterprise users; they can remotely wipe the data on, or lock, a mobile device that has been lost or stolen. Should the enterprise require anti-malware software and OS upgrades before a device is certified for the network? To reduce the number of high-risk devices, consider technologies that can detect and ban mobile devices that are jailbroken or rooted, as these pose the greatest risk of being compromised by hackers.
5 – Application Security Testing
According to a study performed by the Ponemon Institute, nearly 40% of the 400 companies surveyed were not scanning their applications for security vulnerabilities, leaving the door wide open for cyber-attacks. This highlights the urgency for security teams to put together a security vetting process that identifies vulnerabilities and validates security requirements as part of an ongoing QA security testing function. Application scanning technologies typically use two methods: Static Application Security Testing (SAST), which analyzes the source code, and Dynamic Application Security Testing (DAST), which sends crafted HTTP requests to a running web application to find exploitable vulnerabilities. As the QA scanning process matures, it can be automated and injected into the software build process to detect security issues in the early phases of the SDLC.
6 – System Threat Model, Risk Management Process
What typically comes out of the application scanning process is a list of security findings classified as noise, suspect or definitive. It is then up to the security engineers, who know the system architecture and network topology, to work with the application developers to determine whether each finding is a valid threat and what its risk level is, based on the impact of a possible security breach. Once the risk for each application is determined, it can be managed through an enterprise risk management system where vulnerabilities are tracked and fixed and the risk is brought down to a more tolerable level.
7 – Consider implementing a Centralized Mobile Device Management System
Depending on the mobile security policy in place, you may want to consider implementing a centralized Mobile Device Management system, especially when Bring Your Own Device (BYOD) phones are in the mix. Such a system can:
- Manage certificates, security settings, profiles, etc. for mobile devices through a directory service or administration portal.
- Enforce security settings and restrictions for organization-issued and BYOD mobile devices through policy-based management.
- Manage credentials for each mobile device through a directory service.
- Provide self-service automation for BYOD, reducing overall administrative costs.
- Control which applications are installed on organization-issued devices and check for suspect applications on BYOD devices.
- Remotely wipe or lock a lost or stolen phone.
- Detect jailbroken or rooted mobile devices.
8 – Security Information and Event Management (SIEM)
Monitor mobile device traffic to back-end business applications. Track mobile devices and critical business applications, and correlate that activity with event and log information, looking for malicious activity based on threat intelligence. On some platforms it may be possible to integrate with a centralized risk management system so that suspicious mobile events correlated with higher-risk applications raise an alert.
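The correlation described above, as an added example that is not part of the original post: it joins constructed API gateway log lines with an MDM device inventory (steps 4 and 7) and the per-application risk levels from the threat model (step 6), and raises alerts for rooted devices, unenrolled devices, BYOD access to high-risk applications and bursts of authentication failures. The log format, device ids, application names and thresholds are all constructed.

```python
"""Added example: SIEM-style correlation of mobile access logs with MDM posture
and application risk. Every record below is constructed sample data."""
import re
from collections import Counter

# Constructed MDM inventory: ownership and whether the device is jailbroken/rooted.
MDM_INVENTORY = {
    "dev-1001": {"owner": "alice", "kind": "org-issued", "rooted": False},
    "dev-2002": {"owner": "bob",   "kind": "byod",       "rooted": False},
    "dev-3003": {"owner": "carol", "kind": "byod",       "rooted": True},
}

# Constructed output of the risk management process: risk level per back-end app.
APP_RISK = {"payroll-api": "high", "crm-api": "medium", "cafeteria-menu": "low"}

# Constructed API gateway log format: ts device=... user=... app=... status=...
LOG_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"app=(?P<app>\S+) status=(?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2015-03-02T08:01:10Z device=dev-1001 user=alice app=payroll-api status=200
2015-03-02T08:02:31Z device=dev-3003 user=carol app=crm-api status=200
2015-03-02T08:03:05Z device=dev-2002 user=bob app=payroll-api status=200
2015-03-02T08:04:00Z device=dev-9999 user=bob app=cafeteria-menu status=200
2015-03-02T08:05:01Z device=dev-2002 user=bob app=crm-api status=401
2015-03-02T08:05:02Z device=dev-2002 user=bob app=crm-api status=401
2015-03-02T08:05:03Z device=dev-2002 user=bob app=crm-api status=401
2015-03-02T08:05:04Z device=dev-2002 user=bob app=crm-api status=401
2015-03-02T08:05:05Z device=dev-2002 user=bob app=crm-api status=401
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def correlate(events, inventory=MDM_INVENTORY, app_risk=APP_RISK, auth_fail_threshold=5):
    """Return a list of (rule, device, app) alerts.

    Rules (each maps to one of the guidelines above):
      rooted-device   any access from a jailbroken/rooted device
      unknown-device  device not enrolled in MDM touching any application
      byod-high-risk  BYOD device reaching an application rated high risk
      auth-failures   >= threshold HTTP 401s from one device against one app
    """
    alerts = []
    failures = Counter()
    for ev in events:
        dev = inventory.get(ev["device"])
        app = ev["app"]
        risk = app_risk.get(app, "unknown")
        if dev is None:
            alerts.append(("unknown-device", ev["device"], app))
        else:
            if dev["rooted"]:
                alerts.append(("rooted-device", ev["device"], app))
            if dev["kind"] == "byod" and risk == "high":
                alerts.append(("byod-high-risk", ev["device"], app))
        if ev["status"] == "401":
            failures[(ev["device"], app)] += 1
    for (device, app), n in failures.items():
        if n >= auth_fail_threshold:
            alerts.append(("auth-failures", device, app))
    return alerts


def alert_summary(text=SAMPLE_LOG):
    """Rule name -> number of alerts, over the constructed sample log."""
    return Counter(rule for rule, _, _ in correlate(parse_log(text)))


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```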
- Guidelines for managing the Security of Mobile Devices in the Enterprise http://csrc.nist.gov/publications/PubsSPs.html#800-124
- Vetting the Security of Mobile Applications http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
- Top 10 Mobile Risks https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
Are your C-level leaders sending a clear message about Cyber Security?
Despite the high-profile security breaches making news headlines and the increased attention on cyber risks, executives in the C-suite still lack a common, clearly communicated goal when it comes to cybersecurity strategy. These individuals need to work together to manage their organizational risks in order to prepare for, mitigate and minimize the damage caused by cyber incidents.
Every organization needs a clear strategy and roadmap with supporting tools that protect critical assets. Read more about this topic and the crucial role the C-suite plays in the dynamics surrounding Cybersecurity.
We were sitting down with a client during some initial prioritization discussions in an Identity and Access Management (IAM) roadmap effort when the talk turned to entitlements and how they were currently being handled. Like many companies, they did not have a unified approach to managing entitlements in their new world of unified IAM (a.k.a. the end of the three-year roadmap we were helping to develop). Their definition of entitlements varied from person to person, let alone how they wanted to define and enforce them. We decided to take a step back and really dig into entitlements, entitlement enforcement, and some of the other factors that come into play, so we could put together a realistic enterprise entitlement management approach. We ended up having a really great discussion that touched on many areas within their enterprise. I wanted to briefly discuss a few of the topics that really seemed to resonate with the audience of stakeholders sitting in that meeting room.
(For the purpose of this discussion, entitlements refer to the privileges, permissions or access rights that a user is given within a particular application or group of applications. These rights are enforced by a set of tools that operate based on the defined policies put in place by the organization. Got it?)
- Which Data is the Most Valuable? – There were a lot of dissenting opinions on which pieces of data were the most business critical, which should be most readily available, and which data needed to be protected. As a company’s data is moved, replicated, aggregated, virtualized and monetized, a good data management program is critical to making sure that the organization has a handle on the critical data questions:
- What is my data worth?
- How much should I spend to protect that data?
- Who should be able to read/write/update this data?
- Can I trust the integrity of the data?
- The Deny Question – For a long time, least privilege was the primary model used to provide access: an entitlement is specifically granted for access and all other access is implicitly denied, giving users exactly the privilege they need to do their job and nothing more. Newer thinking says you should minimize complexity and administration by moving to an explicit-deny model, in which everyone can see everything unless it is explicitly forbidden. Granted, this model is mostly being tossed around at Gartner conferences, but I do think you will see more companies willing to loosen their grip on information that doesn’t need protection and focus their efforts on the data that is truly important to the company.
- Age-Old Questions – Fine-grained vs. coarse-grained. Roles vs. rules. Pirates vs. Ninjas. These are questions every organization has discussed while building its entitlements model.
- Should the entitlements be internal to the application or externalized for unified administration?
- Should roles be used to grant access, should we base those decisions on attributes about the users, or should we use some combination?
- Did he really throw Pirates vs. Ninjas in there to see if we were still paying attention? (Yes. Yes, I did).
There are no cut and dry answers for these questions, as it truly will vary from application to application and organization to organization. The important part is to come to a consensus on the approach and then provide the application teams, developers and security staff the tools to manage entitlements going forward.
- Are We Using the Right Tools? – This discussion always warms my heart, as finding the right technical solution for customers’ IAM needs is what I do for a living. I have my favorites and would love to share them with you, but that is for another time. As with the other topics, there isn’t a cookie-cutter answer. The right tool will come down to how you need to use it, your architecture, your selected development platform, and the system performance you require. Make sure you aren’t deciding the topics above based on your selected tool; rather, choose the tool based on the answers to those important questions.
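The deny question and the roles-vs-attributes question above, as an added example that is not part of the original post: one small evaluator runs the same rule set under least privilege (default deny) and under the explicit-deny model (default allow), mixing role-based and attribute-based conditions. The rules, roles, attributes and data set names are constructed; the point it shows is that under explicit deny, any data set nobody wrote a deny rule for is readable by everyone.

```python
"""Added example: the same entitlement rules evaluated under least privilege
(implicit deny) and under an explicit-deny model. All rules and users are constructed."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    effect: str                 # "allow" or "deny"
    action: str                 # "read", "write", ... ; "*" matches any action
    resource: str               # data set name; "*" matches any resource
    role: str = "*"             # role-based condition ("*" = any role)
    attrs: dict = field(default_factory=dict)   # attribute-based conditions

    def matches(self, user, action, resource):
        if self.action not in ("*", action) or self.resource not in ("*", resource):
            return False
        if self.role != "*" and self.role not in user["roles"]:
            return False
        return all(user.get(k) == v for k, v in self.attrs.items())


def decide(rules, user, action, resource, default="deny"):
    """An explicit deny always wins over an allow; with no matching rule the
    model's default applies: 'deny' for least privilege, 'allow' for explicit deny."""
    matched = [r for r in rules if r.matches(user, action, resource)]
    if any(r.effect == "deny" for r in matched):
        return "deny"
    if any(r.effect == "allow" for r in matched):
        return "allow"
    return default


# Constructed rule set mixing role-based and attribute-based conditions.
RULES = [
    Rule("allow", "read",  "customer-orders", role="sales"),
    Rule("allow", "write", "customer-orders", role="sales", attrs={"region": "us"}),
    Rule("allow", "*",     "payroll",         role="hr"),
    Rule("deny",  "*",     "payroll",         attrs={"employment": "contractor"}),
]

# Constructed users: roles plus the attributes the rules look at.
ALICE = {"name": "alice", "roles": ["sales"], "region": "us", "employment": "fte"}
DAVE = {"name": "dave", "roles": ["hr"], "region": "eu", "employment": "contractor"}


def compare_models(user, action, resource, rules=RULES):
    """Decision under least privilege (default deny) vs. explicit deny (default allow)."""
    return {
        "least_privilege": decide(rules, user, action, resource, default="deny"),
        "explicit_deny": decide(rules, user, action, resource, default="allow"),
    }


if __name__ == "__main__":
    # A data set nobody wrote a rule for: the two models disagree.
    print("merger-plans:", compare_models(ALICE, "read", "merger-plans"))
    # Payroll: the only deny rule names contractors, so under explicit deny
    # a full-time sales employee gets in.
    print("payroll:", compare_models(ALICE, "read", "payroll"))
```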
As I was preparing for Gartner’s Identity and Access Management conference next week in Las Vegas, I was thinking about some of the typical topics that attendees usually ask us about. There are always the people that want more information about the sexy, cutting edge topics like the Internet of Things, Privileged Identity Management and Adaptive Access Control. I love talking about these subjects as they are new and involve interesting problems. Solving interesting problems is fun and the reason many of us got into the information security field.
Another topic that frequently comes up isn’t quite as sexy or fun but really is a foundation function for a mature IAM system: What is Single Sign-On (SSO)? It seems like SSO is viewed by many as a commoditized feature these days but a surprising number of organizations are still in the early stages of investigating SSO and what it might mean for them.
When explaining SSO to someone, I used to lead off by breaking the news that they are never really going to have 100% single sign-on, but as more and more legacy desktop fat-client applications become web-enabled, it is much more likely that they can approach true single sign-on. These days I just get into a quick overview of what SSO means across a variety of use cases.
- Web-Based Single Sign-On – The most commonly recognized type of SSO is the sharing of credentials and user sessions across a common set of internally managed web applications. These can be things like Oracle e-Business Suite applications, portals and most other non-Software-as-a-Service (SaaS) web applications. A user is authenticated when the system validates the username and password (plus additional factors in some cases). They are given a session token in the form of a browser cookie that is validated and updated as they travel from application to application. Usually the same Access Management system also provides some level of authorization into these applications, but we’re not going to get into all that entails.
- Federation – Federation is a standards-based method of authenticating users into applications hosted by a third party, also called cloud-based or SaaS applications. Think of SalesForce.com or any of Oracle’s cloud applications. There are two sides to a federated agreement: the Service Provider controls the actual application, and the Identity Provider controls the user IDs and passwords. The session token is typically a SAML assertion that is consumed by both parties and includes all of the relevant user information. These SAML assertions can typically be consumed by the same Access Management system that provides SSO for the internal applications, allowing users to move seamlessly from application to application regardless of where each is hosted. (As an aside, when you hear Identity as a Service (IaaS) tossed around, it typically refers to a federation model in which you still control your account information but the IaaS is used to broker application access via federation.)
- Windows Native Authentication – This is the bridge to true SSO: the Access Management system integrates with a Windows domain to provide a seamless experience. A user authenticates into their domain at their initial login. Once validated, they receive a Kerberos ticket from the domain controller that contains user and session information, much like the browser token or SAML assertion. When they launch an application protected by the Access Management system, the Kerberos ticket is consumed, validated and then used as the basis for the Access Management system to issue its own session token.
- Enterprise SSO – eSSO, or desktop SSO, is based on agents installed on each workstation to handle the login process for fat-client and legacy applications. We don’t see this nearly as much now that more and more applications are moving to the web.
An example to tie it all together – I sit down at my workstation and log in for the morning. A Kerberos ticket is issued. I decide that I need to check the status of a customer lead in Salesforce.com, so I launch a browser and go to the site. When I land on the app, it queries its Identity Provider (our Access Management system) to find out who I am. The Access Management system sees that I have a valid Kerberos ticket, so it creates a SAML assertion and sends me back to Salesforce. This all happens behind the scenes and is usually pretty quick. Once I am done in Salesforce, I need to go to Oracle e-Business to check on the status of an order. I browse to the app. The Access Management system sees that there is an active SSO session (established during the Salesforce visit) and creates a new browser cookie to manage the session. I’d be able to go between any integrated app, onsite or in the cloud, and have SSO for the duration of that session.
Obviously, this is a super-simplified version of how SSO works but I find that it gives people who don’t have a working knowledge of IAM concepts a good understanding of the functionality that is typically grouped under the SSO umbrella.
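The morning walked through above, as an added example that is not from the original post: a toy Access Management system consumes a Kerberos ticket, opens an SSO session, answers the federated application with a SAML assertion, then serves the internal application from the existing session. Tickets, assertions and cookies are modelled as HMAC-signed records in a constructed format (not real Kerberos or SAML), and the signing key, service provider name and lifetimes are assumptions.

```python
"""Added example: a simplified Access Management system for the SSO walkthrough.
Token formats, key, names and lifetimes are constructed; this is not real Kerberos/SAML."""
import hashlib
import hmac
import json

SECRET = b"assumed-access-manager-signing-key"   # assumption: shared signing key
SESSION_TTL = 8 * 3600                           # assumption: 8-hour SSO session


def sign(record):
    """Encode a record as hex body + HMAC-SHA256 tag so tampering is detectable."""
    body = json.dumps(record, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def verify(token, now):
    """Return the record if the tag is valid and it has not expired, else None."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    record = json.loads(body)
    return record if record["exp"] > now else None


class AccessManager:
    """Issues an SSO session from a Kerberos ticket, SAML assertions for
    federated apps, and per-app cookies for internal apps."""

    def __init__(self):
        self.log = []   # trail of what was consumed and issued

    def domain_login(self, user, now):
        # Stand-in for the domain controller handing out a Kerberos ticket.
        return sign({"type": "krb", "sub": user, "exp": now + SESSION_TTL})

    def federated_visit(self, ticket, service_provider, now):
        """The SaaS app asks its Identity Provider who the user is; the ticket is
        consumed, an SSO session opens, and a SAML assertion goes back to the SP."""
        krb = verify(ticket, now)
        if krb is None or krb["type"] != "krb":
            self.log.append("kerberos ticket rejected")
            return None, None
        self.log.append(f"kerberos ticket consumed for {krb['sub']}")
        cookie = sign({"type": "session", "sub": krb["sub"], "exp": now + SESSION_TTL})
        saml = sign({"type": "saml", "sub": krb["sub"], "aud": service_provider,
                     "exp": now + 300})
        return cookie, saml

    def internal_visit(self, cookie, app, now):
        """An internal app protected by AM reuses the active session."""
        session = verify(cookie, now)
        if session is None or session["type"] != "session":
            self.log.append(f"{app}: no valid session, would prompt for login")
            return None
        self.log.append(f"{app}: active SSO session for {session['sub']}")
        return sign({"type": "app-cookie", "sub": session["sub"], "app": app,
                     "exp": session["exp"]})


def morning(now=1_700_000_000):
    """Workstation login -> Salesforce (federated) -> Oracle e-Business (web SSO)."""
    am = AccessManager()
    ticket = am.domain_login("keith", now)
    cookie, saml = am.federated_visit(ticket, "salesforce.example", now + 60)
    ebs_cookie = am.internal_visit(cookie, "oracle-ebs", now + 120)
    assertion = verify(saml, now + 61)
    return {"saml_subject": assertion["sub"], "saml_audience": assertion["aud"],
            "ebs_user": verify(ebs_cookie, now + 121)["sub"], "steps": am.log}


def tampered_ticket_rejected(now=1_700_000_000):
    am = AccessManager()
    ticket = am.domain_login("keith", now)
    forged = ticket[:-1] + ("0" if ticket[-1] != "0" else "1")   # corrupt the tag
    return am.federated_visit(forged, "salesforce.example", now) == (None, None)


def session_expires_after_ttl(now=1_700_000_000):
    am = AccessManager()
    cookie, _ = am.federated_visit(am.domain_login("keith", now), "salesforce.example", now)
    return am.internal_visit(cookie, "oracle-ebs", now + SESSION_TTL + 1) is None


if __name__ == "__main__":
    print(morning())
```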
As a note, PathMaker Group typically implements SSO early in the release roadmap as it can be a quick win that shows value and progress to stakeholders. We can get through a typical SSO project from requirements through production deployment in 3-4 months depending on scope and complexity. Reach out to us to see how we can help you get your SSO project underway.
Identity and Access Management (“IAM”) as an industry started gaining significant recognition and momentum around 2003. During these last 12 years, we’ve seen product vendors come and go, we’ve seen industry consolidation, and we’ve seen important product innovation driven by real business need.
While all this has been going on, many companies have leveraged IAM products to achieve important and significant gains in security, efficiency and compliance enforcement. On the other hand, some companies have tried and tried to establish effective IAM programs only to fail in their attempts to affect real change.
What makes one company succeed and another one fail while attempting to leverage the same products and technologies? What are the characteristics of a truly mature IAM program?
Over the next few weeks, I will attempt to address these questions. I also hope to create an important dialogue among those of you who have “been at it” for the last 5-10 years and have seen and been part of great successes and colossal failures. Although I have been part of hundreds of IAM projects, and will lend my experience to the discussion, you, as the readers and contributors, may have much more to contribute to make this topic come alive. Will you help?
Let’s get started with three important characteristics of a mature IAM program. This list is not exhaustive but these capabilities are common among organizations that have made IAM a strategic part of the IT infrastructure.
#1 – User Identity Integration
Pieces and parts of a user’s identity can exist across many different systems in an enterprise. HR systems are an obvious source along with IT systems like Active Directory. Then there is the badge or physical access system, the phone system, and various business applications that become critical for a user to perform their role. Before long, keeping up with all these disparate systems and keeping user attributes current becomes unmanageable. Most organizations recognize the problem and also recognize the need for a consolidated view of a user’s identity. It seems simple enough, but it takes planning, time and good processes to move an organization down the road to centralizing processes, automating synchronization, and removing redundant identity attributes from across the enterprise.
#2 – Account Provisioning
Creating an account on the appropriate system with the correct permissions is a straightforward task when you’ve been given the right information and have the time to get it done. When a company grows to around 3,000 employees, the enterprise reaches a tipping point where doing this with people and manual effort becomes untenable. Too many requests for new accounts, too many changes to existing accounts, and repeated requests to remove accounts for terminated employees all begin to pile up. This creates a backlog that delays new workers from getting started, hampers productivity, and creates security exposures where the accounts of terminated employees remain active far too long. Centralizing and standardizing the process can help, but adding technology that provides automation speeds up the process while enforcing identity standards, access entitlements, and important policies. Automatic removal of terminated employees’ accounts is also a significant gain. All accounts on key systems can then be tied back to a central, validated user account, eliminating unknown, orphaned user ids from across the enterprise.
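The consolidated identity view from #1 and the tie-back of every account to a validated user from #2, as an added example that is not from the original post: a small reconciliation joins constructed HR records with constructed Active Directory, ERP and badge-system accounts, builds the single view of a user, and flags orphaned ids and still-enabled accounts of terminated employees. The employee-id join key, the grace period and all records are assumptions.

```python
"""Added example: reconciling accounts on key systems against the HR system of
record. HR records, accounts, the join key and the grace period are constructed."""
from datetime import date

# Constructed system of record (HR feed): employee id -> status and attributes.
HR = {
    "E100": {"name": "Alice Ng", "status": "active", "dept": "sales"},
    "E200": {"name": "Bob Ruiz", "status": "terminated", "dept": "finance",
             "term_date": date(2015, 1, 15)},
    "E300": {"name": "Carol Wu", "status": "active", "dept": "hr"},
}

# Constructed accounts pulled from target systems; owner is the HR id if the
# system stores one, None if the account was created outside the process.
ACCOUNTS = [
    {"system": "ad",    "id": "ang",     "owner": "E100", "enabled": True},
    {"system": "ad",    "id": "bruiz",   "owner": "E200", "enabled": True},   # terminated, still on
    {"system": "ad",    "id": "svc_bkp", "owner": None,   "enabled": True},   # no HR owner
    {"system": "erp",   "id": "AN01",    "owner": "E100", "enabled": True},
    {"system": "erp",   "id": "BR01",    "owner": "E200", "enabled": False},  # already disabled
    {"system": "badge", "id": "7781",    "owner": "E999", "enabled": True},   # owner unknown to HR
    {"system": "erp",   "id": "CW01",    "owner": "E300", "enabled": True},
]


def reconcile(accounts=ACCOUNTS, hr=HR, today=date(2015, 3, 1), grace_days=3):
    """Classify every account on the key systems:
         ok      linked to a known employee (active, or terminated and already disabled)
         orphan  no owner recorded, or the owner id is unknown to HR
         stale   owner terminated longer than grace_days ago but account still enabled
    The 'stale' and 'orphan' lists are the deprovisioning and investigation work lists."""
    findings = {"ok": [], "orphan": [], "stale": []}
    for acct in accounts:
        key = (acct["system"], acct["id"])
        person = hr.get(acct["owner"]) if acct["owner"] else None
        if person is None:
            findings["orphan"].append(key)
        elif (person["status"] == "terminated" and acct["enabled"]
              and (today - person["term_date"]).days > grace_days):
            findings["stale"].append(key)
        else:
            findings["ok"].append(key)
    return findings


def consolidated_identity(employee_id, accounts=ACCOUNTS, hr=HR):
    """The single consolidated view of a user: HR attributes plus every linked account."""
    person = hr.get(employee_id)
    if person is None:
        return None
    view = dict(person)
    view["accounts"] = {a["system"]: a["id"] for a in accounts if a["owner"] == employee_id}
    return view


if __name__ == "__main__":
    for bucket, keys in reconcile().items():
        print(bucket, keys)
    print(consolidated_identity("E100"))
```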
#3 – Password Management
Password management faces a similar challenge as an organization grows and adds more and more people, systems and applications. The initial step should be to provide tools that help desk personnel can use to centralize and automate this activity. Ultimately an organization needs to move this function away from the help desk and enable end users to manage their own passwords on key systems, including resetting their own Active Directory password. This is another step that seems simple on the surface but can take a significant amount of planning and coordination to get right and keep running smoothly. Organizations that make a misstep on their first attempt find it difficult to gain user adoption the second (or third) time around. Eventually, standardized help desk procedures can assist the user community in adopting the self-service approach to managing passwords.
Identity integration, provisioning and password management are three essential building blocks, but there are another 8 – 10 key capabilities we could discuss that should be considered when talking about IAM maturity. What other capabilities would you consider to be essential building blocks? Please contribute to the discussion.
Up next, let’s talk about the essentials for planning a long-term, mature IAM program. If you’re just getting started or have been struggling to make progress, what are some of the keys to putting plans in place that can be effectively executed?
Sadly, the CEO presiding over Target during the recent data breach resigned today. See the USA Today article.
This series of unfortunate events for Target raises a key question about the risks every company CEO faces today. Did Target leadership ask the right questions about overall IT security and the risk the company faces?
Protecting a company from cyber bad guys is a never-ending battle. It’s a game of leapfrog with some serious consequences if you fall behind. With full-time, professionally paid, government-backed hackers spending all day, every day figuring out new ways to wreck a company, combating this enemy needs to be a high priority for every CIO and CEO. But it’s not just about spending all the money you can afford to spend. It’s about understanding where to spend the money, and on the right technology.
How do leaders responsible for protecting a company sort out all the noise from the real threats? This has become a constant exercise in analyzing risk and applying financial priorities accordingly.
As fast as the bad guys are coming up with new ways to exploit a target, new innovative minds are working to counter their moves. Many of these great technologies are being folded into a portfolio of products and solutions that can be layered across an enterprise to protect and prevent the latest threats from creating the worst kind of headlines.
IBM has been on a major buying spree for the last several years, snapping up some of the best and brightest technologies and resources across the globe. They are quickly assembling an array of tools that are being shaped into the world’s best security risk analysis platform. By following this risk-based assessment direction, IT leaders can depend on technologies that not only provide intelligence about where to address risk, but are probably the best that money can buy.
IBM is currently the third largest security company in the world, with the goal of being the largest and the best. As a Premier IBM Business Partner, we see this investment first hand. See ComputerWorld’s perspective.
PathMaker Group serves our customers by planning, implementing, and managing these security solutions across the enterprise. IT Security is a rapidly changing, complex business and our partnership with IBM helps us keep our customers one step ahead of the bad guys.
How did they pull it off and how can you safeguard your environment from a similar event?
The Target Stores data breach started with the exploitation of a vulnerability in an externally facing web server. Once inside, the hackers took command of an internal server and planted malware on the point-of-sale devices in stores all over the US. The harvested data was stored internally until the hackers reached back in to grab the millions of credit card account records that were stolen. More details can be found at http://krebsonsecurity.com/
With the tools available today, how could this event happen? What can you do to safeguard your environment from a similar incident?
PathMaker Group recommends the following measures:
- Assess the overall security posture of your organization. Our company provides a rapid assessment covering 16 security domains enabling you to understand where you may have major gaps. We can help you prioritize these gaps to help you to maximize your risk mitigation.
- Test your environment (and your website code) for vulnerabilities. External and internal penetration testing is a necessary starting place, but if you develop your own website code, scanning the application code before releasing the system to production is essential, as these techniques and tools will surface many more vulnerabilities. We can help with both of these services.
- Leverage security intelligence technologies to correlate and identify suspect events before massive damage can occur. We can rapidly deploy an industry leading solution for you in a matter of days including setting up a managed service.
For help or more information, please contact PathMaker Group at 817-704-3644
Keith Squires, President and CEO, has been in high demand by the media to add insight to this recent news. Radio and television news interviews, including CBS National News, are available to view at the following link:
Target suffered a major data breach, losing credit, debit and REDcard numbers for as many as 40 million customers across 1,900 stores in the US and Canada. This will go down as one of the largest breaches in recent history, and it comes at the worst possible time: consumers may have to cancel their cards just as they are trying to finish their Christmas shopping. Target says the issue has been resolved. Keep an eye on your accounts and, if you see any suspect activity, cancel your card right away.
Are you doing everything you can to prevent a breach like this at your company?
Talk to PathMaker Group about our 16 domain security assessment.
Learn more about the Target breach at their corporate website.
So you think your organization is secure . . . think again! The IBM X-Force 2013 mid-year report says that many of the breaches recently reported were a result of “poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.” Covering the basics is exactly what we help companies achieve through our “SecurePath” 16-domain rapid security assessment. In one week we can review your security posture, cover all your bases, and help you prioritize the big security gaps in your environment.
Who We Are
PathMaker Group is a specialized Security and Identity Management Consultancy, blending core technical and product expertise, consultative know-how, and extensive implementation experience.
635 Fritz Drive
Coppell, TX 75019
1250 Capital of Texas Hwy
Bldg 3, Suite 400
Austin, TX 78746