Tuesday, February 26, 2013

Security of Enterprise Mobile Apps

 A colleague invited my attention to this article.  I was engaged by this headline :


The best way to keep mobile apps safe is to secure the services they connect to.”

Perhaps.   In any case, this is good treatise on the security of client-server applications. 

However, the quote seems to suggest that the risk is that client mobile apps are being contaminated by connecting to rogue services.  In fact, the risk to the enterprise is more likely that rogue or compromised apps on mobile devices will leak sensitive data into the network.  Even that risk ranks after the risk to the user that rogue apps will incur charges; this is one way that rogue apps are being monetized.

Therefore, the issue for the enterprise is not protecting the client app from the server, or any server, but protecting the application and its data on the server.  The best way to do that is to ensure that the server will only accept connections from known and trusted clients.  Said another way, use crypto to authenticate the code in the app to ensure that it is the code that you think that it is; then use crypto to authenticate the client application and bind it to the server end-to-end. 

The owner (not necessarily the user) of the mobile device must get the client app from trusted sources, e.g., iTunes, the enterprise itself, and protect it from contamination or compromise from other apps.  (If the enterprise does not yet know how to protect its servers, this discussion  is premature.)  Again, trusted apps from trusted sources via trusted transport or packaging.  (This assumes that the enterprise has a sufficiently well-controlled development process that it can produce application programs that do what, and only what, it intends.) 

To protect against any unacceptable residual risk of a rogue application on the mobile device, one should prefer a mobile device operating system, e.g., iOS, that provides good process-to-process isolation.  For highly sensitive applications one should use a mobile device dedicated to that application.  Hardware is cheap.  This is a cost of high security and must be balanced against the risk or sensitivity of the application.  (One should not use a shared device and then whine about its operating system.) 

Wednesday, February 20, 2013

EO 13636 Improving Critical Infrastructure Cybersecurity

The Executive Order

Fairly well done, Mr. President.  The order is addressed to people who report to you and written in the active voice.  It tells them clearly and directly what they are expected to do.  It fixes responsibility, accountability, and schedules.  It requires measurement and reporting.  It does not increase the power of the government to do anything, for example regulate or control privately owned infrastructure, that it is not already empowered to do.  It articulates clear limits on what is intended.  It also specifies self-corrective measures.

However, while it requires that actions should be “risk based,” it fails to establish or articulate the level of risk tolerance.  Instead, it leaves this determination to the various agencies of the government.  One must be concerned that the acceptable level will be poorly articulated in some cases and chosen for the benefit of the agency in others. 

Part of the problem that the order sets out to address is that the private owners of the infrastructure are each choosing their own level of risk.  This results in over spending by some and under spending by others.  This is clearly inefficient.  Think of a fence that is very high in some places but can be stepped over in others. 

This has been the problem with government security from the day one.  Instead of establishing an objective level of risk, the government relies upon the owner/author of a document, file, message,  or other data object, to specify its “classification,” that is, the set of protective measures to be implemented and paid for by others.  This results in "@least common" security.  That is why the government sets such a poor example of security. 

All in all, this is a good first effort.  It is not likely to do any harm.  However, the problem that it addresses is deeply rooted in culture and we know from bitter experience that culture is resistant to change.  However, Mothers Against Drunk (drinking and) Driving (MADD) and the anti-smoking campaign lend hope that we can do it.