A holistic approach towards mobile security

Friday, 26 August 2016 00:02


From left: WSO2 Sri Lanka Ltd Director - API Architecture Sumedha Rubasinghe, WSO2 Sri Lanka Ltd Mobile Architecture Former Director Sinnathamby Shanmugarajah (Shan), Epic Technology Group Executive Chairman/MD Nayana Dehigama, FINCSIRT Information Security Manager Loshan Wickramasekara and CICRA Holdings Executive Director Vasana Wickremasena (Moderator) - Pix by Samantha Perera and Nirmala Dananjaya


By Hiyal Biyagamage

At the recently-concluded Cyber Security Summit 2016, experts from the mobile telco industry expressed their views on the importance of secured mobile applications. The summit, which was held for the fourth consecutive time, was co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT. The final session of the summit was themed ‘Tame the Villain Walks with You: Mobile Security Preparedness’.

The invisible identity 

Delivering the keynote address, Dialog Axiata PLC Sri Lanka Group Chief Information Officer Anthony Rodrigo made some key points on the benefits of single sign-on (SSO) and the revolutionary Mobile Connect, which allows users to log into websites and applications safely without a password. 

He gave an overview of Dialog’s value-added services such as eZ Cash, which helps non-banking communities to participate in the electronic money economy, Dialog Mobile Insurance and mobile internet payments with two-factor authentication via USSD/SMS, and pointed out that millions of Dialog customers are already using their mobile ID indirectly when consuming these services. However, he said that many of these authentication services are still fragmented, with the mobile identity being invisible as a core product.

“If you look at legacy mobile ID services and digital services, the number of sign-in instances over a period of time has shown an immense upsurge. On a daily basis, people access different value-added services and each time, they enter a different username and password to gain access. When the Internet of Things hits the market, telco businesses will be scratching their heads just to manage the number of sign-ins with thousands of apps. This means that usernames and passwords will be scattered and fragmented everywhere and this is why there is an important discussion on enabling a single login. The aim is to make users’ lives so much easier without remembering multiple usernames and passwords,” said Rodrigo.

Rodrigo said that telco operators across the globe have been trying to implement single sign-on across their infrastructures to provide their line-of-business clients with an improved user experience. Single sign-on brings many advantages. It will eliminate password fatigue (this is caused by having to remember too many passwords and inadvertently, users will adhere to insecure password practices), increase user productivity, improve user experience through automatic login and reduce the risk of user account lockout. 

“Imagine the cost that companies have to bear when implementing a solution to store millions of sign-in details. A typical integration would cost a good fortune for organisations and you might have to spend so many hours to figure out the best solution. That is why a single sign-on will give a user the feel of ease and guaranteed security when he or she enters an application or a website. During the course of a day, users may access dozens of applications for productivity and collaboration tasks. Simplifying the process of accessing these resources to a ‘sign once and done’ experience will provide a number of benefits.”

According to Rodrigo, the million-dollar question for telco operators was to bring down the implementation cost by 20 times. “With cost out of the equation, the discussion becomes all about customer experience and engagement,” he said.

Mobile Connect

Rodrigo spoke about Mobile Connect, a convenient and secure universal log-in solution with privacy protection, developed by the GSMA and its operator partners. By using the inherent security of the mobile devices carried by consumers, Mobile Connect can provide authentication at a number of security levels on any device (PC, mobile or tablet). It reduces the need for consumers to remember multiple usernames and passwords, thereby lowering the likelihood of abandoned shopping carts and increasing sales for online businesses.

“Mobile Connect is the new standard in digital authentication. Mobile operators can now make users’ digital lives safe and convenient using this platform. With Mobile Connect, the user is authenticated through their mobile phone, rather than through personal information. This makes logging in safer and more secure. The beauty of this is that service providers cannot touch user data without their consent, which makes logging more private.”

Back in 2014, Dialog Axiata launched a beta trial of the Mobile Connect service, the first implementation of Mobile Connect anywhere in the world. Dialog co-developed the gateway with WSO2. Rodrigo said that the total number of global Mobile Connect users had risen to a staggering 2.8 billion by June 2016 from a mere 26 million in April 2014. More than 42 operators in 22 countries are implementing Mobile Connect to ensure a flawless authentication process for their users.

“It is convenient by every means and it eliminates the ever-increasing number of passwords we need in order to securely maintain our online identities. Mobile Connect is trusted, which gives users control over their data, helping them to make their online interactions with confidence, and it will also help mobile operators to leverage their status as trusted guardians of their personal data. Most importantly, Mobile Connect speaks of security, which drives economic growth through the reduction of online cart abandonment and cybercrime,” said Rodrigo during his presentation.

According to global research conducted by the GSMA, 88% of users have said that they would prefer to have just one strong password to remember. 68% of users have said forgetting passwords is a significant problem and 40% of users have admitted to using the ‘forgot password’ feature once a month. However, 75% of consumers worldwide are interested in their location being transmitted to their bank to enable easier use of their credit card abroad, and 72% of consumers have shown interest in adopting Mobile Connect.

“The value of abandoned transactions in 2014 is estimated at US$ 4 trillion. 86% of online users have left a website when asked to register and 74% of users abandoned their shopping cart in 2013, up from 69% in 2011. ^3% of these abandoned operations could be recoverable by online hackers. That is why a seamless and secure authentication method like Mobile Connect will reduce online fraud for mobile operators and other online service providers,” Rodrigo said.

The Dialog-WSO2 gateway is also empowering India’s six leading mobile operators to enable Mobile Connect across the country. The six operators, Bharti Airtel, Aircel, Idea, Telenor, Tata Teleservices and Vodafone, serve more than 800 million consumers across India.


Mobile security needs a holistic approach

Addressing the gathering, Sinnathamby Shanmugarajah (Shan), former Mobile Architecture Director at WSO2 Sri Lanka, spoke about how mobile devices disrupt traditional businesses, introducing new avenues for organisations to up their game. 

Technology is independent and enables various platforms to communicate with each other, but when it comes to resources, some of the devices are owned by the enterprise while others are brought in by employees, said Shan. 

He spoke about enterprise mobility, the use of mobile devices to perform business operations, and its many challenges, saying that the current risk levels from mobile devices will double within the next two to three years as the Internet of Things (IoT) gains popularity.

“The introduction of technology into a business can decrease the gap between stakeholders and the business. Mobility further narrows that gap however there are reprimands. With mobility, your productivity level goes up with the capability to access information anywhere, anytime. However, it increases the level of risk as well. The question is whether we allow mobility within our organisational premises. Mobility has become the primary access mechanism for employees and customers to interact with the business,” Shan explained.

Mobile devices contain applications, documents, stored credentials, photographs, preferences and email, and most of those items are not intended for unrestricted access. Therefore, the devices need to be protected against access to, use of and modification of data. Although data comes in many forms, it can generally be broken into two broad categories: corporate and personal. 

“The point is there is valuable information on mobile devices that is attractive to adversaries. Holders of those devices may not be fully aware of the consequences of loss or modification of that data,” said Shan.

Direct extrusion of data, possibly bypassing data loss prevention (DLP) systems, and violation of administrative controls (restrictions on user behaviour) are typical ways in which insiders would attack your mobile device. Tricking users into installing malicious profiles, malware or repackaged apps that could then be used to transmit or relay data, or establishing a path where network traffic is sniffed or, worse, where an attacker can act as a man in the middle (MITM), are actions an outsider would leverage to access data.

Shan said that even if you protect your mobile device with a strong password and encryption, vulnerabilities in the device operating system, malicious Wi-Fi networks or installed applications may still leave traces that can direct an attack. 


Protecting your data

He explained how security could be provided using two different methods: device-based approach and application-based approach.

“Using Mobile Device Management (MDM), you could control the entire device. Here a policy is enforced before allowing access to the corporate data. This could include password policies, and an MDM can also monitor the location of the device and configure it according to proper security standards so that no outsider could enter. Application-based protection addresses three types of apps: vendor apps, downloaded apps and enterprise apps. The Android and Apple app explosion in late 2008 made it necessary for corporations to incorporate these devices into their formerly homogeneous mobile device environment. 

“Users install applications whenever they need another tool to help them achieve desired results, and they expect to use them wherever they happen to be, connecting to cellular and Wi-Fi networks. Some new approaches have evolved in device management to attempt to manage enterprise mobility. Some organisations whitelist or blacklist applications, largely manually, in an attempt to reduce the introduction of mobile malware. Additional efforts have been focused on limiting the sources of applications that can be installed, reducing the possible sources from which a malicious application can be installed,” said Shan.
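As an added illustration of the device-based policy enforcement and the application allowlisting and blocklisting Shan describes, the following example (written for this article, not code from WSO2 or any MDM product; the posture fields, policy names and app identifiers are hypothetical) evaluates a device against a policy before corporate data is released:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class InstalledApp:
    package: str
    source: str          # hypothetical origin label, e.g. "enterprise_store"

@dataclass
class DevicePosture:
    passcode_length: int
    storage_encrypted: bool
    apps: tuple          # tuple of InstalledApp reported by the device

@dataclass
class Policy:
    min_passcode_length: int = 6
    require_encryption: bool = True
    allowed_sources: frozenset = frozenset({"play_store", "enterprise_store"})
    blocklist: frozenset = frozenset()
    allowlist: Optional[frozenset] = None   # None: allowlisting not enforced

def evaluate(device: DevicePosture, policy: Policy) -> list:
    """Return every policy violation; an empty list means the device is compliant."""
    violations = []
    if device.passcode_length < policy.min_passcode_length:
        violations.append(f"passcode shorter than {policy.min_passcode_length}")
    if policy.require_encryption and not device.storage_encrypted:
        violations.append("storage not encrypted")
    for app in device.apps:
        if app.source not in policy.allowed_sources:
            violations.append(f"{app.package}: installed from disallowed source {app.source}")
        if app.package in policy.blocklist:
            violations.append(f"{app.package}: blocklisted")
        if policy.allowlist is not None and app.package not in policy.allowlist:
            violations.append(f"{app.package}: not on allowlist")
    return violations

def grant_corporate_access(device: DevicePosture, policy: Policy) -> bool:
    """The MDM gate: corporate data is released only when no violation remains."""
    return not evaluate(device, policy)

# Constructed sample policy and device reports (not real packages or devices).
CORP_POLICY = Policy(blocklist=frozenset({"com.example.repackaged_mail"}))
COMPLIANT = DevicePosture(8, True, (InstalledApp("com.example.mail", "enterprise_store"),))
NONCOMPLIANT = DevicePosture(4, False, (
    InstalledApp("com.example.repackaged_mail", "sideload"),
    InstalledApp("com.example.notes", "play_store"),
))

if __name__ == "__main__":
    for name, dev in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(name, grant_corporate_access(dev, CORP_POLICY), evaluate(dev, CORP_POLICY))
```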

Shan spoke about containers, which have been deployed to create software and policy boundaries around data. The container secures the data, typically using encryption to separate container information from the other data stored on the device, and allows partner applications within the container to share data and possibly credentials. 

He also discussed virtualisation, where the application and data are not actually present on the mobile device or are executing as a guest OS on the device. Furthermore, he discussed mobile desktop virtualisation, mobile web application as well as Mobile App Management (MAM), a tool used in enterprise mobility management to control the data inside the application.


Preparing the workforce

Developing applications that use corporate data is really not enterprise mobility, said Shan. 

“The first step in achieving mobility is to prepare the workforce. There should be a team that has been properly trained and has experience in mobile technology and security. Certification is a great way to determine the effectiveness of employees’ ability to meet business demands and expectations. Once you have your team, you can use any enterprise mobility management tool. This will allow the enterprise to have control of the devices and apps. 

However, the tool needs to be open-source to ensure that it doesn’t leak your data. There are mobility management companies to which you can subscribe and tools that you can purchase and implement in-house – but in this case, you don’t know what is really happening to your data.”

He also pointed out the importance of choosing the correct strategy that is going to fit your organisation perfectly. Is MDM going to help me, or is it MAM? Should I enforce a BYOD policy or a COPE policy? Then, organisations need to think about their strategy on mobile application development.

“There are six different ways you can build an application: responsive web apps, hybrid web apps, mobile web, hybrid native, native apps and widgets. If you feel that you only have a limited pool of developers, go for a responsive web or hybrid web approach. If it is a case of instantly publishing the app, responsive web will be the ideal approach. Analyse what is going to be the best approach for you and put it in place.”

“The next important step is to do a threat modelling process for mobile application development. Companies rarely do threat modelling for mobile apps but it’s very important. Before you start development, you have to do threat modelling; the other way around is not effective and a waste of time. The areas of concern would be mobile app architecture, mobile data, threat agent identification, methods of attack and controls. Finally, conduct a security code review of the application, followed by penetration testing and fuzz testing,” Shan opined. 


Not just a small computer

Speaking at the panel discussion, Epic Technology Group Executive Chairman and Managing Director Nayana Dehigama said mobile devices need to be identified, secured and managed like every business asset in an organisation.

“Mobile devices are more than just small computers; they are key business and productivity tools of an organisation. The operating paradigm of these devices calls for new approaches to ensure the data processed by them remains secure while maintaining productivity. The ecosystem to manage these devices must include both technical and operational controls, and it must integrate into the overall operational awareness for the business. So, it is important that these game-changing devices are properly evaluated and secured like any other business asset within the organisation.”

“The omnipresent use of mobile devices stores a mixture of corporate and personal data that are online continuously, seamlessly connecting to the closest available network, downloading and uploading data whenever possible, and carried with users continuously. It is no secret that we use our personal device to check a corporate email on a daily basis. Taking everything into consideration, the problem with mobile devices remains a systemic one. Organisations must be more and more proactive about patching up the holes in their remote access strategies at every stage, from policy creation to the technologies’ implementations. The approach should truly be a holistic one,” said Dehigama. 

The EC-Council Cyber Security Summit 2016 was co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT. Supported by the ICT Agency, the strategic partners of the 2016 Cyber Security Summit were Microsoft and CISCO, the electronic payment gateway was LankaPay, the insurance partner was Sri Lanka Insurance, the creative partner was BBDO Lanka, the printing partner was OfficeMax, the hospitality partner was Cinnamon Lakeside and the electronic media partners were MTV and MBC Radio. Deakin University and EPIC Lanka also extended their support to the Summit.
