Last month, I met some major telecom companies and during these meetings, the business and security leaders discussed the challenges they face in their B2C mobility initiative. The concerns were around launching mobile applications for various mobile operating systems and platforms, deciding the right communication channels and of course security.

B2C mobile apps architecture involves mobile client apps, middleware applications and external integration services which make it complex. This is true for any company wanting to provide a mobile application to their consumers and not just telecom companies.

Key Security Risks

A B2C mobile apps has four major risk categories – mobile client app risk, middleware application risk, mobile applications interfaces risks and device lost / stolen case risks. Below are some major security risks for mobile applications:

• Mobile Client App Security Risks

1. A malicious user can perform reverse engineering attacks to get sensitive information on improper signed application.
2. Weak cryptographic implementation for critical data storage on device’s local data storage can lead to fraudulent transactions.

• Middleware Application Security risks

1. In middleware applications where web services – HTTP, SOAP, REST – are used, an adversary may attempt to intercept request/response messages
2. Insecure network communications channels may lead to tampering of middleware/interfaces parameters and/or database compromises.

• Mobile Application Interfaces risks

1. Mobile applications connect to the backend and database servers through various interfaces. Insecure interfaces may lead to data tampering, Denial of Services and message reply attacks.
2. Improper data validations may lead to SQL injections, Cross site scripting attacks.

• Device lost/stolen case risks

1. In case of device lost/stolen, un-authorized user may misuse data on device

Securing the B2C Mobile Application

To secure your mobility initiative organizations should focus on security of the entire eco-system including:

• Mobile client and server applications,
• Middleware applications, its interfaces, web services,
• Communication channels and
• Local device data storage.

Securing only one or two components will not help secure the entire chain, since the chain is only as strong as your weakest link.

Top 10 suggestions to secure your B2C mobile application would be:

1. Validate all trusted (local data storage or server data storage) and not trusted (invalid user inputs e.g., special characters) inputs in the mobile client application
2. Encrypt request and response messages
3. Use secure web services
4. Use appropriate security controls for firmware and middleware applications
5. Encrypt data storage on local handheld devices
6. Employ a strong authentication mechanism
7. Release proper signed mobile apps
8. Remote data wipe configurations to prevent unauthorized access
9. Session management
10. Restricting access to the integration services and its configurations

Happy mobilizing!

Author

Mr. Suhas Desai,
Sr. Consultant – Mobile Security Practice
Aujas Risk Management Services

Introduction:

While Identity and Access management (IAM) projects can solve multiple problems, they can also become complex and time consuming. Most organizations struggle with the question, “To deploy or not to deploy”. Is there an ROI? Are there real benefits at the end of the tunnel? These are typical questions most CIOs ask.

Aujas has implemented large IAM projects for clients across industry verticals. In a series of articles, we plan to discuss what benefits a client can expect realistically. We will provide the “Before and After” view by discussing scenarios prior to IAM implementation and scenarios post implementation.

In this first article of the series, we are going to cover the aspect of Helpdesk calls related to access management.

Client Background:

The client is a country arm of a global financial services company with a large user base of over 10,000 and growing. The user base includes internal users, external users and contractors. Additionally, the organization works with more than 50,000 agents. The business operations are supported by over 30 business critical applications that are built on diverse and heterogeneous technology platforms, and managed by different business teams.

Before IAM:

One key problem the client had was of managing user identities across enterprise applications. While there were support teams for each of the application, there were no universal and common procedure followed for user requests to avail application access.

With this approach, although the process for requesting access was defined, the implementation lacked user ID standardization, strong password policies, escalation matrix, audit and compliance reports to name a few.

Users had to remember multiple sets of user IDs and passwords to login to applications. Because of this, there was a huge backlog in helpdesk calls for password reset, unlocking accounts and other such requests.

The Solution:

Aujas successfully implemented a leading IAM suite to address the client requirements. The solution included:

• User Provisioning System: To streamline the business processes by defining a centralized control to manage identity records. The processes to provision access to business applications were refined to leverage the automated system. Access provisioning was aligned with roles and a self-service interface was setup to allow users to request application access and their approvers to grant or reject the request.

• Access Management System: A comprehensive access management system comprising web access management and enterprise Single Sign-on (SSO) was setup. The access management system provided a unified and dynamic portal for users to see and access their currently approved applications. This system allowed users to access the web easily, thick client and terminal based applications in a safe manner without the hassle of remembering different passwords and policies, thereby drastically enhancing user experience. 

After IAM:

Even though the client saw many positive improvements, the biggest benefits were seen in the following two categories:

• Productivity Increase: The key factor in productivity increase stemmed from the reduction in turn-around time for Access Provisioning. The turn-around time reduced from an average of 4 days to less than 15 minutes – a 99% decline.

  This led to an enormous productivity improvement for the client. With an average growth of user base at 30% (3000 employees), the 4 days saved per employee in access provisioning led to tremendous increase in productivity as the client saved over 12,000 man-days of effort annually.

• Cost savings: Reduction in user account management related helpdesk calls from 5500 per month to 500 per month (90% reduction). On an average, a helpdesk call costs $10. Hence, the solution provided savings of $50,000 per month ($600,000 per annum).

  Additionally, the solution provided savings in lost productivity. Earlier the helpdesk received 100 account lockout tickets per day with an average turnaround time of 4 hours. The new solution allowed the client to eliminate almost all account lockout situations (90% reduction). Totally, around 13,000 man-days were saved which would have been wasted otherwise.

Conclusion:

There are definite benefits in terms of automating your access provisioning system. The primary benefits are around productivity increase and cost savings and these are only a few of them. We will cover other benefits like security, risk management and other productivity improvements as we go along in this series.

Author(s):

Mohit Vaish
Practice Head – IAM
Aujas Risk Management Services

Ms. Amitha Raju
Consultant – IAM Practice

Here is what Rumelt says, “Back in the 1930s, the Graf Zeppelin and the Hindenburg were the largest aircraft that had ever flown. The Hindenburg was as big as the Titanic. Together these vehicles had made 620-odd successful flights when one evening the Hindenburg suddenly burst into flames and fell to the ground in New Jersey. That was May 1937.”

Years ago, I had a chance to chat with a guy who had actually flown over Europe in the Hindenburg. He had this wistful memory of it being a wonderful ride. He said, “It seemed so safe. It was smooth, not like the bumpy rides you get in airplanes today.” Well, the ride in the Hindenburg was smooth, until it exploded.

The risk that passengers took wasn’t related to the bumps in the ride or to its smoothness. If you had a modern econometrician on board, no matter how hard he studied those bumps and wiggles in the ride, he wouldn’t have been able to predict the disaster. The fallacy is the idea that you can predict disaster by looking at the bumps and wiggles in current results.”

To see the disaster coming, you had to have looked beyond the data about flight bumpiness—beyond the professionalism of the staff—and really think, “Does it make any sense to have people riding in a gondola, strapped to a giant sack of flammable hydrogen gas?” There’s just not a data series that lets you think about that.  The history of bumps and wiggles—and of GDP and prices—didn’t predict economic disaster. That is the fallacy most people fall into when they talk about security, Tail risk or Black Swan events.

If we apply this logic to any ERP – I find many ERP customers suffer from the smooth sailing fallacy.

• “Well – we implemented SAP 10 years back, IBM is managing the support and we have no problems!”
• “Our security incidents are insignificant.”
• “Oh we have installed SAP GRC solutions but no one uses them! And so we are secure!”

This smooth-sailing fallacy in security arises when we mistake a measure for reality. Mature managers always look deeper than the numbers, deeper than the current measures. Others just focus on the metrics that are based on past reality. That’s how we get into trouble.

This lesson is fundamental: you cannot manage by just looking at the results.  You have to have a big picture view of security by applying constant changes in security issues, technology, protocols and metrics. That means your security policy which may be 3 years old is useless and you have no security in place. CEOs and CFOs will use the smooth sailing argument – Hey! We never had a security issue in the past 2 years? So why worry now?

You have to show them what Rumelt said about Hindenburg! A small design flaw can blow them out of business since the ERP system is the business backbone in many companies.

So it is important to focus on three things:

1. Critically question your IT systems & the Security design – are they relevant? Are they bullet proof & future proof? Is there a hidden flaw?
2. Hope is not a strategy! So create a Security Team to redesign the IT Security Framework based on a thorough and annual Risk Assessment (mere adherence to ISO 27001 or ITIL will not do!). Use professional help if needed.
3. Execute your plans in a phased manner – first time right. Do not try to boil the ocean. Keep this as a continuous improvement process.

Author:
Dr. Jagan Nathan Vaman PhD CGEIT CISA
Chief Consulting Officer
Aujas Risk Management Services

Maintaining awareness of potential security incidents all the time, every day, is difficult, and knowing how to react to incidents is more difficult still. Your company needs to be ‘right’ all the time, but intruders only need to be ‘right’ once. Imagine an IP, Design, Customer Data, Financial data theft from your SAP system! It can lead to both a reputation loss and a loss of business.

Companies that run SAP ERP & their security teams should understand how vulnerable your SAP system is! Here are some facts that might shake you:

1. In a typical SAP environment, data transferred between a client and the server is unencrypted. E.g. Any communication with the SAP server using a Desktop or mobile device or client app or portal transmits unencrypted data! It is a high risk area, “client to server un-encrypted communication”, and makes your entire SAP system highly vulnerable.
2. To fix this gap, SAP has recently introduced “SNC Encryption module” in
   October 2011 and is a free release for the SAP clients. Through this
   small upgrade you can quickly fix one of the most vulnerable areas of
   your SAP system.  Point to note here is that this un-encrypted
   communication vulnerability existed for a long time in your SAP system
   and even now you are vulnerable without this fix.
   

SAP did two acquisitions to provide a Secure SAP system and these are recent events.

1. SAP acquired MaxWare Identity Management solution in 2006. This is incorporated as SAP Netweaver Identity Management solution & sold with a licensing model.
2. SAP acquired SECUDE (a Swiss SAP Information security company) software assets in March 2011. With this acquisition came Single Sign-On (Secure Log-In), ESSO – Enterprise SSO and SNC Encryption.

There is a lot to catch up and be compliant with these security solutions – to ensure a secure SAP environment. To bring you up-to-date on the SAP security and improve your SAP Security posture – you need a roadmap. 

The road map broadly should focus on a combination of business focus, scenario analysis and SAP security tools. The combined knowledge of your security experts and a purpose driven SAP security assessments, provide you with a world-class SAP security service at a low cost.

High Performance SAP Security road-map is developed with a three phased approach:

1. Assessment – This phase is designed to understand the ‘as-is’ risk profile of your organization, and how it fits with the business requirements of your enterprise. Based on this assessment you should tailor SAP Security design and controls to monitor and protect key business assets as well as the enabling IT of your enterprise.

2. Implementation – Deployment of controls processes and tools to put the right monitoring capability in place, and building of the right rule-sets to prioritize and escalate events in line with business priorities.

3. Ongoing Management –SAP Security process that works on intelligent escalation as required and continuous improvement of your risk management and security posture with a managed SAP Security service. A Security Management Portal should be built so that your company can drill down into the status of threats and remediation actions underway.

The benefits of a high performance SAP Security includes:

• Business-focused security delivery model: guard your business, not just your SAP ERP
• Improved security efficiency as a result of wider SAP Security situational awareness and Business asset aligned prioritization
• SAP Security and compliance tools, dashboards that provide you with a view of your security posture and results of security improvement programs
• Improved manageability and reduction in security operating costs
• Reduced security ‘distraction factor’ so that you can focus on your core business objectives.

Author:
Dr. Jagan Nathan Vaman PhD CGEIT CISA
Chief Consulting Officer
Aujas Risk Management Services

The Problem

The Risk
Usually, these IDs, especially the ones that are in-built, are shared among the groups of administrators. This method of sharing highly powerful access can cause accountability concerns and non compliance with regulatory requirement, thereby significantly increasing the access risk.

Data can be stolen undetected or IT systems can be sabotaged by misusing the privileged access, since these IDs have access to systems from the backend and can bypass the control deployed for business users.

The rapidly emerging trends of cloud computing, consolidation of data centers, virtualization and hosted application services providers imply growing numbers of IT systems and privileged IDs. Any organization using significant number of IT systems like servers, network devices, desktops, or applications faces the requirement of managing privileged IDs.

Regulatory and government requirements for telecom, banking and IT verticals create an even greater need to address this requirement. Recent prominent and high profile security breaches in these verticals across the globe highlight the degree of access risk caused by inadequate privileged ID management.

What Not to Do
Limiting the privileges granted to these IDs will not mitigate the risk as it will render the useless IDs to perform its functions. Alternatively, some organizations aim to bring in accountability by assigning individual IDs to their administrators in order to eliminate sharing. This approach is helpful only for managing a small number of administrators managing few systems.

In-built IDs will still need to be shared even if administrators use their own individual IDs. To add to the complexity, some IT systems enforce a limit on the number of individual accounts that can be created to manage them. Moreover, the number of individual IDs grows multiplicatively with the increase in both the number of administrators and managed systems.

For example, an admin team of twenty managing a thousand systems can easily be dealing with more than 20,000 IDs. The cost and complexity of managing the lifecycle, enforcing password policies and access controls on so many individual IDs makes this approach suboptimal.

Mitigating the Risk
What is needed is a comprehensive and modular approach to privileged access and activity management. Privileged access and activity management is an identity management domain comprising of the same traditional building blocks of User Provisioning, Single Sign-on and Access Management, Role Management, Password Vault and SIEM tied together with robust solution design based on well thought of policies and procedures.

A good solution approach uses an iterative model to focus on each of these areas and improve them incrementally by understanding how it integrated with other building blocks. This approach allows for a modular solution which not only can solve immediate problems with least disruption and change to the existing practices, but also scale to meet the evolved requirements as the business and expectations grow.

I often think how real is the Consumerization theory? It is a passing phenomenon, which would lose its momentum as we move on? Would business adopt it? Would it remain a B2C technology, would it impact B2B transactions? This post is my attempt to think through this.

Over the last two months I have seen extreme examples of consumerization in use. Part of my departure process from India involved me going to a family event in my village. Technology & consumerization is the last thing I could relate to the village where continued electricity supply was a challenge. During the event I saw my cousin use his smart phone to update this Facebook status on 3G! Now this guy is a successful businessman, who I didn’t think knew how to use a computer and I know had a hard time getting through his graduate studies.

The other extreme was my experience in moving to the Bay area, setting up my home and office in Cupertino, California. Yes Cupertino, the home of Apple. Not many believe me that that was not the reason for me to choose Cupertino. Living in the US has its own set of learning’s, one among them is as my friend says “Your home may not have water, but it needs to have internet”.  At home I have a basic internet service (22Mpbs download speed, yes that’s basic). There is not a single aspect of our life which is not powered by an Internet service or for that matter a smartphone application, which is on the cloud.  Some examples:

­   TV (Netflix)

­   Phone (Vonage)

­   Maps / GPS (Mapquest, Google Maps)

­   Banking (mobile app, e.g. I can simply take a photo of a cheque for it to be deposited)

­   Tennis (joining weekly practice sessions, court bookings and USTA league)

­   Library (online booking, RFID check-in and check-out)

­   Books (ebooks)

­   Travel (online booking and smart phone boarding passes)

­   Music (Pandora)

­   Home remote (yes that’s an app on my ipad to control multiple devices)

­   News (We don’t get any “newspaper”)

­   Skype (video calls)

­   Google Places to find stores and restaurants

­   Movie ticket bookings

­   Online shopping (Craiglist, Walmart etc.)

­   School updates

­   Insurance

­   Medical services

­   Etc.

We add to the list almost every day AND each one of the above has an Apple App! So having an Apple App is like a basic must have channel for business to reach its customers. I must add that the above are basic services; our family is not the most technically advanced, yet.

So each of these “consumers” who become “users” inside the enterprise are being exposed to such services and channels, they seem to expect the same type of services from the enterprise. Enterprises are now creating “internal applications” using the consumerization channel and are distributing them to users and customers.

This seems to be an irreversible phenomenon, the adaptation across users and businesses is just growing and in areas which are beyond imagination. I recently read about a company in the Bay area which has created technology to open the car using an iPhone app. You don’t need to carry anything now, cash, cards, keys, contacts, books, newspapers, addresses, GPS, music player, remote control etc. All you need is an iPhone and the internet.

Consumerization is real, it’s here to stay and we are going to find ways to use it, beyond what we can imagine now.  It’s also not possible to de-couple the CSM (Cloud, Social and Mobile) elements of Consumerization. One is going to drive the others and the cycle will continue. So will the need to build security strategies as these services are rolled out, which would help me pay the bills for services I am using!

Download the Risky Business ebook for insights into information security risks

Over the last three years we have published many key articles covering best practices, happenings in the industry, critical items to watch for in the Information Risk management domain.

Our objective always has been to inform and create awareness on the critical aspects of information security and risk management.

Over the last 35 editions we have covered a lot of ground. We have created this eBook which is a compilation of some of our best articles we have published. We hope this Risky Business ebook is an exciting addition  collection to your digital library.

Download the Risky Business ebook now!

The primary focus was on the roadmap for M-Payment services roll-out for the huge consumer base in India. Leading payment service providers and banks came together to showcase their concrete and innovative mobile payment solutions.

In panel discussions on ‘Future of M-Payment in India and Service providers’ perspective’, lots of new ideas and perceptions were shared by leaders from Aadhaar, MTNL, Bharti Airtel, Reliance Communications and Axis Bank.  There were interesting discussions on exciting Mobile payment success stories and growth prospects in Indian market.

One of the key concerns was about Mobile payments standardization of policies, deployments, revenue models for service providers and banks, which are critical to make M-payment services a success. The second key concern was about security issues and risks in mobile payments eco-system.

Everyone agreed on security risks involved in this eco-system, but not too many sessions were there on how to mitigate these security risks. Surprisingly, the only one who spoke about Mobile security risks and mitigation was me.

My session was on “Mitigating Security risks in Mobile Payment Applications”. It covered the concerns around major security risks in Mobile payments communications channels and payment application design flaws. The session focused on the trends in security risks and challenges involved and best practices to mitigate these security risks and challenges.

The outlook for Mobile payment in India seems bright, as long on companies take care of security. Secure Mobile payment applications would be main attentive feature to attract and build trust among mobile payments’ larger customer-base.