26 Nov 2014 | By Networks Asia Special Projects Team
Before IoT, let’s talk about rigorous application security
The use of web applications in the enterprise has grown exponentially in the last decade. This will likely continue into the next decade, driven by trends such as the Internet of Things (IoT).
Indeed, Gartner has identified IoT as one of its Top 10 Strategic Technology Trends for 2015, with the potential for a significant impact on organizations in the next three years. IoT is now at the “peak of inflated expectations” and heading into the “trough of disillusionment” on Gartner’s Hype Cycle for Emerging Technologies.
Hence, it is timely for the Open Web Application Security Project (OWASP) Foundation to identify the top ten security problems seen with IoT devices – cars, lighting systems, refrigerators, telephones, SCADA systems, traffic control systems, home security systems, TVs, etc. – and recommend ways to prevent them.
For example, to ensure sufficient authorization or authentication, the OWASP recommends a review of password policy for various interfaces and separation of roles determining access rights to available application features. Testers can validate these issues by identifying instances of weak passwords, conducting brute-force attacks against usernames, reviewing access controls and testing for privilege escalation.
Another top issue is insecure software or firmware. It arises when updates are delivered on unprotected network connections, or when the software or firmware contains hardcoded sensitive data such as credentials. Although easy to discover, a software or firmware compromise can lead to loss of user data, loss of control over the IoT device, and attacks against other devices.
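The two firmware weaknesses named above, unprotected update delivery and hardcoded credentials, are usually addressed together by signing update images so the device can verify them regardless of the transport they arrived over, and by keeping only a public key (never a secret) on the device. The following Go program is an added example, not code from the article or from i-Sprint; the update format, field names and the constructed sample image are assumptions chosen for illustration. It signs a version-plus-image digest with Ed25519 on the vendor side and, on the device side, rejects tampered images, images signed by the wrong key, and rollback to an older version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareUpdate is an assumed update envelope (not a real vendor format):
// a monotonic version number, the image bytes, and an Ed25519 signature
// over version || SHA-256(image).
type FirmwareUpdate struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// signedPayload binds the version to the image hash so neither field can be
// swapped independently of the other.
func signedPayload(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	buf := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, digest[:]...)
}

// SignFirmware is the vendor-side step. The private key lives in the build
// pipeline; it is never shipped in the firmware, so there is nothing to hardcode.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) FirmwareUpdate {
	sig := ed25519.Sign(priv, signedPayload(version, image))
	return FirmwareUpdate{Version: version, Image: image, Signature: sig}
}

// VerifyUpdate is the device-side check. Only the vendor's public key is baked
// into the device, so integrity no longer depends on the network path the
// update came over. The signature is checked before the version field is
// trusted, otherwise an attacker could forge a high version number.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, upd FirmwareUpdate) error {
	if !ed25519.Verify(pub, signedPayload(upd.Version, upd.Image), upd.Signature) {
		return ErrBadSignature
	}
	if upd.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // demo keys; real keys come from the vendor's HSM
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // constructed sample input
	upd := SignFirmware(priv, 2, image)

	fmt.Println("genuine update, device on v1:", VerifyUpdate(pub, 1, upd))

	tampered := upd
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0xff // flip one byte, as a man-in-the-middle on an unprotected link could
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	fmt.Println("replay of v2 onto a device already on v2:", VerifyUpdate(pub, 2, upd))
}
```

The rollback check matters in practice: an attacker who can replay an old, genuinely signed image with a known vulnerability defeats the signature alone, so the device must also remember the installed version and refuse anything not newer.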
So, security vulnerabilities inherent in poorly coded applications and systems will expose organizations to high security risks.
To establish rigorous application security, i-Sprint Innovations – which provides identity, credentials and access management solutions – is building on the stringent requirements and standards in the banking and finance sector to provide security administration, authentication, authorization and audit (4A) services to business applications.
i-Sprint’s comprehensive AccessMatrix Universal Access Management (UAM) system provides those services and is geared to address the issues identified by OWASP. The system’s web single sign-on (SSO), federated SSO, externalized authorization management and hierarchy-based delegated administration draw on a built-in common set of identity and access management services for custom enterprise and internet applications.
Besides tightly integrated web access management, a loosely coupled federated SSO based on standards like SAML can be applied for, say, applications in distributed locations. Key benefits of the UAM include:
- Improved security administration: UAM enables security administrators to define the access control policy that protects the resources within web servers and application servers. This centralized policy-driven approach to authentication and authorization greatly simplifies user administration and application integration. Additionally, i-Sprint’s patented Segmented Hierarchy-Based Security Administration and Authorization Framework allows the administrators to designate security administrators at different levels of the organization, and manage IDs and user rights.
- Externalized authorization: Built-in role-based access control for users and groups, and mapping of different user IDs in different applications to a unique SSO ID, help in migration of existing applications to UAM. Native integration of the AccessMatrix Security Server with external user stores such as LDAP and Active Directory via LDAP protocol or JDBC alleviates the need to synchronize user information or change schemas.
- Flexible, extensible authentication: Built-in proprietary static passwords and an LDAP authentication module facilitate flexible password quality policy, password expiry policy and login policy, as well as enhanced end-to-end encrypted passwords with hardware security modules. Further, extensible pluggable authentication modules support authentication requirements using SMS, hardware and software tokens.
- App-specific audits: To address administration, access and transaction audit and reporting requirements, UAM provides detailed tamper detection audit logs, including application-specific audit trail information, and ready modules for audit reports.
So, before IoT creates new online security risks, rigorous application security is a must-have for enterprises and government agencies to deliver secure mission-critical services to their stakeholders and protect their personal information.
Organizations like an inland revenue authority or a growing financial institution constantly review the resilience of their digital services against evolving web and application security threats.
In Singapore, a Civil Service College case study on the Inland Revenue Authority of Singapore (IRAS) cited a comment by the latter’s deputy commissioner James Khor last year: “If taxpayers can self-help, what we offer is easy, simple, and reliable e-services. Our website is simple to navigate, the information is authoritative, up-to-date, and you can rely on it to fulfill your tax obligations.”
Technologies underpinning these e-services include 4A capabilities provided by i-Sprint’s UAM to custom applications in IRAS’ Inland Revenue Interactive Network. A fine-grained authorization framework based on the UAM segmented hierarchy-based security administration allows delegated granular access by taxpayers and organizations, third-party tax agents and organizational employees.
Internet banking is another area where rigorous application security is particularly critical, not only to replace legacy client-server systems but also to comply with, or exceed, the security guidelines issued by the central bank or monetary authority.
McKinsey’s Digital Banking in Asia report suggests as much: Asian banks are recognizing that cybersecurity must be treated as a core business function. This is corroborated by a study by McKinsey and the World Economic Forum where 80% of global banking IT executives believe that the risk of cyberattack is a significant issue that could have major strategic implications.
In this regard, the AccessMatrix UAM solution’s core security infrastructure technology – SSO, hierarchical administration of user IDs and access privileges, and an efficient way for existing applications to securely sign on to target databases, etc. – supports critical e-banking applications.
Coupled with externalized authorization and extensible authentication, UAM paves the way for banks and other organizations to do more than provide secure services through mobile and internet channels.
As McKinsey’s Digital Banking in Asia authors point out, “For some banks, integrated multichannel access will become a core feature of their value proposition, including a light physical presence and agents to enhance the customer experience, as well as to promote trust and branding.”
To promote trust, in particular, i-Sprint’s rigorous application security lays the requisite foundation for trustworthy IoT connecting diverse wearable devices and internet-enabled devices in homes, offices and places of business.
This is a QuestexAsia feature commissioned by i-Sprint Innovations.