Securing the Mobile Enterprise

September 17, 2009

Context Aware Mobility – 2 : Access Control

Context awareness is, to a large degree, coupled with location awareness. The security and access considerations mainly apply at the network layer, as this is the only aspect of the device that crosses a trust boundary. All access control frameworks are built around the concept of “trust” between the various entities and agents participating in the network. According to ISO 10181,

Trust is a relationship between two elements, a set of operations and a security policy P, where element X trusts element Y only if X has confidence that Y behaves in a well-defined way that does not violate P.

Most hierarchical trust models incorporate this central concept. In such models, one or more superior (i.e. more trusted) entities grant credentials to the participating peers. One example of this model is the public key infrastructure (PKI) built around X.509 digital certificates, which forms the backbone of all internet security. However, modern network access control (NAC) frameworks, especially those designed for fixed/mobile LANs, are adopting a distributed-intelligence approach in which the NAC environment is dynamically structured to fit the users and the data being accessed. The Juniper Networks UAC solution is one such instance. This system allows administrators to encode users and data on the fly through a rich and granular policy management framework. The decision engine then defines the policy (contract) after evaluating the user (permissions, clearance), the network (access method, resource properties) and the endpoint properties (OS, patch version, anti-virus programs, etc.).
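As an added example (not code from the original post or from Juniper's product), here is a small Python decision engine of the kind described above: it evaluates user, network and endpoint properties against a resource policy and returns full access, a remediation VLAN, or deny. The role ranks, patch baseline, access-method names and the sample resource are all constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    FULL_ACCESS = "full-access"
    REMEDIATION = "remediation-vlan"   # quarantined until the endpoint is fixed
    DENY = "deny"

@dataclass
class Context:
    # user properties (who is asking)
    user: str
    role: str                  # "guest", "contractor", "employee" or "admin" (constructed)
    # network properties (how they arrived)
    access_method: str         # e.g. "wired-802.1x", "wifi-802.1x", "vpn", "guest-portal"
    # endpoint properties (what they are asking from)
    os: str
    patch_level: int
    antivirus_running: bool
    av_signature_age_days: int

@dataclass
class Resource:
    name: str
    min_role: str
    allowed_methods: frozenset

ROLE_RANK = {"guest": 0, "contractor": 1, "employee": 2, "admin": 3}
MIN_PATCH_LEVEL = {"windows": 2, "macos": 1, "linux": 1}   # constructed baseline
MAX_AV_AGE_DAYS = 7

def decide(ctx, resource):
    """Evaluate user, then network, then endpoint posture; return (Decision, reason)."""
    # 1. user: clearance must meet the resource's minimum; unknown roles rank lowest
    if ROLE_RANK.get(ctx.role, -1) < ROLE_RANK[resource.min_role]:
        return Decision.DENY, "role %s below %s" % (ctx.role, resource.min_role)
    # 2. network: the resource must be reachable over this access method
    if ctx.access_method not in resource.allowed_methods:
        return Decision.DENY, "%s not reachable via %s" % (resource.name, ctx.access_method)
    # 3. endpoint: an unhealthy device goes to remediation, never straight to the resource
    if not ctx.antivirus_running or ctx.av_signature_age_days > MAX_AV_AGE_DAYS:
        return Decision.REMEDIATION, "anti-virus missing or signatures stale"
    if ctx.patch_level < MIN_PATCH_LEVEL.get(ctx.os, float("inf")):   # unknown OS fails closed
        return Decision.REMEDIATION, "%s patch level %d below baseline" % (ctx.os, ctx.patch_level)
    return Decision.FULL_ACCESS, "user, network and endpoint checks passed"

# Constructed sample resource: internal finance DB, staff only, never from the guest portal
FINANCE_DB = Resource("finance-db", "employee", frozenset({"wired-802.1x", "wifi-802.1x", "vpn"}))

if __name__ == "__main__":
    alice = Context("alice", "employee", "wifi-802.1x", "windows", 3, True, 1)
    print(decide(alice, FINANCE_DB))
```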

Let us now look at the mechanism by which a mobile device ‘attaches’ to the network. To begin with, recall the behavior of a Windows PC when it first connects to a new network. The user is required to choose whether it is a private, business or public network. Based on the option selected, the Windows firewall applies the appropriate firewall profile. Subsequent visits to the same network automatically apply the same policy without manual intervention. Context awareness takes this concept to the next level: applications and services can also become “aware” of the network and tailor their behavior accordingly.

The ultimate goal here is to identify and authenticate the network location. At the protocol level the application or service authorizes the network access provider (usually a DHCP server), which is a form of entity authentication. From the standpoint of privacy we have to ensure that the client remains sufficiently anonymous in order to protect the mobile user before and during network access. In standard Wi-Fi access the client and the network use the 802.1X protocol, backed by public key certificates. 802.1X allows piggy-backing of new authentication methods, e.g. EAP-TLS for authenticating with TLS/SSL, EAP-SIM for authenticating against a GSM SIM, or EAP-JUAC for Juniper’s custom UAC method. In all these methods the client’s privacy is protected by authenticating the server first and then performing the client authentication inside the secure channel.
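As an added example (not code from the original post or from any vendor), a small Python parser for the RFC 3748 EAP header together with a defender-side check on the cleartext outer identity: with tunnelled methods the username belongs only inside the TLS-protected channel, so the outer NAI should carry the realm alone. The method-type table is a subset of the IANA registry, the sample packets are constructed, and EAP-JUAC is omitted because the page gives no type code for it.

```python
import struct

# EAP codes (RFC 3748 section 4) and a few method Type codes from the IANA EAP registry
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 18: "EAP-SIM",
                  21: "EAP-TTLS", 25: "PEAP"}

def parse_eap(packet):
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length %d inconsistent with %d bytes on the wire" % (length, len(packet)))
    msg = {"code": code, "id": ident, "length": length, "type": None, "method": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        msg["type"] = packet[4]
        msg["method"] = EAP_TYPE_NAMES.get(packet[4], "unknown")
        msg["data"] = packet[5:length]      # bytes beyond Length are padding and ignored
    return msg

def outer_identity_leaks_user(identity):
    """True when a cleartext EAP-Identity reveals the username.

    With tunnelled methods (EAP-TTLS, PEAP) the real identity belongs inside the
    TLS tunnel; the outer NAI should carry only the realm, e.g. "@example.com" or
    "anonymous@example.com" (RFC 7542 section 2.4)."""
    user = identity.decode("utf-8", errors="replace").partition("@")[0]
    return user not in ("", "anonymous")

def check_identity_response(packet):
    """Return (identity, leaks_user) for an EAP-Response/Identity, else raise."""
    msg = parse_eap(packet)
    if msg["code"] != EAP_RESPONSE or msg["type"] != 1:
        raise ValueError("not an EAP-Response/Identity")
    return msg["data"].decode("utf-8", errors="replace"), outer_identity_leaks_user(msg["data"])

def build_identity_response(ident, identity):
    """Build an EAP-Response/Identity; used here only to construct sample packets."""
    return struct.pack("!BBH", EAP_RESPONSE, ident, 5 + len(identity)) + b"\x01" + identity

# Constructed sample packets, not captured traffic
ANON_RESPONSE = build_identity_response(1, b"anonymous@example.com")   # realm only
LEAKY_RESPONSE = build_identity_response(1, b"alice@example.com")      # username in the clear

if __name__ == "__main__":
    for pkt in (ANON_RESPONSE, LEAKY_RESPONSE):
        nai, leaks = check_identity_response(pkt)
        print(nai, "-> username exposed" if leaks else "-> realm only")
```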

September 13, 2009

Context Aware Mobility -1

Context Aware Computing is the next big thing on the horizon. It is alternatively known by the much cooler moniker “Ambient Computing”. From an architectural standpoint, context aware services (CAS) usually have a component-based design with basic constructs like components, connectors, contracts and interfaces. Components provide the core functionality of the application and use connectors to communicate with other components in the system. Contracts and interfaces ensure a specific behavior in a given situation. “Awareness” is programmed into the system by rewiring the interfaces and contracts when the context changes. The context changes when one or more of the following parameters change: userID, activity, geospatial information (location, direction, speed, etc.), Temporal Information (timeOfday, date), ServiceVicinity (presence of other devices or services), etc. A simple manifestation of this is the popular app “Locale”.

Major universities are furiously researching and developing technologies to incorporate context awareness in SOA environments. Such applications benefit from technology that connects everyday objects and provides opportunities to collect and use context-specific information from various sources and present it on increasingly sophisticated mobile platforms. Enterprises have only recently started looking into how CAS applications can provide real-time benefits. In fact, Cisco has recently announced a mobile context aware framework running on the 3300 MSE (Mobility Services Edge) that enterprises can incorporate into their existing SOA framework.

That’s it for a high-level overview of context aware mobility. In the next article I will talk about some of the unique security constraints that have to be addressed in CAS environments.

September 5, 2009

Mobile hack shows need for security upgrade • The Register

Filed under: Mobile Security,security — Balaji Prasad @ 12:19 am

Recently, security journals all over the world splashed the news that GSM security had been compromised using a rainbow table. However, the approach was deemed impractical by the GSMA as requiring 2TB of data and an enormous amount of number crunching to invert the one-way hash function. The approach to do this is called Shor’s algorithm, named after its inventor Peter Shor. Shor’s algorithm takes a long time to execute on a classical (von Neumann) computer but can be run a lot faster on a quantum computer. In fact, Shor’s algorithm is designed specifically for a quantum computer.
Quantum computers are no longer theoretical constructs; we now have word of a working prototype that actually runs on a single silicon chip.

September 2, 2009

Kaspersky releases mobile security suite

Filed under: Mobile Security,security,smartphone — Balaji Prasad @ 10:28 pm

Kaspersky has announced what is by far the most promising security suite for Symbian and Windows Mobile phones. Besides providing a standard firewall and anti-virus, it offers unique features like anti-theft and SIM-Watch modules. Remote device wipe is nothing new; Blackberry and Windows Mobile devices (via ActiveSync) have had this feature for years. However, this is the first time we have a device wiping solution for a mobile device that is not tethered to the enterprise. The device wipe in this case happens by sending an SMS message to the lost/stolen phone, causing it to digitally self-destruct. The unique anti-theft module locks your data if a new SIM card is inserted into the device. Additionally, it sneaks an email back to you with the telephone number of the new SIM card! Truly ingenious. Not enough data about the performance/battery-life implications of running this suite is available yet, but if Kaspersky engineers it similarly to their desktop solution, it should not be too much of a performance hog.
