Defensive design becomes a security requirement when SOA meets mobile
By Jason Tee
As new technologies such as hybrid clouds, big data solutions, mobile platforms and open source tools become commonplace in the workplace, IT professionals of all stripes must remain diligent in maintaining the security of their systems. As organizations expose an increasing number of applications, services, data, and other resources in an increasingly interconnected world, IT departments find themselves with less rigid control over their systems. Simple governance rules aren't enough to keep data safe if there is no ability or authority to enforce them. The solution is to build security right into the architecture and applications, and to do it properly from the start. That means doing it everywhere from the mobile device to the desktop application, not just in the web-based interface that has historically been the biggest security risk.
Easy access spells trouble
Mobile has created security issues that designers simply aren't taking into account. Matt Brasier of C2B2 Consulting, coauthor of the Oracle SOA Suite 11g Performance Cookbook, points out two factors that are raising risks. First, it's become very easy to write applications – so hackers are having a field day. Second, organizations don't have as much control over the consumers of their services. "You have to be a lot more careful about programming and designing your architecture and applications defensively these days. Even if you're not exposing an application through a public web service, if information is on a web page there's still risk. Someone out there will write a mobile app that can scrape the HTML and pull out the data," said Brasier. Furthermore, the mobile interface itself isn't necessarily something you have control over. It might be a third party component. This means you have to build security into those aspects of the resource over which you do have control.
Few businesses are exercising caution
Godfrey Nolan, author of Decompiling Android, says his firm specializes in demonstrating just how easy it is to crack an Android APK. There are plenty of decompilation tools available that anyone can get their hands on. These tools can readily reverse-engineer an APK and recover information stored in plain text, which may include sensitive data such as logins and passwords, that can then be used to wreak havoc on an enterprise organization's backend. "Our team has downloaded and tested about 100 apps. Only one of these was appropriately protected with security-conscious code," said Nolan. Nolan recommends using tools such as HoseDex2Jar to create a barrier to decompilation. This code enhancer inserts code that renders current decompiling tools useless.
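An APK is an ordinary zip archive, so credentials left in resources or assets are readable without any decompiler at all. The following release-time check, added here as an illustration and not code from the article or from Nolan's firm, scans the text-like entries of an APK for credential-looking strings; the sample APK and its entries are constructed inline, and the pattern names and `.invalid` host are assumptions.

```python
# Added example: scan an APK (a zip file) for plain-text credentials before release.
import io
import re
import zipfile

# Patterns for values that a zip tool or decompiler would surface directly.
# Values stop at whitespace, quotes and XML brackets so a match ends at the secret.
SECRET_PATTERNS = {
    "password_assignment": re.compile(r'(?i)\b(password|passwd|pwd)\s*[=:]\s*["\']?[^\s<>"\']{4,}'),
    "api_key_assignment": re.compile(r'(?i)\b(api[_-]?key|secret)\s*[=:]\s*["\']?[^\s<>"\']{8,}'),
    "basic_auth_url": re.compile(r'https?://[^/\s:@]+:[^/\s@]+@'),
}
# Only text-like entries are scanned; classes.dex and binary resources are skipped here.
SCANNED_SUFFIXES = (".xml", ".properties", ".json", ".txt", ".js", ".html")


def scan_apk(apk_bytes: bytes) -> list:
    """Return (entry name, finding type, matched text) for every credential-looking hit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.lower().endswith(SCANNED_SUFFIXES):
                continue
            text = apk.read(name).decode("utf-8", errors="replace")
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append((name, kind, match.group(0)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample APK: two text entries carrying credentials, one clean entry, one binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", "<manifest package='example.app'/>")
        apk.writestr("assets/config.properties",
                     "backend.url=https://api.example.invalid\nbackend.password=Hunter2!\n")
        apk.writestr("res/values/strings.xml",
                     '<resources><string name="api_key">SECRET=sk_test_0123456789abcdef</string></resources>')
        apk.writestr("classes.dex", b"\x00dex\n035\x00")  # binary bytecode, not scanned here
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, snippet in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind}: {snippet}")
```

A hit on a release build is the signal that the value belongs on the server side or behind a per-user credential, not that the build should be obfuscated and shipped anyway.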
CSOs need to be on the ball
Anne Thomas Manes, VP Distinguished Analyst at Gartner, says that it's the Chief Security Officer's job to make sure new non-functional security requirements aren't circumvented during design, development, or deployment. "First, you need to decide what type of data is truly sensitive. Some of it can be available on the device without much risk. Data that requires more security may need to be encapsulated to keep it from being easily exposed. Don't delay going mobile, but do consider how to adjust your architecture strategy." Physical, administrative and technological solutions all play a part in defensive design.
Mobile creates an open ended game
In terms of non-functional requirements, mobile is affecting more than just how organizations deal with security; performance and usability come into play as well. Matt Brasier stresses that mobile proliferation is changing the non-functional requirements of applications, such as security and performance, and is therefore changing the design. At least, he says, it should be changing how SOA design is applied to mobile. In fact, he laments that too many businesses are not contemplating the kind of issues that mobile brings to the table. Not everyone is putting mobile first. "They tack mobile on at the end, which isn't the right way of approaching it," says Brasier. Just one of the scenarios that might leave you twisting in the wind is the sudden interruption of service, such as when a user goes out of range or a transaction is terminated before completion. That's the kind of thing that rarely happened with desktop access. With mobile, it's very common and has a definite impact on how service provision should be structured.
The bottom line is that users are interacting with our SOA-based architectures in ways that were never envisioned when they were built five, ten or even fifteen years ago. IT professionals must remain diligent and ensure that the right steps are being taken to protect the security of an organization's data and the integrity of its SOA-based architecture.
Going forward, we are likely to see many more proprietary and open source solutions being created to provide greater security in mobile apps and architecture. What tools do you use? What tools do you wish you had? Let us know.
01 Sep 2013