Mobile Apps Must be their own Fortress to Withstand Attacks from Hackers


A #mobile app must be its own fortress and never assume platforms are encrypted, authenticated, use VPN or require a PIN for #security.

I guess developers can’t count on anything these days. How you deal with security is what separates consumer app developers from enterprise app developers. The best apps assume an insecure, unencrypted and completely compromised mobile platform. In a world of bring your own app (BYOA), this will differentiate consumer app developers from trusted enterprise app developers. Imagine the scenario where a logged-in device is left behind in a taxi and is stolen before device security kicks in to log the device out. A window of time ranging from five to fifteen minutes of exposure is realistic.

So how does a mobile app take charge of its own security? On launch, it must prompt for enterprise credentials like a password, PIN, face or fingerprint before allowing a user inside the app. Eliminate the use of cached credentials and tokens or keep expiration times to a minimum. Next, the app must provide its own encryption for data at rest. This is accomplished through the use of a mobile platform’s crypto APIs. Oftentimes you can reuse login credentials as a password and salt value. Use this to encrypt all downloaded and user-entered data before saving to local storage. The app must use TLS or per-app VPN tunnels for all remote communication to secure data in transit. Lastly, trustworthy apps should never take dependencies on platform capabilities they don’t actually require.
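To make the data-at-rest half of this concrete, here is an added example in Go, written for this page rather than taken from the post or the book; it stands in for the platform crypto APIs an iOS or Android app would call. It derives an AES-256 key from the user's login credential with PBKDF2-HMAC-SHA256 and seals each record with AES-GCM, so a wrong credential or a modified record is rejected outright rather than decrypted into garbage. One deliberate difference from the shortcut above: instead of reusing the credential as the salt, the example draws a random salt per record and stores it beside the ciphertext, while the credential itself is never written to storage. The envelope layout, the iteration count and the sample record are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16      // random salt, stored beside the ciphertext
	kdfRounds = 100_000 // PBKDF2 iterations; tune to the device's CPU budget
	keyLen    = 32      // AES-256
)

// PBKDF2 derives dkLen bytes from a credential and salt (RFC 2898 with
// HMAC-SHA256); written out so the example needs only the standard library.
func PBKDF2(password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	idx := make([]byte, 4)
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		// U1 = PRF(P, S || INT(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(P, Uj-1); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// Envelope is the record written to local storage: everything needed to
// decrypt later except the credential, which is never stored.
type Envelope struct {
	Salt       []byte
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

func newAEAD(credential string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(PBKDF2([]byte(credential), salt, kdfRounds, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts downloaded or user-entered data before it is saved. A fresh
// salt and nonce per record mean equal plaintexts never share a ciphertext.
func Seal(credential string, plaintext []byte) (*Envelope, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(credential, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts a record once the user has re-entered the credential at launch.
// A wrong credential or any change to the stored bytes fails the GCM tag check.
func Open(credential string, env *Envelope) ([]byte, error) {
	aead, err := newAEAD(credential, env.Salt)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decrypt failed: wrong credential or tampered record")
	}
	return plaintext, nil
}

func main() {
	env, err := Seal("user-pin-1234", []byte(`{"customer":"ACME","balance":1200}`)) // constructed
	if err != nil {
		panic(err)
	}
	_, wrong := Open("wrong-pin", env)
	back, _ := Open("user-pin-1234", env)
	fmt.Printf("wrong PIN: %v; recovered: %s\n", wrong, back)
}
```

Because the key is only ever derived from what the user types at launch, wiping the app's memory of the credential on lock is enough to leave the stolen-in-a-taxi device holding nothing but ciphertext; the salt and nonce in the envelope are safe to store in the clear.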

Reduce risk to your business by insisting every enterprise app you build or buy provides its own comprehensive security capabilities. Is your company making app security a top priority?

Learn how to digitally transform your company in my newest book, “Mobile Strategies for Business: 50 Actionable Insights to Digitally Transform your Business.”


Click here to purchase a copy of my book today and start transforming your business!

12 Steps to Stop the Next IoT Attack in its Tracks


Distributed denial-of-service (DDoS) #IoT attacks against DNS are a wake-up call to how fragile the #Internet can be.

The IoT attack against Domain Name Servers from a botnet of thousands of devices means it’s way past time to take IoT security seriously. The bad actors around the world who previously used PCs, servers and smartphones to carry out attacks have now set their sights on the growing tidal wave of IoT devices. It’s time for consumers and enterprises to protect themselves and others by locking down their devices, gateways and platforms. While staying secure is a never-ending journey, here’s a list of twelve actions you can take to get started:

  1. Change the default usernames and passwords on your IoT devices and edge gateways to something strong.
  2. Device telemetry connections must be outbound-only. Never listen for incoming commands or you’ll get hacked.
  3. Devices should support secure boot with cryptographically signed code by the manufacturer to ensure firmware is unaltered.
  4. Devices must have enough compute power and RAM to create a transport layer security (TLS) tunnel to secure data in transit.
  5. Use devices and edge gateways that include a Trusted Platform Module (TPM) chip to securely store keys, connection strings and passwords in hardware.
  6. IoT platforms must maintain a list of authorized devices, edge gateways, associated keys and expiration dates/times to authenticate each device.
  7. The telemetry ingestion component of IoT platforms must limit IP address ranges to just those used by managed devices and edge gateways.
  8. Since embedded IoT devices and edge gateways are only secure at a single point in time, IoT platforms must be able to remotely update their firmware to keep them secure.
  9. When telemetry arrives in an IoT platform, the queue, bus or storage where data comes to rest must be encrypted.
  10. Devices and edge gateways managed by an IoT platform must update/rotate their security access tokens prior to expiration.
  11. Field gateways in the fog layer must authenticate connected IoT devices, encrypt their data at rest and then authenticate with upstream IoT platforms.
  12. IoT platforms must authenticate each device sending telemetry and blacklist compromised devices to prevent attacks.
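
The list above is policy; the following is an added Go example, written for this page and not code from the post, showing how an IoT platform's telemetry ingestion endpoint could enforce steps 6, 7 and 12 together, with the key expiry that makes step 10's rotation necessary: an authorized-device list with per-device keys and expiry times, a source-address allowlist, a blacklist, and an HMAC-SHA256 signature over each message checked inside a short timestamp window so a captured message cannot simply be replayed. The device IDs, keys, address ranges and message layout are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// Device is one entry in the platform's authorized-device list (step 6).
type Device struct {
	Key       []byte    // per-device secret; the device keeps its copy in its TPM (step 5)
	ExpiresAt time.Time // when the key stops being accepted; rotate before this (step 10)
	Revoked   bool      // blacklisted after compromise (step 12)
}

// Registry is the ingestion side: authorized devices plus the source ranges
// the telemetry endpoint accepts (step 7).
type Registry struct {
	devices map[string]*Device
	allowed []netip.Prefix
}

// Telemetry is the constructed message format; Signature covers the other fields.
type Telemetry struct {
	DeviceID  string
	Timestamp time.Time
	Payload   []byte
	Signature []byte
}

var (
	ErrSourceIP = errors.New("source address outside managed ranges")
	ErrUnknown  = errors.New("device not in authorized list")
	ErrRevoked  = errors.New("device is blacklisted")
	ErrExpired  = errors.New("device key expired")
	ErrStale    = errors.New("timestamp outside replay window")
	ErrBadSig   = errors.New("signature mismatch")
)

func NewRegistry(allowedCIDRs ...string) (*Registry, error) {
	r := &Registry{devices: map[string]*Device{}}
	for _, c := range allowedCIDRs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, err
		}
		r.allowed = append(r.allowed, p)
	}
	return r, nil
}

func (r *Registry) Enroll(id string, key []byte, ttl time.Duration, now time.Time) {
	r.devices[id] = &Device{Key: key, ExpiresAt: now.Add(ttl)}
}

func (r *Registry) Revoke(id string) {
	if d, ok := r.devices[id]; ok {
		d.Revoked = true
	}
}

// Sign is what the device or field gateway computes before sending:
// HMAC-SHA256 over device ID, timestamp and payload.
func Sign(key []byte, id string, ts time.Time, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	mac.Write([]byte(ts.UTC().Format(time.RFC3339)))
	mac.Write(payload)
	return mac.Sum(nil)
}

// Authenticate applies steps 7, 6, 12 and the expiry check in turn; the
// timestamp window also limits replay of a captured message.
func (r *Registry) Authenticate(src netip.Addr, msg Telemetry, now time.Time) error {
	inRange := false
	for _, p := range r.allowed {
		inRange = inRange || p.Contains(src)
	}
	d, ok := r.devices[msg.DeviceID]
	skew := now.Sub(msg.Timestamp)
	switch {
	case !inRange:
		return ErrSourceIP
	case !ok:
		return ErrUnknown
	case d.Revoked:
		return ErrRevoked
	case now.After(d.ExpiresAt):
		return ErrExpired
	case skew > 5*time.Minute || skew < -5*time.Minute:
		return ErrStale
	case !hmac.Equal(Sign(d.Key, msg.DeviceID, msg.Timestamp, msg.Payload), msg.Signature):
		return ErrBadSig
	}
	return nil
}

func main() {
	now := time.Now()
	r, _ := NewRegistry("10.20.0.0/16")
	r.Enroll("sensor-01", []byte("constructed-key"), time.Hour, now)
	msg := Telemetry{DeviceID: "sensor-01", Timestamp: now, Payload: []byte(`{"temp":21.5}`)}
	msg.Signature = Sign([]byte("constructed-key"), "sensor-01", now, msg.Payload)
	fmt.Println(r.Authenticate(netip.MustParseAddr("10.20.3.4"), msg, now), r.Authenticate(netip.MustParseAddr("203.0.113.9"), msg, now))
}
```

The checks run cheapest-first: a packet from outside the managed ranges is dropped before the platform does a map lookup or an HMAC, which keeps the ingestion path from becoming the next denial-of-service target itself.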

Keeping the various components that make up the IoT value chain secure requires constant vigilance. In addition to doing your part, it’s important to hold the vendors of the IoT devices, gateways and platforms accountable for delivering technology that’s secure today and in the future.

Improve Productivity by Publishing Services to Mobile Employees via a Web Gateway


Rather than extending your entire #network out to #mobile devices via #VPN, publish individual services through a #web gateway or the #cloud.

Most remote employees gain access to Intranet resources through a virtual private network (VPN). Using third-party or built-in software, employees provide credentials and sometimes a smartcard to create a VPN tunnel. Once created, employees can securely exchange data with internal resources. This is anything but seamless and employees find setting up VPN sessions and re-authenticating due to dropped connections to be a hassle. They want to access things the same way they do on the Internet.

Let’s take a look at a better mobile reality. Most companies around the world use Microsoft Exchange for corporate email. For more than a decade, mobile users on virtually every platform have been able to securely sync their email without first creating a cumbersome VPN connection. This was possible because Exchange publishes its ActiveSync service through a reverse-proxy over TLS. The email app is responsible for passing credentials to the server. It works the way mobile employees expect all their mobile apps to work.

You can do this too by publishing your internal web sites and REST + JSON APIs on port 443 through a reverse proxy that lives at the network edge. Reverse proxies are appliances or server software that let you create a multi-channel access gateway. Of course, when you move your workloads to the cloud, none of this will be needed anymore.
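As an added example, written for this page rather than taken from the post, here is a minimal gateway of the kind described, in Go: it requires credentials on every request and forwards only the published path prefixes to internal services through the standard library's reverse proxy, so the rest of the intranet stays unreachable even to an authenticated client. The route table, the user table, the backend URL and the X-Authenticated-User header are assumptions of the example; LocalDemo wires up an in-process backend and gateway so the whole exchange runs on the local machine. In production the handler would be served with http.ListenAndServeTLS on port 443 and the user table replaced by a lookup against the enterprise directory.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Route publishes one internal service under a public path prefix.
type Route struct {
	Prefix  string // e.g. "/hr/"; only requests under it are forwarded
	Backend string // internal URL of the service (assumed, not a real host)
}

// Authenticator validates a credential; a real gateway would ask the directory.
type Authenticator func(user, pass string) bool

func StaticAuth(users map[string]string) Authenticator {
	return func(user, pass string) bool {
		want, ok := users[user]
		return ok && subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1
	}
}

// NewGateway returns a handler that authenticates every request and forwards
// only the published prefixes; anything else on the intranet stays unreachable.
func NewGateway(auth Authenticator, routes []Route) (http.Handler, error) {
	mux := http.NewServeMux()
	for _, rt := range routes {
		target, err := url.Parse(rt.Backend)
		if err != nil {
			return nil, err
		}
		mux.Handle(rt.Prefix, httputil.NewSingleHostReverseProxy(target))
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !auth(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="enterprise"`)
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		// The backend trusts the gateway: pass the identity on, drop the secret.
		r.Header.Del("Authorization")
		r.Header.Set("X-Authenticated-User", user) // header name is an assumption
		mux.ServeHTTP(w, r)
	}), nil
}

type Exchange struct {
	Status int
	Body   string
}

// LocalDemo stands up an in-process backend and gateway, then sends three requests:
// no credentials, valid credentials to a published path, and valid credentials
// to an unpublished path.
func LocalDemo() ([]Exchange, error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s at %s", r.Header.Get("X-Authenticated-User"), r.URL.Path)
	}))
	defer backend.Close()
	auth := StaticAuth(map[string]string{"alice": "constructed-password"})
	gw, err := NewGateway(auth, []Route{{Prefix: "/hr/", Backend: backend.URL}})
	if err != nil {
		return nil, err
	}
	front := httptest.NewServer(gw)
	defer front.Close()
	var out []Exchange
	for _, tc := range []struct{ path, user, pass string }{
		{"/hr/payslips", "", ""},
		{"/hr/payslips", "alice", "constructed-password"},
		{"/finance/ledger", "alice", "constructed-password"},
	} {
		req, _ := http.NewRequest(http.MethodGet, front.URL+tc.path, nil)
		if tc.user != "" {
			req.SetBasicAuth(tc.user, tc.pass)
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return nil, err
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		out = append(out, Exchange{resp.StatusCode, string(body)})
	}
	return out, nil
}

func main() {
	results, err := LocalDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

The three exchanges come back as 401, 200 with the proxied body, and 404: the unpublished path never reaches any backend because the gateway only knows the routes it was given, which is the whole point of publishing individual services instead of the network.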

Improve user productivity by eliminating the need to create cumbersome VPN connections to achieve secure connections. What remote access technology changes are you making at your organization to make life easier for your employees?

Learn how to digitally transform your company in my newest book, “Mobile Strategies for Business: 50 Actionable Insights to Digitally Transform your Business.”


Click to purchase a copy of my book today and start transforming your business!