Monday, May 19, 2008

Historic perspective to mobility security problems

When I was reading an excellent performance audit report about Finland’s failed PKI-project (more about that later) I remembered an old project where I was once working. At late 90’s web applications were extremely hot and new thing and the project’s target was to create a browser solution that citizens could use to change their contact details. Somebody had made a decision earlier that the web solution must be very secure and all transactions must be strongly authenticated to ensure that no false data could ever be entered to the system. Because of this security requirement, project had to use PKI solution with Finland’s brand new certificates, identity cards and card readers. Obviously that ensured that the browser solution was very well secured.

However, browser access wasn’t the only channel to change person’s contact data. Instead of using the high-secure browser solution, citizen could pick up the phone and call to customer care center and ask them to change the data. No passwords asked, no certificates needed; just give them new address and change was done.

The thing that I didn’t understand at that time (and I still don’t) was that browser access was ranked very insecure and potentially dangerous, but at the same time the old channel was completely lacking user authentication and still there were no problems because of false data or similar. What made browser so dangerous at late 90’s?

I have a strong feeling that browser was once dangerous because it was a new thing and all risks related to that were overrated. What potentially could happen was interpreted that it must happen. Now ten years have passed and situation is much better regarding browser’s risk assessment; of course the risks still exist but browser itself is not seen so dangerous anymore.

What has taken browser’s place as the very-dangerous-new-thing? Mobility of course! So many times I have been in the situation that the possible mobile solution has been ranked very dangerous to the organization - but at the same time the data is already available in the internet from a password protected browser page. What mobility would mean in this case is that the data would be rendered in a different way to ensure usability in a small device. The risk of loosing the mobile device is real, but properly encrypting local data and/or using mobile browser is a good real life solution. 

Now mobile solutions are suffering from this same “new solution’s handicap” that the browser faced at the late 90’s - if you don’t have time to wait until mobility becomes mainstream you’d better work with your arguments and tell customers honestly what the real risks with mobility are. Perhaps the risk is that the competitor integrates mobility smartly into their processes and performs better than you?


No comments: