How to secure Web applications from insecure mobile devices

RSA says 2011 will be the year of mobile device malware and of criminals exploiting these devices to commit fraud and other crimes. With literally billions of devices in use worldwide, it’s hard to secure them all. Trusteer takes a different approach: secure the applications people want to access from these mobile devices. The solution involves a secure Web browser on a gateway that the mobile device must use to access the protected application.

According to the RSA 2011 Cybercrime Trends Report, the number one trend this year will be mobile device malware and the associated exploitation of mobile smart devices to commit fraud. The explosive growth of mobile smart devices as general purpose “on the go” computers has made them an attractive target for cybercriminals to exploit. Unfortunately, it is not just consumers and their banks that must consider the risks of mobile device malware; the consumerization of IT has laid the bridge for the crossover of consumer technology into the enterprise.  

As with all cybercrimes, or crimes in general, it’s a matter of opportunity. With the explosion of smart devices used to conduct business today, cybercriminals currently have a window of opportunity to exploit a variety of mobile platforms. Unfortunately for the enterprises that conduct business through the cloud, they must now support more devices than ever before. In effect they are finding that they must extend their corporate firewalls and services to places they may not be prepared for.  This proliferation in use of mobile devices has the potential of opening up a backdoor for specifically engineered malware to make its way onto the corporate network.

Many times, the problem is that mobile devices are not managed by the enterprise, and as a result they do not have the same level of controls surrounding them as do computing resources inside the firewall and laptops that are used remotely.  Consequently, companies cannot assure that the communications from these devices to corporate web applications are properly protected; that the devices are properly configured; and that they include all the security software needed to protect themselves and ultimately corporate applications and data.

Trusteer, a company focused on guarding against infection of Web based applications for both financial and non-financial enterprises, believes that the best way to protect against Web-borne threats is to utilize a separate browser, apart from the default browser, solely for the mobile smart device. Trusteer’s recently released Secure Web Access product enables organizations to protect their Web applications, network and data from targeted attacks that exploit potentially insecure mobile devices. Secure Web Access is an extension of Trusteer’s Rapport Secure Web Browsing Technology for PCs and Macs, which secures both online banking transactions and other sensitive Web-facing transactions.  

Secure Web Access pairs software on the enterprise gateway with a lightweight standalone secure browser that any institution can use to force customers and employees to use in order to access corporate Web applications. The product enables secure access to corporate Web applications via the mobile device. This protects communications to prevent cybercriminals from gaining access to or seeing sensitive data, thus preventing security beaches and data theft via man-in-the-middle and man-in-the-browser attacks. Secure Web Access allows organizations to define and apply access control policies based on the security status of the device. Such policies might include actions like blocking access to all or only select resources.

For example, if someone attempts to access a Secure Web Access protected Web application with a mobile device default browser, the protected application will force the person to utilize the Secure Web Access secure browser for secure communication. Once the user’s mobile device accesses the application via the secure browser, Secure Web Access assesses the security posture of the device to assure it is properly protected by checking the status of the device, looking for known infections, security exploits and unpatched vulnerabilities.  

When Secure Web Access detects the device is at risk, depending on the established security policies and the sensitivity of the data being accessed, there are several ways an organization can address the issues at hand, such as blocking access until separate remediation is performed or only allowing limited connectivity to less sensitive resources.

Secure Web Access logs the status of each device. This information is forwarded in real time to the appropriate administrator along with alerts that someone is attempting to connect a sensitive application from an infected or unsecured mobile device.  

Users of Trusteer’s Secure Web Access protected devices can continue to use their native web browser for their personal browsing on all leading tablets and mobile devices including iPad, iPhone, Android, Blackberry and more.

Smart phones and tablet computers are the next great frontier for cybercrime. It’s time for organizations to consider how to protect them and the enterprise applications they access.

Brian Musthaler is a Principal Consultant with Essential Solutions Corporation.  You can write to him at Bmusthaler@essential-iws.com.  

About Essential Solutions Corp:  Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive.  Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.