
EETE JUNE 2013

applications that are accessed via the browser, has challenged this model. IT teams need to accept that the consumer cloud has come into the enterprise environment, along with the use of personal devices. To ensure risk management and compliance, IT must embrace the use of these services and provide equivalent secure alternatives. CIOs, CISOs and risk and compliance managers need to address how they will enable SaaS and bring your own device (BYOD) while still controlling access to data and auditing application use. Corporate data that is accessed via a Web-based application is prone to the same insider threats and computer fraud as traditional corporate applications. The browser is simply the new end point. Therefore, access to applications through the browser needs to be managed and audited in the same way as access through traditional corporate computing devices.

Auditing browser-based data access

To address the security, governance and compliance issues associated with BYOD initiatives, SaaSID developed software that works within the browser, so that all browser-based applications can be controlled and audited, regardless of the devices employees use to access those applications. Embedding enterprise-class security within the browser has significant benefits. It enables organisations to introduce flexible BYOD schemes, with the attendant availability and productivity benefits of SaaS. If the browser is tightly locked down and Web application access and activity can be managed and audited, then employees can be given much wider freedom over the device they choose, regardless of whether it is owned by, or even known to, the enterprise. This approach also overcomes the HR issues created when organisations use mobile device management (MDM) and introduce a remote lock-and-wipe policy for lost or stolen devices, which has resulted in employees losing personal pictures, documents, films or music stored on the device.

Alternative approaches to managing Web applications

One of the biggest inhibitors to the increase in SaaS adoption is the forced downgrade to the one-size-fits-all security model offered by SaaS vendors. The vendor models typically lack granularity, which risks non-compliance with EU GDPR, PCI DSS and HIPAA Omnibus regulations, to name just a few. Organisations should look to restore access control and auditing of Web-based applications that is equivalent to existing on-premise security controls, independently of the cloud vendor if necessary. This will allow organisations to maintain compliance by detecting and preventing insider misuse of applications, whether inadvertent or intentional. Our software, Cloud Application Manager, takes the logical step on from single sign-on (SSO) tools and enables centralised authentication, application feature control and auditing of browser-based activity. This extends corporate governance to any device being used by authorised users and enables CIOs to create an audit trail of employees' interactions with Web applications for compliance with European regulations.

Proxy versus agent-based security

When developing our browser-based security and compliance software, an alternative would have been to develop a proxy instead. The proxy-based approach to managing Web applications is a valid solution for sites delivered using the traditional model, where each individual page within the application has a unique URL. Proxies are able to filter by URL and block access to specific pages. However, proxies cannot be used effectively to manage content when a Web application is a single-page application (SPA), also known as a single-page interface (SPI). An SPA is a Web application that has a single URL. SPAs are designed to provide a user experience that is more akin to that of a desktop application. Within an SPA, typically all necessary code (HTML, JavaScript and CSS) is retrieved with a single page load. Updates to the page as the user interacts with it may or may not involve further interaction with a server. The page does not automatically reload during user interaction with the application, and control does not transfer to another page. The URL in the browser, the attribute that a proxy-based solution relies upon, rarely changes across the entire functionality of the application.

Google Apps is a well-known SPA. Within Google Apps, as the user accesses Gmail and Google Calendar for example, the core URL never changes. With a proxy-based solution there is one choice: CIOs can allow access to Google Apps in its entirety or block it completely. For organisations that need to filter individual components, such as specific buttons, links or menu options on the screen (within the page), in order to prevent certain employees from handling particular corporate information, proxies simply cannot be used.

The majority of modern pages are built on the user's machine and rendered within the browser window. The base HTML is delivered to the client's browser first, and then additional functionality is delivered (by JavaScript, for example) that enhances the core structure with event handlers and builds the page up into a richer Document Object Model (DOM). Using proxies, specific URLs must be filtered, so the choices are limited: CIOs can either block the base page or block individual scripts within a page. If the base page is blocked, the user will see no content at all. Blocking individual scripts typically breaks all functionality within the page; while the user may see some or all of the content, the application is effectively crippled.

Fig. 2: Agent-based Web application control allows highly granular control over access to individual page elements.

www.electronics-eetimes.com Electronic Engineering Times Europe June 2013 41
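The following Node.js sketch is an added illustration, not SaaSID's code and not from the article: it contrasts a control point that sees only the request URL (a proxy) with one that sees the rendered page (an in-browser agent) for a single-page application. The URL, the `data-action` attributes, the roles and the rules are constructed assumptions, and the tiny tree of objects stands in for a real browser DOM.

```javascript
// Added example (not SaaSID's product code). Constructed SPA, rules and roles.

// A proxy keys on the URL. For an SPA, every feature (mail, calendar, ...) is
// reached under one origin+path and only the fragment changes, so the proxy
// can return just one verdict for the whole application.
function proxyDecision(url, blockedApps) {
  const u = new URL(url);
  return blockedApps.has(u.origin + u.pathname) ? "block" : "allow";
}

// Minimal stand-in for DOM nodes (constructed; not a real browser DOM).
function el(tag, attrs = {}, children = []) {
  return { tag, attrs, children, disabled: false };
}

function* walk(node) {               // depth-first traversal of the page tree
  yield node;
  for (const c of node.children) yield* walk(c);
}

// An in-browser agent sees the rendered elements, so it can disable individual
// controls by role and write an audit record for every decision it makes.
function applyAgentPolicy(root, user, rules, audit) {
  let disabled = 0;
  for (const node of walk(root)) {
    const action = node.attrs["data-action"];
    if (!action) continue;                        // not a controlled element
    const rule = rules[action];
    const allowed = !rule || rule.roles.includes(user.role);
    audit.push({ user: user.name, action, allowed });
    if (!allowed) { node.disabled = true; disabled++; }
  }
  return disabled;
}

function demo(user) {
  // Constructed SPA: one URL serves reading mail, exporting mail and sharing
  // a calendar externally; only the last two are restricted to "compliance".
  const appUrl = "https://apps.example.test/u/0/#inbox";
  const page = el("div", { id: "app" }, [
    el("button", { "data-action": "mail.read" }),
    el("button", { "data-action": "mail.export" }),
    el("a", { "data-action": "calendar.share-external" }),
  ]);
  const rules = { "mail.export": { roles: ["compliance"] },
                  "calendar.share-external": { roles: ["compliance"] } };
  const audit = [];
  const proxy = proxyDecision(appUrl, new Set());  // nothing blocked: no finer choice exists
  const disabled = applyAgentPolicy(page, user, rules, audit);
  return { proxy, disabled, audit };
}
```

Running `demo({ name: "alice", role: "staff" })` shows the proxy allowing the whole application while the agent disables exactly the two restricted controls and records three audit entries.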