No Technology Solutions on the Near Term Horizon for a Better Defense Against Online Hacking

Vendors of popular online computing offerings (notably Apple, Google, and Microsoft) have each adopted and endorsed an “App” model. This writer is most familiar, at a conceptual level, with Microsoft’s version of this approach. Microsoft has positioned its Office 2013 App Model as a better approach to online security, but is it really?

For readers unfamiliar with the broad technical structure of “Apps” and how it might enhance online security for consumers, the key principle is “isolation”. In theory, “Apps” move a lot of processing from servers to clients; in other words, much of the activity the server used to handle is transferred to the PCs, smart phones, tablets, and even game consoles consumers use for computing tasks online. An App is a package of instructions for the client, written in some version of the JavaScript programming language together with the latest version of HTML (HTML 5 at the time of this post). The client runs those instructions inside a container (in the Office 2013 model, a browser frame embedded in the host application) that is supposed to keep the App away from the host application’s own data and from other Apps; that container is where the “isolation” actually has to be delivered.

In the case of the Office 2013 App Model, developers lean heavily on the jQuery function library to pull in procedures quickly, loading them from wherever they already exist online along with the supporting libraries required for successful execution. This practice poses several difficulties, a couple of which bear directly on online security for consumers. First, there are many versions of the jQuery library, and every build installs itself under the same global names ($ and jQuery). When one App is developed against one version and another App loaded into the same computing environment (for example, Office 365) brings a different version, the two conflict over those globals, and the result can be degradation of service for the end consumer. A related caveat: an App that fetches its libraries from a third-party host at run time trusts that host to serve the expected code every time, so the library version should be pinned and, where possible, bundled with the App rather than resolved online on each load.
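To make the jQuery conflict above concrete, here is an added example that is not code from the original post and not Microsoft’s or the jQuery project’s own code: a stand-alone simulation, runnable under Node, of two jQuery builds installing themselves on one page, and of the noConflict(true) mechanism that real jQuery exposes for exactly this situation. The version strings, the stand-in window object and the selector names are constructed for illustration.

```javascript
// Added example (not from the original post): a simulation of how two jQuery
// builds loaded into one page fight over the global `$`, and how jQuery's
// noConflict(true) lets a second App keep a private copy while restoring the
// first App's version. `win` is a plain object standing in for the browser
// `window`; the version strings are constructed sample values, not claims
// about which builds Office 365 ships.

// Mimics what a jQuery build does when its <script> executes: remember what
// `$`/`jQuery` already pointed at, then install itself globally.
function loadJQueryBuild(win, version) {
  const previous$ = win.$;
  const previousJQuery = win.jQuery;

  const lib = function (selector) {
    // Stand-in for DOM work; the version tag is what the demo inspects.
    return { selector, jquery: version };
  };
  lib.jquery = version;

  // Same contract as jQuery's own noConflict: restore `$`, and with deep=true
  // also restore `jQuery`, handing the caller the only remaining reference.
  lib.noConflict = function (deep) {
    if (win.$ === lib) win.$ = previous$;
    if (deep && win.jQuery === lib) win.jQuery = previousJQuery;
    return lib;
  };

  win.$ = lib;
  win.jQuery = lib;
  return lib;
}

// Scenario 1: App A was written against 1.7.2 and resolves `window.$` at call
// time; App B later loads 1.11.1 and silently overwrites the global.
function conflictScenario() {
  const win = {};
  loadJQueryBuild(win, "1.7.2");               // App A's dependency
  const appA = () => win.$("#ribbon").jquery;  // App A reads the global lazily
  loadJQueryBuild(win, "1.11.1");              // App B's dependency arrives
  return { appA_sees: appA(), global: win.$.jquery };
}

// Scenario 2: App B loads its build, immediately detaches it with
// noConflict(true), and keeps the returned object in its own scope, so App A
// keeps running against the version it was tested with.
function isolatedScenario() {
  const win = {};
  loadJQueryBuild(win, "1.7.2");
  const appA = () => win.$("#ribbon").jquery;
  const $b = loadJQueryBuild(win, "1.11.1").noConflict(true);
  const appB = () => $b("#taskpane").jquery;
  return { appA_sees: appA(), appB_sees: appB(), global: win.$.jquery };
}
```

The first scenario is the failure the paragraph describes: App A ends up calling a library version it was never tested against. The second is the fix real jQuery offers, and it only works if every App that brings its own build detaches it immediately after loading and never touches the shared global afterwards.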

Second, and unintended by advocates of this type of development, the App model’s reliance on a client-side method like JavaScript can be said to insulate the server, but it does so by shifting the burden of security onto the client. The App’s code now runs with whatever privileges the client user has, and any flaw in the App, or in the container that is supposed to isolate it, is exploited on the client rather than on the server. Since there are hundreds, if not thousands, or even millions of different clients interacting with one server (or with many servers behind a load balancer, which act as one server), there is a much higher likelihood of a security breach on a client machine than on the server. Once clients are compromised, they can be added to bot networks and re-purposed for other types of malicious activity.
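The isolation principle described earlier and the burden shift described in this paragraph meet at the boundary between the host page and the App frame: the browser keeps the two documents apart only if they live on different origins, and the one channel left between them is window.postMessage, so whatever the host accepts over that channel is the App’s attack surface on the client. The following is an added example, not from the original post and not Microsoft’s Office.js: a host-side gate over messages arriving from an App iframe, written as plain functions so it runs under Node. The origins, window objects, command names and sample messages are constructed assumptions, and this is not a description of how Office 2013 itself filters such messages.

```javascript
// Added example (not from the original post or from Microsoft's Office.js):
// the kind of gate a host page should place in front of messages arriving
// from an App iframe. The host loads the App from a separate origin, so the
// browser isolates the two documents and the only channel between them is
// window.postMessage. Everything below is plain data handling so it runs
// under Node; the origins, command names and messages are constructed
// sample values.

// Hypothetical host-side policy: the one origin this iframe was loaded from,
// the window object of that iframe, the set of commands the host is willing
// to perform, and an upper bound on payload size so a misbehaving App cannot
// tie up the host.
function createAppGate({ appOrigin, appWindow, allowedCommands, maxPayloadBytes = 4096 }) {
  const commands = new Set(allowedCommands);

  // `event` mirrors the MessageEvent fields the host would see:
  // event.origin, event.source and event.data.
  // Returns { accepted: true, command, payload } or { accepted: false, reason }.
  return function gate(event) {
    // 1. Exact origin match; never a prefix or substring check, never "*".
    if (event.origin !== appOrigin) {
      return { accepted: false, reason: "origin " + event.origin + " not allowed" };
    }
    // 2. The message must come from the iframe's own window object, not from
    //    a popup or another frame that happens to share the App's origin.
    if (event.source !== appWindow) {
      return { accepted: false, reason: "unexpected source window" };
    }
    // 3. Treat data as untrusted: require a plain object with a string
    //    command drawn from the allow-list and a bounded payload.
    const data = event.data;
    if (data === null || typeof data !== "object" || typeof data.command !== "string") {
      return { accepted: false, reason: "malformed message" };
    }
    if (!commands.has(data.command)) {
      return { accepted: false, reason: "command " + data.command + " not allowed" };
    }
    const payload = data.payload === undefined ? "" : JSON.stringify(data.payload);
    if (Buffer.byteLength(payload, "utf8") > maxPayloadBytes) {
      return { accepted: false, reason: "payload too large" };
    }
    return { accepted: true, command: data.command, payload: data.payload };
  };
}

// Constructed sample traffic. In a real host page the gate would be wired as
//   window.addEventListener("message", e => { const r = gate(e); /* ... */ });
// with appWindow set to the App iframe's contentWindow.
const appFrame = { name: "task-pane-frame" };      // stands in for iframe.contentWindow
const gate = createAppGate({
  appOrigin: "https://app.example.net",
  appWindow: appFrame,
  allowedCommands: ["getSelectedText", "setSelectedText"],
});

const sampleEvents = [
  { origin: "https://app.example.net", source: appFrame,
    data: { command: "getSelectedText" } },                // legitimate
  { origin: "https://app.example.net.attacker.example", source: appFrame,
    data: { command: "getSelectedText" } },                // lookalike origin
  { origin: "https://app.example.net", source: { name: "popup" },
    data: { command: "setSelectedText", payload: "x" } },  // wrong window
  { origin: "https://app.example.net", source: appFrame,
    data: { command: "evalInHost", payload: "alert(1)" } }, // not allow-listed
  { origin: "https://app.example.net", source: appFrame,
    data: "not an object" },                               // malformed
];

function runSamples() {
  return sampleEvents.map(gate);
}
```

The two checks that matter most are the exact-origin comparison and the source-window comparison: a prefix match on the origin lets a lookalike domain through, and skipping the source check lets any window on the App’s origin (a popup, a second frame) speak for the App. Only after both pass does the host look at the command, and even then only against an allow-list it owns.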

For better or worse, in late 2014 the best defense against malicious online activity is still a correct set of operational risk management processes, at least for large organizations of users.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved