New Firefox OS will enhance SaaS security

As the business world moves towards client computing, Mozilla has promised to address issues like security with a free, cloud-sourced operating system that should make it easier to deploy SaaS apps.

Mozilla is best known for Firefox, the browser. Now it’s extending its reach into the mobile phone and tablet space with a freeware operating system. Firefox OS is based on a very simple Linux distribution (labeled Gonk in the stack), and structured around HTML5, which has finally reached a high level of maturity.

In addition to Gonk, there is a Gecko layer that implements the app space, and supports HTML, CSS, and JS. Gecko has the networking, graphics, and porting stacks. The user interface is Gaia, which is written entirely in HTML, CSS, and JS. Gaia is portable to other OS environments, because it only uses standard Web APIs.

The user interface in FOS is built as a browser using HTML5. The product focuses on the browser experience, both locally and for imported content and apps. First looks are good, with a nice appearance and all the features expected for smartphones, etc.

The browser nature of the UI could mean a good deal of personalization in the future, both by users and vendors, and this is supported by the intense security structure built into the OS.

The OS core itself is interdicted by being in a read-only space. Mozilla has a feature where vendors can download encrypted updates and temporarily make this space writable; this is a very small exposure that Windows would do well to emulate.

What about security?

Apps and content are graded to three levels of security. Most apps are untrusted and have limited API access to features, so they can’t corrupt basic functionality. A select second tier consists of apps that are certified and digitally signed, with access to more APIs. Only a few systems-class apps such as Bluetooth, telephony, and camera are classed as the most-secure certified tier.

Apps default to the lowest level of trust following the Principle of Least Privilege. The security system allows upgrading of permissions via a runtime review process. The locked down OS and the security system should make for a very secure product.

FOS has already some buy in, with ZTE and Alcatel making handsets. It has the potential for eating into the Android market, and for gaining share anywhere security is important. It is of interest in emerging nations, too, because the price is right.

This looks like a very portable model with low integration costs, and that has to be attractive.

The SaaS side

The implications for the SaaS space are interesting. Being essentially a smart browser it will accelerate moving to a browser-based client model for SaaS applications, and the security features look to be adequate for enterprise use.

Mozilla is pushing WebApi as a tool for transitioning from native apps to a browser, with the not-so-incidental benefit of the resulting apps running on any platform without a rewrite. This has big implications for the software industry, making for OS agnostic apps.

The browser emphasis also ought to strike a nerve with the Android types, and it isn’t difficult to see the two of them converging on the browser-based model and, in the process, making life even more miserable for Windows in the mobile and desktop spaces.

It’s still too early to figure out all the implications, and market acceptance, more than technical elegance, will determine FOS’s success in a crowded market. Still, the price is right, the story sounds good, and it fills needs, so FOS should see some play.

Source: SaaS in the Enterprise