Risk-adverse executives are wise to put into place governance policies pertaining to how mobile devices and mobile application are both consumed internally by employees, and delivered externally to customers. Of course, many of the challenges associated with deploying Internet-based mobile applications to the general public have been addressed over the years and are now readily understood. The new frontier causing consternation for data architects is the push to deliver internal applications to employees, and the subsequent deployment of those applications across public networks while mitigating mobile risks.
Delivering internally facing mobile applications has the potential to greatly increase productivity, but it comes with a dangerous downside as well, and that the downside has the potential for damaging and embarrassing security breaches. "Data leakage is a big issue with mobile applications, or at least, it's potentially a big issue," said Van Baker, a senior Gartner Inc. vice president specializing in the mobile and wireless space. So what should the security-conscious IT professional be thinking about when developing mobile applications that will use used by employees and staff members?
Authenticate at the application level
Nobody would ever deploy a corporate application across the Internet without requiring credentials before mitigating access, but this type of approach is all too common in the mobile application world. It is sometimes assumed that since the mobile device itself is protected by a four-digit password, and because the user of the device is a trusted employee, the mobile app itself need not employ a subsequent authentication mechanism. Nothing could be further from the truth. If an application is to be deployed to a mobile device, ensure that authentication is baked right into the application.
And it's not just about securing the application on the phone, but the corporate servers need to know that the person requesting data is indeed a staff member, employee or trusted user. "You want to be able to authenticate the users who are coming in because they are coming in on a cellular network, and you want to make sure they are members of your corporation," said Baker.
Secure all communications over the public network
If an employee is doing work on their cell phone, be it responding to email or filling out an expense report, their interaction with the corporate backend is only as secure as the public network over which they are communicating. "If you're sending sensitive information to mobile applications, you want to make sure that data is encrypted in transit," said Baker. Given the inherent fact that a public network will never really be secure, all client-server based interaction between a corporate application hosted on a mobile device and the corporate system itself must be encrypted, and encrypted using a secure protocol that hasn't been compromised. That means not only using encryption, but keeping up to date on the encryption technologies and having a contingency plan on how to switch technologies when something like the SSL 3.0 POODLE exploit rears its ugly head.
Don't make your data accessible
Along with the encryption of the network, any data stored on the local device must be encrypted as well. No iPhone or Android app should ever store local data in an unencrypted format. It is with great ease that an iPhone or an Android device can be hooked up to a desktop with a suite of mobile device cracking tools, and all of the plain text data on the device can be accessed. "If data resides on the mobile device you want to make sure that data is encrypted in order to protect the intellectual property of the organization," said Baker. The latest Android and iPhone updates provide for full disk encryption, which is a very good start, but it's not good enough. Custom encryption and hashing techniques need to be applied to any piece of data that is stored locally on a mobile device.
Contain the threats
One of the unique challenges mobile devices present, especially if an organization employs a bring your own device (BYOD) strategy is the fact that employer-supplied programs hosting sensitive corporate data sits right alongside personal mobile apps like Facebook, Twitter and Gmail. "People are going to have personal applications on these mobile devices that are not under the control of the enterprise," said Baker. Any mobile governance model must be aware of the inherent danger that is presented when a user could either maliciously or inadvertently post internal information publicly on a social media site.
Fortunately, there are simple solutions that will thwart the much beloved cut-and-paste function of most operating systems. Native mobile applications can be easily containerized, and their ability to share data and functions with other programs will be subsequently neutered. It's a basic step that can provide a much greater level of application security, yet many organizations fail to go through the required steps to enable it.
Just don't do it
There's always a foolproof way to fully secure your data from vexatious world of cell phones and tablets: simply don't provide mobile functionality at all. "People have an expectation that anything they can do on the desktop, they should also be able to do on a mobile device, but that doesn't always make sense," said Karsten Torp, technical director with Pernexus Systems. Just because users enjoy a particular program while working behind their desk at the office, doesn't mean they need to be provided that same program or functionality on their mobile device. If the risk associated with providing a certain level of access through a mobile device is too great, an enterprise organization shouldn't feel ashamed not to provide that type of functionality.
The idea of providing mobile access to highly secure corporate data streams and systems is a scary proposition at the best of times. Sometimes the risk is worth the reward, especially when the reward is increased productivity and efficiency, so long as the risk can be mitigated as much as possible. By following these pieces of advice, enterprises will be taking the right steps to strike the right balance between mobile risk and reward.