Unlike B2C markets, mobility has only recently started to penetrate the enterprise space, and enterprise mobile apps are now aiming to be more than just marketing or employee-management tools. As businesses start looking for enhanced data sharing, collaboration, productivity, financial improvement and other features specific to enterprise applications, what are the key security concerns, who should address them, and how?
I asked our CTO this question and am sharing his answer with you here.
Most of today's enterprise leaders are really concerned about BYOD (bring your own device), malware and cyberattacks that may target their infrastructure, sensitive data and clients' confidential information, as well as careless employees who may cause trouble by sharing something outside the enterprise. But endpoint security is the root of all of these concerns when it comes to the enterprise.
Let's take a look at the leading tech companies and how they protect their enterprise solutions from cyberattacks. Apple's security has traditionally been DRM-focused, and Microsoft's security focus is mainly on consumers, especially with Windows Phone 7. By the way, that platform doesn't even support all of the out-of-the-box ActiveSync device policy configurations. Developers have nevertheless found ways to root Windows Phone 7 devices, and Microsoft doesn't seem to object much or put any mitigations in place.
Google's Android remains the most vulnerable platform to date, and the company has made it clear that Android is a completely consumer-facing mobile platform. Along with virtualization, VMware uses Open Kernel Labs to ensure appropriate hardware support for an acceptable UX. Other brands keep adding secure enterprise-management features and creating secure communication channels for access to enterprise data. However, enterprise mobility security remains a burning question.
The good news is that security vendors are joining forces to develop endpoint security solutions for the enterprise. The bad news is that mobile application developers, users and IT security designs are not yet properly factored into innovative and emerging mobile technologies.
However, there are so many trusted and proven methods for securing non-mobile software solutions that enterprises have no need to reinvent the wheel, at least for their MVP mobile applications. Our experience building enterprise mobility solutions, both MVPs and full-fledged, robust products, shows that IT security bolted on at the end of a software development project is half as effective and twice as expensive as IT security designed into the specification before the project even launches, because doing security testing right before your app's general-availability release is like shooting in the dark.
When we build custom enterprise mobile applications at Intersog, we design security into the application by asking our customer the following key questions (well, some of them):
- Should the data required for your app to work properly reside on the user's device or be streamed from a remote location? What will the impact be if the user can't get to the data on the device?
- How sensitive is the data you'll be storing, processing and transmitting in your mobile information system? Will you be sending users' personal data to a website? What will happen if your sensitive and critical data is accessed by unauthorized users? What will the impact be if your mobile device data is read by another app that is allowed to run at the same permission level?
- Does the mobile device's battery level matter for your app to do its job? How will an integrity failure impact your app's data and users?
Having received answers to these and many other questions, Intersog's PMs and BAs are able to clearly outline the potential security risks, understand how each will affect your enterprise app's data, users and information system, identify existing methods to mitigate those risks, and develop additional controls to address any gaps identified during the risk assessment.
After a thorough risk assessment, we create an application security strategy to make sure all of the major security concerns are addressed. In particular, I'm speaking about data storage and transmission, SSL issues, data leakage prevention, untrusted inputs, app legitimacy verification, server-side controls and the back end, etc.
BYOD is also a huge concern when it comes to the security of enterprise mobility, as it presents its own unique challenges. With BYOD there's a possibility that sensitive data can fall into the wrong hands and be used against your brand. Some companies use special apps that wipe an employee's device remotely.
But that's another story, which I'll keep for the next blog post!