Security and mobility are, understandably, so wrapped up in each other that they tend to be mentioned in the same breath. All these smartphones and tablets peppering the workforce are great for operational efficiency, but they must keep IT department heads up at night. One iPad forgotten in the back of a cab and who knows what would be compromised.
It’s reassuring to see security awareness evolving in step with mobile app proliferation. We’re seeing that awareness manifest itself in three distinct areas: Authentication, Authorization, and Data Protection.
Authentication
How do you prove this user is who they say they are? The most straightforward strategy is the classic UserName and Password/PIN combination. While eye-scanners and fingerprint readers are fun, most organizations probably don’t have to go all Mission Impossible for now. Still, a policy that ensures those password protections are in place is a must.
Authorization
This takes a step up in terms of security significance. It’s about who within the organization gets access to what data once they are on the proverbial “inside”.
Smart organizations are realizing that users can be granted access to certain functions based on their group, their specific assignments, even their location, the time of use, or the operating system or the very model of their mobile devices. Not too long ago, managing and monitoring these variables was unthinkable. Now, it’s expected.
Accounting for each of these factors and applying them to authorization permissions has created a new security dynamic: contextual awareness. The mobile world is so change driven that any security policy must account for those ever-evolving aspects, from where a device may be, to how it is upgraded, to the device itself. Accounting for the user used to be adequate. Now, when it comes to enterprise mobile app usage, it’s just the first item on the security checklist.
Location, in fact, is perhaps the most significant factor. In the EU, for example, medical information companies are contending with cloud-based challenges when trying to remotely access medical records. If you are a patient in France, your medical records have to be on servers in France. Once healthcare providers start disseminating data on mobile devices, it becomes challenging for a physician in another country to access those records — a concept called geofencing.
Another geographic hurdle is geolocation — well known within the Department of Defense. Here, things do get a little “Mission Impossible,” with restrictions on certain devices being able to access specific data. This type of technology is definitely serving the intelligence community overseas.
Security policies that once were defined on the network level, and then moved to the device level are now being defined at the app level. And if you ask us, it’s going to go even further into the app. The multi-layer question constantly being asked: Is this user on this device, in this location, using this app, allowed to perform this specific function?
That’s today’s reality. Application developers need to understand these subtleties when working up their apps or face user frustration and disengagement caused by no fault of their own.
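The multi-layer question above (this user, this device, this location, this app, this function) can be written down as a default-deny policy check. The following is an added illustration, not App47 code; the apps, groups, country codes and rules are constructed sample values, and the France-only geofence mirrors the medical-records case described earlier.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Context:
    """Everything the policy looks at: who, on what device, where, when, doing what."""
    user: str
    groups: FrozenSet[str]
    os: str
    jailbroken: bool   # rooted/jailbroken devices fail integrity before any other check
    country: str       # ISO code of the device's current location
    hour: int          # local hour of day, 0-23
    app: str
    action: str

@dataclass(frozen=True)
class Rule:
    groups: FrozenSet[str]                       # at least one must match
    countries: Optional[FrozenSet[str]] = None   # geofence; None means anywhere
    oses: Optional[FrozenSet[str]] = None        # None means any OS
    hours: Tuple[int, int] = (0, 24)             # allowed [start, end) local hours

# Constructed sample policy keyed by (app, action); anything not listed is denied.
POLICY = {
    ("med-records", "read"): Rule(frozenset({"physician"}), countries=frozenset({"FR"})),
    ("hr", "view-salary"): Rule(frozenset({"hr"}), oses=frozenset({"ios"}), hours=(7, 20)),
    ("sales", "view-commission"): Rule(frozenset({"sales", "finance"})),
}

def authorize(ctx: Context, policy=POLICY) -> Tuple[bool, str]:
    """Evaluate the multi-layer question; returns (allowed, reason), default deny."""
    if ctx.jailbroken:
        return False, "device is rooted/jailbroken"
    rule = policy.get((ctx.app, ctx.action))
    if rule is None:
        return False, "no rule for this app/action"
    if not ctx.groups & rule.groups:
        return False, "user not in an authorized group"
    if rule.countries is not None and ctx.country not in rule.countries:
        return False, f"geofence: action not allowed from {ctx.country}"
    if rule.oses is not None and ctx.os not in rule.oses:
        return False, f"device OS {ctx.os} not approved"
    start, end = rule.hours
    if not start <= ctx.hour < end:
        return False, "outside allowed hours"
    return True, "allowed"

if __name__ == "__main__":
    dr = Context("dr.martin", frozenset({"physician"}), "ios", False, "DE", 10, "med-records", "read")
    print(authorize(dr))  # a physician abroad is geofenced away from French records
```

Every denial carries a reason so the app can tell the user why a function is unavailable instead of failing silently, which is the frustration the paragraph above warns about.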
Data Protection
The enterprise is not the same as the consumer realm in terms of personal data protection, but data privacy issues still abound, and companies like Localytics and Flurry are working to address them. Even if the app is yours and the user is an employee, there can be issues. Consider an HR or automation app dealing with salaries or sales commissions, for example. The information may not be valuable beyond your organization, but internally, its protection is critical.
Addressing data protection is demanding new policy approaches in keeping with the way mobile has changed the game. Just a half-decade ago, losing a laptop was the worst-case scenario. Think about how much smaller a smartphone is, how much easier it is to leave in the back of a cab or forgotten on a bar.
Other mobile app security considerations have to include accounting for whether or not a phone has been rooted or jailbroken. Such devices can do devastating damage, and every mobile device under your domain has the potential to be stolen or to go rogue.
This is forcing everyone to look at security in a different, much more scalable way. Instead of building a very large, strong, seemingly impenetrable layer of protection, we’re seeing better approaches in layered security at the device, app, and even the data and file-writing level. Once again, mobile means thinking in new ways. The fortress mentality that worked to some degree with monolithic systems is just too rigid. Instead, compartmentalized security that addresses the realities of a multiple-device dynamic is gaining favor.
An App47 Extra Point:
Even though it’s only Tuesday, most of us are ready for Super Bowl Sunday.
This week may be all about gearing up for feasting and football, but we’re hoping you save a sliver of anticipation because we’re planning to shake things up in the enterprise app store game.
When the Super Bowl ends, our disruption of the app store begins!