As Uncle Ben said to Peter Parker before Peter became Spiderman, "With great power comes great responsibility." So it is with enterprise mobile apps -- when properly implemented, they can bestow great benefits to an organization; yet to protect those benefits requires attention to a broad set of security measures.
A mobile software initiative (MSI) that starts and stops with mobile device management (MDM) hasn't done enough. Simply controlling the mobile device itself doesn't protect the data that the device accesses, transmits and stores. Nor is it enough to just implement mobile application management (MAM) without considering the security of wireless communications, the data center and cloud services.
A comprehensive approach to mobile app security is required -- where the mobile app is viewed as an integral part of a security ecosystem, reaching from the mobile device to the core of the cloud and/or data center.
The Essential Mobile App Security Ecosystem
Although an end-to-end security strategy is the goal, this column focuses on those security capabilities that center on the mobile endpoint, its apps and data -- as described in previous Aberdeen research on enterprise mobility management (EMM). These essential EMM security features include:
Environmental and Biometric Sensorsin the device (such as video/still image capture, geo-location, sound, motion, fingerprint or iris scan, orientation, proximity, acceleration, ambient temperature, humidity, etc.) should comply with the organization's data capture policies, and their use should be selectively controlled by MDM (as described below).
Device Access Controlprotects physical access to the device by requiring successful recognition of a policy-defined password, pattern swipe, biometric scan, voice or facial recognition.
Content Management / Data Loss Preventionsoftware uses encrypted on-device data storage ("containerization"), policy-defined cut-and-paste controls (to prevent data "leakage"), and/or website access control via URL filtering to restrict the intentional or inadvertent non-compliant sharing of protected content.
Encrypted Data Storageis cypher-encoded protected data (typically hardware accelerated to speed up access) stored on the device, whether in volatile memory, persistent memory or removable storage.
Application Management and Securityuses MAM to secure access and deployment of approved enterprise mobile apps, including the ability to approve (whitelist) compliant apps, and quarantine (blacklist) non-compliant apps. MAM services, such as those from AirWatch, MobileIron and Apperian, typically incorporate an enterprise app store, which provides a central online location for distributing, downloading and tracking policy-compliant mobile apps for use by employees.
Device Management and Securityuses MDM to define and enforce policies regarding control of the mobile device remotely, over-the-air. Typical services, available from BoxTone, SAP Afaria and Fiberlink, include over-the-air device wipe (erase all applications and data on the device), device lock (block device access) and remote device configuration.
User Authenticationrequires confirmation of the user's identity as described in a corporate directory service (e.g. Active Directory) before giving access to secured data or software. Two-factor authentication is typically recommended for confidential data -- such as a user name/password combination plus a successfully answered challenge question or positive fingerprint identification.
Device Authenticationconfirms the unique identity of the physical device. It must meet security and configuration requirements, independent of any of its users.
Antivirus / Anti-Malware uses software and/or a Web service to protect the mobile operating system and file system from loading, storing or spreading a computer virus or malware. Mobile anti-malware and antivirus software options are available from McAfee, Symantec, Kaspersky and Avast. It's worth noting that almost every product available focuses on the Android platform; iOS remains relatively virus-free so far.
Enterprise-grade mobile app security is so much more than MDM or MAM. It must incorporate each phase of data access and integration, from cloud core to mobile edge. To keep the valuable intellectual property of the organization protected, mobile app security should be every employee's concern and responsibility. It should not be implemented in an ad hoc manner, but as a well-coordinated strategy led by the internal experts: IT.
Complementary access is available to the full Aberdeen research report, "When is Enough Mobile App Security Actually Enough?"
Andrew Borg is Aberdeen Group Research Director, Enterprise Mobility and Collaboration, Director of Aberdeen's Mobility Center of Excellence, and research practice lead in SoMoClo (the converged Social Mobile Cloud construct).