• 10/01/2013
    12:11 PM
    Andrew Borg, Aberdeen Group
  • Commentary

How To Keep Enterprise Mobile Apps Secure

Mobile apps must be treated as essential parts of an enterprise security ecosystem, extending from the device to the cloud or data center.

As Uncle Ben said to Peter Parker before Peter became Spiderman, "With great power comes great responsibility." So it is with enterprise mobile apps -- when properly implemented, they can bestow great benefits to an organization; yet to protect those benefits requires attention to a broad set of security measures.

A mobile software initiative (MSI) that starts and stops with mobile device management (MDM) hasn't done enough. Simply controlling the mobile device itself doesn't protect the data that the device accesses, transmits and stores. Nor is it enough to just implement mobile application management (MAM) without considering the security of wireless communications, the data center and cloud services.

A comprehensive approach to mobile app security is required -- where the mobile app is viewed as an integral part of a security ecosystem, reaching from the mobile device to the core of the cloud and/or data center.

The Essential Mobile App Security Ecosystem

EMM chart

Although an end-to-end security strategy is the goal, this column focuses on those security capabilities that center on the mobile endpoint, its apps and data -- as described in previous Aberdeen research on enterprise mobility management (EMM). These essential EMM security features include:

Environmental and Biometric Sensors in the device (such as video/still image capture, geo-location, sound, motion, fingerprint or iris scan, orientation, proximity, acceleration, ambient temperature, humidity, etc.) should comply with the organization's data capture policies, and their use should be selectively controlled by MDM (as described below).

Device Access Control protects physical access to the device by requiring successful recognition of a policy-defined password, pattern swipe, biometric scan, voice or facial recognition.

Content Management / Data Loss Prevention software uses encrypted on-device data storage ("containerization"), policy-defined cut-and-paste controls (to prevent data "leakage"), and/or website access control via URL filtering to restrict the intentional or inadvertent non-compliant sharing of protected content.

Encrypted Data Storage is cypher-encoded protected data (typically hardware accelerated to speed up access) stored on the device, whether in volatile memory, persistent memory or removable storage.

Application Management and Security uses MAM to secure access and deployment of approved enterprise mobile apps, including the ability to approve (whitelist) compliant apps, and quarantine (blacklist) non-compliant apps. MAM services, such as those from AirWatch, MobileIron and Apperian, typically incorporate an enterprise app store, which provides a central online location for distributing, downloading and tracking policy-compliant mobile apps for use by employees.

Device Management and Security uses MDM to define and enforce policies regarding control of the mobile device remotely, over-the-air. Typical services, available from BoxTone, SAP Afaria and Fiberlink, include over-the-air device wipe (erase all applications and data on the device), device lock (block device access) and remote device configuration.

User Authentication requires confirmation of the user's identity as described in a corporate directory service (e.g. Active Directory) before giving access to secured data or software. Two-factor authentication is typically recommended for confidential data -- such as a user name/password combination plus a successfully answered challenge question or positive fingerprint identification.

Device Authentication confirms the unique identity of the physical device. It must meet security and configuration requirements, independent of any of its users.

Antivirus / Anti-Malware uses software and/or a Web service to protect the mobile operating system and file system from loading, storing or spreading a computer virus or malware. Mobile anti-malware and antivirus software options are available from McAfee, Symantec, Kaspersky and Avast. It's worth noting that almost every product available focuses on the Android platform; iOS remains relatively virus-free so far.

Enterprise-grade mobile app security is so much more than MDM or MAM. It must incorporate each phase of data access and integration, from cloud core to mobile edge. To keep the valuable intellectual property of the organization protected, mobile app security should be every employee's concern and responsibility. It should not be implemented in an ad hoc manner, but as a well-coordinated strategy led by the internal experts: IT.

Complimentary access is available to the full Aberdeen research report, "When is Enough Mobile App Security Actually Enough?"

Andrew Borg is Aberdeen Group Research Director, Enterprise Mobility and Collaboration, Director of Aberdeen's Mobility Center of Excellence, and research practice lead in SoMoClo (the converged Social Mobile Cloud construct).


re: How To Keep Enterprise Mobile Apps Secure

Great article! But I am wondering if the CIO/IT admin has the time/budget to carry out all these steps before rolling out a mobile program. And what about BYOD, where lots of these might not be possible to enforce (e.g. anti-malware on devices, MDM, device authentication)?

Isn't something simpler possible where the TCO and time to value is much lower? And what about user privacy? Is (s)he giving in to corporate controlling his/her device, the way the desktop/laptop was?

(We at Armor5 tend to believe we have a solution to these, but would like to hear from the author and others whether these are also points of consideration.)

re: How To Keep Enterprise Mobile Apps Secure

You make many fine points.  Check out a book called "I.T. WARS" - it has some advice on how to balance burdens, when it makes sense to offload to a service vendor, etc.  Might be in the library, some college libraries have it (UofW had a course that used it); I know it's on Amazon.

re: How To Keep Enterprise Mobile Apps Secure

This is an excellent article! Enterprise mobility is an emerging trend, and the security of Enterprise Applications is an important area...

RE: How To Keep Enterprise Mobile Apps Secure

Great post Andrew! This detailed coverage on the basics of mobile app security will hold good for years to come. To add to your views, while developing the mobile strategy, it is advised that enterprises define assets and how mobile apps use these assets, identify and prioritize potential threats and enforce sound app security processes to prevent unauthorized code manipulation. Sound MAM and MDM strategies will only help to an extent. If you are looking for an absolute solution, follow the suit of Intel and SAP, implement private app stores. Read the detailed benefits of owning a private enterprise app store here: http://mlabs.boston-technology.com/blog/why-do-we-need-enterprise-mobile...

Mobile Apps Security - Do what we did...

Do what we did - called ShuffleLabs (in Herndon, VA - DC Metro area).  If you can, let experts do security, especially in the mobile realm - if you're getting further and further into that as a serious support to business.

Full mobile security...

...can only be guaranteed by implementing a complete solution for enterprise mobility. This should include MDM, MAM, file access, file sharing and collaboration, as well as security features and auditing. Most of the points given are fulfilled by EMM solutions. Especially when using iOS devices combined with an effective management tool, companies can gain a very high level of security. Further detailed information on a complete mobile security concept can be found on Cortado Corporate Server's mobile security topic page.

nice information

The article about how to keep enterprise mobile apps secure is necessary. The data, B2B and B2C, should be secure. Thanks for sharing the tips to secure mobile apps.