Five Steps to Solid Cloud and Mobile App Delivery

While the idea of an enterprise app store may appeal to enterprises for a number of reasons, most organizations still need to lay a considerable amount of groundwork to ensure the success of their initiatives.

Natalie Lambert, a former Forrester analyst and one of the thought leaders responsible for pushing the acronym BYOD into the limelight, said she believes organizations need to go through five stages to reach app-delivery nirvana. We take a look at some of her recommendations, along with commentary from other industry pundits discussing the challenges of supporting an environment that consolidates the best in mobile and cloud technology.

Step 1: Unify Cloud Apps.

A well-oiled enterprise app store will likely play into a broad goal of managing application and data delivery across all devices and locations. Cloud infrastructure plays a big role in this kind of unification, according to Lambert, who's now directory of product marketing at Citrix.

"Centrally managing access to corporate intranet, Web, SaaS and virtualized Windows desktop applications from the cloud is a key strategy for any enterprise," she says.

On the mobile front, this unification will take foresight and planning around the new paradigm of user interfaces introduced by mobile devices.

"Since most Windows apps were designed for a keyboard and mouse, the key for these applications is to use a solution that can optimize the user experience for mobile devices," says Lambert.

Most importantly, she notes, single-sign-on authentication will prove an important ingredient to the mix.

"A unified content controller approach with single sign-on can provide necessary management across a broad array of application types," she explains.

But experts warn that it's critical to ensure that single-sign-on (SSO) deployments aren't rushed for the sake of expedience without taking care to implement a truly secure authentication mechanism to support that ease of use. The nature of SSO is such that the stakes are much higher if the authentication process is compromised, sayd Eric Olden, founder and executive chairman of identity management firm Symplified.

"When you concentrate so much access behind a single authentication and that authentication is a weak password, then you run the risk of 'hack me once, compromise me everywhere,'" he says.

Step 2: Secure Local Content.

Organizations may be spending too much time mired in the minutiae of mobile device management, and not enough on local application and data management, Lambert warned. Enterprises must do a better job of refocusing on managing and securing the content rather than the device itself in order to put "fine-grained information control back in the hands of IT," Lambert says.

Development planning needs to be on order to gather the reins of control on that local content when delivered through native mobile apps, she says.

"For native mobile apps, there are two keys to securing and delivering mobile applications: 'wrapping' the application for native execution and providing flexibility for cross-platform development, such as HTML5 apps," she says.

At the beginning of the year, IDC reported that a survey of mobile developers found 79% were planning on integrating some kind of HTML5 support within their mobile apps in 2012. It remains to be seen whether those plans pan out at year's end, but Gartner analysts warn that HTML5 still has a long way to go in the enterprise.

"There is visible momentum around HTML5; however, as with most technologies, especially on the Web, interest is occurring primarily outside the enterprise sector--among progressive Web designers and among mobile application developers," wrote Hung LeHong and Jackie Fenn in a recent Gartner report, "Hype Cycle for Emerging Technologies."

Regardless, cloud data needs additional attention to securely and sanely deliver that content across all devices, including smartphones and tablets, Lambert says.

"For cloud data on mobile devices, this involves encrypting the data files on mobile devices, providing 'follow-me' access across devices, and supporting the ability to wipe the data if needed," she says.

Next: Steps 3-5, From Controlling Access to Bringing It All TogetherStep 3: Control Access Based on Identity.

The rapid proliferation of apps within the enterprise, mobile or otherwise, plus the concerns Olden voiced about reinforcing the security of SSO mechanisms, make it doubly important that organizations do a better job mapping data and application access to job functions, Lambert says.

"Core to this principle is role-based identity management," Lambert adds.

She recommends that in addition to SSO, organizations build their identity and access management (IAM) practices around products that support multiple authentication types, active directory federation and role mapping to appropriate applications and data stores. Also critical are mechanisms for "active" identity management to automatically grant and rescind access as people come and go and their roles change within the organization.

Industry watchers have noted that the combination of mobility and cloud have surged to become a big driver of IAM in 2012.

"The problem is, how do I manage user identification both in my own network and in my cloud without having to duplicate efforts?" says Pierluigi Stella, CTO of Network Box USA. "How can I be assured that the iPad being used to access the company's data in the LAN and in the cloud is legitimate, used by the actual and legitimate user, and all this without having to manage identities in three different places?"

He agrees with Lambert that role-based access control will play a big part in answering those tough questions.

Step 4: Control Access Based on Policy

As an offshoot to step three, organizations should institute access management that manages not only based on who you are, but also what you are accessing data from. This should provide an additional layer of security and control.

"Policies must provide 'contextually aware' mobile information access," Lambert says.

She suggests that policy and automation work be focused around location, device type, network, authentication requirements and event-driven access disablement.

"These policies should then be applied down to the specific application or file to allow or restrict access," Lambert says.

According to Corey Nachreiner, senior network security strategist at WatchGuard Technologies, context is king when it comes to access control.

"If you see a TFTP connection sending an AutoCAD document to an IP address in China, it has very different connotation than if you see an authenticated user you know, with a C-level role, uploading that same AutoCAD document," he says. "In both cases, a sensitive AutoCAD document is leaving your network, but one of those scenarios is probably company approved."

Step 5: Bring It All Together

It isn't until the previous steps have been taken that enterprises are ready for a more pervasive application and data delivery mechanism for any device, Lambert says.

That's where the app store comes in.

"What's left is balancing IT control with an end-user experience built around convenience through an enterprise app store," she says, recommending app availability based on role, app request workflows and self-service subscriptions. The app store should also be able to offer native app delivery for mobile devices in use and "follow-me" access for information across devices.

Sounds good in theory, but, according to Gartner analysts, it may take a while for enterprises to realize those kinds of goals.

"The technology industry has long talked about scenarios in which any service or function is available on any device, at any time and anywhere," wrote LeHong and Fenn. "The technologies and trends that are part of this scenario include BYOD, hosted virtual desktops, HTML5, the various forms of cloud computing, silicon anode batteries and media tablets."

Among those, Gartner considers HTML5, silicon anode batteries and hosted virtual desktops to be keystones; the first two are still at the peak of the hype cycle, and hosted virtual desktops are just now sliding into the "trough of disappointment." If its prediction holds true, that means it may take up to five years for these lynchpin technologies to bear fruit within the enterprise.