Tuesday, January 8, 2013

One thing enterprises can't compromise on: mobile security

The latest in our series of 7 dos & don’ts for bringing enterprise applications to iPads is likely so self-evident – and important – that it probably should have been listed first.
The topic is mobile security.  No surprise.  In fact, not thinking about how to avoid unauthorized access and data breaches would indeed be a serious (and job-threatening) confession from anyone in IT related to a mobile project.
Here’s what our CTO and co-founder Stephen Vilke recommended in our recent webcast:
DON’T even think about it if it’s not secure.  That goes for both hardware and data.
While IT is often driven by end user expectations – especially when dealing with mobile devices – security is still an IT mandate. Naturally, enterprises wanting to make use of tablets, smartphones, and the like will have more stringent security requirements than those provided automatically by consumer devices.
Stephen went to great lengths to emphasize that it is an absolute must for IT to properly secure both an organization’s data at rest and data in motion. Ideally, no data should be stored on the mobile device itself. Instead, newer technologies can ensure that no data leaves your data center. Sophisticated communication protocols should be leveraged to provide a mobile connection to enterprise systems without the physical transfer of data between device and network.
On the hardware side, because most tablets lack USB ports and DVD drives, at least one element of security is easier to manage than for conventional laptops (although this may change in the future). However, in addition to being easier to misplace, tablets’ portability and desirability make them obvious targets for theft.
As a result, robust encryption and password enforcement are critical to ensure data security, and tracking and remote wipe can be important to make sure that lost or stolen devices do not lead to major breaches of confidentiality or disclosure of sensitive information. And given the rate of change, IT has to be on top of the latest, while remembering a few of the things from the past.  Says Stephen:
“As companies develop security and mobility strategies to deal with these devices, it is worth bearing in mind the lessons we learned from managing laptops, and how we thought about securing those devices way back when.
“There are now more attack vectors than ever for the bad guys, so having policies, standards, and guidelines around security is a must.  Education is key only if it’s enforced. This goes from two-factor authentication (2FA) to sensitive client data to VPN connections to credentials storage.
“The tablet is forcing us to build on what we’ve learned before and to rethink what needs to be secured – and when.  Tablets won’t be powerful enough for the foreseeable future to run edge-point analysis, intrusion detection, anti-virus and yet still supply the user with app functionality. We (IT) crippled hugely powerful machines to the point of 10-minute boot times – these tablets have no chance. However, their simplicity offers new strategies – these need to be thought out.”
If it’s not obvious from these comments (or previous blog posts), Stephen sees security as one of the most important issues in enabling tablets in your enterprise IT environment.
It’s no surprise, then, that we’ve wrapped strict security measures into everything we’re working on here at Framehawk.  In fact, we've taken some new approaches to enable a whole new level of security for applications that will be mobile-enabled.  For more on the architectural differences that make security a big differentiator for Framehawk, you can start with this white paper (registration required).
To read more of our CTO Stephen Vilke's perspectives on enterprise mobility, you can download “Confessions of a CTO: 7 Dos & Don’ts for Bringing Your Existing Apps to the iPad,” the companion white paper to this series of blog posts and our recent webcast (registration required).
[This post also appears on the Framehawk blog.]
