Even though the use of mobile technology in business is becoming more
prevalent, there are still big concerns about it from a security
standpoint. Security concerns significantly influence how confident
people are about applying mobile technology within their organizations.
According to survey results reported in a recent press release from the
US Federal Reserve System, 25 percent of mobile phone users believe
their personal information is “somewhat unsafe” when using mobile
banking and 18 percent believe that it is “very unsafe.” The natural
portability of mobile technology and other characteristics specific to
the mobile environment demand that your organization’s approach to these
security issues is sufficient to gain the users’ confidence and to win
competitive advantages by using the technology. Below are three key
focus areas you should consider when implementing security for your
mobile enterprise.
1. How to secure the device and corporate data
You need a complete solution that protects corporate-owned devices as well as the bring-your-own-device (BYOD) devices that people use with the expectation of accessing enterprise resources. Management of these devices should include enrolling and provisioning the device when it comes into your enterprise environment. Given how easy it is for a device to be misplaced or stolen, data loss prevention is of the utmost importance. Hence, being able to remotely lock, locate and even wipe corporate applications, documents and settings without touching personal information is a fundamental requirement for the solution you choose. You need to ensure that you can enforce your enterprise policy on these devices—passcode, jail-breaking and rooting detection, encryption and so on—and that you have the ability to fingerprint each device. This means that you should not only be able to look at the media access control (MAC) address or name of the device, but also be able to inspect it deeply enough to determine whether you can trust the device and its user.
Also, the natural portability of the mobile environment makes it hard
for your organization to keep sufficient control over the data that is
stored on or shared across devices. Sensitive corporate information can
leak from these devices during sharing activities. The technology you
choose should allow users the freedom to share, cut and paste
information between their mobile enterprise applications, but should
also keep this information separate from any of the users’ personal
applications.
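The device checks described in this focus area can be expressed as a small compliance-policy evaluation. The following is an added example, not code from the original post or from any IBM product: it takes the posture an MDM agent would report about a device (passcode, root/jailbreak state, encryption, OS version, lost status), compares it with an enterprise policy, and decides which actions apply, including a selective wipe that touches only corporate data. The posture fields, policy values and sample devices are all constructed for this illustration.

```python
"""Device posture evaluation against an enterprise mobile policy.

Added illustration (not from the original post or any product): a small
policy engine that decides whether a device is compliant and which MDM
actions apply. Field names, policy values and sample devices are
constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    # Attributes an MDM agent would report about a device (constructed).
    device_id: str
    mac_address: str          # identifies the device, but proves no trust
    passcode_set: bool
    rooted_or_jailbroken: bool
    storage_encrypted: bool
    os_version: tuple         # e.g. (8, 1)
    corporate_owned: bool
    reported_lost: bool = False


@dataclass
class Policy:
    # Enterprise policy values (constructed for the example).
    min_os_version: tuple = (8, 0)
    require_passcode: bool = True
    require_encryption: bool = True
    block_rooted: bool = True
    # Clipboard from managed (enterprise) apps to unmanaged (personal) apps
    allow_paste_to_personal_apps: bool = False


def evaluate(device: DevicePosture, policy: Policy) -> dict:
    """Return the compliance verdict and the actions the MDM should take.

    The MAC address or device name only identifies the device; the trust
    decision rests on the deeper posture attributes checked below.
    """
    violations = []
    if policy.require_passcode and not device.passcode_set:
        violations.append("no passcode")
    if policy.block_rooted and device.rooted_or_jailbroken:
        violations.append("rooted or jailbroken")
    if policy.require_encryption and not device.storage_encrypted:
        violations.append("storage not encrypted")
    if device.os_version < policy.min_os_version:
        violations.append("os version below minimum")

    actions = []
    if device.reported_lost:
        # Lock the device and wipe only the enterprise container; personal
        # data on a BYOD device is left untouched.
        actions += ["remote_lock", "selective_wipe_corporate_data"]
    elif violations:
        # Block enterprise access until the device is back in policy.
        actions.append("quarantine")

    return {
        "device_id": device.device_id,
        "compliant": not violations and not device.reported_lost,
        "violations": violations,
        "actions": actions,
        # Settings pushed to managed apps to keep corporate data separate
        # from personal apps on the same device.
        "managed_app_settings": {
            "clipboard_to_personal_apps": policy.allow_paste_to_personal_apps,
            "open_in_unmanaged_apps": False,
        },
    }


if __name__ == "__main__":
    policy = Policy()
    # Constructed sample devices: one compliant, one out of policy, one lost.
    samples = [
        DevicePosture("d1", "aa:bb:cc:dd:ee:01", True, False, True, (8, 1), True),
        DevicePosture("d2", "aa:bb:cc:dd:ee:02", False, True, True, (7, 1), False),
        DevicePosture("d3", "aa:bb:cc:dd:ee:03", True, False, True, (8, 1), True,
                      reported_lost=True),
    ]
    for dev in samples:
        print(evaluate(dev, policy))
```

The point of the example is the separation of identity from trust: the MAC address is carried along but never consulted in the decision, while each policy rule maps to one posture attribute the agent must actually verify on the device.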
2. How to secure the application
One well-known approach for securing applications is containerization. Essentially, this means putting a security perimeter into your application itself to enforce enterprise security policy and to prevent data from leaking out of the application. In order to do this, it’s critical to consider both a software development kit (SDK) and an app-wrapping approach to support both the apps you develop and the apps you buy.
The first thing you need is a comprehensive mobile application
development lifecycle approach as well as a comprehensive integrated
development environment (IDE) where you can include these security
considerations by design. You need to detect the security
vulnerabilities in every corner of your application while it is being
developed, not after. Besides applying best practices and writing
secure source code, you can use static scanning tools (for example, IBM Security AppScan) to automate the security assurance. A comprehensive IDE like IBM Worklight Studio
can help your development team to implement a security strategy on all
of your mobile applications for a wide range of supported mobile
platforms. An IDE can also enforce this strategy on each platform by
making use of platform-specific, security-related features.
The next thing you should do is add the instrumentation needed to wrap
the apps into a container, and then harden the app. Lack of binary protection is the newest item in the top 10 mobile security risks introduced by the Open Web Application Security Project (OWASP)
in 2014. Given that, it’s important that you make it difficult for an
attacker to go in and identify a weakness in your application, inject
malware, recompile and redistribute the app.
3. How to secure the transaction
This focus area is about securing the transactional workloads that occur on mobile devices between clients, business partners, contractors and so on within your organization. You should make sure that you have both access control and transaction integrity for all interactions (even for ones that involve users who are not part of the security framework used by your employees).
In order to secure the transaction, your organization should use a
robust mobile access management system and have a strong
fraud-prevention and detection approach at all points of impact. Your
fraud-prevention approach should include cross-channel fraud detection,
IP velocity, mobile malware detection and real-time detection services.
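IP velocity and cross-channel detection are easiest to understand as a rule run over a transaction log. The following is an added example, not code from the original post or from any IBM product: it parses a constructed log of mobile and web transactions, keeps a sliding time window per account, and raises an alert when an account transacts from more distinct source IPs within that window than a single user plausibly could, reporting which channels were involved. The log format, field names, addresses and thresholds are all constructed for this illustration.

```python
"""IP-velocity check over a mobile transaction log.

Added illustration, not code from the original post: flags an account
whose transactions come from more distinct source IPs within a time
window than a legitimate user plausibly could, and records whether the
activity spans more than one channel. Log format and sample lines are
constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, source IP, channel, amount.
# Account 2002 is hit from four addresses across two channels in two
# minutes; account 1001 changes address only after a long gap.
SAMPLE_LOG = """\
2014-06-01T10:00:05Z acct=1001 ip=203.0.113.10 channel=mobile amount=40.00
2014-06-01T10:01:10Z acct=1001 ip=203.0.113.10 channel=mobile amount=12.50
2014-06-01T10:02:00Z acct=2002 ip=198.51.100.7 channel=mobile amount=500.00
2014-06-01T10:02:30Z acct=2002 ip=192.0.2.44 channel=web amount=700.00
2014-06-01T10:03:15Z acct=2002 ip=198.51.100.200 channel=mobile amount=900.00
2014-06-01T10:04:00Z acct=2002 ip=203.0.113.99 channel=mobile amount=950.00
2014-06-01T10:20:00Z acct=1001 ip=203.0.113.11 channel=mobile amount=20.00
"""


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["acct"], fields["ip"], fields["channel"], float(fields["amount"])


def ip_velocity_alerts(log_text, window=timedelta(minutes=5), max_ips=2):
    """Return one alert per transaction at which an account has been seen
    from more than `max_ips` distinct source IPs inside `window`.

    Each alert carries the channels seen in the window so that a burst
    that crosses mobile and web shows up as a cross-channel signal.
    """
    recent = defaultdict(deque)   # account -> deque of (ts, ip, channel)
    alerts = []
    for line in log_text.splitlines():
        ts, acct, ip, channel, amount = parse_line(line)
        events = recent[acct]
        events.append((ts, ip, channel))
        # Slide the window: drop events older than `window`.
        while events and ts - events[0][0] > window:
            events.popleft()
        distinct_ips = {e[1] for e in events}
        if len(distinct_ips) > max_ips:
            alerts.append({
                "ts": ts,
                "acct": acct,
                "distinct_ips": len(distinct_ips),
                "channels": sorted({e[2] for e in events}),
                "amount": amount,
            })
    return alerts


if __name__ == "__main__":
    for alert in ip_velocity_alerts(SAMPLE_LOG):
        print(alert)
```

On the constructed log the rule fires twice, both times for account 2002 (three and then four distinct addresses inside the five-minute window, spanning the mobile and web channels); account 1001 is left alone because its address change happens outside the window. In practice the threshold and window would be tuned per channel, and a hit would feed a real-time decision (step-up authentication, hold, or deny) rather than only a log entry.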
These are some of the key security focuses in mobile enterprise, but
there are probably others. What do you see as possible security
challenges in mobile enterprise? Leave your comments here or follow me
on Twitter @duyhat to discuss further how to effectively overcome security challenges in your mobile enterprise.
*This post was originally published on IBM Mobile Business Insights