A recent survey by US company Mobile Helix found that 63 per cent of CIOs are delaying full deployment of enterprise mobile applications due to security concerns. So what are we all so scared of, and what can we do to alleviate these concerns? Danielle Cullen investigates.
At last year’s Mastering Mobility for SAP conference, where I presented, it became very apparent that many Australian and New Zealand-based organisations are also holding back from implementing mobile solutions due to concerns around security. For some, it was the cost involved in implementing these solutions; for others, it was confusion about what should actually be implemented. The bad news for these organisations is that there is no silver bullet software that addresses all of these concerns. The good news is that you don’t need a 12-month, multi-million dollar project just to get going with mobile.
Beware: threat alert
The threats around mobile security can be broadly split into six categories.
1. Loss of control of physical assets
Perceived by many as the biggest threat to mobile security is the ease with which mobile devices may be lost or stolen. The Australian Mobile Telecommunications Association (AMTA) claims that one mobile device is lost or stolen every three minutes. The concern is not the device itself, but how to stop the data and applications on it from being accessed once the device has fallen into the wrong hands.
2. Rogue users and devices
So you’ve built an app and distributed it to the appropriate users. Now how do you stop users or devices outside of your organisation from accessing it? With native apps, this is typically less of an issue as they are distributed via an Enterprise App Store or similar, but HTML5 or web apps can be more of a concern as they are essentially just a URL – albeit (hopefully) a secure one.
3. Hacking
Hacking has always been a concern for corporates and the inherent features of mobile solutions augment this risk. Not only does an organisation need to be concerned with the back-end systems, they now need to consider the front-end (mobile devices) and transmission. But let’s be realistic here – hackers do what they do for financial gain. It’s unlikely that hacking into Fred Smith’s leave request app is going to do much for the typical professional hacker.
4. Loss of data control
Predicted to be the hot topic for 2014 is the control of data being sent to mobile devices. Often companies go to extreme lengths to enforce security on mobile applications, but at the same time send sensitive corporate documents via email which can be easily accessed by mobile devices. This is the one to watch in the next 12 months.
5. Malware/spyware
Malware is a piece of code installed on a device to corrupt or spy on another piece of code. Similar to hacking, this threat needs to be taken with a good dose of reality for many businesses. Organisations such as banks developing mobile apps for millions of customers need to be very concerned, but developing a simple app for a handful of users is perhaps less worrying for a typical company.
6. Jailbreaking
With Bring Your Own Device (BYOD) comes the problem that organisations can’t control what users do with their mobile devices. Jailbreaking (iOS) or rooting (Android) is something done by many users to achieve additional functionality and features. Unfortunately, with this comes increased security vulnerabilities.
What is the solution?
Many successful mobile projects combine both technical and non-technical components to build a security solution. Whilst there are many great products out there (offered by both SAP and rival companies), these are never a silver bullet quick fix. Many companies are now choosing to go their own way with a pick ‘n’ mix approach of off-the-shelf products, custom solutions and a good healthy dose of common sense.
The technical components
Affectionately known as the M&Ms, the technical components of a security solution are classified as MDM, MAM and MCM (or MIM).
Mobile Device Management (MDM)
This was the first cab off the rank in terms of mobile security, and multiple vendors offer software solutions to both deploy applications and remotely lock or wipe devices. SAP Afaria was at the forefront of the charge and consistently rates highly in Gartner quadrants for MDM solutions. The problem with such solutions arises with BYOD policies. Companies have found employees increasingly reluctant to report their devices lost or stolen for fear of personal items such as photos and personal contact details also being wiped. Mature MDM solutions do offer selective locking and wiping, but companies are increasingly looking at other ways of managing security.
Mobile Application Management (MAM)
Due to some of the concerns with MDM, MAM solutions have in the last two years experienced fast growth. SAP itself announced a partnership with Mocana earlier this year to provide MAM solutions for SAP and non-SAP applications. The Mocana product essentially offers a security wrapper that can be applied to applications of any type in line with the company’s security standards. Other organisations in Australia have implemented custom solutions to achieve a similar result. One word of caution: the term MAM is still used in different contexts across industries and geographical locations – sometimes used to describe wrapper solutions, other times used to describe application whitelists and blacklists, and also sometimes applied to more traditional MDM functionality. Mobile watchers can expect more M&M acronyms soon for each of the different usages!
Mobile Content Management (MCM) or Mobile Information Management (MIM)
Our predictions are that this area will see significant growth in the next 12-24 months. Companies previously focused on locking down mobile applications are now realising vulnerabilities in the way other documents such as contracts, sales orders or OH&S statistics may be accessed from mobile devices. The SAP Mobile Documents solution was announced earlier this year, but the main challenge with this is changing the mindset of users who have been used to working in a certain way for many years.
Non-technical components
Not everything can be controlled through a solution or device, so it’s important to consider the non-technical aspects of a mobile security solution too.
Policy management
Users need to know what they can and can’t do on their mobile devices. Is BYOD OK? Can personal applications be loaded onto corporate devices? What steps need to be taken in the case of a lost or stolen device? But perhaps more important than just having the policies and procedures in place is the communication of these. The mobile world changes quickly and policies need to follow suit. How do you communicate changes to a remote workforce who use mobile devices sparingly? There are some great solutions out there, including embedding policy update notifications into the mobile apps themselves, but every company is unique and needs to consider the appropriate way to communicate.
Workforce enablement
Giving employees the right applications on the right devices at the right time can help to alleviate security issues. Users are increasingly mobile-aware and are able to download applications for themselves to solve problems. Consider the airline company whose workers had access to a corporate-built application to view arrivals/departures of flights but preferred to check airport websites as they were more reliable and timely! Providing users with the applications they need helps to alleviate potential security risks associated with third party products.
End user support
Bringing all of the technical and non-technical components together is exceptional end user support. When users cannot find a way to do something easily or when something breaks, they can – and will – find another way. If a company needs workers to have mobile access 24/7, then supporting them to be able to do this is absolutely essential.
In summary, there is no easy way to address mobile security, but there are some great products and other options out there to alleviate security concerns. Companies need to focus on the specific problem that they are trying to solve, consider the consequences of inadequate security and adopt a combination of technical and non-technical components to achieve a successful and secure result.
Danielle Cullen is operations manager for Clarimont, providing digital solutions for the enterprise and consumer. This article first appeared in the Summer 2013 edition of Inside SAP.