Driving Sustainability with Connected Intelligence
Mirko Ross from asvin.io hosted a lively discussion on securely building smart cities with:
I guess developers can’t count on anything these days. How you deal with security is what separates consumer app developers from enterprise app developers. The best apps assume an insecure, unencrypted and completely compromised mobile platform. In a world of bring your own app (BYOA), this will differentiate consumer app developers from trusted enterprise app developers. Imagine the scenario where a logged-in device is left behind in a taxi and is stolen before device security kicks-in to log the device out. A window of time ranging from five to fifteen minutes of exposure is realistic.
So how does a mobile app take charge of its own security? On launch, it must prompt for enterprise credentials like a password, PIN, face or fingerprint before allowing a user inside the app. Eliminate the use of cached credentials and tokens or keep expiration times to a minimum. Next, the app must provide its own encryption for data at rest. This is accomplished through the use of a mobile platform’s crypto APIs. Oftentimes you can reuse login credentials as a password and salt value. Use this to encrypt all downloaded and user-entered data before saving to local storage. The app must use TLS or per-app VPN tunnels for all remote communication to secure data in transit. Lastly, trustworthy apps should never take dependencies on platform capabilities they don’t actually require.
Reduce risk to your business by insisting every enterprise app you build or buy provides its own comprehensive security capabilities. Is your company making app security a top priority?
I get it. Migrating all those apps to mobile seems like eating the proverbial elephant. They cost a lot of money to build, the highly-skilled developers needed to rewrite the code are harder to find than ever, the code isn’t commented and there aren’t any docs. This often leads to IT decision makers putting off these projects, perhaps until it’s not their problem anymore. So why do it?
For starters, your employees will be significantly more productive running your apps on the mobile devices they actually use. Since work is not a place to go but a thing to do, employees can get their jobs done from anywhere. Millennials won’t be chained to a desk and they’re going to use the devices they like best. Face it, those Win32 apps are never going to run on someone’s iPhone and your new generation of employees haven’t ever heard of Windows 95. Not changing is a non-starter as you’ll just miss out on younger talent entirely.
Another good reason migrate all these apps and systems is because they’re running on outdated hardware and software. It goes without saying that this infrastructure has far surpassed its end of life (EOL) and there is absolutely no support coming from the original vendors of the computers, operating systems, software and development tools. I’m actually not 100% correct on this point. There are some giant technology vendors that charge tens of millions of dollars per year to support old systems that reached EOL without migrating. In the end, migrating is significantly cheaper and it rescues your valuable intellectual property from fragile, unsupported, failing systems.
This older and often unattended software is putting your company at risk. Individual and state-sponsored hackers are attacking the software of companies all over the world. Valuable intellectual property and sensitive customer data is being stolen daily. Company executives are getting fired. You absolutely don’t want this to be your priceless intellectual property or your customer data. This is a fast ticket to losing your competitive advantage as well as the trust of your customers. Oh, and you might be looking for a new CEO and CIO.
When rewriting the remaining apps, focus less on the code and more on data sources, workflows, user interfaces, performance and latency. I’ll talk later about new ways to connect to data and build new apps. It’s more important to reverse-engineer the way employees perceive these apps to work than how the existing code actually makes them work. This provides a good opportunity to stealthily update business cases.
Reduce risk to your company by migrating unsafe, unsupported, end of life software to modern, secure platforms and programming languages. How rapidly is your company de-risking its exposure to legacy business applications?
So far, our EMM journey to secure corporate data has dealt with the issue by broadly securing the entire device via MDM or more narrowly securing the apps that deliver the data using various MAM techniques. The application of security can get narrower still.
The use of digital rights management (DRM) allows IT departments to apply policies directly to documents keeping data secure no matter where it flows or resides. Sometimes DRM is clumped-in with the broader mobile content management (MCM) component of EMM. This security applied directly to data is an effective method of DLP using a combination of enterprise directory services, encryption, user identity along with server and client software to keep information in sensitive files from being viewed by the wrong people or systems.
Imagine the scenario where a confidential business document is uploaded to an Internet file sharing provider or emailed to a competitor. Traditional corporate security mechanisms like firewalls or file server access controls lists won’t save you in this situation. If DRM encryption and security policies were previously applied to this document, it would be unreadable by anyone who tried to open it. This is arguably the most difficult of the EMM security components so not many vendors will offer this.
Reduce risk to your organization by keeping sensitive data secure no matter where it travels or where it rests. What is your company doing to protect its critical data?
Baby steps. While you might not say Microsoft Exchange Server in the same breath as enterprise mobility management, this product has managed more devices than any other system over the last decade. Since most enterprises already use Active Directory for identity coupled with Exchange Server on-premises or via Office 365 in the cloud for email, calendar and contacts, this is a simple way to get started. A protocol called Exchange ActiveSync (EAS) that dates back to the Pocket PC and is used by virtually every mobile operating system to allow the magic to happen.
So what does this have to do with managing devices? Well, EAS helps secure smartphones and tablets via policy enforcement. This allows you to require PINs and passwords, device and storage card encryption, remote wipe for lost or stolen phones, and S/MIME email encryption, to name a few. It also lets you disable features like a phone’s camera, removable storage, Wi-Fi, Bluetooth, SMS and others. If you’ve worked in the public sector, this probably rings a bell.
If you think managing your mobile devices via Exchange ActiveSync is unorthodox, remember this was the only way to manage iPhones until iOS 4 and Android until version 2.2 was released. I think EAS facilitated the BYOD movement more than any other factor.
Reduce expenses and risk to your company by enforcing security policies on your mobile devices using the capabilities found in an email server you probably already own. What basic steps has your organization taken to enforce mobile security on smartphones and tablets?