12 Basic Tenets of Mobile App Security: Part 1

Author: Rob McCarthy
Publication Date: 29 January 2016

There are moments, brief moments to be sure, during the epic classic movie Armageddon when your suspended disbelief comes rushing back in to take control of your brain and ask, “Wait a minute, wouldn’t it be a million times easier to train an astronaut to drill than to train an oil driller to fly the space shuttle and land on a meteor?” Pushing that thought away as the final moments of the movie wash over you and Aerosmith croons in the background is the best course of action for enjoying a little down time, but when it comes to your enterprise, that gnawing mantra of selecting “the right people (and tools and processes) for the right job” should probably be heeded.

Such is the case with mobile app development, and most assuredly with the development of mobile apps and infrastructure that involve enterprise services. It is critical to apply appropriately skilled resources to a job as important as protecting your business from adverse events. That protection starts with securing your data, whether it is in flight, at rest or in use.

A recent Mobile Privacy IQ study conducted by Lookout surveyed smartphone owners in the U.S. to determine user perceptions toward privacy and data on mobile devices. The most telling, and worrisome, results of the survey come from user perceptions around corporate data on mixed-mode, or BYOD, mobile devices. While 76 percent of respondents claimed they would take extra steps to secure their personal data, only five percent felt the same about securing data for their workplace. This should serve as a warning and reminder to enterprise IT and security teams to take action by reducing the scope of vulnerability for corporate data on mobile devices through the use of MDM/MAM controls, proximity sensors and secure wireless networks.

The fact of the matter is that the plane of vulnerability across corporate data extends significantly as soon as you include mobile in your portfolio, and one of the most critical threats to enterprises comes from within – the mishandling and misappropriation of sensitive corporate data by employees. Verizon’s invaluable annual Data Breach Investigation Report (DBIR) for 2015 states it thusly: “...the common denominator across the top four patterns—accounting for nearly 90% of all [security] incidents—is people.”

Mobiquity’s Mobile App Security Tenets Start with Data Security

  1. Protect data from disclosure for confidentiality reasons
  2. Protect data from alteration for integrity reasons
  3. Protect data from resource-loss for availability reasons
  4. Map and monitor data flows for auditing reasons

The first three of these tenets come straight from the “manual” on best practices for information security principles, and any CISO will recognize the C-I-A triad: Confidentiality, Integrity and Availability. These are the foundational principles of information security upon which every model, policy and process is built.  

First, data must be kept confidential in order to protect its sensitive nature. Data comes in all forms, but as a rule, any data that is acquired and maintained is valuable, and therefore sensitive, in a given context. Corporate data reflecting business operations; customer data reflecting personal, financial or health-related information; and system data reflecting the inner workings of the architecture are all considered sensitive and valuable to the right (or wrong) people.  

There are several tools and processes to enforce data confidentiality, including:

  • An Identity & Access Management (IAM) solution
  • An encryption strategy with Key Management Infrastructure (KMI)
  • Tools for securing, containing and wiping data on mobile devices

Second, the integrity of the data must never be called into question if it is considered of any value. Data must be stored and accessed through operations that are completely traceable and fail-safe. This ensures (1) accountability: operations performed on the data can be traced back to a user, and (2) veracity: operations performed on the data at any given time did not adversely affect that data in unintended ways.

To enforce data integrity, it is critical that:

  • APIs are designed to ensure the consistency and continuity of data across boundaries, so that the data does not enter an undefined state at any point in the process
  • Operations are monitored, logged and audited
  • Data storage entities are hardened against vulnerabilities, both internal and external
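
One way to make logged operations both attributable and tamper-evident is an HMAC-chained audit log. The sketch below is an added example, not code from the original article; the key, field names and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a real deployment fetches this key from a key management
# service. The value here is constructed for the example.
AUDIT_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _mac(fields):
    """HMAC-SHA256 over a canonical JSON encoding of one entry's fields."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

def append_entry(log, user, operation, record_id, data):
    """Append who did what, plus a digest of the record after the operation."""
    fields = {
        "seq": len(log),
        "user": user,                                      # accountability
        "operation": operation,
        "record_id": record_id,
        "data_sha256": hashlib.sha256(data).hexdigest(),   # veracity
        "prev_mac": log[-1]["mac"] if log else GENESIS,    # link to previous entry
    }
    log.append(dict(fields, mac=_mac(fields)))
    return log[-1]

def verify_log(log):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "mac"}
        linked = entry.get("seq") == i and entry.get("prev_mac") == prev
        if not (linked and hmac.compare_digest(str(entry.get("mac")), _mac(fields))):
            return i
        prev = entry["mac"]
    return -1

def record_matches_log(log, record_id, data):
    """Compare stored data with the digest in the record's latest audit entry."""
    for entry in reversed(log):
        if entry["record_id"] == record_id:
            return entry["data_sha256"] == hashlib.sha256(data).hexdigest()
    return False

if __name__ == "__main__":
    log = []  # constructed sample operations
    append_entry(log, "alice", "create", "cust-17", b"balance=100")
    append_entry(log, "bob", "update", "cust-17", b"balance=250")
    print(verify_log(log), record_matches_log(log, "cust-17", b"balance=250"))
```

A chain like this does not by itself reveal removal of the newest entries; storing the latest MAC in a separate system covers that case.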

The third tenet, often overlooked from a security angle, is that data must be made available whenever needed. It is critical to ensure that data is made available to people and processes when required, otherwise actions and decisions that impact the continuity of business operations cannot be made in a timely manner.  

To ensure high-availability of data across mobile:

  • Appropriate gateway(s) and infrastructure must be employed to ensure proper orchestration and management
  • Offline access and data synchronization practices must be well-defined
  • Best practices for scaling, backups and disaster recovery must be followed

Finally, in order to protect data, architects, developers, DevOps and IT must work together to know where data resides and how it flows through the system. This is the Data Journey—the map that shows the subsystems that data traverses, the operations that act upon data, and the locations at which data eventually resides. The Data Journey helps to expose areas within the system that are vulnerable to data leakage by identifying all of the locations and all of the actors that interact with data throughout the system. This is especially critical with mobile devices because mobile compounds the problem with multiple storage options, multiple data access networks, and multiple ways in which data can be released into the wild, creating a sieve through which corporate data can readily flow without the proper controls in place.
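
A Data Journey can be kept as data and checked mechanically. The following added example (not from the original article) walks a constructed journey for a hypothetical B2E app and flags hops and resting places that lack in-flight protection, at-rest encryption or remote wipe; every location name and field is an assumption.

```python
from collections import deque

# Constructed data journey for a hypothetical B2E app; every name below is an
# assumption made for this example.
LOCATIONS = {  # where data can reside, and which controls apply there
    "crm_db":         {"stores": True,  "encrypted": True,  "on_device": False, "wipeable": False},
    "api_gateway":    {"stores": False, "encrypted": False, "on_device": False, "wipeable": False},
    "app_sandbox":    {"stores": True,  "encrypted": True,  "on_device": True,  "wipeable": True},
    "offline_cache":  {"stores": True,  "encrypted": False, "on_device": True,  "wipeable": True},
    "sd_card_export": {"stores": True,  "encrypted": False, "on_device": True,  "wipeable": False},
    "hr_db":          {"stores": True,  "encrypted": False, "on_device": False, "wipeable": False},
}
FLOWS = [  # (from, to, protected in flight?)
    ("crm_db", "api_gateway", True),
    ("api_gateway", "app_sandbox", True),
    ("app_sandbox", "offline_cache", True),
    ("app_sandbox", "sd_card_export", False),
    ("hr_db", "api_gateway", True),
]

def journey(source):
    """Breadth-first walk: every location that data from `source` can reach."""
    seen, queue = {source}, deque([source])
    while queue:
        here = queue.popleft()
        for src, dst, _ in FLOWS:
            if src == here and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def findings(source):
    """Flag hops and resting places on the journey that lack a control."""
    reached, out = journey(source), []
    for src, dst, protected in FLOWS:
        if src in reached and not protected:
            out.append(("unprotected in flight", f"{src}->{dst}"))
    for name in sorted(reached):
        loc = LOCATIONS[name]
        if loc["stores"] and not loc["encrypted"]:
            out.append(("unencrypted at rest", name))
        if loc["stores"] and loc["on_device"] and not loc["wipeable"]:
            out.append(("no remote wipe", name))
    return out

if __name__ == "__main__":
    for kind, where in findings("crm_db"):
        print(f"{kind}: {where}")
```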

Security in the mobile world requires a multilayer, multifaceted approach that relies on integration with existing backend processes. This is especially true of B2E applications, which deliver sensitive corporate data to the enterprise's most vulnerable asset: the employee. Best practices for secure mobile app development are built over years of research and applied practice, and while a number of tools and frameworks can help in building out and maintaining such best practices, the key is to have these practices in place and in use with skilled development teams before attempting to deliver an app to its intended end-user. Skilled teams emerge through education, proper tooling and defined processes, all of which happen in a continuously evolving cycle, growing over time and not overnight.

This is where enterprises should take advantage of mature enterprise mobile service providers, and partner with them to either develop or review their existing tools, applications and infrastructure to ensure that apps are adhering to the highest levels of security and compliance.

Coming up: Part 2 in this series of mobile app security will explore the role of the user in a secure mobile framework.
