With the fast growth in mobile devices being used to access corporate applications and data, board-level GRC (governance, risk & compliance) requirements for mobile security need to be on par with the security demanded of all other devices used to access corporate applications.
The GRC process often results in approval bottlenecks on the mobile side, delaying the ability to address business requirements. With the mobile consumer device industry setting the technology pace, deploying policies to manage mobile devices, or seeking to steer users towards certain apps is a struggle. This is set to get a lot worse as business processes further embrace the Internet-of-Things (IoT). Gartner estimated in a June 2014 analysis, that 75% of mobile applications will fail basic security tests through 2015 and could offer an entry point for hackers looking to breach enterprise networks.
Protect the hardware
At the chip level, hardware developers led by Intel and ARM are developing chipsets for mobile devices with hardware embedded security features. At the mobile device level, manufacturers of devices that use the Android and Windows are following Apple’s lead with new operating system versions that harden security procedures and bring them closer to corporate software standards. However, Apple devices may still be jail broken, Android phones may be modified, and the limited IoT device encryption may provide hackers with easy access to corporate networks.
Protect the core apps
Traditional mobile device management tools have focused on containers to ‘sanitize’ and secure apps, but that requires secure, encrypted containers on the devices to house corporate data, which BOYD users may resent, and IoT devices may be unable to support.
Major enterprise application packages such as Oracle e-Business suites and SAP Business do address the security and manageability of mobile access to their services in line with corporate GRC requirements.
SAP’s Mobile Secure enterprise mobility management portfolio includes mobile device, application and content management services. All can be secured on iOS, Android and Windows 8 devices. Similarly, Oracle recently released fourteen Oracle E-Business Suite mobile applications that provide companies with GRC compliant accessibility for their mobile workforce.
However, wouldn’t it be better to inject or wrap security around any app that wants access to corporate data sources? The GRC policy can then be formulated as a mobile apps ‘inoculation’ requirement. Any app that can be security wrapped may pass – any app that does not get security wrapped fails.
Protect any mobile app
This is the approach that has been developed by security vendors Bluebox and AppCentral, app store vendors Apperian and Good Technology and VDI providers such as Citrix.
Another key player in this market is Mocana with its newly released Atlas Platform, which resides on a single shard in the data center and able to handle very high volumes of encrypted tunnels to mobile users’ apps. The Atlas Appliance Gateway delivers secure connectivity using per app VPN tunnels (rather than the traditional VPN tunnels per device) and brokering comms for secure certification and single-sign-on integration with corporate back-end infrastructure, notably Active Directory. The Atlas MAP component ensures that any app is enveloped with data protection – on the device and in transit. It also handles any other GRC policy requirements regarding jail breaking, data leakage prevention, geo-fencing, and device posture (attributes that play a role in the conduct and “health” of the endpoint device). Security wrapping a new app takes just 8 seconds according to Mocana, and user inconvenience is limited to a Tap ‘n Go procedure to access corporate data from a mobile device. App wrapping is vendor agnostic so the Atlas platform integrates with both SAP and Oracle suites and generates the documentation required by corporate GRC.
As with all really good security – the goal is to detect, deter and document breach attempts in accordance with GRC policies, while remaining transparent to normal user activities.