The days when everyone is chained to a fixed desktop computer are long over. But it isn’t just about being more mobile, or using more mobile devices, or letting your users bring their own devices and use them at work. It isn’t that the workday is no longer 9-to-5 and users expect to get their jobs done whenever and wherever they might be in the world. No, it is about moving to a completely new way of delivering IT services, which presents both challenges and opportunities for IT, specifically around security.
The challenge is being able to secure all these different devices and still allow users to get their work done. The opportunity is that IT can become a more agile place, while at the same time being able to finally implement a consistent and universal applications security policy across the enterprise. This means that we need to secure the app and not the endpoint device itself, whatever it may be. We need to build apps from the start with the requisite security, rather than rely on some dubious perimeter protection.
It makes sense for IT to allow users to bring their own devices. “We started out trying to manage our mobiles and standardize on particular corporate-owned devices, but within two or three months, we found that we had a completely new set of devices to choose from. Phones were being introduced faster than we could vet them for our approved list,” said American Red Cross CIO John Crary. Now the Red Cross can focus on more important matters.
There are several ways to do this. One is to deploy a mobile device management (MDM) tool. These products set up security policies for a device, such as what happens a device is lost or stolen, or how personal data is stored on the phone or tablet. A recent survey by independent analyst Jack Gold shows that there is a wide variation in which MDM components are actually deployed by large enterprises.
Another is to purchase a single sign on (SSO) product that offers some MDM features. I agree with Gartner and other analysts who see a bright future when these two types of products can be better integrated. Single sign-on products could be a good choice if you want to protect your mobile endpoints with more than just their login passwords but don’t want to purchase a separate MDM solution.
While MDM and SSO tools are useful, an even better method is to make use of an application construction kit such as what CA Veracode offers and build in security controls for each mobile app. If you go this route, you’ll want to think about the following five issues:
1. To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. What is untrusted input? Basically anything and everything coming from the Internet. The best way to do this and stop SQL Injection is with the programming technique known as Query Parameterisation. While you are browsing this link, check out some of the other common vulnerabilities that Open Web Application Security Project has compiled. Better yet, make sure you have their top 10 list covered by your developers, or that they know where to find and fix them with appropriate security controls.
2. Make sure you treat your passwords with care. Forget about storing them in plain text, you should employ the most current encryption techniques to protect them, such as using salted random numbers and one-way encryption algorithms.
3. Do you need geofencing? If your staff travels outside of the United States, having the ability to lock or permit access from particular geographies could be important for keeping your data on your mobile devices more secure. There are numerous tools that can help build this into your app.
4. Properly authenticate your user logins. An application should require users to re-authenticate to complete a transaction or event to prevent in-session hijacks. They also should make use of multi-factor authentication as part of the app itself, or deploy this authentication inside an SSO or MDM tool.
5. Know the vulnerabilities in your chosen programming language and make sure your code avoids them. There are various tools (such as from CA Veracode) that can help spot these.