Monday, September 10, 2012

Enterprise Security and Mobility

Security is the most important thing in everything we see around. It is no exception when it comes to Enterprise solutions. It is the prime concern for all IT departments and CTO/ CIOs of the enterprises. Security is generally understood as just the policies and regulations by end user but we must also note that the enterprise applications and solution are first candidates to consider security. With the proliferation of consumer mobile devices into the enterprise networks and BYOD policies it is even more difficult to keep the enterprise information secure. The workforce demands to enable wide variety of application onto a scalable mobile platform throws larger challenges in front of an enterprise. Due to the mobile nature of the devices and criticality of the information residing on those devices, security can be the most important thing on any CIO's mind!

The sound mobility roadmap should be built keeping security at the core and considering growing trends, user profiles and needs of near future. The security isn't only about extending the IT policies to devices or computers but effectively building it into the solution DNA. Companies have realized the importance of mobilizing and empowering their field force or employees. However, IT is indebted to choose an implementation, which will not compromise enterprise security.

Assessing the current security implementation, understanding enterprise mobile risks, designing a mobile security policy and selecting a robust mobile security strategy should be a ‘must do’ for the enterprises rather than a ‘good to do’ exercise. The enterprises have matured in enterprise security practices over the years and have robust security infrastructure in place for their current system or network infrastructure. But the enterprise application on tablets or Phones opens up an array of concerns, which they never had to bother about earlier. There is no single device/ platform that offers real end-to-end security infrastructure as well as best use case. So, the challenge is, how do we make the mobile a trusted device for the enterprises!

Security Approach
To build a robust and secure policy, one need to visualize the security as multilayered approach. Ideally the solution/ strategy needs to depend on more than one layer of validations and not just one. Most enterprises might already have invested in security in some or the other way. The one term strategy must consider the return on this investment. Mechanisms such as two-factor authentication, VPN networks etc. may be already in existence. The mobility must extend or be built on those premises. The chosen strategy and solution should be easy to manage, infallible. Typically enterprises would safeguard their networks and sensitive from single point of failure. The security should be seen as end-to-end. That typically means - On device, In transit, and Inside network. As long as enterprises put together a strategy to secure the information/ data in these three places, any devices can ideally be trusted!

The key touch points of the Enterprise Mobile Security are depicted in the figure below.

The multilayered security approach entails the following considerations Application Level security, Network level security and device Level Security.

The application level security mainly encompasses Runtime Protection
       Mandatory Code signing
       Secure authentication framework
       Common crypto architecture
       Application data protection

The network level security can be easily devised dependent on VPN, SSL/ TLS or WPA based transmission channels. The device level security can be handled through use of robust mobile Device Management (MDM) solution.

The data security on the device can also be viewed in different modes such as Access Mode (Authentication and Authorization), Storage Mode (Encrypt, sandboxed). Security requirement of a mobility solution must be assessed in various stages of the project life cycle such as architecture and design, development and deployment.

The choice of the device and solution delivery plays an important role in security. The advanced mobile operating systems such as iOS, Android and Windows Phone support security to a greater extent anyway. The security strategy must use these out of the of the box features provided by mobile operating systems.