3. Securing apps in the right way for each scenario
Traditional computing environments lent themselves to a one-size-fits-all approach to security. All apps were used in the same place, over the same network, and on the same type of device, so security policies didn't need to be granular to ensure effective protection. Today, mobility and the diverse use cases it enables call for a more nuanced approach. People must be enabled to use apps and data in as many scenarios as can be permitted securely, while avoiding risk in scenarios that call for higher levels of protection.
A fundamental operating principle of mobile security is that not all apps are created equal -- and their security shouldn't be handled the same way, either. Similarly, not every scenario calls for the same level of security. IT strategy should focus on managing and securing what matters, when it matters, where it matters.
Consider two common use cases. Let's say a doctor in a hospital uses a personally owned tablet to access an electronic medical record app. These apps tend to be quite complicated in the amount and structure of information they access in back-end repositories; they also face strict security requirements to comply with patient privacy regulations.
Clearly, a high level of protection is required. One can either deliver the app virtually, avoiding local data storage, or use a mobile app management (MAM) solution. In either scenario, policies restricting the app's usage to the hospital's secure network may be necessary. IT may also want to require two-factor authentication, prevent local data storage, or apply other measures. For a more flexible approach, policies could define different usage zones and allow different levels of functionality and data access depending on the respective location and network connection.
Now consider an expense management app -- the kind found in any public app store. IT could make it enterprise-ready by wrapping the app to secure it, but might also decide that even this basic protection isn't really necessary for the organization. After all, no credit card numbers, personally identifiable information, or other sensitive data is being transmitted, just a list of expenses and vendors -- as would be displayed on a discarded receipt.
The point is that IT doesn't have to look at every single app as a potential security hole. If it's a highly sensitive or mission-critical app, by all means, secure it. But if high security isn't needed, go ahead and let people use whatever app they like, however they choose, so IT can focus attention and resources more productively elsewhere.
SaaS apps should not be overlooked. Whether used on a mobile device or on a desktop PC, SaaS apps can open security gaps, such as when a terminated employee uses his or her credentials to access an active account from outside the network. Citrix handles this with a single-sign-on capability, which proxies user credentials rather than having people use their own credentials directly. Users never know their actual credentials on the system.
It's a win-win: Users don't need to remember multiple logons to access frequently used applications, and the process to securely remove users from the system is easier. By revoking the SSO credentials, IT can render all the user's SaaS accounts inaccessible at once.
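A minimal sketch of the credential-proxying idea described above, added here as an illustration (it is not Citrix's implementation or code from this article). The `SSOBroker` class, its methods, and the user and app names are hypothetical, and the data is constructed.

```python
import hashlib
import hmac
import secrets


class SSOBroker:
    """Toy credential-proxying SSO broker (hypothetical, for illustration)."""

    def __init__(self):
        self._sso = {}    # user -> (salt, hash) of the one password the user knows
        self._vault = {}  # (user, app) -> random SaaS secret the user never sees

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, sso_password, apps):
        salt = secrets.token_bytes(16)
        self._sso[user] = (salt, self._kdf(sso_password, salt))
        for app in apps:
            # Generated and held by the broker; never disclosed to the user.
            self._vault[(user, app)] = secrets.token_urlsafe(32)

    def sign_in(self, user, sso_password, app):
        """Return the secret the broker presents to the app, or None if denied."""
        record = self._sso.get(user)
        if record is None:
            return None  # unknown or revoked user
        salt, expected = record
        if not hmac.compare_digest(self._kdf(sso_password, salt), expected):
            return None
        return self._vault.get((user, app))  # None for apps never provisioned

    def revoke(self, user):
        """Offboarding: one call removes the SSO login and every proxied secret."""
        self._sso.pop(user, None)
        for key in [k for k in self._vault if k[0] == user]:
            del self._vault[key]


def demo():
    broker = SSOBroker()
    broker.enroll("alice", "correct horse", ["crm", "expenses"])  # constructed data
    apps = ("crm", "expenses")
    before = [broker.sign_in("alice", "correct horse", a) is not None for a in apps]
    broker.revoke("alice")
    after = [broker.sign_in("alice", "correct horse", a) is not None for a in apps]
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because the user only ever holds the SSO password, there is no per-app credential left to reuse from outside the network once `revoke` has run.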
As we develop more granular, app-specific, and scenario-dependent approaches to security, it's important to ensure that these same policies can be applied easily across all types of apps to ensure consistency and simplify administration.
A more diverse and complex enterprise environment is now emerging, and with the right tools, this comes as good news for organizations and their employees. Empower employees to work in more ways and in more places, and they'll be more productive across a broader range of use cases. For IT, this evolution calls for new tools and new ways of thinking. By taking an app-centric approach, IT can adapt seamlessly and deliver stable and secure applications across the enterprise.
New Tech Forum provides a means to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all enquiries to firstname.lastname@example.org.