
The 6 Layers of Mobile Enterprise Security

Enterprises are starting to take mobile security seriously. That’s a pretty obvious statement to make, but is it really true? I’m not saying that security isn’t a concern, but are enterprises really doing enough to truly secure their mobile applications and data?
Just recently, researchers from Leibniz University of Hannover and Philipps University of Marburg published a report showing how user credentials could be captured through man-in-the-middle attacks against mobile services run by American Express, PayPal, Twitter, Google, Microsoft and WordPress, because of the way those services' mobile clients implemented SSL/TLS. Also, according to the Ponemon Institute, 6 out of every 10 cyber-security breaches occur as a result of a laptop or mobile device.
So while enterprises speak loudly about security, it is not clear that adequate steps are being taken to properly secure mobile devices and applications. Security for mobile is not altogether different from security in any other IT discipline: a holistic approach is the only way the issue can truly and effectively be handled. While many enterprises will tell you about the MAM or VPN products they are using, few of them actually have complete end-to-end coverage from a security perspective, whether for a consumer app or an employee app.
Data in transit between the mobile device and the backend, and the secure distribution of the apps, are really only two pieces of the overall mobile security solution that enterprises need to be concerned with. In all, there are 6 different layers of security that need to be addressed:

  • Authentication & Authorization: Verifying who the user is and what they are allowed to access
  • Data at Rest (on device): Data stored on the mobile device
  • Data in Transit: Data being transferred to or from the mobile device
  • Data at Rest (in the cloud/data center): Data stored in the cloud/data center
  • Application Code Security: Obfuscating and signing application code
  • Application Distribution: How to properly distribute the application to users

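The report cited above concerns SSL/TLS client implementations that let a network attacker interpose a forged certificate, which is the failure mode of the "Data in Transit" layer. The Go program below is an added example; it is not code from the report, from any of the services named, or from this article. It uses Go's httptest package to stand up a backend with a self-signed certificate, which plays the role of an attacker's forged certificate, and then sends a constructed bearer token through three client configurations: one that disables verification (the class of flaw the report describes), one that verifies against the system trust store, and one that pins the backend's own certificate. The function names and the sample token are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// startTestServer stands in for an enterprise backend. httptest.NewTLSServer
// issues its own self-signed certificate, which is what a device sees when an
// attacker interposes a proxy with a forged certificate: a certificate that no
// system-trusted CA has signed. (Constructed test fixture, not a real backend.)
func startTestServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A real man-in-the-middle would log this header; here it is just echoed.
		fmt.Fprintf(w, "authorization=%q", r.Header.Get("Authorization"))
	}))
}

// insecureClient mirrors the common mobile mistake: certificate validation
// disabled "so the dev server works", then shipped to production.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // vulnerable setting
	}}
}

// strictClient uses the platform trust store with full chain and name checking.
func strictClient() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{}}}
}

// pinnedClient trusts only the certificate the app was built against
// (certificate pinning), so even a CA-issued certificate for a rogue proxy fails.
func pinnedClient(cert *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// sendCredentials performs one authenticated request and reports whether the
// TLS handshake was accepted and the request completed. A "true" against an
// untrusted server means the credential left the device towards whoever holds
// that certificate.
func sendCredentials(c *http.Client, url string) (delivered bool, err error) {
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer constructed-sample-token") // constructed value
	resp, err := c.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	_, err = io.ReadAll(resp.Body)
	return err == nil, err
}

func main() {
	srv := startTestServer()
	defer srv.Close()
	clients := []struct {
		name string
		c    *http.Client
	}{
		{"insecure (InsecureSkipVerify)", insecureClient()},
		{"strict (system trust store)", strictClient()},
		{"pinned (app-bundled certificate)", pinnedClient(srv.Certificate())},
	}
	for _, cl := range clients {
		ok, err := sendCredentials(cl.c, srv.URL)
		fmt.Printf("%-34s delivered=%v err=%v\n", cl.name, ok, err)
	}
}
```

Run against the self-signed server, the insecure client delivers the token, the strict client fails with an unknown-authority error, and the pinned client succeeds only because the exact certificate was bundled. In a shipped app the strict configuration is the minimum; pinning is the stronger control for a backend the enterprise itself operates, at the cost of having to ship a new build before the certificate rotates.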
In some cases the problem stems from the fact that mobile applications are invariably delivered by the different Lines of Business (LOB), with little to no centralized oversight or governance regarding security. The enterprise may have security mandates in place, but because the apps are developed and deployed outside the purview of IT, governance and enforcement are sporadic at best. In other cases, IT lacks the information required to establish an adequate risk profile, so a heavy-handed approach is taken, which unfortunately impacts the usability of the app and leads to its failure.
There is an analogy with the early days of the web, over 15 years ago, when organizations responded to inconsistent application delivery across different LOBs by establishing a centralized group to define guidelines around core functions and disciplines such as backend access, security, and testing.
To address today's mobile app issues, including security challenges, some of the more progressive enterprises are starting to establish a Mobile Center of Excellence (MCoE). This group is chartered with many roles, one of which is defining the security policies for mobile apps and devices and enforcing them. The MCoE focuses on all the layers of mobile security, as well as industry-specific regulation and market trends, and serves as the corporate voice to all the LOBs.
To learn more about these 6 layers of mobile security, and the whitepaper's argument that native apps are inherently more secure than HTML5 apps, read the accompanying whitepaper.