How do we build enterprise mobile apps with a valid security model for enterprise data?

We need to deploy technologies that put data communicated to/from and resident on mobile devices under that same security policies and assurances for all other enterprise data. I'd recommend the immediate use of VPNs, as is now often done for mobile laptops. Mobile platforms that support VPNs is a requirement; not all of them do.

Enterprises need to select and pay for, wholly or partly, employees' mobile devices. Then they need to provision and control the applications installed on them. This requires a forward-thinking action from the IT management to forestall pressures from employees to allow the latest/coolest devices and apps.

@Anton I can selectively remotely wipe the corporate data from any personal device and my enterprise users have acknowledged and signed statements from our legal council indicating compliance with this procedure. I do not see nor have I heard of existing legal issues with this from any of the MDM vendors or papers I have read.

If I am writing the enterprise apps (and mostly I am), I am 100% certain they do not contain malware, and that they do contain authentication protocols for accessing our private corporate data. All software developers should have secure coding best practices and training. Including 3rd party enterprise apps is a different story and I would rely on on the Apple vetting process for the iOS apps, and for the Android apps I would be MUCH stricter and careful about inclusion. Creating a secure "sandbox" and testing apps against dummy data is a step, especially if you monitor the I/O and do persistence testing inside the sandbox. A good MDM product can help an administrator detect risky or threatening behavior immediately as well as take precautions against it. By having a policy of "BYOD, but you must adhere to the policy if are going to use it to access corp data" is relatively easy to manage. For high security you can restrict a device from using any apps other than your own, or you can simply manage the apps that allow sharing - the policies are highly configurable.

As with any IT system, it will have to be managed by administrators who are quick to respond and up date on any threats to the network. With MDM, I can control the other 3rd party applications allowed on a personal device that might try to gain accesses any of our corporate data. IT administration for mobile is still very important and I did not stress that enough. I have the opinion that everyone in IT needs to be smart about security and actively manage the devices, data, and security. This is true even if we are not just talking about apps and mobile.

And I agree - a VPN without taking steps to secure sensitive data is not ever a good idea. Companies should already have their sensitive data segmented and protected separate from insensitive data, email, and public network access. Yearly security audits help enforce this compliance. I agree this is a must for securing the existing data locally as well as in the cloud, and having a network security solution with rapid response and update capability in the backend infrastructure is critical.

The mobile solution needs to fit the company AND the need. An airtight security solution may not be necessary and can be cost prohibitive for businesses that do not deal with what I would call "hacker interesting" information or hardware. Proper risk analysis is necessary to determine the level of security that is appropriate, and disaster recovery plans should be in place for immediate response to attack. One solution will not fit all so flexibility lends itself to efficiency in this rapidly morphing area.

@glen Is "Enterprises need to select and pay for, wholly or partly, employees' mobile devices" really realistic? This is just not something that I see happen - "consumerization" means employee owned device is used.

And VPN - really? How would it help against a personal device with untrusted, malicious and compromised apps - unless you separate where your VPN link originates from the rest of the device?

@Anton, Having directly experienced the havoc that consumer-supplied devices can wreak on employer networks via malware introduction, I strongly favor employer-supplied and provisioned devices, with VPNs to extend employer network policies and protections to the device. Because the device is configured to comply with enterprise policies and not consumer usgage preferences, it is only fair to expect the employer to pay for them. This is common, but it often requires people to carry a personal device and an employer-supplied one.

I also favor the development of internal firewalling in devices to allow consumer and employer partitions, including VPN and non-VPN domains, but that is not in current technology.

@glen I absolutely agree that it is BETTER to have an employer-supplied and -configured device. But I was told that this battle is largely lost...

Re: VPN and "internal firewalls" - Nukona (nukona.com) does it and a few others. So, definitely current tech. VMWare also showcased an Android VM for that purpose earlier this year

Verizon has a an enterprise product called MVPN - Mobile VPN, which allows a company's mobile users to have a secure VPN tunnel no matter where they are, and no matter what device. This coupled with an appropriate MDM strategy for corporate AND person mobile devices is a good start for most businesses. MDM vendors have special app stores that admins can configure with different policies. I can set up a device to only have access to my enterprise apps if managed through my MDM app store. I can also configure the device to remote wipe the App only if the device is reported lost/stolen OR if the device appears to be compromised or out of compliance. I can also create policies for unauthorized applications. I believe these two products in an enterprise will handle 95% of all issues with security, apps, and various personal/corporate devices accessing corporate resources.

@erica IMHO, VPN+MDM won't do the trick for many, many environments. For example:

- it is likely you cannot wipe personal devices with corporate data after loss; legally it is very dicey
- MDM does not stop malware from stealing corp data - or, for that matter, from initiating a nice VPN connection to your network.
- VPN without control (complete control or "island of control" where sensitive data is) just might give you an extra risk, not a security solution

I'd bet that MDM+VPN will solve your 20-30% - not 95% - of security problems (all numbers are guesses, of course)

@erica Thanks a lot for the insightful comments. Indeed, if you SELECTIVELY wipe personal devices of corp data, then you are in much better shape, but it does call for more advanced tools than just generic, consumer-grade "remote wipe"

The legal issues I referred to included a total "bricking" of a personal device that was allowed access to corp network/data. Let me try to find the references, but I was first made aware of it via a private discussion with a CSO concerned about it.

In any case, as long as you are thinking of scenarios like the one below, you are in a good shape.

1. consumer installs your enterprise app on personal device
2. he then installs a trojaned/malicious app from Android Market
3. mal app steals your corp data and/or accesses your network via your VPN