Comments
yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of useful features, among them: Oracle designer, code completion and formatter, query builder, debugger, profiler, export/import, reports and many others. The latest version supports Oracle 12C. More information here.
Security - The Necessary Evil

Handset and PDA manufacturers love me. That's because in any given year, I'm likely to lose, and therefore buy, at least three cell phones and two PDAs. I really don't know where they go. I suspect they get left behind in rental cars, airport lounges, and hotel rooms. Once I even found a cell phone that my one-year-old son had dropped in the john.

My CIO hates me. He's the one that has to worry about security breaches that result from my lost PDAs and handsets. He's not much different from other IT professionals. Web seminars conducted by Mobilize found theft and employee termination to be the security issues that most concerned IT workers.

Think about this scenario. Public company CEO loses laptop with this quarter's sales data. Sales data gets published on the Internet. Internet surfers think company is behind on revenue targets. Stock price free-falls. Shareholders sue. SEC investigates.

So what security issues need to be considered when launching a mobile enterprise application? That's the focus of this month's article. In particular, we'll look at five key security issues:

  • Cost: Balancing security needs against user acceptance, deployment cost, and total cost of ownership.
  • Theft and Employee Termination: Both are major security issues. IT organizations must be able to centrally disable mobile devices and, in applications that are very security-sensitive, local file systems may need to be encrypted.
  • Access Control: Ensuring that users see only the information for which they are authorized. Access control needs to be built into every mobile application, and ideally should integrate with existing systems like LDAP or the Microsoft NT Security architecture to minimize administrative costs.
  • Authentication: Validating the identity of the user. Potential solutions range from simple password-based systems to smart cards and biometrics.
  • Encryption: Ensuring that nobody can eavesdrop on a data conversation. Potential solutions use the native encryption of each network segment or overlay an end-to-end technology.

Security Costs
Security is not free. It puts an administrative burden on end users that they dislike intensely. It increases the costs of application deployment, and it creates long-term cost-of-ownership issues, as IT must maintain complex security rules.

Security may not be optional. If information is sensitive in nature, such as the health records of customers, it must be protected. If transactions such as stock trades, which may have significant consequences, can be entered, they must be tightly controlled. So the first order of business is to assess the level of desired security, from low to high. The following questions are critical:

  • How sensitive is the data?
  • What is the impact of theft or loss?
  • Do government regulations require security? (Common within health care and financial services industries.)
  • How likely is it that a mobile application will fall into the wrong hands?
Once IT understands the answers to these questions, intelligent tradeoffs can be made. These are discussed below.

Theft and Employee Termination
As mentioned, Mobilize's Web seminar results found theft and employee termination to be the top IT security concerns. Of the two, employee termination looms larger because it happens more often. IT professionals are used to being able to centrally disable network accounts when an employee leaves the company. However, when information is cached or synchronized on a local device, disablement becomes difficult. The most damaging, and very common, scenario is when a salesperson leaves the company to join a competitor and takes along details about accounts, pricing, and product plans.

IT professionals have a range of options available to address employee termination and theft, including the following:

  • In low-security environments, IT should ensure that key mobile applications can be centrally disabled the next time the terminated worker accesses the network. For more protection, the applications should monitor a network heartbeat and shut down if the heartbeat indicates that the employee is no longer with the company.
  • In medium-security environments, IT should use more advanced authentication technologies, such as continually rotating session passwords (e.g., as implemented by Smart ID) or smart card solutions that continually authenticate the user through challenge-response over a separate network. When sensitive transactions are an issue, IT should ensure that dynamic authentication information is requested before each transaction, although end users often dislike this option.
  • In high-security environments, IT should encrypt local file systems, use boot-level passwords that prevent local storage from being accessed without authentication, and require a potential physical lock on equipment. Unfortunately, most of these approaches are only available for laptops and are not suitable for PDAs and cell phones.
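The "network heartbeat" option in the low-security bullet above is easy to get wrong: a heartbeat the device cannot authenticate can be forged or replayed to keep a terminated employee's cached data alive. The following is an added example, not code from the original article or any product it mentions. It assumes a constructed heartbeat format (a JSON body signed with an HMAC key shared between server and device), a 5-minute freshness window and a 24-hour offline grace period; both policy values are assumptions. The client wipes its local cache when a valid heartbeat reports the account as no longer active, ignores forged, stale or misaddressed heartbeats, and locks itself if it has not heard a valid heartbeat for too long, so a device kept offline fails closed rather than open.

```python
import hashlib
import hmac
import json

HEARTBEAT_MAX_AGE = 300       # seconds a heartbeat stays valid (assumed policy)
OFFLINE_GRACE = 24 * 3600     # lock the app after a day without a valid heartbeat (assumed policy)


def issue_heartbeat(server_key: bytes, device_id: str, status: str, now: int) -> tuple:
    """Server side: build a heartbeat for one device and sign it (constructed format)."""
    body = json.dumps({"device": device_id, "status": status, "ts": now},
                      sort_keys=True).encode()
    tag = hmac.new(server_key, body, hashlib.sha256).hexdigest()
    return body, tag


class MobileClient:
    """Client side: holds the locally cached data and reacts to heartbeats."""

    def __init__(self, device_id: str, server_key: bytes, cache: dict, installed_at: int):
        self.device_id = device_id
        self.server_key = server_key
        self.cache = dict(cache)            # data synchronized to the device
        self.disabled = False               # set once a revocation has been seen
        self.last_valid_heartbeat = installed_at

    def _validate(self, body: bytes, tag: str, now: int):
        """Return the parsed heartbeat if authentic, fresh and addressed to us, else None."""
        expected = hmac.new(self.server_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                     # forged or corrupted
        msg = json.loads(body)
        if msg.get("device") != self.device_id:
            return None                     # heartbeat meant for another device
        ts = msg.get("ts", 0)
        if not (now - HEARTBEAT_MAX_AGE <= ts <= now + HEARTBEAT_MAX_AGE):
            return None                     # stale, i.e. a replay of an old "active"
        return msg

    def process_heartbeat(self, body: bytes, tag: str, now: int) -> str:
        """Returns "ok", "wiped" or "ignored"; a revocation is permanent for this install."""
        msg = self._validate(body, tag, now)
        if msg is None:
            return "ignored"
        self.last_valid_heartbeat = msg["ts"]
        if msg["status"] != "active":
            self.cache.clear()              # central disable: drop the local copy
            self.disabled = True
            return "wiped"
        return "ok"

    def can_open(self, now: int) -> bool:
        """Fail closed: no valid heartbeat for too long locks the application."""
        if self.disabled:
            return False
        return now - self.last_valid_heartbeat <= OFFLINE_GRACE
```

Because the server never re-enables a device through a heartbeat (an "active" message after a revocation is accepted as authentic but does not clear `disabled`), an attacker who captures a fresh "active" heartbeat gains nothing once the wipe has happened.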
In all of these cases, IT must be careful to balance security needs against end-user acceptance. Business sponsors are not usually willing to trade end-user convenience for closing off every theft and termination security hole.

Access Control
IT professionals consider access control the next most significant security issue. Access control ensures that end users see only the information for which they are authorized. For example, a regional sales manager might be able to see pipeline and revenue status for his or her region, but not for a peer's.

Access control is closely related to personalization. It turns out that most end users don't want to be distracted by information that isn't relevant to them. For example, the government systems' sales representative in New Jersey cares only about a small section of the company intranet - the part that keeps information on his or her territory, accounts, and product line.

To address access-control issues, look for mobile applications that have strong personalization support, specifically:

  • Corporate data should be easily filtered to be relevant and secure for classes of end users (user profile) down to the specific end-user level.
  • IT should be able to centrally administer filtering rules. Administration should be flexible and easy.
  • Personalization architectures should easily integrate with multiple-legacy data sources and not require maintenance when the structure of underlying data changes.
  • Access-control solutions should integrate with LDAP or the Microsoft NT security architecture to minimize total cost of ownership issues.
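The four bullets above describe centrally administered filtering rules that narrow corporate data per user profile and per individual user. The example below is added here and is not code from the original article; the pipeline records and the profile rules are constructed. It filters both rows (which opportunities a user may see) and fields (which columns), denies by default when a user carries an unknown profile, and keeps the rules in one table so an administrator changes them in one place rather than in each mobile application.

```python
# Constructed sample of the pipeline/revenue data the article refers to
OPPORTUNITIES = [
    {"id": 1, "region": "NJ", "product_line": "government", "account": "State agency A", "revenue": 120_000},
    {"id": 2, "region": "NJ", "product_line": "commercial", "account": "Acme Corp",      "revenue": 80_000},
    {"id": 3, "region": "CA", "product_line": "government", "account": "City agency B",  "revenue": 200_000},
    {"id": 4, "region": "CA", "product_line": "commercial", "account": "Widgets Inc",    "revenue": 50_000},
]

# Centrally administered rules, keyed by profile (constructed).
# "scope" says which rows a profile may see; "fields" says which columns survive.
PROFILES = {
    "sales_rep":        {"scope": "own_territory_and_line",
                         "fields": {"id", "region", "product_line", "account"}},
    "regional_manager": {"scope": "own_territory",
                         "fields": {"id", "region", "product_line", "account", "revenue"}},
    "finance":          {"scope": "all",
                         "fields": {"id", "region", "product_line", "revenue"}},
}


def _row_allowed(scope: str, user: dict, rec: dict) -> bool:
    """Row-level rule: the peer's region is never visible unless the scope is 'all'."""
    if scope == "all":
        return True
    if rec["region"] != user.get("region"):
        return False
    if scope == "own_territory":
        return True
    # own_territory_and_line: the rep sees only his or her own product lines
    return rec["product_line"] in user.get("product_lines", [])


def visible(user: dict, records: list = OPPORTUNITIES) -> list:
    """Return the records this user is authorized to see, reduced to permitted fields."""
    profile = PROFILES.get(user.get("profile"))
    if profile is None:
        return []                       # unknown profile: deny by default
    out = []
    for rec in records:
        if _row_allowed(profile["scope"], user, rec):
            out.append({k: v for k, v in rec.items() if k in profile["fields"]})
    return out


def visible_ids(user: dict, records: list = OPPORTUNITIES) -> list:
    return [r["id"] for r in visible(user, records)]
```

The same `visible()` call serves personalization (the New Jersey government-systems rep gets only the four-line slice that matters to them) and access control (the regional manager's peer in California is filtered out by the same rule), which is the relationship the article draws between the two.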

Authentication
Authentication refers to validating the identity of the end user. In low-security environments this is accomplished with a simple user ID and password. In a more secure environment, a Secure ID can be used.

Secure ID is a technology that changes passwords every minute. End users carry a keychain or other device that displays the current password. The same password algorithm also runs on a back-end server in synchronization with the end-user device. Secure ID provides both authentication and theft control. It also has the advantage of being multi-device in nature since the same password can be used for laptop, PDA, and phone.
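The paragraph above describes a time-synchronized one-time password: token and server run the same algorithm over a shared secret and the current minute. The following is an added example, not the article's or any vendor's code, and it does not reproduce the proprietary algorithm of the product named; it uses the standard HMAC-based time-step construction (the RFC 6238 TOTP style) with a 60-second step to match the article's "every minute". The server-side verifier shows two details a deployment needs: a tolerance of one step either side for clock drift between token and server, and a record of the last accepted step so that a password observed over someone's shoulder cannot be replayed within the same minute.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's "changes every minute"
DIGITS = 6          # assumed display length of the token


def code_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the big-endian step counter, dynamically truncated to N digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def token_display(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the keychain device shows at a given moment."""
    return code_for_counter(secret, unix_time // step)


class TokenVerifier:
    """Back-end side: same secret, same algorithm, plus drift tolerance and replay guard."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_counter = -1          # highest step already used to log in

    def verify(self, candidate: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue                # that minute's password was already spent
            expected = code_for_counter(self.secret, counter)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False
```

Because the secret, not the password, is what must stay confidential, the same secret can be provisioned to a server that serves laptop, PDA and phone logins alike, which is the multi-device property the article points out.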

Higher-protection authentication mechanisms require end users to keep some type of physical key on them. This could be an actual physical key, a smart card, or ultimately, a biometric key, such as a fingerprint. While biometric solutions are advancing and provide the ultimate authentication solution, at this time they're limited to laptop devices. In general, end users dislike physical or smart card key approaches, so expect some impact on application acceptance and usage.

Encryption
The last security issue to discuss is encryption - how data is protected during transport between corporate information systems and end users. Encryption impacts end-user convenience because it often adds overhead to the network connection. This makes limited-bandwidth mobile connections even "thinner" in nature. In low-security applications, IT professionals should consider whether encryption is really necessary and potentially opt for strong authentication mechanisms instead.

When encryption is necessary, the key question is if it's end-to-end in nature or if it relies on the native encryption of the transport mechanism. Consider the different "segments" of the network that data must traverse. Data may begin on a corporate information system, travel via virtual private network to a hosting center, be stored on a server at the hosting center, and then be sent out via a particular cellular carrier's wireless network.

In this example, IT can rely on the encryption technology of each segment or can "overlay" an "end-to-end" solution that encrypts data before it ever leaves the corporate information system, and does not decrypt it until it reaches the mobile device. The end-to-end solution is a stronger approach that gives the IT professional more control over bandwidth versus protection tradeoffs. All of the wireless infrastructure service providers have integrated good end-to-end encryption solutions into their offerings.

One problem with end-to-end encryption is that today's cell phone handsets do not have sufficient local processing to support encryption and decryption on the handset. This means that the link from cell phone to carrier must rely on native encryption technologies. In very secure environments, it means the device should not be used.

Wrapping It Up
That's the quick overview on mobile security - a tradeoff between end-user convenience, deployment and maintenance costs, and data protection. Next month we'll take a look at another key piece of the mobility puzzle - integrating mobile applications into legacy systems.
