yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of useful features, among them: Oracle designer, code completion and formatter, query builder, debugger, profiler, export/import, reports and many others. The latest version supports Oracle 12c. More information here.
Security - The Necessary Evil

Handset and PDA manufacturers love me. That's because in any given year, I'm likely to lose, and therefore buy, at least three cell phones and two PDAs. I really don't know where they go. I suspect they get left behind in rental cars, airport lounges, and hotel rooms. Once I even found a cell phone that my one-year-old son had dropped in the john.

My CIO hates me. He's the one that has to worry about security breaches that result from my lost PDAs and handsets. He's not much different from other IT professionals. Web seminars conducted by Mobilize found theft and employee termination to be the security issues that most concerned IT workers.

Think about this scenario. Public company CEO loses laptop with this quarter's sales data. Sales data gets published on the Internet. Internet surfers think company is behind on revenue targets. Stock price free-falls. Shareholders sue. SEC investigates.

So what security issues need to be considered when launching a mobile enterprise application? That's the focus of this month's article. In particular, we'll look at five key security issues:

  • Cost: Balancing security needs against user acceptance, deployment cost, and total cost of ownership.
  • Theft and Employee Termination: Both are major security issues. IT organizations must be able to centrally disable mobile devices and, in applications that are very security-sensitive, local file systems may need to be encrypted.
  • Access Control: Ensuring that users see only the information for which they are authorized. Access control needs to be built into every mobile application, and ideally should integrate with existing systems like LDAP or the Microsoft NT Security architecture to minimize administrative costs.
  • Authentication: Validating the identity of the user. Potential solutions range from simple password-based systems to smart cards and biometrics.
  • Encryption: Ensuring that nobody can eavesdrop on a data conversation. Potential solutions use the native encryption of each network segment or overlay an end-to-end technology.
Security Costs
Security is not free. It puts an administrative burden on end users that they dislike intensely. It increases the costs of application deployment, and it creates long-term cost-of-ownership issues, as IT must maintain complex security rules.

Security may not be optional. If information is sensitive in nature, such as the health records of customers, it must be protected. If transactions such as stock trades, which may have significant consequences, can be entered, they must be tightly controlled. So the first order of business is to assess the level of desired security, from low to high. The following questions are critical:

  • How sensitive is the data?
  • What is the impact of theft or loss?
  • Do government regulations require security? (Common within health care and financial services industries.)
  • How likely is it that a mobile application will fall into the wrong hands?
Once IT understands the answers to these questions, intelligent tradeoffs can be made. These are discussed below.

Theft and Employee Termination
As mentioned, Mobilize's Web seminar results found theft and employee termination to be the top IT security concerns. Of the two, employee termination looms larger because it happens more often. IT professionals are used to being able to centrally disable network accounts when an employee leaves the company. However, when information is cached or synchronized on a local device, disablement becomes difficult. The most damaging, and very common, scenario is when a salesperson leaves the company to join a competitor and takes along details about accounts, pricing, and product plans.

IT professionals have a range of options available to address employee termination and theft, including the following:

  • In low-security environments, IT should ensure that key mobile applications can be centrally disabled the next time the terminated worker accesses the network. For more protection, the applications should monitor a network heartbeat and shut down if the heartbeat indicates that the employee is no longer with the company, or if no valid heartbeat has been received for a set period (a device that never reconnects would otherwise never learn that it has been disabled).
  • In medium-security environments, IT should use more advanced authentication technologies, such as continually rotating one-time passwords (e.g., RSA SecurID tokens) or smart card solutions that continually authenticate the user through challenge-response over a separate network. When sensitive transactions are an issue, IT should ensure that fresh authentication is requested before each transaction, although end users often dislike this option.
  • In high-security environments, IT should encrypt local file systems, use boot-level passwords that prevent local storage from being accessed without authentication, and require a physical lock on the equipment. Unfortunately, most of these approaches are only available for laptops and are not suitable for PDAs and cell phones.
In all of these cases, IT must be careful to balance security needs against end-user acceptance. Business sponsors are not usually willing to trade end-user convenience for closing off every theft and termination security hole.
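The heartbeat approach from the low-security bullet, as an added example (not code from the original article): the back end answers each check-in with a signed, timestamped reply; the client wipes its local cache when the reply says the employee is gone, and also when it has been offline longer than a grace period, so a device that is simply never reconnected still locks itself. The employee list, signing key, cached data and timeouts are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed directory of active employees; in a real deployment this is the
# HR system or LDAP, and the heartbeat service queries it.
ACTIVE_EMPLOYEES = {"jdoe", "msmith"}

# Assumed shared secret between the heartbeat service and the provisioned app
# (hypothetical value; in practice provisioned per device, not hard-coded).
HEARTBEAT_KEY = b"example-heartbeat-signing-key"

# Longest the app may run without a valid heartbeat before it locks itself.
MAX_SILENCE_SECONDS = 24 * 3600
# A reply older than this is treated as a replay and ignored.
MAX_REPLY_AGE_SECONDS = 300


def terminate_employee(user: str) -> None:
    """Central disablement: the only action IT has to take."""
    ACTIVE_EMPLOYEES.discard(user)


def server_heartbeat(user: str, now: int) -> dict:
    """Reply from the heartbeat service. It is signed so a terminated user
    cannot keep the device alive by answering the heartbeat themselves."""
    payload = {"user": user, "active": user in ACTIVE_EMPLOYEES, "ts": int(now)}
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(HEARTBEAT_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class MobileClient:
    """Client-side kill switch around locally cached account data."""

    def __init__(self, user: str, now: int) -> None:
        self.user = user
        # Constructed sample of what a sales app might cache for offline use.
        self.cache = {"accounts": ["Acme Corp", "Globex"], "pricing": {"widget": 9.99}}
        self.last_ok = now
        self.locked = False

    def _authentic(self, reply: dict, now: int) -> Optional[dict]:
        """Return the payload if the signature is valid and the reply is fresh."""
        expected = hmac.new(HEARTBEAT_KEY, reply["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, reply["tag"]):
            return None
        payload = json.loads(reply["body"])
        if abs(now - payload["ts"]) > MAX_REPLY_AGE_SECONDS:
            return None
        return payload

    def apply_heartbeat(self, reply: Optional[dict], now: int) -> str:
        """Returns 'ok', 'grace', 'revoked' or 'stale'; the last two mean the
        cache has been wiped and the app is locked."""
        payload = self._authentic(reply, now) if reply is not None else None
        if payload is not None:
            if payload["user"] == self.user and payload["active"]:
                self.last_ok = now
                return "ok"
            self._wipe()
            return "revoked"
        # No reply, a forged reply, or a replayed old reply: all count as silence.
        if now - self.last_ok > MAX_SILENCE_SECONDS:
            self._wipe()
            return "stale"
        return "grace"

    def _wipe(self) -> None:
        self.cache = {}
        self.locked = True
```

The grace period is the tradeoff the text describes: long enough that a salesperson on a flight is not locked out, short enough that a stolen device does not stay useful for weeks.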

Access Control
IT professionals consider access control the next most significant security issue. Access control ensures that end users see only the information for which they are authorized. For example, a regional sales manager might be able to see pipeline and revenue status for his or her region, but not for a peer's.

Access control is closely related to personalization. It turns out that most end users don't want to be distracted by information that isn't relevant to them. For example, the government-systems sales representative in New Jersey cares only about a small section of the company intranet - the part that keeps information on his or her territory, accounts, and product line.

To address access-control issues, look for mobile applications that have strong personalization support, specifically:

  • Corporate data should be easily filtered to be relevant and secure for classes of end users (user profile) down to the specific end-user level.
  • IT should be able to centrally administer filtering rules. Administration should be flexible and easy.
  • Personalization architectures should easily integrate with multiple-legacy data sources and not require maintenance when the structure of underlying data changes.
  • Access-control solutions should integrate with LDAP or the Microsoft NT security architecture to minimize total cost of ownership issues.
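The four bullets above, as an added example (not from the original article): user attributes come from a central directory (a dictionary standing in for LDAP or the NT domain), the filter rules are a small centrally administered table keyed by role, and the filter is applied to a constructed pipeline report. A user or role missing from the tables, or a user whose directory entry lacks an attribute a rule needs, sees nothing; changing who sees what is a rule-table edit, not an application change. All data, user IDs and role names are constructed.

```python
from typing import Dict, List, Optional

# Constructed CRM rows standing in for the corporate pipeline report.
PIPELINE: List[Dict] = [
    {"region": "Northeast", "territory": "NJ", "product_line": "Government", "account": "State of NJ", "pipeline": 400},
    {"region": "Northeast", "territory": "NY", "product_line": "Commercial", "account": "Acme", "pipeline": 250},
    {"region": "West", "territory": "CA", "product_line": "Government", "account": "CalDOT", "pipeline": 600},
    {"region": "West", "territory": "WA", "product_line": "Commercial", "account": "Globex", "pipeline": 150},
]

# Stand-in for the directory (LDAP / NT domain). The mobile application never
# keeps its own copy of who a user is; it looks the attributes up centrally.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "rsm_ne":   {"role": "regional_manager", "region": "Northeast"},
    "rep_nj":   {"role": "sales_rep", "region": "Northeast", "territory": "NJ", "product_line": "Government"},
    "vp_sales": {"role": "vp_sales"},
}

# Centrally administered filter rules: for each role, which row field must equal
# which user attribute. An empty rule means no restriction; a role absent from
# the table is denied everything.
FILTER_RULES: Dict[str, Dict[str, str]] = {
    "regional_manager": {"region": "region"},
    "sales_rep": {"region": "region", "territory": "territory", "product_line": "product_line"},
    "vp_sales": {},
}


def visible_rows(user_id: str,
                 rows: Optional[List[Dict]] = None,
                 directory: Optional[Dict[str, Dict[str, str]]] = None,
                 rules: Optional[Dict[str, Dict[str, str]]] = None) -> List[Dict]:
    """Return only the rows the user is authorized to see (deny by default)."""
    rows = PIPELINE if rows is None else rows
    directory = DIRECTORY if directory is None else directory
    rules = FILTER_RULES if rules is None else rules

    attrs = directory.get(user_id)
    if attrs is None:
        return []                       # unknown user: nothing
    rule = rules.get(attrs.get("role", ""))
    if rule is None:
        return []                       # role with no rule: nothing

    visible = []
    for row in rows:
        allowed = True
        for row_field, user_attr in rule.items():
            # Fail closed if the directory entry lacks the attribute the rule needs.
            if user_attr not in attrs or row.get(row_field) != attrs[user_attr]:
                allowed = False
                break
        if allowed:
            visible.append(row)
    return visible


def pipeline_total(user_id: str) -> int:
    """Aggregate computed only over rows the user may see, so totals do not leak."""
    return sum(row["pipeline"] for row in visible_rows(user_id))
```

Because the rule refers to row fields and user attributes by name, adding a new column to the pipeline report does not require touching the rules, which is the maintenance property the third bullet asks for.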
Authentication
Authentication refers to validating the identity of the end user. In low-security environments this is accomplished with a simple user ID and password. In a more secure environment, a one-time password token such as RSA SecurID can be used.

SecurID is a time-synchronized one-time password technology: the password changes every minute. End users carry a keychain or other device that displays the current password. The same password algorithm also runs on a back-end server in synchronization with the end-user device. SecurID provides both authentication and a degree of theft control, since a stolen laptop or PDA is of little use without the token. It also has the advantage of being multi-device in nature, since the same password can be used for laptop, PDA, and phone.

Higher-protection authentication mechanisms require end users to keep some type of physical key on them. This could be an actual physical key, a smart card, or ultimately, a biometric key, such as a fingerprint. While biometric solutions are advancing and provide the strongest authentication available, at this time they're limited to laptop devices. In general, end users dislike physical or smart card key approaches, so expect some impact on application acceptance and usage.
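How a time-synchronized token and its back end stay in step, as an added example (not code from the article or from RSA): the code on the fob is an HMAC over the current time step (the HOTP/TOTP construction of RFC 4226 and RFC 6238, with the step set to the article's one minute), the server shares the seed and computes the same value, tolerates one step of clock drift, refuses to accept any code twice, and revokes a lost token with one central action. The seed, user name and timestamps are constructed; the first test vector below is the published RFC 6238 one.

```python
import hashlib
import hmac
import struct
from typing import Dict

STEP_SECONDS = 60   # the article's "changes every minute"; RFC 6238 defaults to 30
DIGITS = 6


def token_code(secret: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """The code shown on the key fob: HOTP (RFC 4226) over the current time step."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenServer:
    """Back end that holds each user's seed and runs the same algorithm."""

    def __init__(self) -> None:
        self._seeds: Dict[str, bytes] = {}          # in practice kept in a token DB / HSM
        self._last_counter: Dict[str, int] = {}     # highest step already accepted, per user

    def enroll(self, user: str, seed: bytes) -> None:
        self._seeds[user] = seed

    def revoke(self, user: str) -> None:
        """Lost or stolen token, or terminated employee: one central action."""
        self._seeds.pop(user, None)
        self._last_counter.pop(user, None)

    def verify(self, user: str, code: str, now: int, skew_steps: int = 1) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        current = now // STEP_SECONDS
        for counter in range(current - skew_steps, current + skew_steps + 1):
            if counter <= self._last_counter.get(user, -1):
                continue    # each code is single-use, so a sniffed code cannot be replayed
            if hmac.compare_digest(token_code(seed, counter * STEP_SECONDS), code):
                self._last_counter[user] = counter
                return True
        return False
```

The multi-device property in the text follows directly: the code depends only on the seed and the clock, so the same value is valid whether it is typed on a laptop, a PDA or a phone.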

Encryption
The last security issue to discuss is encryption - how data is protected during transport between corporate information systems and end users. Encryption impacts end-user convenience because it often adds overhead to the network connection. This makes limited-bandwidth mobile connections even "thinner" in nature. In low-security applications, IT professionals should consider whether encryption is really necessary and potentially opt for strong authentication mechanisms instead. Note that authentication only controls who can ask for data; it does nothing to stop eavesdropping on data already in transit, so this tradeoff is only sound where the data itself is not sensitive.

When encryption is necessary, the key question is if it's end-to-end in nature or if it relies on the native encryption of the transport mechanism. Consider the different "segments" of the network that data must traverse. Data may begin on a corporate information system, travel via virtual private network to a hosting center, be stored on a server at the hosting center, and then be sent out via a particular cellular carrier's wireless network.

In this example, IT can rely on the encryption technology of each segment or can "overlay" an "end-to-end" solution that encrypts data before it ever leaves the corporate information system, and does not decrypt it until it reaches the mobile device. The end-to-end solution is a stronger approach that gives the IT professional more control over bandwidth versus protection tradeoffs. Wireless infrastructure service providers generally include end-to-end encryption in their offerings; before relying on one, confirm where the keys are held and at which point the data is actually decrypted, since a solution that terminates at the provider's server is not end-to-end.

One problem with end-to-end encryption is that today's cell phone handsets do not have sufficient local processing to support encryption and decryption on the handset. This means that the link from cell phone to carrier must rely on native encryption technologies. In very secure environments, it means the device should not be used.
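The segment-versus-overlay distinction from the preceding paragraphs, as an added example (not code from the article or from any provider): the message crosses the same three hops either way, but with per-segment encryption every intermediary decrypts and re-encrypts, so the hosting center and carrier both hold the plaintext, whereas with the end-to-end overlay they only ever hold ciphertext. The keys and message are constructed. The cipher is an illustrative encrypt-then-MAC construction built from HMAC-SHA256 so the example runs on the standard library alone; a real deployment would use AES-GCM or a TLS/VPN stack, and the hop structure, not the cipher, is the point.

```python
import hashlib
import hmac
import os
from typing import Dict


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher keystream (illustrative)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one shared key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_box(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed keys: one per network segment, plus the end-to-end overlay key
# that only the corporate system and the mobile device share.
VPN_KEY = b"corp<->hosting vpn key (example)"
CARRIER_KEY = b"hosting<->carrier key (example)"
AIR_KEY = b"carrier<->handset air-link key (example)"
E2E_KEY = b"corp<->device overlay key (example)"


def deliver_per_segment(message: bytes) -> Dict[str, bytes]:
    """Each segment encrypts with its own key and the next hop decrypts."""
    seen: Dict[str, bytes] = {}
    at_hosting = open_box(VPN_KEY, seal(VPN_KEY, message))      # corp -> hosting center
    seen["hosting_center"] = at_hosting                         # stored in the clear there
    at_carrier = open_box(CARRIER_KEY, seal(CARRIER_KEY, at_hosting))
    seen["carrier"] = at_carrier
    seen["device"] = open_box(AIR_KEY, seal(AIR_KEY, at_carrier))
    return seen


def deliver_end_to_end(message: bytes) -> Dict[str, bytes]:
    """Corporate system seals for the device first; segment encryption runs underneath."""
    seen: Dict[str, bytes] = {}
    overlay = seal(E2E_KEY, message)
    at_hosting = open_box(VPN_KEY, seal(VPN_KEY, overlay))      # still ciphertext here
    seen["hosting_center"] = at_hosting
    at_carrier = open_box(CARRIER_KEY, seal(CARRIER_KEY, at_hosting))
    seen["carrier"] = at_carrier
    seen["device"] = open_box(E2E_KEY, open_box(AIR_KEY, seal(AIR_KEY, at_carrier)))
    return seen
```

The handset limitation in the paragraph above shows up here as the final `open_box(E2E_KEY, ...)`: if the device cannot perform that step, the last hop can only use the air-link key, and the carrier becomes a point at which the data is in the clear.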

Wrapping It Up
That's the quick overview on mobile security - a tradeoff between end-user convenience, deployment and maintenance costs, and data protection. Next month we'll take a look at another key piece of the mobility puzzle - integrating mobile applications into legacy systems.
