Q&A: Securing Your Mobile Environment
How to improve security for mobile users in light of new, complex technologies such as cloud computing.
As your business users push for more mobile access to your enterprise applications, security challenges grow more complex. How do new technologies such as cloud computing impact security, and what should your enterprise do to improve mobile security? For answers, we turned to Raffi Tchakmakjian, vice president, product management at Trellia, a firm that specializes in enterprise mobility management. Raffi is responsible for driving the company's product strategy and has over 10 years of product management experience in enterprise IT infrastructure, software, and data-optical communications.
What critical mobility factors should companies consider when adopting a cloud computing environment that also supports a large mobile workforce?
Typically, a cloud environment provides the flexibility to have the applications and data available to the end-user from wherever they are. In a mobile environment, users are physically in different locations such as the office or at home, or they are travelling; they will try to access their portal from any network, including non-corporate networks (such as public Wi-Fi) and public LANs. They’ll use any device -- a corporate PC/laptop, personal PC, corporate-issued smartphone (such as a BlackBerry) or a personal smartphone (such as an iPhone).
This has a couple of implications for enterprise security and support. The use of non-corporate devices and networks adds the risk of compromising corporate data available through the cloud. Mobile users can download possibly compromised information from a public network on non-corporate devices. From a support perspective, users will expect the cloud-based applications to be available on all networks and devices, which is not always the case because of the variety of viewing form factors and because network access points are not always compatible with the cloud computing environment -- leading to dissatisfaction and frustration.
As cloud environments range from public and private clouds to a new hybrid model, this exacerbates the challenges. Both security and support issues definitely need to be reviewed when moving to a cloud environment.
You’ve implied that enterprises should consider the types of mobile devices they support. What factors should they be considering?
On the physical hardware and OS side, it is essential to match the device type to the application in use. If the application requires a large viewing surface, with many control and entry points on the portal, then typically a laptop or PC should be used. If certain smartphones can easily allow use of the portal, then they should be considered as well. For example, cloud applications on smartphones make a lot of sense because the applications are browser-based and are therefore operating system agnostic -- which means the issues of OS compatibility for mobile apps on smartphones are pretty much non-existent.
The key thing we recommend to our customers is to put mobile policies in place within an enterprise mobility management framework to ensure adequate security, efficiency, and cost control. Without mobile policies, regardless of the device, there is a risk of data compromise, cost overruns, and support issues.
Mobile policies give “control” to the enterprise; they enable a cloud computing environment where the enterprise is assured that data is always safe, regardless of the network or device in use.
Your enterprise can avoid the extra costs to support constant user connectivity to cloud apps -- typical of 3G overusage and unnecessary Wi-Fi expenses. Mobile users will not encounter situations where they need to call the help desk because of technical incompatibilities, nor will they experience frustration trying to use cloud applications while they are mobile.
What additional security measures should enterprises put in place to lock down the exposure points introduced by the mobile workforce?
Typical security measures for mobile workers should be defined for network access and local data protection on the systems. For example, having a “trusted” network access list allows the enterprise to control which networks users connect to and which rules and policies are applied. Usually corporate networks are included as part of this network access list, and public networks (such as home or public Wi-Fi/LAN and 3G) require certain rules to be applied before users are permitted to log in.
These rules can include enforcing a minimum authentication and encryption level on the network, making sure no more than a single network is “on,” ensuring firewall and anti-virus systems are running and up-to-date, and enforcing the corporate VPN.
A solid mobility management framework should have all these policies defined and automated for the workforce.
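The trusted-network list and the per-network rules described in this answer (minimum Wi-Fi authentication/encryption level, only one network active, firewall and anti-virus running and current, corporate VPN enforced on non-trusted networks) can be expressed as a small policy check that runs on the device before a cloud login is allowed. The block below is an added example, not Trellia's MPM code; the trusted SSIDs, the security ranking, the seven-day anti-virus definition age and the sample device states are all constructed for illustration.

```python
"""Trusted-network access policy check (added illustration).

A device state (active networks, firewall/AV status, VPN) is evaluated
against the rule that applies to the primary network: corporate networks
on the trusted list skip the VPN requirement, everything else is treated
as public. All names and thresholds are assumptions for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple

# Wi-Fi auth/encryption levels, weakest to strongest (assumed ranking).
WIFI_SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}

# Constructed trusted list: corporate SSIDs and wired segments.
TRUSTED_NETWORKS = {"CORP-WIFI", "corp-lan"}


@dataclass
class Network:
    kind: str                # "wired", "wifi" or "3g"
    name: str                # SSID, APN or interface label
    security: str = "n/a"    # Wi-Fi auth/encryption; "n/a" for wired/3G


@dataclass
class DeviceState:
    active_networks: List[Network]   # first entry is the primary network
    firewall_on: bool
    av_on: bool
    av_definitions_age_days: int
    vpn_connected: bool


@dataclass
class Rule:
    min_wifi_security: str = "wpa2"
    require_vpn: bool = True
    require_firewall: bool = True
    require_av: bool = True
    max_av_age_days: int = 7
    single_network_only: bool = True


CORPORATE_RULE = Rule(require_vpn=False)   # already inside the perimeter
PUBLIC_RULE = Rule()                       # home/public Wi-Fi, LAN, 3G


def rule_for(network: Network) -> Rule:
    return CORPORATE_RULE if network.name in TRUSTED_NETWORKS else PUBLIC_RULE


def evaluate(state: DeviceState) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); reasons lists every violated rule so the
    help desk or an automated remediation step sees all of them at once."""
    reasons: List[str] = []
    if not state.active_networks:
        return False, ["no active network"]
    primary = state.active_networks[0]
    rule = rule_for(primary)

    if rule.single_network_only and len(state.active_networks) > 1:
        reasons.append("more than one network is active")
    if primary.kind == "wifi":
        have = WIFI_SECURITY_RANK.get(primary.security, 0)
        need = WIFI_SECURITY_RANK[rule.min_wifi_security]
        if have < need:
            reasons.append(f"wifi security '{primary.security}' below "
                           f"required '{rule.min_wifi_security}'")
    if rule.require_firewall and not state.firewall_on:
        reasons.append("host firewall is off")
    if rule.require_av:
        if not state.av_on:
            reasons.append("anti-virus is not running")
        elif state.av_definitions_age_days > rule.max_av_age_days:
            reasons.append(f"anti-virus definitions older than "
                           f"{rule.max_av_age_days} days")
    if rule.require_vpn and not state.vpn_connected:
        reasons.append("corporate VPN not connected")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed scenarios: an office desk and a cafe hotspot.
    office = DeviceState([Network("wired", "corp-lan")], True, True, 1, False)
    cafe = DeviceState([Network("wifi", "CafeHotspot", "open")], True, True, 30, False)
    for label, st in (("office", office), ("cafe", cafe)):
        ok, why = evaluate(st)
        print(label, "allowed" if ok else "denied", why)
```

The evaluator returns every violation rather than stopping at the first, which is what an automated remediation step (bring up the VPN, trigger an AV update) needs; a real agent would re-run the check whenever the active network set changes.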
Cloud computing dramatically changes the way end users access their corporate applications. Layering a mobile workforce into the mix makes it increasingly complex. What changes in support should the IT organization prepare for?
Mobility in itself poses a lot of complexity to the support organization. Network access is still not a given because connecting to Wi-Fi and 3G requires different procedures, and these procedures differ according to location. Furthermore, VPN access is not always available and public networks are not reliable.
This burdens the help desk with new types of issues: connectivity challenges in environments which the enterprise does not control. Adding cloud computing increases the burden because connectivity is a prerequisite for access to cloud-based applications. Mobile workers now are required to get connected in order to work, which directly increases the volume of complex connectivity issues.
To best prepare for this situation, an IT organization must consider a mobility management framework that allows controlling the types of networks users connect to (through trusted access) and automates the connectivity process for the end user according to set policies. Having visibility into the user’s environment also helps; it should be built in to the mobile management framework.
What changes to applications are necessary for moving mobile apps to the cloud, or introducing cloud computing to existing mobile apps?
Most mobile applications are already written with access in mind -- that’s the reason most people think transitioning to the cloud is simple. Yet there are a couple of “gotchas” that can be major issues if they are not dealt with in the architecture from the start. They are related to the lack of a “state” and database server interactions.
Building for redundancy without local databases and known last states is a different approach to regular mobile application development. In the cloud, when a link breaks or the server is not responding, the typical fallback is to start back from the beginning. This requires a different approach to the application architecture.
Due to the “statelessness” of the cloud, even database manipulations are different; typical entity relationships do not hold anymore, and different modeling techniques must be used. In terms of timing, access or availability of information is not the same as that of local applications, so IT must consider this difference.
Finally, because specific APIs are used for part of the cloud, an organization needs to make sure to use industry-standard protocols and not proprietary systems to ensure portability to different cloud services.
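The “start back from the beginning” fallback described in this answer, and the alternative of building around a known last state, can be shown with a small client/server pair: the server keeps no session state beyond a table of already-applied request keys, and the client keeps a local checkpoint and sends one idempotency key per step, so a broken link (including the worst case, where the server applied the request but the acknowledgement was lost) leads to a resume rather than a restart or a duplicate write. This is an added example, not code from the interview or from Trellia; the chunked-upload shape, the flaky-link simulation and the chunk data are constructed.

```python
"""Resumable, idempotent client against a stateless server (added example).

The server's only memory across requests is a dedup table keyed by an
idempotency key (assumed to live in a shared store in a real deployment).
The client persists next_seq locally and retries with the same key, so a
lost acknowledgement never causes the chunk to be applied twice.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class LinkDropped(Exception):
    """The request reached the server but the response never came back."""


@dataclass
class StatelessServer:
    applied: Dict[str, dict] = field(default_factory=dict)   # key -> ack
    store: List[Tuple[int, bytes]] = field(default_factory=list)

    def put_chunk(self, key: str, seq: int, data: bytes) -> dict:
        if key in self.applied:
            return self.applied[key]        # duplicate: replay the original ack
        self.store.append((seq, data))
        ack = {"seq": seq, "digest": hashlib.sha256(data).hexdigest()[:12]}
        self.applied[key] = ack
        return ack


class FlakyLink:
    """Forward to the server but drop the response of chosen call numbers,
    after the server has done the work (constructed failure model)."""

    def __init__(self, server: StatelessServer, drop_on_calls=()):
        self.server, self.calls, self.drops = server, 0, set(drop_on_calls)

    def put_chunk(self, key: str, seq: int, data: bytes) -> dict:
        self.calls += 1
        ack = self.server.put_chunk(key, seq, data)
        if self.calls in self.drops:
            raise LinkDropped(f"response for seq {seq} lost")
        return ack


@dataclass
class Checkpoint:
    upload_id: str          # stable per upload, generated once by the client
    next_seq: int = 0       # persisted on the device between attempts


def resumable_upload(link, checkpoint: Checkpoint, chunks: List[bytes],
                     max_retries: int = 3) -> List[dict]:
    """Send chunks from checkpoint.next_seq onward. The idempotency key is
    (upload_id, seq), so retries and later resumes reuse the same key."""
    acks: List[dict] = []
    while checkpoint.next_seq < len(chunks):
        seq = checkpoint.next_seq
        key = f"{checkpoint.upload_id}:{seq}"
        for _attempt in range(max_retries):
            try:
                acks.append(link.put_chunk(key, seq, chunks[seq]))
                break
            except LinkDropped:
                continue                     # same key, same payload
        else:
            raise RuntimeError(f"gave up on seq {seq}")
        checkpoint.next_seq = seq + 1        # advance only after a real ack
    return acks


# Constructed sample payload: five chunks of an upload.
CHUNKS = [f"chunk-{i}".encode() for i in range(5)]


def run_demo() -> Tuple[int, int, List[int]]:
    """Break the link three times in a row on seq 2, then resume on a good
    link. Returns (next_seq after failure, server calls, stored seqs)."""
    server = StatelessServer()
    ckpt = Checkpoint("upload-abc")
    bad = FlakyLink(server, drop_on_calls={3, 4, 5})
    try:
        resumable_upload(bad, ckpt, CHUNKS)
    except RuntimeError:
        pass                                  # app restarts, checkpoint survives
    seq_after_failure = ckpt.next_seq
    resumable_upload(FlakyLink(server), ckpt, CHUNKS)
    return seq_after_failure, bad.calls, [s for s, _ in server.store]


if __name__ == "__main__":
    print(run_demo())
```

Two points carry over to the data-model remark in the answer: the client never asks the server “where was I?” (it owns that state), and the server never relies on having seen the previous request, which is what lets any instance behind a load balancer serve the retry.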
What's the best strategy for making the move: starting with a cloud environment and introducing mobile computing, starting with a mobile workforce and moving it to the cloud, or starting from scratch and introducing mobile and cloud technologies at the same time?
Unfortunately, there is no silver bullet answer.
Generally, the best strategy is to assess the current situation in the enterprise and build the right plan to reach the mobility goals. In almost every enterprise, there are some pockets of mobility or cloud computing in place. It’s rare to have the luxury to start with either one of them or to start from scratch.
Most mobility or cloud initiatives usually fail or go over budget because the right organizational units are not synced and working together on an executive-backed game plan. Forming an internal working group, with members from different IT departments, with a mandate to complete the project is key. The business requirements should be well stated and understood by everyone, too. These will drive the priorities during the move.
What can organizations do to ready their help desk and support functions in preparation for a mobility/cloud shift?
I think the essence is in best defining the mobility management framework as a start. This reduces most support issues at their source by eliminating incompatibilities or potential problems, whether technical or due to human manipulation.
In addition, to better manage situations in the field, having visibility into the mobile worker’s connection state, location, network of use, etc. greatly optimizes the support process, and it allows the organization to better understand the user’s mobility patterns and to better define and refine mobile policies. A mobility management framework that includes this kind of visibility allows the organization to eliminate the current issues of the mobile workforce and the cloud environment as well as to optimize mobile technology for the future.
In what situations would you recommend that enterprise mobility management not be deployed in the cloud?
Enterprise mobility management can be implemented in two ways: as part of the private cloud (i.e., on customer premise) or as a public/hybrid cloud-based application itself. Both implementations have the same benefits for managing the workforce in a cloud environment.
Typically, when an enterprise has already embraced public cloud computing, then enterprise mobility management should be a part of that program. We recommend implementing a mobility management system as private on-premise when there is a large mobile workforce and the enterprise is still analyzing their cloud requirements and needs. This way, the mobility management system, with its visibility and control functions, will enable the enterprise to better assess and define their policies in readiness for the cloud environment -- and the migration to the cloud will be very efficient.
What role does Trellia play in this market?
Trellia arms the enterprise with visibility and control so it can successfully embark on mobility projects, especially those in a cloud environment. Visibility and control are offered through our SaaS- or PaaS-based Mobile Policy Management (MPM) platform that gives an enterprise key insights into user mobility patterns, security risks, access expenditures, and support issues, and then defines mobile policies to eliminate these risks, support overhead, and extra costs by automating and enforcing the policies.
The MPM has out-of-the-box mobile policies that can be quickly deployed for all types of networks and access, to control costs, maximize security and optimize productivity. MPM has allowed our customers to reap the benefits of mobility and cloud computing without the security concerns, cost overruns, and support overhead that accompany them.