Cybersecurity and Enterprise Mobility - Key Considerations and Vendor Evaluation Criteria
With the rapid growth in mobile devices and wearables, government organizations around the world are looking at how innovative enterprise mobility solutions can transform service delivery and staff efficiency. As with all new technology, a digital transformation of this kind introduces unforeseen security risks. This post discusses the key security aspects that agency IT and business leaders should consider when selecting mobility solutions and solution vendors.
Should you worry about apps or content?
Mobile application security is inherently harder because mobile end points cannot be controlled to the same extent as traditional end points such as desktop PCs and laptops. Their characteristics change continually with the carrier network, the data connection, the Wi-Fi hotspot in use and the servers behind it. Add the possibility that the device becomes unreachable altogether because the user takes it off every phone and wireless network, and relying solely on device end point management will not suffice to secure enterprise mobile solutions. A combination of Enterprise Mobility Management (EMM) solutions and a "security first" approach to the design and development of enterprise mobile solutions should be considered.
A "security first" approach means that the effort to secure enterprise mobile solutions and mobile engagement channels focuses on the data handled by the application and on the application code itself.
Data at rest on a mobile device must be:
- The absolute minimum required to perform the business process flows supported by the application
- Time-limited in the case of offline applications: all offline data must carry a configurable expiry date/time after which the application automatically deletes the offline content
- Encrypted using a strong encryption algorithm such as AES-256
- Hashed using a one-way hash function, in the case of authentication credentials, passwords, etc. needed for offline operation
On the server side, the solution must:
- Put adequate measures in place to pass only the minimum required data sets (content) through the interfaces/APIs
- Build in appropriate authorization controls to ensure that end users on a device see only the data they are permitted to see
- Send/receive data over a secure transport layer (SSL/TLS) with valid certificates
- Validate input parameters against a pre-defined schema to ensure that only valid requests are accepted from the mobile end point
- Secure the REST/SOAP APIs using appropriate methods such as WS-Security or OAuth
Application security testing plays a significant role in ensuring that the apps deployed on mobile devices are vetted for vulnerabilities at the code level and that remedial actions are taken. The National Institute of Standards and Technology (NIST) has published guidance on vetting the security of mobile applications (NIST SP 800-163) at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-163.pdf
Agency leaders should strongly consider using this guidance to test and certify all their enterprise mobile applications.
Key questions for Mobility solution vendors
Cybersecurity remains the #1 priority for government IT leaders, and mobile technology continues to be among the top 5 budget priorities. As heterogeneous IT environments widen the threat surface for cyberattacks and data theft, agencies will be well served by taking a "security first" approach while evaluating mobility solutions and vendors.
Seven key security considerations that should be part of any evaluation:
- Does the proposed mobile solution integrate with Identity and Access Management systems for controlling access to agency resources?
- Does the proposed solution leverage industry standard methods to integrate with Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) solutions?
- Has the proposed solution been tested for security vulnerabilities using industry standard scanning tools? If yes, have remedial measures been applied to address any issues identified?
- Does the proposed solution have adequate measures in place to secure offline data stored on the device? What configuration options are available to control the data lifespan on the device?
- Does the proposed solution use web services/REST APIs to interact with Systems of Record? How are these services/APIs secured?
- Does the proposed solution use any cloud-based services? If yes, how is the data passed to these services secured?
- Does the proposed solution follow data encryption standards? How is data secured at rest and in transit?
While deploying mobility solutions, agencies will be well served by focusing on the data flow through the IT environment, from the front-end device all the way to the core IT Systems of Record, and by ensuring that adequate data security controls are in place at each step.