The Top Four Security Aspects You Need to Consider For Mobile Solutions
As Health and Human Services (HHS) agencies around the world accelerate the deployment of "Systems of Engagement" for the mobile channel, security is one of the most important concerns of agency CIOs and IT staff. By nature, mobile solutions have more areas where security risks can manifest themselves than traditional, server-oriented solutions such as enterprise web applications.
While the incidence of security breaches around mobile solutions is quite low and the majority of known mobile malware is classed as "annoyance-ware," securing mobile applications and the data they handle is a fundamental requirement for HHS agencies, given the sensitivity of HHS case work.
One of the pre-eminent organizations leading the charge on software security is the Open Web Application Security Project (OWASP.org). The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams what they need to build and maintain secure mobile applications. OWASP defined the "Top 10 Mobile Risks," and the latest update to this list is the 2014 "Top 10 Mobile Risks" list. The 2015 update to this list is in progress.
All of the security risks and threats identified in this list fall broadly under four categories that agencies should, at a minimum, consider for mobile application security when evaluating, developing and deploying enterprise mobility solutions:
1. Network Security
Mobile applications operate under a variety of network conditions and over a varied set of networks, both public and private. Public networks provided by mobile network operators and wireless hotspots carry a higher threat of network-related security breaches than an agency-controlled network or a VPN tunnel controlled by the agency. Ensuring that all data sent over the network is protected with TLS (the successor to SSL) keeps sensitive data from being compromised when the network itself is vulnerable or hostile. Mobile solutions should also ensure that session-related data and server call parameters passed over the network are adequately protected, by sending them in HTTP POST bodies rather than in URLs and by encrypting them.
2. Device Security
In this era of Bring Your Own Everything (BYOX), securing enterprise data and content on mobile devices that may or may not be owned by the agency is a major challenge. Because mobile devices are easily lost or stolen, data on those devices is highly vulnerable. When corporate data is accessible from a personal mobile device, the organization suddenly loses a great deal of control over who can access that data. Enterprise mobility management (EMM) systems aim to prevent unauthorized access to enterprise applications and corporate data on mobile devices. Their controls include password protection, encryption and remote wipe, which lets an administrator delete all data from a misplaced device. With many systems, security policies can be centrally managed and enforced.
EMM solutions also provide Enterprise Content Management (ECM) capabilities, which give agency staff the tools to control access to data and content from mobile devices and other endpoints.
While EMM and Mobile Device Management (MDM) solutions let enterprises secure end-user devices, applications, device settings and policies, these solutions depend heavily on OTA (Over The Air) programming capabilities, which require that the mobile device is connected to a network. If whoever holds the device removes the SIM card or disables network connectivity, remote controls can no longer reach it, and the data on the device can still be retrieved for malicious purposes using a number of freely available tools.
This brings to the fore the need to secure the applications that handle enterprise business processes and their associated data.
3. Application Security
Mobile applications that are installed on or accessed from end-user devices are susceptible to a number of security threats if adequate measures are not put in place. Malicious code can be injected into application binaries, which can result in data theft. Applications that store identity and business-related data on devices without sufficient encryption and data leakage protection (for example, against copy and paste from an enterprise application into a user's personal application) are vulnerable to data and identity theft.
To prevent such vulnerabilities, application developers and vendors must ensure that "security first" programming methods are followed. These include, but are not limited to:
- code obfuscation
- disallowing data storage on removable media such as memory cards
- ensuring that device services such as GPS and the camera are controlled appropriately
- security scanning of application code
- use and validation of trusted certificates when communicating with a back-end server
There are a number of Mobile Application Management (MAM) tools on the market that provide application security either through "app wrapping," which places the mobile application in a "container" without any changes to the application code, or through SDKs, which provide more granular control over application security but require code changes to the application. Depending on the level of sophistication required, MAM solutions can be used to control authentication and single sign-on, selective wipe of application data, per-app VPN tunnels, and data leak protection controls such as blocking copy/paste and screenshots.
4. Data Security
Securing enterprise data spans the three categories discussed above. Sensitive data needs to be protected at rest (on the device) and in transit over the network(s). Standards such as FIPS 140-2 for encryption and HIPAA for the handling of health-related data must be adhered to. All leading MDM/MAM providers support data security controls that adhere to these standards. At the application level, controls need to be in place for things such as:
- preventing access to applications on jailbroken devices
- locking applications and remotely wiping their data after a number of failed authentication attempts
- encrypting data in line with FIPS 140-2 and HIPAA-like standards
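As an added illustration of the second and third controls above, not code from the original article or from any vendor's product, the following Python sketch gates a local data store behind a passcode, derives the at-rest key with PBKDF2, and wipes the store after repeated authentication failures. It assumes the platform's validated crypto module performs the actual encryption of the payload under the derived key; the iteration count and attempt threshold are constructed policy values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # constructed policy value; tune to the device's CPU budget
MAX_FAILED_ATTEMPTS = 5      # constructed policy value; the fifth miss wipes the vault
VERIFIER_TAG = b"vault-unlock-check"

def derive_key(passcode: str, salt: bytes) -> bytes:
    """Stretch the passcode into a 256-bit key with PBKDF2-HMAC-SHA256 (NIST SP 800-132)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)

@dataclass
class LocalVault:
    """Passcode-gated container for data at rest. `payload` is assumed to be already
    encrypted under the derived key by the platform's validated crypto module."""
    salt: bytes
    verifier: bytes
    payload: Optional[bytes]
    failed_attempts: int = 0
    wiped: bool = False

    @classmethod
    def create(cls, passcode: str, payload: bytes) -> "LocalVault":
        salt = secrets.token_bytes(16)
        key = derive_key(passcode, salt)
        # Persist an HMAC under the key rather than the key or passcode, so nothing
        # stored on the device lets a thief test guesses faster than PBKDF2 allows.
        verifier = hmac.new(key, VERIFIER_TAG, "sha256").digest()
        return cls(salt=salt, verifier=verifier, payload=payload)

    def wipe(self) -> None:
        """Lockout or remote-wipe path: destroy everything needed to recover the data."""
        self.payload, self.salt, self.verifier, self.wiped = None, b"", b"", True

    def unlock(self, passcode: str) -> Optional[bytes]:
        """Return the data key on success, None otherwise; wipe after too many misses."""
        if self.wiped:
            return None
        key = derive_key(passcode, self.salt)
        candidate = hmac.new(key, VERIFIER_TAG, "sha256").digest()
        if hmac.compare_digest(candidate, self.verifier):  # constant-time comparison
            self.failed_attempts = 0
            return key
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wipe()
        return None
```

A successful unlock resets the counter, so only consecutive failures count toward the wipe; a remote-wipe command from the MDM/MAM console would call `wipe()` directly.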
Application designs should ensure that data access is restricted to the "minimum set of data elements" required to carry out a business process. This can be done by designing fine-grained APIs that interact with systems of record.
Security and data protection concerns are major impediments to a successful "systems of engagement" strategy for the mobile channel in Health and Human Services agencies. When looking for enterprise mobile solutions, agencies will be well served to evaluate solution vendors that can demonstrate a "security first" approach in their solutions and show how their offerings address the four key focus areas: network, device, application and data security.