I have been attending more and more cloud-based meetings over the past year: looking at services, looking at providing services, development in the cloud, security, etc… In all those meetings, the conversation eventually turns to mobile. However, I noticed something: ask what mobile means and you get vastly different answers.
I think I know why. Most people, the non-hardcore nerds, have a hard time differentiating between mobile web access and mobile app access. These are two completely different things, each with different considerations you need to be aware of.
Let me try to break this down:
You have an app you want to move to a cloud service. The first thing you need to do is take a look at what you are doing today. Is this app on the Internet now? If the answer is yes, then you are already dealing with mobile access. Unless you have a specific device registration protection around that app, anything with a browser is accessing the app, or has the ability to.
Mobile access is just a computer using a web browser to access a website/application. No different than your laptop or home desktop. So if you are in a meeting and you are talking about Internet access via a browser, then the fact it’s mobile really doesn’t matter.
Far too often I have seen security discussions spiral around browser access via a mobile device when people really mean to ask those types of questions about mobile app access. If you think about it, a laptop is a mobile device as well…
Mobile applications are the new piece that companies are worried about. The reason is that when an application is placed on a mobile device, a device that is probably BYOD (Bring Your Own Device), you lose control over that device’s use. With an app, versus browser-based access, you are probably storing more sensitive data on the device. This is what makes people nervous. If an employee loses the phone or leaves, how does the company ensure that data is safe and protected?
Email is the easiest and most widely used type of non-browser access that mobile devices have today. That means an employee’s personal phone is downloading company emails, with company data, onto a non-company device. If you have Outlook Web Access turned on and enabled, you already have a more uncontrollable, widespread issue with that today, so concerns about the mobile apps alone are small by comparison.
Here are the things you need to look at for mobile apps:
- Put a tool like MobileIron on the devices that will allow you to remotely wipe company data from the phone. If owners don’t want to have that type of destructive app on their phone, then they don’t get email.
- Decide on the method for external/cloud-based access and stick with it. If you have a Mobile App or direct SMTP connections from mobile devices, then don’t have Web Access turned on. In my past I have known people who refused to put the remote wipe on their phone but still wanted mobile phone email… so they just used the browser-based Web Access to email.
- Register devices to the users. Limit how many devices the users can have.
- Device encryption.
- Understand that web, browser-based access is not the same as mobile app access.
- Define your mobile use policies, strategies, and plans for controlling them LONG before you even talk about any type of access.
Convenience or security? One bad event and you won’t have to worry about either.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.