In January, Apple announced App Store sales hit $10 billion for 2013. This number will surely grow this year as there are around half a million native iPad apps available on the site. Add Android apps available from other sites to the mix and the number becomes much higher.
It’s clear that mobilisation is the way of the future. But it introduces security risks that CIOs need to address.
As you mobilise your workforce, users will need to download apps for work purposes, resulting in the need to integrate some of these apps with back end systems on your network.
Securing these apps will be increasingly important as they become more distributed through APIs. Combine the sheer volume of apps already created with the social requirement for mobile devices to run apps for work and play, and the potential for risk of attack grows exponentially.
Bugs in any non-work apps for instance, can potentially compromise your systems and could even provide access to a mobile device for further hacking.
This is not new to IT; we are used to playing catch up and implementing workarounds or finding ways to mitigate risks and security issues, but never before on this scale.
Many of us have spent the last 20 years concentrating on securing our networks. For the most part, application security has been left for the vendor to deal with. We just facilitate it.
Much of the current literature we have focuses on securing the network, while code and data layers have received considerably less attention.
The point here is all about focus. Data and application security needs to be a focus point for the next generation of corporate mobilised applications. The point of view matters – it’s a completely different mindset in the app world.
Banks will have a distinct advantage because most of them will have gone through the PCI DSS process, which includes application security. Unfortunately, the rest of the corporate world is just starting down this track.
Understanding the security gaps in application data and/or code structure will require in-depth institutional knowledge. Although the IT security industry is growing, I wouldn’t consider it anywhere near large enough to cope with the app boom.
The business of IT needs to understand the message properly – finishing a security project to implement a level of security does not conclude the engagement; rather, it is only a starting point for the future of mobilisation.
When you consider app security it should not be as an academic exercise for cost/benefit analysis. There will be situations where your return on investment (ROI) will not support a critical initiative.
However, you have to consider how much greater the damage could be to the brand or customer base if your company were compromised. Can you afford that risk?
App security should become a part of the design included in every new app release and should be part of the scope of a tender if you are engaging a third-party for development.
Here are some things to consider when you are introducing new apps to your network.
- Establish a risk profile for your apps – consider the value of the information they may contain.
- Integrate industry standard best practices to build your application development security framework. This may require specialised staff or contracts.
- Realise what your security pain points are in your current applications and then develop a process and build the framework around these gaps.
- Develop secure APIs and if they’re only for business, lock them down.
- Create a policy or procedure for pre-defined app development requirements. Applications should be designed and implemented with security in mind.
- Consider a mobile device management suite to secure devices and corporate apps.
I’m not suggesting an intrusive or disruptive complete overhaul. But consider seriously how you plan your mobile security and API development based on the risk that already exists.
Remember, the number of mobiles running corporate APIs to apps will increase the number of possible breach points into your network.
You simply can’t trust third-party unsigned code or applications completely without verifying that the data and/or code has not been tampered with during transit, under execution or by design.
Mobilisation is a great move forward for many businesses. I am convinced it will minimise costs and create greater flexibility in the workforce. However, it must be leveraged within the context of the threat and possible damage to the brand and therefore the business.
First posted as an article on CIO.com.au