Enterprise mobility: Security of data is one of the biggest concerns

“More people have a mobile phone than a toothbrush in the world”.

This is an oft-repeated statement at many mobility conferences. Although the veracity of this statement is questionable, it certainly highlights the ubiquity of mobile devices. Enterprises are not untouched by the proliferation of mobile devices, and enterprise mobility is no longer a tactical benefit but a strategic imperative. This rapid proliferation of mobile devices is being driven by the steep fall in their costs and the acceptance of the fact that mobile devices increase productivity and enable operational benefits.

The benefits of enterprise mobility span different areas of the business. Sales force automation and CRM applications directly benefit field workers, who can manage customer information and interactions from virtually anywhere. Similarly, supply chain mobile applications enable m-purchasing to process large volumes of real-time transactions. Providing real-time access to information such as inventory, scheduling, shipping status, etc. creates opportunities for more responsive and satisfying customer interaction. Enterprises automatically reduce their carbon footprint if their employees work from anywhere and avoid unnecessary paperwork and commutes.

Though mobility has a recurring cost in terms of telecom, application maintenance, and IT support, a well-thought-out mobility strategy would outweigh this if the mobile applications provide an integrated interface to the day-to-day business processes of the enterprise. Many applications on smartphones and tablets allow employees to work as effectively as if they were using their personal computers.

While the benefits of enterprise mobility are aplenty, security of data is one of the biggest concerns that most enterprises face. For instance, the price that an enterprise pays for a lost smartphone is very high, not because of the cost of the handset, but because of the data it carries. Earlier, data on a mobile was limited to the contact list and personal information like bank PIN numbers and passwords. However, now that enterprise applications are being installed on the devices, mobile devices have become the repository of critical business information that only a few people in the company are privy to. Enterprises must perform due diligence to ascertain that these applications store the data in an encrypted and safe manner. Employees should also be asked to set passwords for their devices. However, these two steps are not sufficient. Users have a tendency to keep passwords short and simple so that they are easy to type on devices that do not have a hardware keyboard or come with a tiny keyboard. Also, users have a tendency to install many other applications that may compromise the security of the data on the device without their explicit knowledge.

The use of Mobile Device Management (MDM) tools helps enterprises address some of these concerns. Most well-known MDM tools allow a password policy to be set (“ensure that passwords are N characters long and have a mix of letters, digits and special characters”). The MDM tools also allow enterprises to define a black-list of applications that cannot be installed on the users’ devices. Some MDM tools go to the extent of defining policies that prevent users from installing applications other than those defined as “white-listed” by the enterprise. If the device is stolen, the ‘Remote Wipe’ feature offered by MDM tools comes in handy to erase all the data stored on the device. However, it has been observed that even companies that use MDM tools make the grave error of setting policies and then forgetting about them. The administrators must therefore establish, enforce, and periodically update security policies using these MDM tools.

A Bring Your Own Device (BYOD) policy is being adopted by many enterprises. Under this policy, employees are allowed to connect their personal devices to the enterprise network. Many such devices may not be governed by the policies of MDM tools. In such scenarios, enterprises must not underestimate the power of user training focused on security aspects. Many users are happy to set a complex password on their mobile device once they understand the risks. The users also understand the risks of granting full permissions to applications that they do not trust. Many users may promptly install “Find My Device”-type applications that allow them to trace their mobile device if it is lost or misplaced.
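The controls described above (password policy, black-list, optional white-list, periodic policy review, and BYOD devices outside MDM) can be checked against a device inventory. The following is an added example, not part of the original article and not the API of any MDM product; the policy values, field names, app identifiers and inventory records are constructed assumptions.

```python
from datetime import date

# Hypothetical policy modelled on the MDM controls described in the article.
POLICY = {
    "min_length": 8,                        # the "N" in the password rule (assumed)
    "required_classes": {"letters", "digits", "special"},
    "blacklist": {"com.example.filesharer"},
    "whitelist": None,                      # a set of app ids enables white-list-only mode
    "last_reviewed": date(2023, 1, 10),
    "max_review_age_days": 180,             # assumed review interval
}

# Constructed inventory: passcode properties as reported by the device, never the passcode.
DEVICES = [
    {"id": "dev-01", "managed": True, "passcode_length": 10,
     "passcode_classes": {"letters", "digits", "special"}, "apps": {"com.example.crm"}},
    {"id": "dev-02", "managed": True, "passcode_length": 4,
     "passcode_classes": {"digits"},
     "apps": {"com.example.crm", "com.example.filesharer"}},
    {"id": "dev-03", "managed": False, "passcode_length": 0,
     "passcode_classes": set(), "apps": set()},   # BYOD device outside MDM
]

def audit_device(device, policy):
    """Return a list of policy violations for one device (empty means compliant)."""
    if not device["managed"]:
        return ["not enrolled: policy cannot be enforced"]
    findings = []
    if device["passcode_length"] < policy["min_length"]:
        findings.append("passcode shorter than %d characters" % policy["min_length"])
    missing = policy["required_classes"] - device["passcode_classes"]
    if missing:
        findings.append("passcode lacks: " + ", ".join(sorted(missing)))
    banned = device["apps"] & policy["blacklist"]
    if policy["whitelist"] is not None:      # white-list mode: anything unlisted is banned
        banned |= device["apps"] - policy["whitelist"]
    findings += ["disallowed app installed: " + app for app in sorted(banned)]
    return findings

def policy_is_stale(policy, today):
    """Flag the 'set and forget' error: the policy itself is overdue for review."""
    return (today - policy["last_reviewed"]).days > policy["max_review_age_days"]

def audit_fleet(devices, policy, today):
    report = {d["id"]: audit_device(d, policy) for d in devices}
    if policy_is_stale(policy, today):
        report["_policy"] = ["not reviewed within %d days" % policy["max_review_age_days"]]
    return report
```

Calling `audit_fleet(DEVICES, POLICY, date.today())` returns a per-device list of findings, plus a `_policy` entry when the policy itself has not been reviewed within the configured interval.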

From a security perspective, keeping the data safe on the device is not sufficient on its own. Confidentiality of data in transit is another area that enterprises must pay attention to. Most enterprise applications connect to the back-end servers in one of two modes: simple mode and secure mode. In the simple mode, the application connects to the back end using a non-encrypted network channel. This mode is used during the product trial phase to ascertain whether the application meets the functional needs of the enterprise. However, during the production phase, it is advisable to use the secure mode of communication, as it uses an encrypted network channel (like HTTPS) and allows additional encryption of the payload for added security. The administrators must turn off all non-secure connectivity to their back-end servers once the trial phase is over. Also, the network administrators must mandate a VPN or other secure connection if allowing access through home Wi-Fi networks or public hotspots, as these are inherently problematic since most of them offer no encryption.

Effective mobile solutions for the enterprise can facilitate a more empowered and efficient workforce by providing employees with the tools to access information on the move and to complete action items at any time. This helps create an environment of faster decision making, increased mobile workforce accountability, and reduced process friction through real-time communication. Once business processes are automated and mobilized, managers can focus on higher-value tasks such as customer acquisition and retention. However, enterprises must address the security concerns by employing the right MDM tools, educating the users, and plugging any holes in the system landscape that could compromise data confidentiality.

Anand Sinha, chief architect, Technology and Innovation Platform, SAP Labs India