As organizations discover the benefits of developing their own mobile applications, IT managers are finding a cost. It used to be sufficient to protect the endpoint with a combination of tools and policies. Now that the application is the real avenue to enterprise data, IT managers must develop new strategies to protect corporate applications as well.
IT managers who find this new focus overwhelming can start their path to application protection with an excellent resource: OWASP, the Open Web Application Security Project, which has put together a Top 10 list for mobile application security. The OWASP resource is written for developers and project managers who want to avoid mistakes that can lead to breaches of enterprise confidential data. But IT managers can also help contribute to application security by bringing their own tools, such as network infrastructure appliances and mobile device management (MDM)/enterprise mobility management (EMM) products, and working with application development teams.
OWASP Top 2: Platform Security and Data Storage Security
Good starting points are OWASP’s top two issues: platform security and data storage security. These are places where IT managers can help increase overall security beyond standard endpoint protection. For example, application developers may not be aware of application wrapping: adding management features — such as access controls, cut-and-paste controls, encryption and authentication controls and remote wiping — to existing applications, without having to code them directly. Enterprise-focused MDM/EMM tools include application wrapping (and the resulting management functionality), but it can take a visit from the IT manager to make these capabilities clear to development teams.
IT managers can sell the concept of application wrapping to developers by pointing out that it saves them having to re-implement the same functionality within their applications. With a small amount of SDK work, developers get access to a full set of security features that mesh cleanly with other enterprise security management systems, and they escape maintenance liability for that part of their applications.
At the same time, IT managers can help explain and advocate for containerization technology, such as Samsung Knox Workspace — especially if it is already in use across the organization and no single EMM is in play or if the applications have to be distributed to partners. Containerization is typically seen as a contrast or competition to application wrapping, so it will be an either/or question for most organizations.
Additionally, Samsung Knox Enabled App is a separate variation of containerization: it creates a secure endpoint by pushing the app inside that container and adds the Knox badge to the app’s launcher icon to show users that it has been securely contained. This works for any loaded app that is a Knox Enabled App, allowing the agent to secure the endpoint without disrupting the user or the administrator.
IT managers can lay out the case for each technology. Generally, binary app wrapping requires MDM/EMM integration but offers a better user experience than containerization and is more compatible with apps and updates, while containerization is less convoluted, has fewer legal issues and makes the dual persona of a device very clear. A little work with development teams to identify the pros and cons of each strategy for your particular enterprise and application environment can save a ton of headaches (and possible data breaches) down the line.
Although application wrapping and containerization don’t solve all of the security problems of platforms and data storage choices, they give developers valuable tools to increase security with a minimum of effort — and enterprise compatibility.
OWASP 3 and 5: Cryptography and Communications
Another area where IT managers can bring tools to help developers is in the network between the application and the data center. Most enterprises use a variety of proxy-like tools (load balancers, application delivery controllers, and application front-end reverse proxies) that provide a management choke-point between mobile applications and the secured enterprise app servers in the data center (or IaaS cloud).
Proper and strict configuration of these choke-point tools to enforce encryption and to allow only high-security cipher and authentication suites is an easy job for IT managers. At the same time, development teams may have very little knowledge of proper cipher suite selection or of server-side cryptography configuration. By bringing existing tools into play and taking some of the burden off developers and DevOps teams, IT managers get the best of both worlds: improved security, along with lower overall cost and a lower likelihood of human error in configuring cryptography and client/server communications.
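As an added illustration that is not part of the original article, the following Python script audits a reverse-proxy TLS fragment written in nginx directive style and flags old protocol versions, weak or overly broad cipher-string entries, suites without forward secrecy, client-controlled cipher ordering and a missing HSTS header. Both sample configurations are constructed here, and the use of nginx directive names is an assumption, since the article names no specific proxy product.

```python
import re

# Constructed sample in nginx directive style (assumption: the article names no proxy).
# Deliberately weak so the audit below has something to flag.
WEAK_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:MEDIUM:!aNULL:RC4-SHA:AES128-SHA;
ssl_prefer_server_ciphers off;
"""

# Hardened counterpart: TLS 1.2+ only, forward-secret AEAD suites, server-chosen order, HSTS.
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000" always;
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string tokens that admit broken primitives or overly broad groups.
WEAK_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXP", "EXPORT", "LOW", "MEDIUM", "ALL", "DEFAULT"}

def _directive(config, name):
    # Argument string of the first `name ...;` directive, or None when absent.
    m = re.search(rf"^\s*{name}\s+(.+?);", config, re.MULTILINE)
    return m.group(1).strip() if m else None

def audit_tls_config(config):
    """Return a list of findings for one TLS server block; an empty list means it passes."""
    findings = []
    protocols = _directive(config, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols missing: library default may include old TLS versions")
    else:
        findings += [f"weak protocol enabled: {p}" for p in protocols.split() if p in WEAK_PROTOCOLS]
    ciphers = _directive(config, "ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers missing: library default cipher list in use")
    else:
        for entry in ciphers.split(":"):
            if entry.startswith("!"):
                continue  # an explicit exclusion such as !aNULL is fine
            if set(re.split(r"[-+]", entry.upper())) & WEAK_TOKENS:
                findings.append(f"weak or overly broad cipher entry: {entry}")
            elif not entry.startswith(("ECDHE", "DHE")):
                findings.append(f"no forward secrecy guaranteed: {entry}")
    if _directive(config, "ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers should be on so the proxy, not the client, picks the suite")
    if "Strict-Transport-Security" not in config:
        findings.append("no Strict-Transport-Security header: clients are not pinned to HTTPS")
    return findings
```

Running `audit_tls_config` over the two fragments returns eight findings for the weak one and none for the hardened one.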
Development teams are famously gun-shy about the use of digital certificates for authentication. IT managers can show how mobile devices with trusted execution environments (TEEs) help to store and protect certificates, perhaps shifting the balance towards certificates and away from passwords. IT managers can also help explain how modern hardware platforms (such as Samsung Knox’s TEE and factory built-in device credentials) can improve security by using built-in and protected digital identities for device authentication.
And the Other 6 from the OWASP Top 10?
These are just a few areas where IT managers can make a direct and quick positive impact on application security. But this shouldn’t be the stopping point. IT managers should start by reviewing the entire OWASP list, and work their way out from there. The Internet is full of resources on ensuring secure application development — and horror stories of enterprises that haven’t.
Gaps in enterprise security can be devastating. Take our mobile security assessment to find out if your company is covered — and how you can stay ahead of the curve.