Security and application accessibility is a bit of a conundrum. When developing an app in an emerging space, at which point should security be introduced? Should it be done during development or after the space has matured and attacks are a reality?
Presently, when it comes to mobile, it seems that organisations are focused on providing new ways for users and employees to interact using their mobile devices. While it is important to make applications and new access methods available, basic security issues are still a large challenge.
Security issues that bothered organisations when mobile devices first came out still remain. Issues such as how much data is being removed from the corporate premises and by whom, or what happens if a trusted employee loses his mobile device, are still concerns that need to be managed. In today's BYOD world, these issues take on an added dimension as the device belongs to the employee, not the company. Corporate IT cannot wipe a BYOD device remotely.
Ill intent a real possibility
The probability of an employee losing a mobile device that is loaded with corporate data, and that has the necessary credentials for accessing corporate applications stored on it, is quite high. Similarly, there's a fair chance that anyone who finds a mobile device will look at private information on it, even if only to try and contact the rightful owner.
As such, the device being used by someone with ill intent to access corporate information becomes a real possibility.
While it is the job of corporate IT to address these concerns, right now, sufficiently robust tools to implement adequate protection are still lacking.
1. Today, mobile devices do not reliably offer brand/model information on opening a connection. While there are apps that offer this feature, the devices themselves need to make this information more readily available. Devices need to offer some kind of unique identifier so that when one is lost, sites that the user notifies will be able to identify the device specifically.
2. Corporate IT needs a way to block devices that are reported as lost or stolen. If the company supplied the device, then wiping it is a sound solution. But in a BYOD world, blocking lost or stolen devices from access to corporate systems is the best that can be done.
3. Employees need an easy way to report a lost or stolen phone, as well as an easy way to report when it is found. Instinctively, the IT response to these would be "lock out" and "reactivate" respectively. This method needs to be secure and to definitively identify the employee as the person attempting to use it.
Difficult to implement