What we have today could barely be called enterprise mobile applications.
We have enterprise applications that exist in a mobile form. We even have some mobile applications meant for the enterprise. But what we have very little of is mobile applications that an IT professional would feel comfortable calling enterprise grade. There is a simple reason for this -- a lack of viable security and privacy options that meet the needs of a large or even mid-sized enterprise.
Where Mobile Security Works, Where it Falls Short
Mobile security is complex. First there needs to be all of the conventional data center security that keeps the bad people from breaking in and then stealing or messing with corporate data. That’s a well-known problem that IT has dealt with for 30 years or so. Then there has to be a way to secure connections from the device to the backend. Again, a well-known problem that has been dealt with since the Internet became a common business tool.
The devices themselves also need to be made secure. This is where things start to get a bit trickier. Almost any decent security measure -- even a lame one like a password on the device -- feels intrusive and inconvenient to end-users, who will often subvert it or turn it off. And what about the data on the device? Or the applications? We have software to deny access to data or applications when outside the corporate firewall. A bunch of companies, including IBM and Citrix, can wrap an enterprise app in a rule-driven container. Depending on the rules, you can keep someone from accessing corporate data based on location, time of day, role in the organization, and other criteria that an IT person who rarely travels on business can set up. Applications can have workflows that also limit what a mobile app can do, making the assumption that any mobile access to certain data is a bad idea.
These measures, unfortunately, nullify the entire value proposition of a mobile device.
The reason someone has a mobile device is so they can access critical information when not at their desk -- be it communications, information in corporate systems of record or just plain old files. “Not at their desk” often means not in the building, not in the same city or not even in the same time zone. A lot of mobile security and privacy is about denying access, whether it’s to a connection, applications, a device or data.
The basic idea is not wrong. There is a time and place for everything including accessing sensitive data. What’s wrong is the level of granularity. By securing only big chunks of data, good security will make many applications unusable or so lacking in value that it’s not worth loading the applications on a mobile device. Many end-users, used to consumer applications, will instead turn to applications whose security is not up to par with corporate systems. These knowledge workers are not to blame since they are only trying to get their work done.
Next Generation Security and Privacy
The answer is to begin to secure individual data elements based on rules that take into account location and the person accessing the system. Data masking technology is one method of maintaining a consistent user interface while securing individual data elements. Similarly, there are mobile application frameworks that can identify sensitive information and simply not display it based on a central set of rules. By obscuring or hiding the data when it is accessed in an insecure place or by the wrong person, you get the best of all worlds. Security and privacy are maintained but only for those data elements that matter.
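The element-level approach described above, shown beside whole-record denial for contrast, as an added example that is not from the original article. The field names, roles, rule set, sample record and the choice to mask for an insecure location but hide for the wrong role are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    role: str              # who is asking (hypothetical roles: "sales", "finance")
    on_corp_network: bool  # where they are: inside the corporate firewall or not

# Central rule set (constructed): per field, the roles allowed to see it and
# whether it may be shown in clear when the device is off the corporate network.
RULES = {
    "name":         {"roles": {"sales", "finance"}, "offsite": True},
    "phone":        {"roles": {"sales", "finance"}, "offsite": True},
    "credit_limit": {"roles": {"finance"},          "offsite": True},
    "tax_id":       {"roles": {"finance"},          "offsite": False},
}

def mask(value):
    """Obscure all but the last 4 characters; short values are fully starred."""
    s = str(value)
    return "*" * (len(s) - 4) + s[-4:] if len(s) > 4 else "*" * len(s)

def coarse_grained(record, ctx):
    """Big-chunk security: off the corporate network the whole record is denied."""
    return dict(record) if ctx.on_corp_network else None

def fine_grained(record, ctx):
    """Element-level security: every key comes back, so the UI stays consistent;
    each value is returned in clear, masked, or hidden (None)."""
    out = {}
    for field, value in record.items():
        rule = RULES.get(field)
        if rule is None or ctx.role not in rule["roles"]:
            out[field] = None          # wrong person, or no rule: default deny
        elif not ctx.on_corp_network and not rule["offsite"]:
            out[field] = mask(value)   # right person, insecure place: obscure
        else:
            out[field] = value
    return out

# Constructed sample record.
CUSTOMER = {"name": "Acme Ltd", "phone": "555-0100",
            "credit_limit": 50000, "tax_id": "12-3456789"}

if __name__ == "__main__":
    for ctx in (Context("finance", True), Context("finance", False),
                Context("sales", False)):
        print(ctx, coarse_grained(CUSTOMER, ctx), fine_grained(CUSTOMER, ctx),
              sep="\n  ")
```

Off the corporate network the coarse policy returns nothing at all, while the element-level policy still returns a usable record in which only `tax_id` is obscured for the finance user.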
First-generation mobile enterprise applications were simple adjuncts to the “real” applications. The current generation has been purpose-built for the mobile environment but is light on security or designed with too many restrictions. In the next generation, by securing individual data elements based on location and other attributes, enterprise mobile applications will increase in utility and become much more ubiquitous in the workplace.