As new devices and methods for accessing corporate systems and data pop up, IT will have to find new ways to approach secure app delivery.
IT departments have done a good job of focusing on security over the past decade, but the methods used to protect networks and data are changing. Mobile devices are like second computers for many business users. Employees don't just want access to email; they want access to critical line-of-business data and processes. But the policies you apply to manage traditional laptop PCs don't fit with mobile devices, and you can't count on an internal firewall for protection against attacks that are increasing and occurring at the application level.
Understanding mobile app delivery
Unless your company standardizes on a single mobile platform, you'll likely see a mix of Apple iOS, Google Android, BlackBerry, and Microsoft Windows Phone devices in your organization. Each platform offers different app delivery options for both commercial and customized apps. BlackBerry and older mobile operating systems, such as Windows Mobile 6 and Nokia Symbian, have secure app delivery methods that are more traditional. Windows Mobile had traditional installation files and BlackBerry manages apps through BlackBerry Enterprise Server.
The focus of the new generation of devices and operating systems is on app stores that give users simple, one-stop shopping for mobile applications. This turns the traditional management model on its head because you are not the only one in control of the apps installed on users' devices. When delivering custom apps to personal devices, security relies on your public key infrastructure, your authentication system and forced settings via configuration policies.
Secure application delivery for iOS apps involves enrolling devices and distributing configuration profiles, which admins can use to apply policies (through Microsoft Exchange ActiveSync) and ensure security. Before you deliver apps, you must have an Apple Push Notification certificate, which Apple provides. It often takes several weeks to receive the certificate from Apple, so plan early.
More on secure app delivery
Four mobile app delivery options for IT to consider
Black Hat 2012: Poor mobile app security drains enterprise data
Delivering cloud-based mobile apps to the enterprise
For secure app delivery on Android devices, you can set up your own app store and lock down users' Android devices to only download from your store, which is often a feature of third-party MDM software. The Google Play store may be an easier app delivery option for many departments because it is the default application store on all Android devices. You can set up a private Google Play channel if you use Google Apps for Business, which allows apps that integrate with Apps for Business to use the same authentication system to make private apps available to the right users.
Windows has an app distribution program that allows you to publish private apps to the Windows Store and gives you the ability to install Windows Store apps without using the Windows Store. This sideloading method requires a quick modification to a registry key, and the developer must apply a certificate and a key to ensure the app is secured. After packaging the app using a simple PowerScript command, "add-appxpackage," you can distribute the app via a USB storage stick, email or almost any other delivery option you want. A similar setup using a secure digital card for Windows Phone 8 apps is available. These options may be the primary distribution method for IT shops that don't want to fully support Windows Phone 8 or Windows RT with MDM or the Windows Store but still want to install apps on a few Windows Phone devices.
Cloud-based apps are different
Working with commercially available cloud applications presents new challenges. The proliferation of easy-to-use cloud storage and productivity apps means your data could be sitting anywhere. Identity management is key to maintaining control. Instead of allowing multiple unknown accounts to store sensitive information, you can centrally control anything from Gmail to Dropbox. Cutting off accounts, controlling access and grouping accounts into business units is as easy as managing your internal resources.
Mobile apps that use cloud resources should be integrated with your internal authentication systems. Some systems allow you to use integration with Lightweight Directory Access Protocol or Active Directory Federated Services to provide that centralization. There are also options that put all that authentication integration into one spot through a third-party cloud tool so you only have one channel accessing your internal authentication system, which improves security.
The larger picture
You cannot control mobile devices the way you do laptops and desktops. When it comes to managing smartphones and tablets, firewalls are mostly useless. You need to integrate security into any custom applications, provide central management to cloud-based services, control how your apps are delivered and ensure devices are compliant with your security policies before they get access to any data. Address each mobile platform you will support and address cloud-backed apps as a separate platform. They all use certificates and encrypted networking, but the key is to ensure that people use the apps and data securely.