Published: 14 Apr 2015
There is no bigger impediment to the release of an enterprise mobile app than the approval of the security department. It's not that employees in security are trying to slow the process -- and they definitely don't want to be the bad guys. But it's their responsibility to counterbalance the disregard for mobile app security that is often part of an app's development process.
Typically, developers only inform the security team about an app when the business unit is well on its way to releasing it. Developers need to partner with security much earlier in the process. Taking mobile app security into account before an app goes to users can help smooth out the constant seesawing between usability and security.
Your employees and your customers -- and to be fair, your employees are your customers, too -- just want to get their tasks done with an app that's easy to use. Google usability studies show that even a tenth of a second delay in an app's performance can negatively affect the user experience.
Members of the security team, on the other hand, are focused on protecting the company's assets. If it takes a few more seconds to keep that data safe, that's okay with them. Their concern isn't usability but whether customers' credit card data is safe and the company's proprietary data isn't compromised.
Think like a designer
In reality, you aren't trying to balance security against usability; you are trying to create usable processes in which mobile app security measures do not interfere.
The best way to achieve secure usability is by understanding that security isn't really part of IT but instead part of the business. The business can't succeed if it isn't secure. Members of the security team spend their time understanding risks and the best ways to mitigate them; to succeed, they need to become design thinkers, just like the developers creating the app. That means getting into the trenches as developers architect and build apps.
When security embeds itself into the design and development teams, the "Us versus Them" mentality quickly disappears. Developers learn how to code applications using secure frameworks, and security can test parts of the app before it even hits the alpha milestone.
Developers shouldn't be figuring out how to securely connect to the enterprise every time they build an app. When the security team steps in, it can help build a secure connection, VPN or otherwise, that developers can even reuse for other apps. In the same way, security should work with the identity and access management team to design a secure way for users to log into these apps -- another reusable component developers can bank on.
In the last issue of Modern Mobility, I talked about the focus on user needs (FUN) principle. But to provide a good user experience, you have to focus on the developer and security needs as well as FUN. Your consumers want the safety of a secure app and an experience that is easy and sheltered from the dangers that lurk.