Your work may have moved from PC to mobile, but the traditional approach used successfully for security on the PC cannot simply be transplanted into the mobile world. Here’s why CIOs need to re-imagine security for the mobile platform.
The traditional security methods may look very straightforward, but when they are put on a device that has less battery capacity, less CPU power and a smaller screen, many of the security elements are no longer usable.
For instance, the old-school approach would include locking down the device, running a VPN to secure the connection from the mobile device to the corporate network, and installing numerous monitoring tools. According to Kenneth Hee, Director of Business Development Enterprise Security, Asia Pacific Division, Oracle, all these may do just fine but for one big problem: our phones are not designed with high-performance CPUs that can manage encryption. From an industry perspective, a strong 12-character alphanumeric password is recommended. Now, try doing that on a phone. With a smaller screen size it can turn out to be a cumbersome task. “There is always a limitation to what you can do in a mobile environment because of the form factor and the way it’s used,” explains Hee.
This requires the CIO to re-think mobile security: understand the mobile environment’s limitations, and then re-engineer enterprise-class security that is suitable for it, right from Day 1. This is even more so now, as almost 90 percent of the Fortune 500 companies are building their corporate apps. These apps serve them in their business processes, and hence contain sensitive data.
Hee suggests a security strategy built around Mobile Access Management. This is built on the premise that it’s a lot easier to manage the app’s access to the corporate back-end than to lock down the device and disable features like Bluetooth, camera, etc. to the point that it becomes a dumb terminal with restricted usability.
What Mobile Access Management essentially does is protect the apps that belong to the corporation or those that are built by the company for its consumers. If the app itself is protected, then when it connects back to the infrastructure the CIO has the assurance that the app is an authorised one and that it has the right credentials to connect. This also helps protect against the device’s vulnerability to loss and compromise. This is enterprise security built for the app as opposed to the device.
Oracle’s mobile security offering is also based on the principle of securing core data. Currently it supports both iOS and Android environments. Other platforms are under evaluation. A key highlight of the offering is the dynamic and adaptive nature of the authentication it provides.