Israel Lifshitz
It is well known that every organization must provide some kind of mobility support. This applies to all enterprises, and especially to financial services firms, hospitals, and defense agencies. Moreover, organizations today are exposed to a wide range of threats, and securing mobile systems has become a must. The level of security required of course differs from one organization to another, and depends on factors such as the threat level and the risk involved.


It’s obvious that the highest level of security needs to be enforced in military and related industries. In this article, I would like to outline what secure mobile programs should look like for the most security-demanding organizations. If you work for such an organization, you will immediately relate to the content below; if you work in a less security-sensitive industry or organization, read on, since you will learn how to apply some essential security measures to your mobility program.


Main considerations to be addressed when planning the system

  • End to End Protection – Consider all the different components in the system. The attacker is likely to attack the least protected component, just as the wolf attacks the weakest sheep in the herd.
  • Threat Types – Make a list of all potential threats and prioritize them according to their severity. Be as thorough as possible, since most security precautions are directly tied to the specific threat they are supposed to handle.

  • User Experience – Since security measures often compromise user experience, bear in mind that maintaining proper UX is necessary when users rely on the system for their ongoing work.




Security system – Ground rules

Based on the threats at hand, start outlining some ground rules.
Here are some rules to be applied in the toughest of environments:

  • Protect the Mobile Devices – In mobility systems, the weakest and least secure component is usually the mobile device. There are thousands of them in circulation and they can easily be breached by countless external sources.

  • Zero Data on the Device – Spreading a huge amount of data across a large number of mobile devices makes it almost impossible to track and detect data breaches. It is better to operate a system that stores no data on the devices at all.

  • Protect the Data Center – Many organizations think about device protection while overlooking the data center. However, data center breaches can be much more dangerous. When an attacker enters the data center, he gains access to all the data in the organization, and what happens next is entirely up to him. Think about risks such as a critical system suddenly shutting down at an airport or a big financial institution. Even the sky is not the limit when hackers penetrate enterprises’ data centers.

  • Apps Pose Risks – People easily understand the risks in hardware and network connections. However, the main risks are usually found at the software level. This is simply because the code base is so large that it is practically impossible to verify that every app in the organization is secure.



Detailing security measures by component


Now, let’s see what high-security systems really look like, grouping the security measures by component:


The mobile device:

  • Secure the operating system and hardware to make sure unauthorized malware or people cannot tamper with the software modules.

  • Remove unnecessary network components. Today, each smartphone has many different network components, such as Bluetooth, Wi-Fi, cellular, NFC, USB and more. Each network connection poses a potential risk, so it is better to remove the components you do not need.

  • Have a centralized encryption component in place, to make sure all apps use one vetted encryption implementation and no unencrypted data leaves the device.

  • Install only apps that store zero data on the device and have previously been penetration tested. Bear in mind that each new app version needs to be retested.

  • Make sure all admins know exactly where all the devices are located (i.e. Mobile Device Management).

The network

  • Military-grade networks are not connected to the Internet, but use private closed networks that only pre-approved devices can connect to. This can be done by having the organization build its own private network, or by buying a virtual private network from a carrier.

  • The network itself needs to be fully encrypted and not allow regular traffic to go through.

  • An advanced firewall that inspects the application protocols, together with strict filtering, should be put in place.

The data center

  • Sandboxes – Data centers usually provide several types of services. Each service needs to be separated from the others, so that if one service is compromised, it will not affect the other ones.

  • Split services into frontend and backend – Each service should be split into a frontend service and a backend service. That way, if a frontend service with a direct connection to the device gets compromised, the main service data remains safe.

  • Strict input validation – Each component needs to strictly validate its input parameters to make sure no one is able to inject unexpected data into the service.
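As an added illustration (not code from the article or from any product it mentions), the following Python model shows the three data-center rules above working together: a frontend that faces the thin client but holds no documents, a backend that holds the data and re-validates everything it receives, and strict allowlist validation at every hop. The service names, request fields, session and document id formats are all hypothetical.

```python
import re

# Hypothetical formats for the two values that cross the device boundary.
SESSION_RE = re.compile(r"[0-9a-f]{32}")
DOC_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

class ValidationError(ValueError):
    """Raised by any component that receives input it did not expect."""

class Backend:
    """Holds the data, has no path to devices, and re-validates everything
    the frontend passes in, so a compromised frontend cannot use it as an
    arbitrary data oracle."""
    def __init__(self, docs):
        self._docs = docs

    def fetch(self, doc_id):
        if not isinstance(doc_id, str) or not DOC_ID_RE.fullmatch(doc_id):
            raise ValidationError("backend: malformed doc_id")
        return self._docs[doc_id]  # unknown ids raise KeyError

class Frontend:
    """Faces the thin client: stores no documents, only the session map,
    and exposes exactly one narrow call into the backend."""
    ALLOWED_KEYS = {"session", "action", "doc_id"}

    def __init__(self, backend, sessions):
        self._backend = backend
        self._sessions = sessions  # session id -> doc ids it may read

    def handle(self, request):
        # Reject unknown or missing fields outright instead of ignoring them.
        if not isinstance(request, dict) or set(request) != self.ALLOWED_KEYS:
            raise ValidationError("frontend: unexpected request shape")
        session, action, doc_id = (request[k] for k in ("session", "action", "doc_id"))
        if not isinstance(session, str) or not SESSION_RE.fullmatch(session):
            raise ValidationError("frontend: malformed session")
        if action != "read":  # only explicitly allowlisted actions pass
            raise ValidationError("frontend: unsupported action")
        if not isinstance(doc_id, str) or not DOC_ID_RE.fullmatch(doc_id):
            raise ValidationError("frontend: malformed doc_id")
        if doc_id not in self._sessions.get(session, set()):
            raise PermissionError("frontend: session may not read this document")
        return self._backend.fetch(doc_id)

def build_demo():
    """Constructed sample data: one session allowed to read one document."""
    backend = Backend({"doc-1": "quarterly report", "doc-2": "payroll"})
    return Frontend(backend, {"a" * 32: {"doc-1"}})
```

Note that the backend checks the document id again even though the frontend already did; the point of the split is that the backend never trusts the component that talks to devices.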

Virtual Mobile Infrastructure

With all such complicated security systems in place, there is only one technology that really does the job faster and much simpler – Virtual Mobile Infrastructure (VMI).

VMI actually:
  • Ensures that no app stores any data on the device.

  • Puts only one major app on the device (i.e. the thin client), which makes it easy to test the app.

  • Uses one encryption protocol for all apps.

  • Provides an additional layer of separation in the data center, since secure VMI platforms actually separate the devices and the apps from the data center.


Although this article addresses the most severe situations, which hopefully your organization will never need to experience, you can still implement some of the guidelines mentioned above and prepare for the security level your organization requires.

Israel Lifshitz

In today’s mobile and cloud era, IT is losing much of its control.

Devices are often owned by employees, and IT has limited control over them (BYOD). The apps are usually third-party apps, and IT has zero knowledge of and control over the apps’ content and security. The network the user uses to access data is often a public or shared network, and even the services and servers are now becoming cloud-based.

This lack of control has already caused lots of problems, resulting in losses of billions to organizations. One major impact of these problems is felt when security issues start to pop up.

The organization becomes more vulnerable to cyber threats, even though the immediate damage is hard to see. It’s inevitable that at some point something will surface and dramatically affect the organization, both in direct costs and in reputational damage.

So, how can IT get control and security to come back home?

Virtual apps can definitely do the work. Virtual mobile apps are the actual apps that employees run on their mobile devices (e.g. Salesforce1, Dynamics 365, SuccessFactors, etc.), but they actually run on a secure virtual platform. The users access those apps from a thin client (running on their device), which only displays the screen of the apps on the secure platform. The diagram below shows how it works.


The secure virtual app platform is under full control of the IT department. IT can decide exactly which apps to install (and of course which not to) and which users can access each app. All the data is safely under control of the IT team, which has the authority to decide what should be backed up, deleted, shared, etc. The network itself is also fully controlled by IT, which can decide which network services can be accessed by specific users and apps. Even if the network service is in the cloud, you can still limit that service to be accessed only from the secure platform.

One of the common questions I get from people is: “Do I need to be an app developer to build virtual apps?” The answer is: “Absolutely not”.

Each app can become a virtual app. You just need to add the app binary (without any modification required) to the Nubo platform, and the platform will immediately generate a unique virtual app for you. Besides the common security and control benefits, virtual apps allow you to move fast when facing tight schedules, and to deploy any app to your users with minimum cost or investment.

Israel Lifshitz


Congratulations… You have been given the task to develop an app for your organization.

The App Development Journey

The first step you should take is to develop the app itself. You can develop two apps, for iOS and Android, or develop one app with a cross-platform development tool. People who are not familiar with enterprise development might think that developing the app is the most important task to be carried out. However, enterprise deployment requires much more.

QA, for instance, requires that you test your app endlessly on all the required hardware and software versions. Once that is completed, you move on to performing security checks (and we know how time consuming that can be). Several months have already passed since we set out on our app development journey, and there is still a lot to be done.

Now, you need to go to the network infrastructure architect, decide together on the right architecture for your app, and consider the best ways to access the enterprise data. This may result in additional costs for your organization when adding equipment such as VPNs and authentication infrastructure. It’s not only a matter of more time and resources spent; it also creates obstacles in the app deployment process. Many app projects end here, because organizations do not find secure ways to access the organization’s data.

The architecture also requires that you run the app inside an EMM container. This not only adds resources to the process of wrapping the app into the container, but also limits the app’s reach to managed devices only.

Is There a Better Alternative?

Now, what if, after all has been said and done, you realized that all your hard work could have been dramatically reduced?

For your next project, just remember that you can “Virtualize Your App”.

Mobile App Virtualization provides a way to run apps inside the data center, in a virtual mobile OS. Each virtual app is individually packaged and deployed to all types of mobile devices as a thin client app. By removing the dependency between your mobile app and the physical device, you can save lots of time and resources during the app development journey:

First, you just need to develop the app for one environment and one OS version – the one that exists in the virtual environment that you control. You do not need to use cross-platform tools – just use your favorite development framework that is available on the target platform. You can develop it on any Android device or emulator.

You probably think that you have already got your money’s worth, when actually your major time savings are yet to come. The QA activities now become much faster. You just need to test your app in the virtual environment, and you do not need to test it repeatedly on every device type or OS version. This not only dramatically decreases the QA time, but also minimizes the number of iterations needed between development and QA.

Now, security checks also become much easier. The main threats that security checks on mobile apps address simply do not exist in a virtual environment. Virtual apps do not store any data on the device itself, and the protocol between the apps and the data center is a remote display protocol that has already been tested using the most stringent penetration testing techniques.

You will make your network infrastructure guys really happy, because now you do not need any architectural change to enable access to the enterprise data. This is simply because the actual apps are already running in the data center. You won’t need to look for secure ways to access your data, as everything will be ready for you.

The virtual app itself can be deployed in different ways. It can still be deployed through your EMM enterprise app store, or as a standalone app, even in public app stores.

Now I’m sure that you can easily imagine how this approach can save you tons of time and money during the development and deployment processes. But it will also help you afterwards: much of the work on mobile apps has to do with the continuous and much needed support and maintenance. With virtual apps, you do not need to worry about supporting mobile device upgrades, which alone provides you with a great deal of peace of mind.