The Case for In-House App Stores
A Do-it-Yourself Approach to Ensuring Mobile Security
As personal mobile devices become ubiquitous in corporate networks - even in organizations without official bring-your-own-device policies - IT and security personnel are implementing new approaches to prevent malware and ensure data integrity.
One approach beginning to take root is the creation of in-house corporate app stores, where organizations offer users access to custom-built, secure applications designed specifically for that organization, along with access to approved public apps for smart phones, tablets and other personal devices.
Two such organizations are the U.S. Department of Veterans Affairs, which has an internal app store to service the mobile devices it issues, and Sanofi US, a pharmaceutical company that deploys commercial and custom-built apps through its store.
Tackling Application Insecurity
With malware infesting the authorized commercial app stores, including the two largest - Google Play for Android and, to a lesser extent, the Apple iOS App Store - corporate security and IT executives are exploring new strategies to limit the use of unauthorized applications on devices connected to corporate networks, says Steve Santorelli, director of global outreach at Team Cymru, an Internet security research firm based in Lake Mary, Fla.
Because of the rapid growth in the use of personal devices for work-related tasks, "There has not been enough time to instill a healthy dose of reality," Santorelli says. IT departments generally do not permit users to install any application on corporate computers, he notes, but many companies still have not yet established similar policies for personal devices.
"The vast majority of chatter in the underground economy is about mobile malware," says Santorelli, a former Scotland Yard detective. Many users today "don't recognize or are willfully ignoring risk." Companies that opt for a private app store can minimize much of that risk by requiring users to select only from applications that are certified by their employer as safe.
VA Rolls Out App Store
The Department of Veterans Affairs has been running a pilot app store project for nearly a year and is getting ready to deploy it to all VA employees. The VA's goal is to deliver mobile apps that are as secure as they are effective.
"We were driven [to launch our own app store] by our ability to send users to a single location to get apps for multiple devices," says DJ Kachman, director of security and mobile technology for the VA's Enterprise Systems Engineering group. "We anticipate a mixture of homegrown apps as well as public, purchased apps. From a security perspective, [public apps do not] allow us to ensure we deliver the correct apps that meet VA's security and management requirements."
The VA's approach is to offer custom-built medical apps designed to help identify sources of assistance VA staffers can use to help veterans. The VA also links to white-listed consumer apps that already exist in public app stores.
Kachman says that one approach the VA uses to ensure security is - for now - not allowing employees to use their personal smart phones or tablet computers on the job, except in limited situations.
"We are working through policy issues around BYOD, as well as working with other agencies to ensure that sanitization of data is done correctly and in compliance with any federal law or requirements," he says (see: VA Revamps Mobile Device Plan).
Providing smart devices allows the VA's IT department to specify hardware and operating systems, he says. The VA currently supports Blackberry, Apple iOS and Android devices, depending on the user's individual requirements. Management of the app store itself is done by the agency's existing IT staff.
Because the VA controls all of the data on the devices and runs all applications in a virtual environment tied to back-end servers, it is not necessary to wrap public applications with mobile device management (MDM) and mobile application management (MAM) tools, Kachman says. Devices are linked to specific users with credentials both for obtaining applications and for accessing them, providing additional security levels.
Sanofi US App Store Strategy
Brian Katz, director of mobility engineering for Sanofi US, an affiliate of the multinational pharmaceutical firm, says his company also is taking a hybrid approach to mobile apps because commercial applications do not meet the security and regulatory requirements imposed on a drug company.
Using a combination of internally developed and contracted applications that meet privacy requirements, along with white-listed, publicly available programs that are distributed from a single user interface, is the most cost-effective and efficient method of distributing the apps to the employees, Katz notes.
In some cases, the company is wrapping publicly available applications with MDM or MAM tools that provide additional security to what normally would be a consumer application, Katz says. MAM can add controls, such as turning off screen grabs of company-confidential information, eliminating the ability for the user to forward company data via private e-mail, controlling network traffic, and dealing with other potential security vulnerabilities, while MDM tools can wipe lost devices remotely.
"People develop in-house apps to meet the needs of their business, whether it is specific information, a specially designed workflow, or just something that doesn't exist in the public app store," Katz says. "It can also be done for compliance reasons and the like, but the driver of building an app is to enable the user to get their work done the best way possible."
When building applications, developers need to understand the app's ecosystem, Katz says. Mobile devices are used differently than PCs and require apps that are optimized for that environment. From a security standpoint, mobile apps are no different than those for other computing devices, he says, so they must pass a security audit before being made available to users.
Sanofi's app store is part of the company's overall mobile strategy, so the company does not need employees dedicated full-time to the store, Katz says. "It's not a traditional store where you need a clerk. It becomes part of the responsibilities for the team that handles mobile."
App Store Recommendations
If you plan to develop your own app store, here are some suggestions from Katz, Kachman and Santorelli.
- Make sure the app store is easy to use, is maintained so that all links work and apps stay updated, and provides users with clear navigation options.
- Only link to public applications that your team has tested and certified as malware-free.
- Plan to provide support for the mobile devices and apps.
- If employees will use personally owned devices, consider building custom apps that have a simple user interface and run on back-end servers over a virtual private network. This will segregate private, corporate data from users' personal information and store all confidential data on corporate servers.
- Utilize HTML5 Web apps and cloud apps to reduce the cost of developing, testing and deploying mobile applications.
- Use multifactor authentication or require multiple credentials for users to download apps and to access back-end databases. This further ensures that if an unauthorized user gets access to an application, the data is still behind a security wall.
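The recommendations to link only to apps the team has tested and certified, and to keep the store maintained so that what users download is still the approved build, come down to one control: the store must be able to tell whether an artifact is the exact build that passed review. The following is an added illustration, not code from the VA, Sanofi US or any product named in the article. It keeps an allowlist of approved package identifiers, each with its certified version and the SHA-256 digest recorded at certification time, refuses to publish anything that is not on the list or whose bytes differ from the certified build, and re-audits the whole catalog so a repackaged or stale copy is pulled before a user can install it. The package name, versions and "binaries" are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample "binaries" standing in for packaged apps (an .apk or .ipa
# in practice). A real store would hash the actual artifact served to devices.
SAMPLE_APPROVED_BUILD = b"fieldnotes-2.4.1-release-build"
SAMPLE_TAMPERED_BUILD = b"fieldnotes-2.4.1-release-build-with-extra-payload"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact; this is what gets recorded at certification."""
    return hashlib.sha256(data).hexdigest()


# The allowlist: package id -> (certified version, digest of the certified build).
# Only entries here may be linked from or served by the store. The package id is
# a hypothetical example, not a real application.
APPROVED_APPS: Dict[str, Tuple[str, str]] = {
    "com.example.fieldnotes": ("2.4.1", sha256_hex(SAMPLE_APPROVED_BUILD)),
}


def check_publish_request(package_id: str, version: str,
                          artifact: bytes) -> Tuple[bool, str]:
    """Decide whether an artifact may be published to the store.

    Returns (allowed, reason). Rejects packages not on the allowlist, versions
    other than the certified one, and any artifact whose digest differs from
    the one recorded when the app was certified. The digest check is what
    catches a copy that keeps the same name and version string but carries
    different code.
    """
    entry = APPROVED_APPS.get(package_id)
    if entry is None:
        return False, f"{package_id}: not on the approved list"
    approved_version, approved_digest = entry
    if version != approved_version:
        return False, (f"{package_id}: version {version} not certified "
                       f"(approved: {approved_version})")
    digest = sha256_hex(artifact)
    # Constant-time comparison; digests are ASCII hex so str is fine here.
    if not hmac.compare_digest(digest, approved_digest):
        return False, f"{package_id}: digest mismatch, artifact differs from certified build"
    return True, f"{package_id} {version}: matches certified build"


def audit_catalog(catalog: Dict[str, Tuple[str, bytes]]) -> Dict[str, str]:
    """Re-verify every app currently in the store against the allowlist.

    `catalog` maps package id -> (version currently offered, artifact bytes).
    Returns package id -> reason for each entry that fails, so a periodic job
    can pull altered or stale apps; an empty dict means the store is clean.
    """
    failures: Dict[str, str] = {}
    for package_id, (version, artifact) in catalog.items():
        allowed, reason = check_publish_request(package_id, version, artifact)
        if not allowed:
            failures[package_id] = reason
    return failures


if __name__ == "__main__":
    # Constructed catalog: one good entry, one repackaged copy, one unknown app.
    store = {
        "com.example.fieldnotes": ("2.4.1", SAMPLE_APPROVED_BUILD),
        "com.example.fieldnotes-mirror": ("2.4.1", SAMPLE_TAMPERED_BUILD),
        "com.example.unknown": ("1.0", b"never reviewed"),
    }
    for pkg, reason in audit_catalog(store).items():
        print("PULL:", reason)
```

Running the audit on a schedule, rather than only at publish time, is what turns the "keep the store maintained" recommendation into a check: if a linked public app is silently replaced upstream, the digest no longer matches and the entry is flagged instead of being served.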
While building a corporate app store is no guarantee that mobile devices will be free of malware, it can provide an added layer of security. "We lost (the malware) war 10 years ago," Team Cymru's Santorelli says. Today's goal is to "keep the tsunami of malware from taking over" mobile devices.

(Contributing writer Stephen Lawton has been a technology and business journalist for more than 25 years. He is based in the Seattle area.)