We are going to be talking about security a lot because we see some real issues with the current enterprise security models and we also have some smart and practical ideas about how to do it better. To help frame our thinking at the highest level, it all starts with a shift in focus to securing sensitive corporate data and not the device that is being used to access it. This shift is profound, and has impacts on the whole enterprise security paradigm.
Over the last 10 years, corporate IT has witnessed an astounding transition often called “consumerization”, but better termed “empowerment”, as individual employees have assumed the right to seek and adopt the tools that they need to best execute their jobs. Consumerization has had a profound impact on IT’s software infrastructure, and now its impact is extending to endpoint computing devices. Technology has arrived at the point where IT can cease to treat the various devices that employees use to interact with corporate data and applications as infrastructure, and can treat them as tools.
Infrastructure should be centrally managed and controlled by IT. However, the increasing device diversity in today’s endpoint computing market does not fit with a “command and control” model. Diversity in form factor and operating system encourages consumers (who are also employees) to adopt the devices that best fit their personal needs, budget and preferences. As such, IT’s preferences are becoming increasingly irrelevant, as employees find a way to bring their chosen tools to work – starting with mobile phones and then tablets and now leaking into other computing devices. Hence, IT needs to recognize that devices are tools, not infrastructure, and IT can (and should) embrace this transition.
Rethinking endpoint devices as tools requires two fundamental changes in thinking for corporate IT: (1) applications infrastructure must migrate to a ubiquitous platform, not a vendor or device-specific platform, and (2) endpoint security must focus on data, not devices.
Corporate applications, whether they are built in-house or built by a 3rd party, must operate on any device to enable employees to choose the best and most convenient device tools for their jobs. IT has already made great strides in this area – application infrastructure for “fixed” use has increasingly moved to the corporate intranet or, more recently, the cloud. The web and the browser is already a ubiquitous delivery vehicle. What has been missing is the full feature set required to power IT’s complete application stack across both fixed and mobile access and use: including sufficient performance, offline access, flexible and powerful graphics, and a complete client-side programming language.
HTML5 is very close to being that platform. Where gaps in the standard remain, PhoneGap (now Apache Cordova) is a viable, cross-platform, and open source option for closing those gaps through simple integration. Hence, with the browser as the target application platform, IT can build a unified applications suite targeting devices as varied as smartphones and desktops.
While HTML5 addresses the development and delivery of applications to any device, it does not necessarily secure the data. However, browsers do solve one of the most important aspects of endpoint security via the https protocol – browsers can ensure end-to-end trusted communication to the corporate network. Hence, a security solution for browsers is simply a matter of securing data at the endpoint and leveraging the features already available in the https protocol to ensure trusted communications.
Notice that device security plays no role in securing corporate data delivered through a browser. IT cannot keep up with the diversity of devices employees will demand while dragging along an expensive and complex software security stack (including anti-virus, personal firewalls, full-disk encryption, network access control, application whitelisting, mobile device management, etc.) to secure them. A more reasonable and effective goal than securing all devices touching corporate data is to secure all apps touching corporate data. The more those apps converge on the browser as the delivery platform, the more this challenge reduces to building a secure, cross-platform corporate browser. In brief, building a truly secure corporate browser requires:
• Full encryption of all client-side data
• Client and server validation using https’ certificate validation features
• Protecting access to corporate apps with a unified sign-in
• A comprehensive data policy engine built into the browser that allows policies for data sharing and offline access to travel with the data itself and be contextually aware
• App-level device-independent implementation of all critical security functionality to ensure that security is not compromised by a compromised device or operating system
A secure browser that enhances the rendering and communication features of a standard browser with the additional security features outlined above enables corporate IT to build a unified applications platform that extends across devices of all shapes and sizes without compromise in functionality, performance, or security. The endpoint device then transitions to a tool for employees to select, rather than another piece of infrastructure that must support the sanctioned IT software stack to ensure its acceptability in the corporate environment.
Mobile security is part of our mission at Mobile Helix. We provide our customers with highly secure solutions which allow their employees to meet and exceed the company’s business objectives. Our solutions support this approach to security – to find out more about them, please go to our website: www.mobilehelix.com