Have Your (Mobile) Cake & Eat it, Too: The Recipe for Secure Mobile Content
You’ve had it with PDFs. And so has your sales team. Like a sock collection, it feels as if your PDFs are everywhere and nowhere, and worst of all, they’ve become a huge security risk. But now, you’re in the business of building content that’s web-based or within an app, and the issue of security hasn’t gotten much clearer. Sure, you know that it’s time to think about log-ins and passwords, but what are the trade-offs between locking your content behind a lot of barriers and giving your reps immediate access? And how can you best communicate with IT to ensure easier implementations and less red tape?
In this post, we explore some of the major security considerations for both the mobile web and mobile apps, so that you’re ready to make the right decisions when the time comes. We’ve included relevant questions and best practices, but keep in mind that every organization will have different security needs.
Often, security is the last barrier to giving reps mobile devices or allowing BYOD (Bring Your Own Device). With a little advance planning, it will be easier to get IT clearance, and your reps can have access to the information they need, when they need it, selling smarter and faster with the right content in hand.
What to think about: How do I give people the right amount of access, while still protecting my content from those who aren’t authorized to see it?
Our take: Your IT team knows that maintaining authority over content access is key to security success. Use role-based permissions as often as possible, including a separate role for mobile devices, and audit these roles monthly. You’ll know who is accessing your content and where, without slowing your reps down.
What to think about: Should I put my content behind a private network?
Our take: If your content is highly sensitive, it may be a good idea to keep it behind a private network. However, you should also consider that reps with internal access are easily capable of copying materials onto their local devices, anyway. When it comes down to it, convenience will always win over security. It’s better to plan for external access but have the ability to wipe content from any device, should you need to.
What to think about: Should I require a login to view the content? How often should that login expire?
Our take: It makes sense to include a login flow, but not one so cumbersome that every individual document requires another authentication. Have your reps log in when they open their device (use single sign-on (SSO) with the corporate authentication system), and that session should expire once the device has been locked or after it has been unused for three minutes.
What to think about: If it’s an off-the-shelf app, how are my company’s items separated from other companies’? Once a user has access to content, can you remotely shut off access at a later time?
Our take: When looking for a mobile app solution, make sure that it has been tested by a third party to ensure that it’s secure. Pay close attention to how the application sandboxes your data, or isolates data from other applications, once it’s on the device. In addition, you should also understand how that data is stored on backend servers: do you have the ability to restrict access by IP address? Inkling Axis, our off-the-shelf app, for example, uses company codes to separate usernames from different companies, unlike Google Docs, which mixes users from your company with those on the Internet at large.
At minimum, any application that has access to your data should be able to remotely shut off content access AND remove all of your company data at the same time. However, this doesn’t cover everything: if your employee’s device was lost or stolen, anyone could disable wireless access and prevent administrators from deactivating the application. Consider policy-based device management, which means requiring complex passwords and encryption, and not allowing jailbreaking or the installation of unsupported third-party applications.
What to think about: Who can install the app? Is it on a public app store, or is it distributed privately within my company?
Our take: Your company should support the application and strongly consider deploying a Mobile Device Management (MDM) system. All MDM systems will allow you to manage the devices from a centralized location, which will make it much easier for your IT department to support the devices.
Depending upon the maturity of your mobile device management (MDM) capabilities, you may want to distribute the application remotely. If you don’t have MDM, regularly communicate with everyone at the company about what applications you support. Explain how easy it is to load and use the supported applications, and the process for selecting applications.
What to think about: How do users authenticate within the app? SSO? Username/password?
Our take: Having a centralized authentication system is best, which means users don’t have to remember multiple passwords. In addition, having SSO allows IT to enforce stringent passwords since a single password can be stronger and still easy to remember.
The bottom line:
Understanding the risk of mobile content, and having a plan in place across departments to solve for it, is the key to mobile success. However, keep in mind that, despite these strategies, there is no silver bullet to solving risk. Your IT team will need a layered approach to managing mobile devices, and they’ll look to you for help in navigating security hurdles.
When you’re beginning to think about mobile, start by forming a partnership with IT and demonstrate to the organization that you care both about security and ease-of-use. Then, you can give your employees better access to the secure mobile content they need, when they need it, and rest easy knowing that it’s secure.