Is App-Level Security the Way to Go for Enterprise Mobility?

A number of collaboration apps have taken hard security hits this week and last, a grim reminder that enterprises need to keep their guard up when it comes to the tools in use for business meetings and content sharing.

In one incident, as widely reported, scammers have sent phishing emails to Gmail users with the aim of gaining access to Google contact lists and Google Drive accounts. In another, as reported by IT security intelligence firm Rapid7, a security vulnerability allowed unauthorized access to meeting recordings in the Fuze collaboration platform. And in a third, Atlassian discovered a "security incident affecting a server" in the cloud tier that hosts its HipChat team collaboration app.

All are troublesome, even as the companies involved have taken quick-fix actions. But the one that jumped out to me in particular is the HipChat hack, which the company attributed to a "vulnerability in a popular third-party library used by HipChat.com." That drew my attention given the recent plea we heard from enterprise IT executives to team collaboration app providers for improved security measures, as I wrote about in a recent No Jitter post. As discussed in that piece, IT executives had expressed frustration over the need to rely on mobile device security wares on top of team collaboration apps in order to meet their enterprise security requirements.

Thinking about this issue, in turn, piqued my interest in a startup mobile security platform vendor called Blue Cedar and the news it issued yesterday about an app-centric alternative to traditional mobile device management. "Could such a platform address enterprise IT concerns around mobile team collaboration apps?" I wondered.

I posed the question to Chris Ford, chief product officer at Blue Cedar, and the answer is yes, he told me: "Our focus is on securing mobile apps for enterprises, primarily for employees accessing sensitive data." The Blue Cedar platform can secure access to any enterprise mobile app, whether developed internally or purchased commercially, he said. "Security follows the app."

Ford makes the process sound simple. In the case of a team collaboration app, for example, enterprise IT would upload the mobile enterprise app into the Blue Cedar console and then select from a list of security policies to apply to it. Blue Cedar offers more than 30 security policies, including for biometric-based authentication, data leakage prevention, Federal Information Processing Standard (FIPS) compliance, secure microtunnels, VoIP encryption, and more. "We have security policies for everything from how the data should be encrypted to which apps can work with which other apps, and what a user can copy and paste," Ford said.

Once you've selected the desired security policies, Blue Cedar injects the appropriate security code into the app, and then begins enforcing the policies. The functionality of the enterprise app remains unchanged, and users can download the Blue Cedar-infused apps from either their enterprise app store or from public app stores like iTunes and Google Play, Ford said. And, users will only have to enter login credentials once after download, ensuring rapid access for users on the go.

This was an important criterion for early user MedStar Institute for Innovation when investigating how to protect patient information in a mobile app it was developing for use by clinicians on their personal devices. I haven't yet had the chance to speak with MedStar directly, but the organization was looking for "simultaneous fulfillment of two critical design specs: rigorous security and rapid access," said Mark Smith, MD, chief innovation officer of MedStar Health, in a prepared statement.

MedStar wanted a solution that acted heavy but felt light, and that was "transparent to the busy clinicians who cannot spend even seconds navigating layers of controls that create user friction and discourage use, which can ultimately impede early diagnosis and immediate treatment." He continued, "Blue Cedar platform met our design criteria to a T."

Blue Cedar sees its app-level security methodology as a natural progression for enterprise mobility, Ford said. When BlackBerry devices were the enterprise mobile device of choice, hardware-level security made sense. As device types proliferated in the enterprise, containerization of apps became the more reasonable approach. But apps need to be coded to work in the containerization model, and the software pre-installed on the device proved too inflexible an approach for today, and so "we find the fence around the apps is shrinking."

Conceptually, the Blue Cedar approach is interesting -- whether to secure team collaboration or any other enterprise mobile app. Would you agree?
