As mobile BI and other enterprise software applications reach your smartphone and other devices, one of the first questions that puts a halt to this wonderful progress is the dreaded…
“…but what about security?”
Even though we have written about mobile security before, and admittedly about our own software, it just keeps coming up. We aren’t surprised, given how important security is, but we are a bit shocked by “how” our users, prospective customers, and others look at this topic. We thought it made sense to expand a bit further:
What is meant by mobile device security?
The first thing we want to tackle is just how broad this topic can be. We live this business every day and hear many opinions about mobile device and data security, but each one comes at it from a slightly different angle. Here are a few of the ways we get asked:
- How can we keep our data out of the wrong hands?
- What if a phone gets stolen or lost?
- Is the data transmission encrypted?
- Are dedicated apps more secure than web apps in the browser?
- IT won’t give us permission to access corporate systems except for email on our phones or tablets. Can you help us convince them?
- Many, many others…
Let’s break these down a bit and crush a few myths while we’re at it, shall we?
Most IT departments go to great lengths to control the technical security requirements but often fail to see the biggest potential issue: email. It’s not that email can’t be secure. It can. The problem is that it is the most common way your users interact with sensitive information and the easiest place for them to do something damaging, like forwarding information to the wrong person, a competitor or the press. You can add all of the buzzwords you want (X.509 certificates, 128-bit encryption, hardware or software SSL, key fob / time-based authentication, etc.) and still have the exact same issue. Technology security is critical, but we need to put it in context.
First, there are three types of IT security mechanisms that everyone should be familiar with:
- Authentication – proving you are who you say you are
- Rights assignment – once you’ve proven you are legit, this part decides what information you should have access to and what is blocked.
- Encryption – this determines how secure things are while they are en route to you over the Internet.
All of these are important, but they won’t secure you from everything. For example, you can log into your phone with a PIN or password (authentication), access the latest company sales report (rights assignment), and email it to your buddy at the Wall Street Journal over a secure path (encryption), but none of that will stop it from hitting the front page tomorrow. Remember, encryption only keeps it secure while traveling. Once decrypted on the other side, it is fair game.
No matter how secure your technology is, your users’ actions are still the biggest threat.
So, what are the best ways to keep information from making its way into the wrong hands?
We spent years on this topic, including understanding it, talking about it, teaching it and most importantly building security into our own mobile monitoring software. We found some simple things that, while less geeky, are the most effective ways to keep things secure on a mobile device:
- As little data on the device as possible – in our case, this means showing everything in the phone’s browser. When the browser is closed, the data is gone. Very simple and very secure. Oh, and no, you don’t need an app to have a rich experience – smartphone browsers have become very powerful and can be as rich and fast as a dedicated app.
- Share links to data and never the data itself – when you use the browser, you improve the way people share information. In our case, you can easily share information right down to the real-time trend you are looking at or the specific alert you received. It is just as easy as sending an email but with one major difference: you are only sending a link. You could send this link to the whole world, but only those who are authenticated and have the proper rights assignment can get access to the information.
- Take advantage of existing security efforts – this means inheriting the permissions, technology and policies that are already in place. We call it security inheritance, and it makes life easy for us and our customers, but whatever you call it, what matters is that you get the benefits of secure authentication, rights assignment and encryption. This also means that we automatically support all of the latest security technologies by default, so when asked “does Visual KPI support [insert security buzzword here]?” we can always say yes.
- Educate your users – there is no better way to assist your security efforts than to educate your users on the risks, benefits and policies concerning security. If they understand “why” it is so important and “how” they can help, a majority of your issues will be solved.
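To make the “share links, never the data” point concrete, here is an added example (not Visual KPI code) in which a forwarded link carries only an opaque resource reference and is resolved only for a caller who is authenticated and whose rights assignment covers that resource. The KPI names, groups, users and URL host are all constructed for the illustration.

```python
"""Added example: a share link names a resource, the server releases the data
only after authentication and a rights check.  All sample data is constructed."""
import secrets
from typing import Optional

# Constructed sample KPIs and the groups allowed to view each one.
KPI_DATA = {
    "kpi-7781": {"name": "Plant A line throughput", "value": 1480, "unit": "units/h"},
    "kpi-9920": {"name": "Q3 regional sales", "value": 4.2e6, "unit": "USD"},
}
KPI_ALLOWED_GROUPS = {"kpi-7781": {"ops", "execs"}, "kpi-9920": {"execs"}}

# Constructed user directory and session store (in practice these are
# inherited from the identity provider already in place).
USERS = {"alice": {"execs"}, "bob": {"ops"}}
SESSIONS = {}  # opaque session token -> username


def log_in(username: str) -> str:
    """Authentication (constructed): hand back an unguessable session token."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = username
    return token


def make_share_link(kpi_id: str) -> str:
    """The link only names the resource; none of the KPI data is embedded in it."""
    return f"https://kpi.example.internal/view/{kpi_id}"


def resolve_share_link(link: str, session_token: Optional[str]) -> Optional[dict]:
    """Resolve a (possibly forwarded) link: authenticate first, then check rights.
    Returns the KPI record, or None when either check fails."""
    kpi_id = link.rsplit("/", 1)[-1]
    user = SESSIONS.get(session_token or "")
    if user is None:                                   # not authenticated
        return None
    if not USERS.get(user, set()) & KPI_ALLOWED_GROUPS.get(kpi_id, set()):
        return None                                    # no rights to this KPI
    return KPI_DATA.get(kpi_id)


if __name__ == "__main__":
    link = make_share_link("kpi-9920")
    print("anonymous:", resolve_share_link(link, None))          # None
    print("bob (ops):", resolve_share_link(link, log_in("bob")))  # None
    print("alice (execs):", resolve_share_link(link, log_in("alice")))
```

The same link can be forwarded anywhere; the recipient still has to pass both checks, which is the property the bullet above relies on.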
I have a feeling this won’t be the last time we talk about this topic, but we hope this helps a bit when asked about the latest security buzzword and whether or not we support it. In fact, we just came across an old whitepaper about our security model that we will refresh and make available to provide even more detail about how it actually works. Stay tuned for that.