As the use of mobile devices continues to soar, enterprise cloud applications are now resident in the palm of your hand, like your ordinary e-mail and mobile Web browsing. And with mobility comes ever greater responsibility to keep enterprise data safe.
"The power of these devices in consumers' hands is now equal to that of what people have in their hands to access their enterprise data, and the two things are all getting smashed together," said Tom Barber, vice president of marketing for DecisionPoint Systems, provider and consultant for enterprise cloud and mobile applications.
Kendall Collins, chief marketing officer at Salesforce.com, acknowledges that security is an area of concern for mobile devices. "Security on mobile devices is an area where we’ve invested a lot of time to make this world class," he said. "We’ve seen a lot of custom applications being employed in mobile devices."
Here's what you need to know to keep your mobile cloud data safe.
Complete the link
"Security is an end-to-end problem between the end user and where the data lives," Barber said. Overseeing the entire chain in your cloud operation is essential, from the technical infrastructure to the SaaS application to the mobile device. "To be able to manage and oversee the whole technical infrastructure — that is the mobile devices themselves and how they connect to the wireless network — is key to being able to keep it secure," Barber explained. The mobile device is the weakest link in this chain and needs to be secured, he said.
"If you tackle the security for the mobile infrastructure, but you don't tackle the security for the SaaS application, you're still vulnerable," Barber added. "You have to tackle both pieces of it, so you're assured it's end to end."
Factor in multiple-step authentication
Mark Beccue, senior analyst for consumer mobility at ABI Research, explained that because enterprise workers access cloud applications on mobile devices using an ordinary SSL Internet connection, security is the same as on a PC. The airwaves are also encrypted from the handset to the tower. "The biggest problem is when people drop their phone and leave it somewhere," he said. To combat loss or theft, you need multifactor authentication on the mobile device.
Two- or three-factor authentication is important, agreed Barber. In addition to a username and password, a third piece of information — often a challenge question — is required for a particular device. This is a one-time process per device, he said. This extra step in the authentication process helps guard against phishing attacks.
Enable remote wipe
Several experts we spoke to recommended maintaining the ability to wipe data off devices remotely in case of theft. "A lot of admins really love this feature," said Collins.
And although regularly cleaning out your inbox and outbox is a necessary chore, remote wipe may save you the trouble, according to Beccue.
Lock 'em out
Collins said Salesforce.com implements remote lockout procedures for its cloud offering. "Each device has its own locking mechanism and password protection, but we have our own level that follows all the standard protocols," he said. "We give them all the freedom to basically say, if the user hasn't touched the application in a minute, or in 120 minutes, or whatever the range is that they like, we can lock them out of the application and force them to enter a password."
Collins noted that you can also disable a particular device type such as iPhone or BlackBerry and restrict IP addresses. "You can set a series of IP addresses and ranges, so people cannot access Salesforce.com by the mobile device or by PC when they're outside these IP ranges," Collins said. "That allows more granular control. That's what we do at the device level."
You can also lock out specific devices for specific individuals, Collins noted. And when you get a new device, your previous device can be wiped. Also avoid unlimited tries to log in. A limit works best, said Collins.
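The controls Collins describes (an inactivity timer that forces a fresh password, IP range restrictions, blocking a device type, locking out a specific device for a specific user, and a cap on login attempts) can all be expressed as one server-side access policy. The following is an added illustration written for this article, not code from Salesforce.com or any of the companies quoted; the policy names, the in-memory store and the sample values are constructed for the example, and time is measured in whole minutes to keep the logic easy to follow.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    """Admin-tunable settings; the defaults here are constructed for the example."""
    idle_timeout_min: int = 15                               # force re-authentication after this much inactivity
    allowed_networks: list = field(default_factory=list)    # CIDR strings; an empty list means no IP restriction
    blocked_device_types: set = field(default_factory=set)  # e.g. {"blackberry"} to disable a device type
    max_failed_logins: int = 5                               # no unlimited tries
    lockout_min: int = 30                                    # how long a user stays locked after too many failures


class SessionGuard:
    """In-memory enforcement of an AccessPolicy (hypothetical helper, not a real product API)."""

    def __init__(self, policy: AccessPolicy):
        self.policy = policy
        self._networks = [ipaddress.ip_network(n) for n in policy.allowed_networks]
        self._sessions = {}    # session token -> (user, last_seen_min)
        self._failures = {}    # user -> (consecutive failures, locked_until_min)
        self._revoked = set()  # (user, device_id) pairs an admin has locked out

    def ip_allowed(self, ip: str) -> bool:
        """True if no ranges are configured or the address falls inside one of them."""
        if not self._networks:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._networks)

    def is_locked_out(self, user: str, now_min: int) -> bool:
        _, locked_until = self._failures.get(user, (0, 0))
        return now_min < locked_until

    def revoke_device(self, user: str, device_id: str) -> None:
        """Lock out one specific device for one specific individual (e.g. a lost or replaced handset)."""
        self._revoked.add((user, device_id))

    def login(self, user, device_id, device_type, ip, password_ok, now_min):
        """Return a session token on success, or None. Each bad password is counted
        against the user so repeated guessing hits the lockout threshold."""
        if self.is_locked_out(user, now_min):
            return None
        if not self.ip_allowed(ip):
            return None
        if device_type.lower() in self.policy.blocked_device_types:
            return None
        if (user, device_id) in self._revoked:
            return None
        if not password_ok:
            count, _ = self._failures.get(user, (0, 0))
            count += 1
            locked_until = now_min + self.policy.lockout_min if count >= self.policy.max_failed_logins else 0
            self._failures[user] = (count, locked_until)
            return None
        self._failures.pop(user, None)          # a good login clears the failure counter
        token = secrets.token_hex(16)
        self._sessions[token] = (user, now_min)
        return token

    def touch(self, token, now_min) -> bool:
        """Call on every request: refreshes the idle timer, or drops the session
        (forcing the user to enter a password again) once the idle window has elapsed."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, last_seen = entry
        if now_min - last_seen >= self.policy.idle_timeout_min:
            del self._sessions[token]
            return False
        self._sessions[token] = (user, now_min)
        return True
```

The checks in `login` are ordered so that a locked-out account or a disallowed network is rejected before the password is even evaluated, which keeps the failure counter from leaking whether a given username exists to someone outside the permitted IP ranges.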
Use Secure SMS
Beccue suggested using Secure SMS from companies such as CellTrust and VeriSign.
Opt for one-time passwords
Beccue recommended taking a tip from the banking industry and using one-time tokens in the form of a downloadable app or widget to log in.
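The one-time tokens Beccue refers to, and the extra authentication factor Barber describes, are typically implemented with the HOTP and TOTP algorithms (RFC 4226 and RFC 6238) that banking and authenticator apps use. The following is an added example for this article, not code from any of the vendors quoted; the `OtpVerifier` class and the per-user counter store are constructed for the illustration, and the secret used in the comments is the RFC test-vector key, not a real credential.

```python
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the index of the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server-side check that also enforces the 'one-time' property: once a code
    (i.e. a counter value) has been accepted for a user, it and every older window
    are rejected, so a captured code cannot be replayed within the skew window."""

    def __init__(self, step: int = 30, digits: int = 6, skew: int = 1):
        self.step, self.digits, self.skew = step, digits, skew
        self._last_counter = {}  # user -> highest counter already accepted (constructed in-memory store)

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        # Tolerate +/- `skew` windows of clock drift between handset and server.
        for offset in range(-self.skew, self.skew + 1):
            candidate = counter + offset
            if candidate <= self._last_counter.get(user, -1):
                continue  # already used, or older than a used window: treat as replay
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_counter[user] = candidate
                return True
        return False


# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); hotp(SECRET, 0) is "755224"
SECRET = b"12345678901234567890"
```

Codes are compared with `hmac.compare_digest` rather than `==` so that the check takes the same time whether the first or last digit differs, and the verifier tracks the last accepted window per user, which is what actually makes the password one-time rather than merely short-lived.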
Use proper encryption
According to Collins, AES 256-bit is the proper layer of encryption for mobile devices running cloud applications.