Whitepaper | Best Practices: Developing Secure Enterprise Mobile Apps

 


Executive Summary

Mobilizing enterprise applications entails more than simply modifying the UI of desktop solutions to fit a smaller screen. To take full advantage of the potential of mobile devices to deliver enhanced worker productivity, organizations need to develop native mobile applications that utilize the hardware features inherent to the devices, such as a camera or GPS, as well as understand the way in which employees will interact with the applications and implement the necessary security precautions.

While the first wave of apps designed with a mobile-first approach exists, the majority are designed for consumer use. When it comes to enterprise use, many mobile workers are forced to connect to an internal network via VPN and navigate interfaces or applications designed for desktop computers with 13- or 24-inch screens. Employees are using mobile devices in different ways than traditional desktop or laptop computers. Applications need to be designed to optimize the user experience for both the size of the screen and the mobile usage patterns and capabilities of the new generation of devices.


Taking Mobile Worker Productivity to the Next Level

The BYOD revolution has unquestionably led to an increase in productivity, with industry studies estimating the typical mobile user works two more hours per day.[1] Most of that increase is due to employees accessing traditional enterprise applications in “off” hours—in the morning before work, at lunch, and in the evening. Of all the applications accessed during off hours, email is the most popular.[2]

While there is nothing wrong with workers being more productive by checking email during off hours, there are three obvious limitations to this surge in productivity. First, there is a limit to how much time employees can engage in extra work outside of the job. Second, simply working after hours, or extra hours, does nothing to make business processes more efficient and productive. Third, email applications are not the most efficient way to collaborate.

Instead of simply extending work hours, organizations have the opportunity to enable their workers to use their mobile devices more effectively during the workday. Today’s mobile devices are capable of so much more than providing access to email.

Becoming a mobile enterprise means taking full advantage of the potential of mobile devices to increase productivity, while also meeting the challenges and limitations of those devices head on.

Best Practices

Here are seven best practices for developing secure enterprise mobile apps that adhere to information security requirements and also offer the opportunity to transform business processes for increased productivity.

#1: Think in Terms of Mobile Moments

Mobile interactions are very different from traditional desktop interactions. Activity on a smartphone may last a few seconds but occurs multiple times a day. A tablet may be used for minutes at a time, and a desktop may be used for longer periods. Recognizing the variations of these interactions, Forrester Research has developed the concept of mobile moments. According to Forrester, “a mobile moment is a point in time and space when someone pulls out a mobile device to get what they want in their immediate context.”[3] For example, a field worker for an energy company comes upon a cracked pipe. The worker can immediately pull up schematics for the system using a mobile app for repairs, and determine how to turn off access to this particular pipe until a replacement is installed.

[1] A 2012 survey by Cisco found broad support for BYOD’s productivity claims. Companies that embraced BYOD saved $1,300 per employee per year. In the US, mobility saved the typical BYOD user 81 minutes per week. http://www.cisco.com/web/about/ac79/docs/re/byod/BYOD-Economics_Econ_Analysis.pdf. In addition, three out of four IT managers surveyed by BMC Software agreed with the statement, “BYOD is a big productivity boost.” http://www.cio.com/article/2449817/byod/byod-users-work-longer-and-earlier.html

[2] “According to a BMC Software survey, the average BYOD-carrying employee works an extra two hours and sends 20 more emails every day. One out of three BYOD employees checks work email before the official start of their work day, between 6 a.m. and 7 a.m.” http://www.cio.com/article/2449817/byod/byod-users-work-longer-and-earlier.html

[3] “Mobile Moments Transform Customer Experience,” Forrester Research, January 24, 2014.

This is a mobile moment: in a particular context (working in the field), the user uses a mobile app to pursue a specific goal, in this case, diverting energy flow to other pipes to prevent a larger problem. The app should be designed to solve the user’s problem or meet the user’s goal quickly and efficiently within the current context. Forrester notes: “Because people carry their mobile devices with them at all times, mobile moments are the frontline of customer experience.”[4] Now that many employees are doing about half their work on mobile devices, mobile moments are the frontline of employee experiences, as well.

To design for mobile moments, Forrester recommends that developers map the “journey” of a mobile user—the typical progress of the user from context to context (for example, from office to their vehicle, to off-site inspections). Within each context, developers should ask:

• Whom are we serving?

• What is the context?

• What is the motivation or goal?

For example, to create a mobile app with repair updates, developers would identify the pipes being serviced (whom they are serving), the actual site where the pipes are located (the context), and discovering backup repair work or actions taking place (the goal). A single mobile app might serve the same user in a variety of contexts for a variety of goals. Focusing on mobile moments helps developers zero in on giving users the information and features they need, quickly and efficiently.

#2: Create a Model of the Process Being Mobilized

As with any development process, there should be a model of the process or workflow being developed. The model should identify:

• The goal or purpose of the process

• All the participants in the process, including their roles

• All the stakeholders in the process (people or organizations affected by the process, even if they are not direct participants in the process)

• The stages of the process

• The flow of information and critical decisions in the process

• The data required for the process, both as input and as output

• The sources for that data

The Object Management Group (OMG) has defined two standards that are useful for workflow monitoring: Business Process Model and Notation (BPMN)[5] and UML[6].

 

[4] “Mobile Moments Transform Customer Experience,” Forrester Research, January 24, 2014. https://www.forrester.com/Mobile+Moments+Require+A+New+Technology+Strategy/fulltext/-/E-RES117613


Developing a model with either of these standards or some other representational model helps provide a foundation for all the best practices that follow.

#3: Evaluate the Role of Location at Every Step

Few business workflows today incorporate location as a factor in their design, except those related to logistics or manufacturing. While paperwork may flow from a manager to accounting to the CFO, traditionally the location of these individuals, at any step in the workflow, does not figure into the design of the workflow itself. Location is much more important for mobile workers, who may be outside of the office when completing a task. In fact, mobile workers such as field technicians are probably rarely at their desks. If a task previously assumed a worker was rooted in his or her office and capable of accessing desktop systems and juggling (perhaps even photocopying) stacks of paper, that task may need to be re-imagined and possibly divided into subtasks in order to mobilize the workflow. How might a task, such as a manager reviewing and signing off on a report, be designed to be accomplished anywhere—even in line at Starbucks?

It can be useful to adapt traditional process models to take mobility into account. For example, many IT architects use “swim lanes” to identify the users and their respective actions in a process.[7] You might find it useful to subdivide lanes to note the location of users. A user might be able to perform certain actions anywhere. Other actions might need to be performed at a specific location, such as a loading dock or a bank lobby. By incorporating location (and by implication, mobility) into traditional process designs, it is possible to realize opportunities for redesigning processes for greater flexibility and productivity.

#4: Evaluate Mobile Device Characteristics at Every Step

For every mobile moment or step in a business process, consider how the features and characteristics of mobile devices can best be put to use.

Mobile device characteristics obviously include small screens. Rather than designing a traditional desktop application and then trying to shrink it for mobile devices, it’s better to design a flexible user interface from the start – one that accommodates screen sizes from small smartphones to larger desktops.

But device characteristics go beyond screen dimensions, and also typically include:

• One or two cameras for still photography or video streaming

• A microphone and speaker

• A GPS system

• An accelerometer

Cameras can be used for many input shortcuts. They can be used to copy or scan documents, or read bar codes on equipment in the field. They can also be used to record visual data, such as the condition of a piece of equipment being repaired in the field.

A GPS system can automatically detect when an employee is in a particular office or at a known customer site. These various features can be used to collect valuable information while minimizing the amount of typing or tapping that users need to perform.

#5: Identify Content and Its Sources and Destinations

Enterprise mobile apps will likely need access to enterprise content, which may be stored in a variety of on-premises and/or cloud content systems, including everything from Microsoft SharePoint to EMC Documentum to Box or Dropbox. A single workflow might require access to data in many different repositories. Building all this content connectivity into mobile apps can be unwieldy, error-prone, unsecure, and difficult to maintain. Many of these legacy data repositories were not designed to accommodate swift, secure access from mobile devices. Connecting to a single repository can be difficult, and connecting to many repositories can be exasperating. A better approach is to leverage a mobile content management platform that provides a single, secure unified interface to all the repositories in the enterprise, unifying data access for all enterprise mobile apps. This approach yields several benefits:

• Accelerated development, as all content access and management flows through a single platform rather than multiple independent repositories

• Reduced complexity and reduced risk of error

• Reduced costs for development, testing, and support

• Reduced maintenance of mobile apps (if a repository’s credentials or APIs change, that change can be made once in a platform connector rather than in every mobile app deployed in the enterprise)

• Assurance that sensitive content isn’t being stored locally on an unencrypted device

Managing secure access to data repositories via a secure mobile content platform eliminates the need for development teams to create unsecure workarounds, such as duplicated content stores that facilitate access for mobile users but undermine best practices for data security, data integrity, and compliance.

#6: Build Security into the Mobile App Itself

Mobile computing delivers obvious benefits to enterprises, but it brings risks, too, particularly in the area of security. These risks include:

• Devices, along with their confidential data and login credentials, being lost or stolen

• Devices becoming infected with mobile malware

• Users accidentally disclosing confidential data by communicating over unsecure Wi-Fi networks

As CIO Magazine recently noted, “The rapid development cycle and lack of security considerations around mobile apps make them a prime target for cybercriminals and hackers seeking a way into the enterprise.”[8] Users’ security knowledge and daily habits are contributing to the security problem. Many enterprises fail to educate users about BYOD security best practices. Even when taught best practices, many users fail to regard BYOD security as their responsibility.[9]

[8] http://www.cio.com/article/2368648/security0/149359-10-Top-Information-Security-Threats-for-the-Next-Two-Years.html. For a list of IT concerns about

Because BYOD devices are so vulnerable, and because IT departments cannot assume that users will always follow best practices for mobile device security, enterprise development teams would be wise to build security and compliance into their mobile apps.

Security features should include:

• Encryption of data in transit and at rest

• Restriction of open-in functionality of third-party apps to prevent data leaks

• Enforcement of internal security policies and access controls

• Screening for mobile malware

• Logging of all content access and distribution

• Support for remote wipe—the ability for IT departments to delete sensitive data from mobile devices when they are lost or stolen

#7: Use Metrics to Evaluate Success

Any enterprise mobile app deployed should be evaluated for success.

Your IT organization may have its own criteria for evaluating new technologies. If it does not, consider adopting other evaluation frameworks such as the HEART metrics developed at Google.[10] HEART stands for Happiness, Engagement, Adoption, Retention, and Task success. The HEART framework combines usage metrics that can be gathered from log data with qualitative data from user surveys. It provides app developers a useful, in-depth evaluation of how a new app is solving problems for users. Is it enabling users to complete tasks as designed? Are users pleased with the experience? Are they returning to the app over and over, or abandoning it for an unauthorized workaround or “shadow IT”? Deciding up front to measure the success of an app ensures that questions such as these will not go overlooked.

Developing mobile apps that take into account mobile moments, location and context, and that securely deliver content to all authorized users will go a long way to achieving high scores in software evaluations.

[9] Surveys have found that 15% of users do not regard data security on personal devices to be their responsibility, and 59% of employees estimate that the value of business data on their devices is less than $500, despite the high costs that typically accrue from data breaches. See http://www.cio.com/article/2376794/byod/cios-face-byod-hard-reality--employees-don-t-care.html and http://www.cio.com/article/2378170/cio-role/cios-battle-worker-apathy-towards-lost-or-stolen-mobile-phones.html.

[10] The original HEART technical paper by Rodden, Hutchinson, and Fu was presented at ACM CHI '10 Proceedings of the SIGCHI Conference on Human


About the kiteworks Secure Mobile Content Platform

kiteworks by Accellion is an award-winning secure mobile content platform that offers mobile app developers advanced, proven security and content management features for rapidly designing mobile apps for the enterprise. Through the platform’s mobile SDKs and enterprise software REST APIs, enterprise software teams gain access to features and services that enable them to quickly build secure mobile apps that safely put enterprise data at the mobile workers’ fingertips.

The kiteworks platform is designed expressly for workers using a variety of devices ranging from smartphones to desktops. The platform makes it easy for workers to share and sync content securely across all their devices and to share content securely with authorized users both inside and outside the organization. kiteworks was built from the ground up for enterprise-grade security and monitoring, enabling IT administrators to retain full control over file access and file sharing policies. All file-sharing activities are monitored and logged, facilitating compliance with industry security regulations such as HIPAA, FIPS, and SOX. More than 12 million business users and 2,000 of the world’s leading corporations and government agencies trust Accellion solutions to securely connect people to enterprise information from any device.

Here are some key features that the kiteworks secure mobile content platform offers mobile app developers:

• A ready-to-use secure mobile container

• Universal secure access to enterprise content

• Enterprise-class security and scalability

• A rich development environment

These features are described in detail below.

A Secure Mobile Container SDK with Rich Security Features

The kiteworks secure container is a protected area of storage and memory on a mobile device, which is an out-of-the-box feature available for use by any app built on the kiteworks platform. Within the container, critical business content is protected from infection from any mobile malware latent in other files or mobile apps on the device. Accellion’s secure container also delivers four critical features for secure enterprise apps.

Encryption: The kiteworks platform encrypts all data in transit and at rest with AES 256-bit encryption. Unlike public cloud services that retain the keys used for encryption, kiteworks gives enterprises themselves the ability to store and manage encryption keys.


Remote Wipe: kiteworks enables IT administrators to remotely wipe protected content from mobile devices that have been lost or stolen or that belong to employees who have left the organization. The kiteworks remote wipe feature removes content from the secure mobile container, but does not disturb any personal content stored on the device. Sometimes employees do not report devices as lost or stolen, because they worry that IT will wipe all content, including personal content such as family photos and videos, off the device. By enabling remote wipe of only business content, the kiteworks platform enables development of enterprise apps that let employees feel confident that they can follow security policies, promptly report devices as lost or stolen, and still recover personal data should a lost or stolen device later be recovered.

Logging: The kiteworks platform logs all content access and sharing within the secure mobile container. Logging helps IT organizations comply with industry regulations such as HIPAA, FIPS, and SOX that mandate logging the distribution of protected data. It also helps IT organizations discover patterns of usage that might merit investigation. Enterprise apps designed using the kiteworks platform can leverage the out-of-the-box, comprehensive logging capabilities.
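The container features listed under best practice #6 and described above (encryption at rest, remote wipe of business content only, and logging of every access) fit together as one small design. The following is an added illustration written for this page, not kiteworks SDK code: business items are sealed with AES-256-GCM under a key the caller supplies at unlock time (the page describes enterprise-managed keys; passing it in is this example's assumption), every store, open and wipe is appended to an audit log, and a remote wipe empties only the business store, so personal data kept outside the container is untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// AuditEntry records one container event: store, open or wipe.
type AuditEntry struct {
	When               time.Time
	User, Action, Item string
}

// SecureContainer models an app-level secure container: business content is held
// encrypted at rest (AES-256-GCM) apart from personal data, every access is logged,
// and a remote wipe clears only the business store and the key.
type SecureContainer struct {
	aead     cipher.AEAD       // nil while locked
	business map[string][]byte // item name -> nonce || ciphertext
	Audit    []AuditEntry
}

func NewSecureContainer() *SecureContainer {
	return &SecureContainer{business: map[string][]byte{}}
}

// Unlock installs the 32-byte data key. The page describes enterprise-managed keys;
// here the caller supplies the key (an assumption of this example).
func (c *SecureContainer) Unlock(key []byte) error {
	if len(key) != 32 {
		return errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	c.aead, err = cipher.NewGCM(block)
	return err
}

func (c *SecureContainer) log(user, action, item string) {
	c.Audit = append(c.Audit, AuditEntry{time.Now(), user, action, item})
}

// Store seals an item under a fresh random nonce and logs the event. The item name
// is bound as associated data so a blob cannot be swapped between items.
func (c *SecureContainer) Store(user, item string, plaintext []byte) error {
	if c.aead == nil {
		return errors.New("container is locked")
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	c.business[item] = c.aead.Seal(nonce, nonce, plaintext, []byte(item))
	c.log(user, "store", item)
	return nil
}

// Open decrypts an item and logs the read; a tampered blob fails GCM authentication.
func (c *SecureContainer) Open(user, item string) ([]byte, error) {
	if c.aead == nil {
		return nil, errors.New("container is locked")
	}
	blob, ok := c.business[item]
	ns := c.aead.NonceSize()
	if !ok || len(blob) < ns {
		return nil, errors.New("no such item or corrupt blob")
	}
	pt, err := c.aead.Open(nil, blob[:ns], blob[ns:], []byte(item))
	if err != nil {
		return nil, err
	}
	c.log(user, "open", item)
	return pt, nil
}

// RemoteWipe discards every business item and the key, leaving personal data outside
// the container untouched. It returns the number of items removed.
func (c *SecureContainer) RemoteWipe(requestedBy string) int {
	n := len(c.business)
	c.business = map[string][]byte{}
	c.aead = nil
	c.log(requestedBy, "wipe", "*")
	return n
}
```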

Universal Access to Enterprise Content

When developing enterprise mobile apps that need to access enterprise content stores, the new kiteworks platform can greatly reduce the development time with its integrated content connectors. Instead of developing individual connectors for Box, Google Drive, Oracle, Microsoft SharePoint, and other content stores, developers can build applications on the kiteworks platform and benefit from kiteworks’ secure universal data access to all these data stores.

kiteworks enables development of enterprise apps that can provide a single, secure interface to all the ECM platforms and cloud storage services used in most enterprises today, including:

• SharePoint 2007, 2010, and 2013

• SharePoint Online

• Windows File Shares and Distributed File Systems

• Microsoft OneDrive for Business

• Google Drive for Work

• Box

• Dropbox

• OpenText

• Documentum


Enterprise-class Security and Scalability

All mobile applications designed using the kiteworks mobile platform can take advantage of the platform’s secure, scalable, and flexible architecture.

The platform features a multi-tier architecture with separate tiers for Web services, application services, and data storage. For example, if an enterprise requires extensive data storage services but is serving a small number of users, it can scale the data storage tier without having to scale the application services and Web services tiers simultaneously. This enables developers to focus on the workflow of the application, as the architecture security is already built into the SDKs and APIs.

The platform also gives IT organizations the freedom to select the cloud deployment model that best suits their security and performance requirements. kiteworks supports private cloud, public cloud, and hybrid cloud deployments. This gives developers the flexibility to design their enterprise applications in a way that best fits their existing IT infrastructure.

Finally, the platform also offers out-of-the-box integrations with other IT services, such as single sign-on services and data loss prevention (DLP) services. Driving content management through the kiteworks platform ensures that all internally developed mobile apps comply with internal security policies, are tracked and managed in a centralized solution, and take full advantage of IT infrastructure already in place.

Figure 2: The kiteworks platform allows Web, application, and storage tiers to be scaled independently or together.

A Rich Development Environment

The kiteworks platform features:

• Mobile SDKs for Android, Google Glass, and iOS

• Secure RESTful APIs for enterprise services

• Built-in Content Connectors for access to enterprise content stores such as Microsoft SharePoint, EMC Documentum, Box, and others

• Documentation and sample code


Benefits of Building Mobile Apps on the kiteworks Platform

The kiteworks secure mobile content platform delivers these benefits to mobile app developers:

• Ready-to-use security features for mobile devices and the data services supporting them

• A centralized platform managing all content access and sharing, with ready-to-use connectors for data sources as diverse as Microsoft SharePoint and Google Drive

• Centralized content management and security monitoring for mobile apps

• Support for other IT services, such as DLP services, LDAP and other directory services, etc.

Conclusion

The growing market for enterprise mobile apps means that developers are looking for secure ways to rapidly design and deploy apps that transform business processes and workflow, while at the same time ensuring security. By following the seven best practices outlined in this whitepaper, developers will create mobile apps that improve the way mobile workers interact with critical business data, and provide IT teams with a way to manage access and control of enterprise content, no matter what device accesses the information.

The kiteworks mobile content platform is the leading option for developers, as it provides a rich, robust, and flexible platform for securely managing content—a critical component of any mobile app. Standardizing content access and security on the kiteworks platform enables developers to benefit from mature, proven content security solutions while reducing the cost and complexity of development. kiteworks provides a proven, centralized solution for delivering content from any enterprise data source to mobile app users while upholding the most rigorous standards for data security and regulatory compliance.

To learn more about the kiteworks developer program, visit developer.kiteworks.com.

 

About Accellion

Accellion, Inc. provides the leading mobile content platform to increase enterprise productivity and ensure data security and compliance. The foremost provider of private cloud solutions for secure mobile content management, Accellion offers enterprise organizations the scalability, flexibility, control and security to enable a mobile workforce with the tools they need to create, access and share information securely, wherever work takes them. More than 12 million users and 2,000 of the world’s leading corporations and government agencies including Procter & Gamble; Indiana University Health; Kaiser Permanente; Lovells; Bridgestone; Harvard University; Guinness World Records; US Securities and Exchange Commission; and NASA use Accellion solutions to increase business productivity, protect intellectual property, ensure compliance and reduce IT costs.

Email: sales@accellion.com
Phone: +1 650 485 4300
Accellion, Inc., 1804 Embarcadero Road, Palo Alto, CA 94303

ACC-WP-0210-Best-Practices-Mobile-App-Development © Accellion Inc. All rights reserved

 
