BYOD security and the importance of covering your backend

Last year I declared in a post on this site that resistance to the enterprise BYOD movement was futile. Fourteen months later, the statistics certainly bear that out. Most enterprise IT groups have moved out of the denial stage, and are busy figuring out how to deal with the operational complexity created by employee-owned, multi-platform mobile devices connected to their networks.
On the bright side, these same enterprises are able to provide productive apps to their captive employee audience. As I outlined in last year’s article, there is an emerging mobile backend that powers those apps which now presents a new security perimeter for the enterprise. The next realization for these companies is the need to focus on enabling and securing this mobile backend if they want to be successful with BYOD.

Get your rear in gear

I work with a lot of mobile app development companies and I find their definition of “the cloud” delightfully simple. While enterprise architects debate public vs. hybrid vs. private in the halls of the ivory tower, mobile developers consider anything they can access on the network to be the cloud. Popular network-based services they look for include caching, social media integration, user authentication and business integration. These services can be run on SaaS intermediaries, in Amazon, or on enterprise servers. The cloud concept abstracts these services in the minds of app developers, so they will take them wherever they can find them.
Since your company needs to deal with mobile apps, it is important to take control of the data and applications that feed them. If you don’t, the mobile app tail will start wagging the enterprise IT dog, which is a recipe for disaster. For instance, I know large companies whose first foray into Amazon Web Services was through the implementation of an off-the-shelf mobile app whose proprietary cloud services were an unknown part of the package. AWS and other cloud providers are great platforms for enterprise mobility, but service placement needs to be determined by the enterprise itself.
A useful approach is to look at these data and application services collectively as your enterprise’s Mobile Backend. Mapping out your company’s mobile backend services will allow you to determine which ones can be re-used across apps, and where you should run them.

Who owns your data?

Apps get value from data. The big data revolution sweeping the enterprise landscape (in parallel with mobile and cloud) allows more enterprise data to be accessed and analyzed in real-time. Backend APIs provide a gateway to this data. However, if you don’t know how this data is being accessed and fail to put the right access control in place, those pragmatic app developers will take the shortest path to what they need and potentially expose the wrong information to the wrong end user. That’s a potentially disastrous situation.
Aside from the rudimentary risks around data security, BYOD complicates data ownership. Company employees using data on their mobile devices have dual personalities ([email protected] vs. [email protected]), personal devices and cloud platforms that transport the data are outside the enterprise boundaries, and the data itself is subject to increasing privacy and compliance restrictions. If you factor the burgeoning Internet of Things trend into your enterprise mobility plans – which you should – then you also have the prospect of automated endpoints producing and consuming this data. That’s a lot of moving pieces, and all of these identities and their relationships to the data are key considerations for protecting your backend data.
As an example, consider an energy company that is providing smart meters to consumers, smartphone apps for these consumers to control and monitor their power consumption, and tablet-based apps for their technicians to service the smart grid. Privacy rules dictate that only the consumer can see the detailed data around their power consumption – as otherwise strangers could determine when people are at home. Yet practicality dictates that more intrusive functions on the smart meter should only be made available to the service technicians. So how can this company ensure these restrictions are enforced?

Back to basics, back to front

A number of solutions come into play when addressing security for BYOD, from device-level MDM security to containerized, app-specific MAM technology. While these approaches secure data on the device, how can you secure the data from the device to the data center? Your mobile backend security strategy also needs to ensure that appropriate security and integrity is in place before the data reaches the app. Looking at things from the backend perspective will allow you to address these requirements, whether your data resides in an on-premises data center or in the cloud.
Since an app accesses enterprise data through an API, protecting the API while managing how it shares data is essential to a backend security strategy (Disclosure: The author’s firm, Layer 7 Technologies, markets an API gateway product). So as you work on addressing device and app security for your BYOD strategy, make sure you don’t leave your backend exposed. If you do, you’ll sure feel it when it gets bitten.
Matt McLarty is vice president of client solutions for Layer 7 Technologies, a CA Technologies company that provides API management products and solutions. Follow him on Twitter @mattmclartybc.