The perimeter surrounding enterprise applications expanded exponentially since the birth of mobile and cloud, and IT security professionals are looking in all the wrong places to try and find a fix. Traditionally, organizations secured their data using a walled off perimeter -- like the walls of a medieval castle -- which contained a multitude of layers to help mitigate the risk of data compromise or exposure. The advent of mobile has altered that landscape dramatically, essentially opening up the front door of the castle and allowing that data to escape into unknown territory -- the mobile device.
I’ll be presenting a webinar on this subject, Managing Security Risks with the Rise of Mobile and Cloud, on Feb. 28 at 11:00am EST, but I wanted to answer some questions you might have here on the CAST blog beforehand.
What new challenges exist in mobile application development?
The new paradigm of application development moves away from focusing our efforts on building an internally protected web application. Development now focuses on using the various mobile SDKs that exist to put web apps on mobile devices.
The problem is, those SDKs are made by “mom and pop shops” and do little to address the challenges of securing a mobile device. And as a result, we’re seeing “old vulnerabilities,” that have been discovered and remediated as part of the more traditional development methodology, starting to resurface.
Is the industry doing anything about it?
From a standards perspective, the industry hasn’t outlined the proper way for organizations to engineer and develop mobile applications. There are no formal methodologies or processes around Android or iOS that the industry can grab ahold of to help bring this challenge back to a more manageable state. It’s almost like what we saw in the 90’s with the Dot-com boom, but we’re seeing it now with mobile SDKs.
Is this a new trend? When did you hear about it?
I first caught wind of this trend towards the end of last year. I found out a client’s International division was using a third-party SDK to create its mobile business applications. The problem was that the SDK just wrapped a mobile aspect around a normal web app that then fed the data back to the client through the third party’s servers. That was scary on a lot of different levels.
What can organizations do to be prepared?
There are strategies that organizations can use to help determine what the overall risk of a particular application is before it goes to market. During the webinar, I will discuss a real-world case study with an organization that instituted an assurance program, and how that helped mitigate and control the risk that applications presented to their business.
With the advent of mobile devices, the threat vector for an organization has grown to an infinite level. IT leaders cannot put their trust in the mobile devices themselves to protect against the potential compromises of their data. Ultimately, they’re losing control of how those applications interact with their devices and, more importantly, how the data is communicated back to the organization.
The time has come for IT leaders to begin instituting stringent security controls and processes around how their mobile applications are being developed and secured. The traditional “castle” defense can no longer adequately protect an organization against the new threats facing it in the mobile and cloud landscapes.
For a more in-depth look into how to protect your organization, tune into our webinar, Managing Security Risks with the Rise of Mobile and Cloud, on Feb 28 at 11:00am EST. Even if you can’t make that time, you can still register for access to the recording when it is available.