Give mobile apps the protection they need
Free white paper: Defend hidden mobile web properties
Is your backend mobile infrastructure at risk? Don’t turn your back on hidden mobile web properties.
Enterprises rely on the responsiveness, usability and safety of mobile apps to engage customers and maintain employee productivity. However, the complexity of the backend infrastructure supporting these applications makes it difficult to protect users and data against underlying threats.
Mobility is transforming the online world
More people are online than ever before, and the number keeps growing. The knowledge base of humankind is no longer the exclusive preserve of academics and experts; the intelligent mobile device has democratised access to it. With the mobile device comes the mobile application for accessing content. These small packages of software retrieve data from remote sources and present it in a form built for the platform requesting it. So dominant is the “app”, and so completely does it hide browser functionality from the user, that the browser is being forgotten as the way to view web pages.
Media rich and seamless interactions – this is what makes a great experience
The Internet is still the Internet and the web is still the web. Indeed, it can be argued the mobile app is nothing more than a regular web application, with all the rich user experience that entails, in a fancy wrapper. In fact, the mobile app is probably even better for most users as the nature of the mobile device allows more of our personal information to be injected into a request to tailor the response and enhance the experience.
- No need to go to the window to see what the weather holds for you where you are now.
- Just pull up a map to see which restaurants are nearby.
- Find out which of your friends are nearby.
The possibilities are endless.
Applications on the go make for more productivity
Mobile devices have revolutionised the way we do business, adding productivity to every corner of the working (and non-working) day. Few companies would be competitive without allowing their staff to work “their way”. In fact, Gartner reports that CIOs expect this to remain disruptive for the next decade. The seamless interaction that pulls data from different sources, some internal, some external, through APIs is such a step forward in putting information at the fingertips of employees that it can look like magic. All this trickery may have its price, however.
But should you trust it for everything?
Pulling data together from sources you do not control can have major security implications. When retrieving local weather conditions or storing photographs online there may be little cause for concern, but when it comes to serious business applications and the manipulation of corporate data, should you really trust it? Too often functionality and convenience win out over security and, sadly, with mobile applications security is frequently an afterthought at best.
Security is still a headache for the Enterprise
The mobile application is like the front door to this extended productivity. But like any front door it needs to be secured. Are the apps storing valuable data on the device? Is it safe? Is it authorised to be there? Can it be altered? Is it wise to store data on a device in the first place – should you force a connection to retrieve data? Perhaps a compromise is to encrypt the data. Is this feasible? There are a lot of questions that need to be answered.
But that’s not all. Even if data is not kept on the door step (mobile app) there are several other points of weakness that need to be considered to protect your web properties from misuse and abuse.
Weak server-side control is perhaps the bigger problem. Mobile apps frequently expose back-end systems that were not reachable before, so the security of those systems is untested, full of flaws and unsuited to Internet exposure. In a by-gone era, these servers may only ever have been accessed from within the perimeter, where everything could be trusted. Now there is a need to ensure that everything being accessed has the right form of authentication and authorisation in place to prevent unauthorised access. A server that trusts whatever user identifier the client sends, simply because it used to be reachable only from trusted clients, is exactly the kind of control that fails once a mobile app puts it on the Internet.
More than this, the mobile app makes requests to all sorts of data repositories. Can the data provided be trusted? Has it been manipulated in transit? Is it even the source I think it is? How can you make sure all of this is correct? It is crucial that back-end systems are hardened or protected. This means that every API the app talks to should be inventoried and verified, with proper controls in place to ensure that only authenticated and authorised entities have access, and that the server decides who may see which data rather than the client.
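The following is an added example, not code from the white paper or from any Citrix product. It shows, in plain Python, the weak server-side control described above: a back-end endpoint that was once reachable only from inside the perimeter and therefore trusts the user identifier the client sends, placed beside a hardened version that authenticates the caller with a signed bearer token and then checks that the authenticated subject is authorised for the specific record requested. The token format, the `SERVER_SECRET`, the `RECORDS` store and the dict-shaped requests are all constructed for illustration and stand in for real HTTP handling and a real identity provider.

```python
"""
Added example (not from the white paper): a weak back-end API handler
that trusts the client, beside a hardened handler that enforces
authentication and per-user (object-level) authorisation on every call.

Assumptions, all illustrative and not any vendor's API:
  - Tokens are HMAC-SHA256 signed strings "<subject>.<expiry>.<hex sig>",
    issued and verified by the same back end (secret never leaves it).
  - Requests are plain dicts standing in for HTTP requests.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed sample secret; a real deployment uses a random, rotated key.
SERVER_SECRET = b"replace-with-a-real-random-secret"

# Constructed sample data store: one record per user id.
RECORDS = {
    "alice": {"balance": 1200, "email": "alice@example.com"},
    "bob":   {"balance": 75,   "email": "bob@example.com"},
}


def issue_token(subject: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint a signed bearer token for `subject` valid for `ttl_seconds`."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    payload = f"{subject}.{expiry}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{subject}.{expiry}.{sig}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated subject, or None if the token is malformed,
    tampered with, or expired."""
    now = int(time.time()) if now is None else now
    try:
        subject, expiry_str, sig = token.split(".")
        expiry = int(expiry_str)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SERVER_SECRET, f"{subject}.{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if expiry <= now:
        return None
    return subject


def weak_handler(request: Dict) -> Tuple[int, Dict]:
    """The 'only ever reached from inside the perimeter' endpoint: it performs
    no authentication and returns whatever record the client asks for."""
    user_id = request.get("user_id")
    if user_id in RECORDS:
        return 200, RECORDS[user_id]
    return 404, {"error": "not found"}


def hardened_handler(request: Dict, now: Optional[int] = None) -> Tuple[int, Dict]:
    """Authenticate the caller first, then authorise the specific object."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    subject = verify_token(auth[len("Bearer "):], now=now)
    if subject is None:
        return 401, {"error": "invalid or expired token"}
    user_id = request.get("user_id")
    # Object-level authorisation: the server, not the client, decides
    # which record this subject may read.
    if user_id != subject:
        return 403, {"error": "forbidden"}
    if user_id not in RECORDS:
        return 404, {"error": "not found"}
    return 200, RECORDS[user_id]


if __name__ == "__main__":
    # Anyone who finds the weak endpoint can read Bob's record outright.
    print(weak_handler({"user_id": "bob"}))
    tok = issue_token("alice")
    hdr = {"Authorization": "Bearer " + tok}
    # Alice's valid token cannot be used to read Bob's record ...
    print(hardened_handler({"user_id": "bob", "headers": hdr}))
    # ... but does grant access to her own.
    print(hardened_handler({"user_id": "alice", "headers": hdr}))
```

The point of the two handlers is the order of checks: authenticate, then authorise against the object actually requested, and only then touch the data. Transport security (TLS, and on mobile, certificate pinning) answers the "has it been manipulated in transit?" question above, but it does nothing for this class of flaw; a perfectly encrypted channel will happily carry an unauthorised request to a server that does not check who is asking.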
What can you do?
There are many moving parts to defending mobile web properties and, as with other security problems, it comes down to segmentation: identify each boundary between device, network and back end, and enforce controls at every one of them.
- Make sure that you tackle each of the problem areas adequately and test and report on it. Only store data on a device if it’s necessary and make sure it is encrypted and can be remotely wiped in case the device is lost or stolen.
- Make sure that the connection between the application and back-end servers is secured. Connections should be application specific and secure, using a micro-VPN technology.
- Ensure that applications can only make a connection to the right servers based on well-defined per-user/per-device policies that are strongly enforced at the perimeter.
- Protect the web applications at the back with the right technology. A network firewall is the right tool for enforcing a perimeter, but to protect an application from attack you need an application firewall. These devices understand how applications work and the protocols they use to communicate. Placing one in the data path and monitoring traffic in and out helps protect your applications not only from malicious attack but also from the consequences of poor coding and data leakage.
If you put all these things together you can go a long way to protecting your mobile web property and securing the communication between users-devices-servers. This is something that needs to be done if the benefits of additional productivity are to be effectively realised.
Mobility solutions from Citrix
Citrix has been delivering applications to users for 25 years. Citrix Mobility solutions take all of these security issues into consideration and offer, in a single package, the components required to secure your business from web and mobile threats. Citrix XenMobile and Citrix NetScaler, used together, provide a solution for:
- Mobile device management
- Secure control of on-device applications
- Encrypted per-application micro-VPNs to protect data in transit
- Policy definition based on users and devices
- Strong enforcement points at the perimeter
- High availability of components and datacenters to avoid downtime and boost productivity
- Secure web application protection
Mobility offers a great deal but can be fraught with security issues. Building and protecting the right environment to take advantage of these disruptive technologies is paramount to retaining flexible IT and an advantage in today’s competitive marketplace. Citrix understands this and can help you protect your investment and get ahead.