Mobile Doesn't Have to Mean Insecure

In my last blog, I stated that security is the number one concern for retail bank customers and investment bank managers. In fact, at one time or another, nearly all of our investment banking clients who are considering building mobile applications for their employees have asked, “what if they lose their iPad on the Tube?” – a good question.

I think the best way to answer that question would be with another: “what if it were their laptop?”

Banks are perfectly comfortable providing portable computers to their employees and providing a mechanism for them to gain access to critical bank systems via the Internet (via a VPN or web access with SecurID-based two-part authentication). They do, rightly so, because they have mitigated the various security risks:

• physical security – access to the portable is controlled by username / password
• data security – data on the disk drives of their portables is often encrypted and password controlled as an additional protection; in this way, the disk drive cannot be read if removed
• communication security – access to the bank systems is controlled by username and password and communications are encrypted via software (VPN client); web communication is always encrypted (https)
• role based security – access to individual applications and functions within those applications is controlled by role-based authorization to ensure that employees can only do what they are authorized to
• software security – portables have anti-virus and anti-malware software to inhibit malicious attacks

Well, you know what? You can do all the same things on mobile devices!

• physical security – access to iPad, iPhone, Android or Blackberry devices can be protected by password and enforced upon installing an enterprise app. Disabling this feature can also disable the use of the app. Using a push notification system (near to real time) messages delivered to the device can also force the app to deny access or wipe any sensitive data
• data security – application data on the device should always be minimized (in comparison to a portable computer, mobile devices will tend to hold far less information), and apps are capable of encrypting the data written to disk
• communication security – as with enterprise web applications, apps should communicate with servers only via encrypted communication (https). Access to VPNs is also available on mobile devices both via the device’s browser and via device-specific apps
• role based security – the same mechanisms used in web applications (user identification and authorization) should be applied to mobile apps
• software security – for now, virus and malware are not a problem, but implementation of cross-site scripting prevention code can inhibit hackers from injecting client-side scripts to gain unauthorized access. Detecting if the device is jail broken or has rooted access, and subsequently locking the application or making the application unusable, also protects unauthorized access

Investment banks’ concerns about security of mobile devices and applications are warranted, but the technologies and best practices already exist to appropriately mitigate these risks. However, the bank must ensure that the applications built and used by its employees adhere to these best practices. In this respect, the support of a trusted technological partner with experience in mobile security is a welcomed advantage.

Karl Rieder, Delivery Manager, GFT