While Neuralytix was putting together the IT21 presentation this year, there was a lot of discussion about data and its relationship to the big problems of IT. Inevitably, for me anyway, this led to a discussion of mobile applications and security. How does one provide universal access to data while maintaining privacy and security? It’s not a trivial question. If security and privacy concerns are not met, then mobile applications will not be deployable within a good number of industries, and certain applications will never be deployed for any industry. If a company lacks mobile application capabilities, it will not have the flexibility to respond to business needs outside the office. That will create a competitive disadvantage.
The good news is that the landscape for mobile security is quickly growing. Product initiatives such as IBM’s MobileFirst are pulling together groups of products to secure mobile applications using a multi-layered approach. In addition, conventional network and data center security is adapting to the mobile environment. Mobile security product portfolios can secure application access, transactions, and connections. They can even moderate the ability to run applications based on location, time of day, and other circumstances.
But that’s not nearly enough. At present, mobile security is still too coarse-grained an approach. Securing individual data elements is what is needed to strike the correct balance between mobile access and security and privacy. Right now, mobile security and privacy is an all-or-nothing endeavor. Either the conditions are right for access or they aren’t. That’s too simplistic. Instead, applications need to be able to determine which data is appropriate to display depending on location and the credentials of the person accessing the application. For example, it may be perfectly fine for an employee to view a customer record with a social security number when in a secure location or within the company firewall. Outside the firewall, however, the other information in the customer record may be acceptable to view but not the social security number. In most cases, a mobile application will either not show the social security number inside the firewall or deny access to the application outside the firewall. The mobile application places restrictions on all the information, and possibly the entire application, instead of only the sensitive information. This greatly reduces the utility of the mobile application because of one piece of sensitive data.
One solution to this problem is to use data masking. Data masking obscures individual data elements based on a set of rules, some of which can be location based. With data masking in place, a mobile application can access important information while making the more delicate information unusable when outside the corporate firewall. This serves up the best of both worlds – the ability to access whatever information you need while on the go and yet keep data safe. This doesn’t mean that other forms of network or mobile security are obsolete. Quite the opposite. When it comes to security, a belt-and-suspenders (and second belt) approach is the best practice. Data masking sits on a continuum of security practices that help keep mobile devices and applications secure.
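The rule-based masking described above, sketched as an added example that is not from the original article or from any vendor product. The field names, roles, masking rules, and the 10.0.0.0/8 "inside the firewall" range are assumptions; a real deployment might decide location from VPN or device posture rather than source address.

```python
import ipaddress

# Assumption: requests from this range count as "inside the corporate firewall".
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def keep_last4(value):
    """Mask every digit except the last four, preserving separators."""
    digits_left = sum(c.isdigit() for c in value)
    out = []
    for c in value:
        if c.isdigit():
            out.append(c if digits_left <= 4 else "*")
            digits_left -= 1
        else:
            out.append(c)
    return "".join(out)

# Hypothetical rules: field -> (roles allowed clear text when inside, mask otherwise)
RULES = {
    "ssn": ({"account_manager"}, keep_last4),
    "credit_limit": ({"account_manager", "finance"}, lambda _v: "[REDACTED]"),
}

def mask_record(record, role, source_ip):
    """Return a copy of record masked for this request; runs server-side so
    clear values of restricted fields never reach the mobile device."""
    try:
        addr = ipaddress.ip_address(source_ip)
        inside = any(addr in net for net in CORPORATE_NETS)
    except ValueError:
        inside = False  # unparseable address: fail closed, treat as outside
    result = {}
    for field, value in record.items():
        rule = RULES.get(field)
        if rule is None:
            result[field] = value  # non-sensitive field, always visible
            continue
        allowed_roles, mask = rule
        clear = inside and role in allowed_roles
        result[field] = value if clear else mask(value)
    return result

# Constructed sample record (not real data; area number 000 is never issued)
SAMPLE = {"name": "Pat Example", "city": "Springfield",
          "ssn": "000-12-3456", "credit_limit": "25000"}
```

The same record stays usable outside the firewall: only the restricted fields change, and an unknown location or role defaults to the masked form.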
I recently saw an example of this when discussing the newly announced Imperva-Informatica partnership. Imperva excels at putting up the type of high walls that keep corporate data safe in the data center, including access control. Informatica’s data masking, on the other hand, secures the data itself by scrambling sensitive data based on a set of rules including location. For mobile application users, this provides a means to access information that is useful when outside the firewall without worrying about disclosing private or sensitive data inadvertently. It strikes the balance between accessing information away from the office and being safe and secure.
Mobile security is still evolving. What IT professionals have to understand is that simply saying “no access” doesn’t cut it with users used to consumer mobile applications. This new breed of applications gives access to data anytime and anyplace. Securing the connection and the back end, while necessary, has its limitations, especially once the data gets to the mobile device. Adding data masking to the mobile toolbox is a necessary next step in increasing mobile security.