
Best Practices for Mobile Application Lifecycle Management Security From Design Through Deployment

Nov 20, 2015


Lafaiete Alves

Describes best practices for security in the use of mobile applications.
Transcript
  • 1

    Best Practices for Mobile Application Lifecycle Management Security from Design through Deployment

    www.maas360.com

  • 2

    MaaS360.com > White Paper

    Copyright 2014 Fiberlink Communications Corporation. All rights reserved.

    This document contains proprietary and confidential information of Fiberlink, an IBM company. No part of this document may be used, disclosed, distributed, transmitted, stored in any retrieval system, copied or reproduced in any way or form, including but not limited to photocopy, photographic, magnetic, electronic or other record, without the prior written permission of Fiberlink.

    This document is provided for informational purposes only and the information herein is subject to change without notice. Please report any errors to Fiberlink. Fiberlink will not provide any warranties covering this information and specifically disclaims any liability in connection with this document.

    Fiberlink, MaaS360, associated logos, and the names of the products and services of Fiberlink are trademarks or service marks of Fiberlink and may be registered in certain jurisdictions. All other names, marks, brands, logos, and symbols may be trademarks or registered trademarks or service marks of their respective owners. Use of any or all of the above is subject to the specific terms and conditions of the Agreement.

    Copyright 2014 Fiberlink, 1787 Sentry Parkway West, Building Eighteen, Suite 200, Blue Bell, PA 19422.

    All rights reserved.

    http://www.maas360.com/resources/white-papers/

  • 3

    Security Best Practices for Mobile Application Lifecycle Management

    Table of Contents

    The Role of Security in Mobile Application Development (page 4)

    Proactive Application Security Best Practices (page 4)

    Authentication (page 4)

    Single Sign-on (page 5)

    Data Loss Prevention (DLP) (page 5)

    In-App VPN (page 5)

    App Blocking (page 6)

    Enterprise App Store Best Practices (page 6)

    Benefits of a fully integrated app store (page 6)

    Deploy and update apps without delay (page 7)

    Integration with existing enterprise security and identity infrastructure (page 7)

    Comprehensive control of app security and management (page 7)

    App version control (page 7)

    App discovery and user collaboration (page 7)

    Real-time app inventory control and reporting (page 7)

    Think One Platform for Simplicity and Security (page 8)

    Passive Application Security Best Practices (page 8)

    Secure Browser (page 8)

    MaaS360 WorkPlace SDK for Application Developers (page 9)

    MaaS360 Instant App Wrapping (page 9)

    Another Critical Step on the Path to Enterprise Mobility (page 9)

  • 4

    The Role of Security in Mobile Application Development

    Mobile devices are now a reality in most organizations. Building on Mobile Device Management (MDM) and Mobile Application Management (MAM), organizations are increasingly developing their own enterprise apps for specific job tasks to improve productivity, business partnerships, customer satisfaction and bottom-line performance. But to achieve these benefits, it is imperative that mobile security best practices are incorporated throughout the lifecycle of the application.

    Mobile Application Lifecycle Management (MALM) inherits all of the issues introduced at the start of the mobile era: security, compliance and privacy. This includes the security of corporate and personal data, compliance with government and industry regulations, and employee privacy. While building custom mobile apps might seem like an onerous task, the greater challenge is ensuring the security of apps and associated data once deployed.

    MaaS360 by Fiberlink, an IBM company and recognized leader in Enterprise Mobility Management (EMM), offers application security best practices for use during app development and deployment. For enterprises designing and developing their own mobile apps, these features can be delivered through a Software Development Kit (SDK) or automatic app wrapping.

    Proactive Application Security Best Practices

    It's great to have a security policy and implement it after an app is ready for deployment, but incorporating security into your app's design and development simplifies and strengthens your efforts over time. In addition to the data encryption available with device operating systems, there are several proactive security features that can be added through MaaS360 during app development. These features include:

    Authentication

    In addition to device authentication with MaaS360, which can include basic passcode enrollment or two-factor authentication synchronized with your Active Directory or LDAP, you can embed authentication into your apps as well. Only the users intended to access specific apps and associated data will be able to open them, even if distributed to an unauthorized user by mistake.

    Organizations are facing a new challenge: how to extend compliance and security best practices to laptops and other mobile devices.

  • 5

    Single Sign-on

    You can design apps for a user to access all of their authorized enterprise apps with a single, shared passcode. This MaaS360 support feature provides a more user-centric approach when building mobile apps with a developer platform such as IBM Worklight. You can ensure strong authentication without impacting the productivity of users. MaaS360 WorkPlace simplifies app design for Authentication, Single Sign-on, Data Loss Prevention (DLP), In-App VPN and App Blocking across mobile platforms.

    Data Loss Prevention (DLP)

    MaaS360 supports a dual persona environment that fully separates corporate from personal data on mobile devices. Developers and MDM administrators can leverage this secure container, MaaS360 WorkPlace, in a variety of ways to prevent data leakage, stem the commingling of corporate and personal data, and address any employee privacy issues.

    MaaS360 WorkPlace: This container with FIPS 140-2 compliant AES-256 encryption can be password protected and inaccessible without the device owner's authentication. Should a device be lost or stolen, corporate apps, documents and data remain secure while the incident is reported and the container is remotely wiped. Company information is protected, even if an employee embarrassed by losing their device waits days to notify IT.

    Selective Wipe: Any and all information that was pushed to a device through MaaS360 can be remotely wiped from the container without affecting any information downloaded by a user for personal use. (MaaS360 also offers a Full Wipe feature that can restore the device to factory settings.)

    Restrict Copy-and-Paste: MaaS360 provides the ability to disable copying and pasting information outside the container. If the user tries to paste from the container to a resource accessible from their personal space, such as to a notepad, native email application, file sharing website or backup data cloud, a message reminding the user of your corporate security policy is pasted instead. An automatic alert about the attempted activity can also be sent to the MaaS360 administrator.

    Open-In Controls: MaaS360 also provides open-in controls so that users can only open documents and files in an app that belongs to and is controlled by the company in the WorkPlace container. Company information cannot be opened or moved outside the container.

  • 6

    In-App VPN

    While all of the above solidifies security for data at rest on a mobile device, enterprise app developers must also secure data in motion, i.e., any information transmitted from the MaaS360 WorkPlace container to your corporate servers. To secure those transmissions, there needs to be a VPN connection. App-level tunneling ensures user transmissions can be sent securely through only an app-level VPN connection without needing a device-level VPN. Leveraging the MaaS360 Mobile Enterprise Gateway, this can be done independently of any VPN infrastructure.

    App Blocking

    Your app development can also set policies to block an app from being opened on a device that is non-compliant with MaaS360's automatic security monitoring features.

    Enterprise App Store Best Practices

    Once apps are developed, the easiest and most secure method of distribution and control is an Enterprise App Store. In fact, many MaaS360 customers already use the system's App Catalog feature to manage public apps from stores such as the iTunes App Store, Google Play and the Windows Store, as well as in-house enterprise apps. More granular control of apps can be achieved by using the MaaS360 WorkPlace container in tandem with the App Catalog. With this approach, IT-procured apps, whether 3rd party or homegrown, are completely separated from personal apps.

    Benefits of a fully integrated app store

    The MaaS360 App Catalog offers a consolidated interface independent of mobile operating systems so you can manage apps across all different platforms from one window. Among other advantages of a fully integrated App Store:

    Because mobile devices are beyond the direct control of managers and IT personnel, they are particularly vulnerable to employee mistakes and employee wrongdoing.

  • 7

    Deploy and update apps without delay

    In addition to your custom enterprise apps, the App Catalog integrates with public app stores. You can push apps and track their installation over-the-air to individual devices, groups of users, or all users with bulk distribution. If you want, for example, to get a purchased iOS app to your employees using Apple's Volume Purchase Program (VPP), you can upload the VPP file directly and manage those licenses through MaaS360. If a user leaves the company, you can remove that application from their device and redistribute the license. If a user ever needs to delete an app and reinstall it, they don't have to reach out to IT to get another license or go through a public app store. Instead, they simply go to your organization's App Catalog and hit the app's install button.

    Integration with existing enterprise security and identity infrastructure

    Many organizations need to deploy apps for specific user groups. While you can set up user groups in MaaS360, coordinating your Enterprise Mobility with existing user identities based on Active Directory or LDAP saves steps to ensure that the right apps are distributed to the right people. This can be achieved with the MaaS360 Cloud Extender. For custom functionality, web services are highly recommended for integrating MaaS360 with any type of IT infrastructure because they are robust, flexible, efficient, easy to code and easy to expose to the Internet while keeping apps, documents and data secure.

    Comprehensive control of app security and management

    When managed through MaaS360, custom enterprise apps have the same protections as those provided for all other apps. (See next section on Passive Application Security Best Practices.)

    App version control

    With public apps, you typically have only one version of an app for all intended end users. With your custom enterprise apps developed in-house or by a third party, you can have a newer version of the app that you would prefer to push to just a handful of users before a full enterprise distribution. Using MaaS360, you can deploy and manage different versions of the same app.

    App discovery and user collaboration

    Users must be able to discover and access authorized apps recommended or required by your organization to do their jobs. With the MaaS360 App Discovery Portal, apps can be easily found in a simple-to-use interface. Users can also securely share and link apps approved for their WorkPlace container. They can comment and rate apps to help identify their usefulness and easily communicate which apps need to be updated or enhanced to improve job value.

    Real-time app inventory control and reporting

    Your MaaS360 administrator can see and report on all apps available in the App Catalog, authorized users, and apps in each user's WorkPlace container on their device in real time. The administrator can delete apps from any user, group or all devices, such as an earlier version of an updated app.

  • 8

    Think One Platform for Simplicity and Security

    Use one window for app development across mobile platforms with IBM Worklight. Use one window for MDM, MAM and MALM across platforms with MaaS360. These integrated approaches increase the advantages of Enterprise Mobility with higher levels of control, security, compliance and productivity while lowering demand on resources, time and budget.

    Passive Application Security Best Practices

    When managed through MaaS360, all public and enterprise apps have the same organizational control and protections, such as:

    Application whitelisting and blacklisting

    Configuring security and restrictions

    Automatic enforcement actions for non-compliance (alerting, device blocking, selective or full device wiping)

    Automatic monitoring of jailbroken, rooted and non-compliant devices

    Real-time visibility into the compliance status of all devices

    Reporting on security and compliance history

    Secure Browser

    Many organizations have invested significant resources and have well-established business processes that rely on existing web applications. With the MaaS360 Secure Browser and Enterprise Gateway, you can enable your employees with secure access to corporate intranet sites and applications such as private SharePoint, Windows File Sharing, and internal websites from mobile devices. This allows you to mobilize all your web apps without having to rewrite them as a mobile app or set up a full device-level VPN.

    The Secure Browser also allows your MaaS360 administrator to restrict access to websites from any device by category, and make exceptions to access restrictions for business purposes. For instance, if your organization blacklists social networks, the administrator can make exceptions for a marketing or PR person to use LinkedIn if needed for business posts. Should anyone else try to access social networks, they will be denied. (The administrator will get audit logs with a time and date stamp identifying the user and the device for each instance of a user trying to access a restricted website. Repeat offenders can be warned via the MaaS360 messaging system.)

    More sophisticated products are also becoming available that can monitor and log the transfer of sensitive files to storage devices and to other computers via email, file transfer or instant messaging, or alternately can block all such transfers completely.

  • 9

    MaaS360 WorkPlace SDK for Application Developers

    The MaaS360 WorkPlace SDK enables developers to embed MaaS360's robust security features in their app as a configurable security layer in as little as a few hours. MaaS360's robust security can be embedded in apps in as little as a few hours with the WorkPlace SDK or in seconds with app wrapping. Enterprise apps can have all MaaS360 protections tuned to an app's precise needs by incorporating the SDK during development. The WorkPlace SDK also allows developers to integrate MaaS360 with many features that are built into iOS, Android and Windows Phone devices.

    MaaS360 Instant App Wrapping

    For apps already developed, MaaS360 app wrapping automatically injects the necessary code into your app. You don't have to do anything but hit a button to add MaaS360's full app security and management capabilities in seconds.

    Another Critical Step on the Path to Enterprise Mobility

    While BYOD took organizations a few years to accept, MALM will occur at a much faster rate. The value of Enterprise Mobility tuned to an organization's mission and operations is undeniable in terms of productivity, customer and partner relationships, employee satisfaction and bottom-line performance. From job hire to exit interview, the employee's mobile phone will eventually be the primary access point to all authorized digital and physical assets within an organization. Custom enterprise mobile applications are a critical next step that most organizations are eager to take if mobile security can safeguard information at the same level as fixed IT infrastructure. MaaS360 is already helping thousands of organizations worldwide ensure their mobile initiatives address MDM, MAM and MALM with solutions that are quick for IT to implement and manage, easy for end users to accept, and rapidly nimble for an evolving mobile world.

    WP_201110_0033

    For More Information

    To learn more about our technology and services visit www.maaS360.com.
    1787 Sentry Parkway West, Building 18, Suite 200 | Blue Bell, PA 19422
    Phone 215.664.1600 | Fax 215.664.1601 | [email protected]

    All brands and their products, featured or referred to within this document, are trademarks or registered trademarks of their respective holders and should be noted as such.
