A growing concern for many enterprise IT security managers and system administrators is how to prevent devices such as smartphones and tablet PCs from becoming a security liability.
Recent news coverage has centered on the increase in Android malware; the resulting security problems often originate with users downloading malware-laden third-party apps. One way to combat these problems is to set up and run your own corporate app store where employees can only download an approved list of internal or third-party apps. In this tip, we'll discuss the security benefits of using a corporate app store to foster Android application security, and how to set one up in your enterprise.
An enterprise application store is a distribution model, an in-house portal if you like, for employees to set up their smartphones and tablets with the apps and documents they require. For instance, an organization may have mobile versions of its CRM or sales applications for remote workers or travelers to use in the field. Having a centralized repository for these applications makes it easy for employees to install and update their apps.
The Android platform is a natural fit for this model because of its open nature: Anyone can create and offer apps for the platform, unlike Apple Inc.'s iOS platform, which is tightly controlled by Apple, hence the only place to download authorized iOS apps is the Apple App Store. Yet it's that very issue that is a cause for concern among security pros because the Android platform comes with few built-in restrictions regarding app downloads, it's proven relatively trivial for attackers to trick unsuspecting Android users into downloading malicious apps. Therein lies the security value proposition for a corporate app store: By setting a policy in which Android devices allowed on the corporate network can download apps only from the corporate app store, the organization can control which apps reside on its employees' devices and prevent malicious third-party app downloads from other sources.
Apps considered for a corporate app store should be reviewed by the IT department to ensure they pass performance and security thresholds, meet security policy requirements, and are value for money (if the corporate IT department approves a third-party app for download via the app store, the app license could involve a fee, but managing all app downloads via the corporate app store makes licensing, bulk purchase discounts and of course security easier to manage). Providing a pre-approved list of applications is a form of whitelisting and can be effective in preventing malicious or inappropriate apps from entering the enterprise. However, be sure to get employees on board with the need for this type of whitelisting control to stop them from trying to circumvent it. As always, start with a clear policy about smart devices in the workplace, including which applications can be used for business purposes and how company-owned data should be treated.
Security and governance are the cornerstones of any app store. Security requires authentication and access control, so look for a mobile application provisioning product that can integrate with your existing identity management processes. For example, if you use a single sign-on platform such as LDAP, then integrate the app store with that directory service. A well-defined governance policy helps ensure only relevant and robust apps get listed. Internally created apps should be put through an even more rigorous vetting process as the actual code can be reviewed.
Employees should be made aware of which applications are available or under review, and be encouraged to give feedback about which apps they find useful and what apps they’d like reviewed for inclusion. This gives employees a sense of involvement, an opportunity to customize their devices to best suit their needs and select apps that boost their productivity and improve their work lives; it also stops complaints that apps are only chosen by "the powers that be."
To make the store easy to use and give employees a sense of ownership, provide rating, feedback and comment functionality as well as easy access to IT support. Organize apps in the context of what users will need or want to accomplish. Most users will have similar app requirements, but only display apps that are relevant to the user’s job role. This avoids ballooning license costs from commercial third-party apps, as many users will install apps just because they are there. It is important to keep stats on the number of downloads from your store, not only to track software costs and manage enterprise licenses, but also to understand how the store is being used and by whom. This information will provide evidence of how well the store is supporting users and the company.
Another benefit of centralizing control of apps is the ability to take advantage of volume purchasing to help offset the costs of evaluating selected apps, which is a labor-intensive process. The effort is worth it though, as it is possible to achieve consistency throughout an organization, as everyone will have the same tools and documents, all centrally managed. This is critical to ensure outdated documents or tools aren’t being used.
There are a number of enterprise app store products on the market, probably a cheaper and easier option than trying to build your own. Vendors include Apperian Inc., which offers a product called Enterprise App Services Environment (EASE), and Sybase Inc.’s Afaria, which can host a company’s own apps as well as links to third-party apps hosted on external sites such as the Apple App Store or the Google Marketplace. Partnerpedia Solutions Inc.’s Enterprise App Store also allows the inclusion of third-party apps from external sites, and Zenprise Inc.'s Enterprise App Store can push new applications and documents such as videos and presentations to users' devices, while also updating existing ones. Zenprise also offers a Remote Control for Android feature, which allows IT support to access a device remotely.
Running a corporate app store will involve some upfront costs and manpower resources to get it up and running, but in return you can offer users the apps they need for their jobs while maintaining control over what can be used on your networked devices.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.