This document describes the security features of the Appear IQ mobility platform. It allows businesses to securely build, integrate and manage enterprise mobile applications. The platform uses encryption, authentication, authorization and application management to secure data on devices, in transit and in the platform. It integrates with enterprise directories to authenticate users and control access. The platform is hosted on Amazon Web Services which has obtained security certifications.
SECURING MOBILE ACCESS TO ENTERPRISE DATA
An Appear Whitepaper

Over recent years, small and large businesses alike have seen the proliferation of mobile applications accessing enterprise data. These applications are either introduced by employees through word of mouth or developed by internal teams without further coordination. This trend is compounded by an increasing push from employees to use their personal mobile devices to access enterprise data. This paper describes the approach AIQ takes to securely manage and protect enterprise data.
SECURITY POSITIONING WHITEPAPER
Introduction
Over recent years, small and large businesses alike have seen the proliferation of mobile
applications accessing enterprise data. These applications are either introduced by employees
through word of mouth or developed by internal teams without further coordination. This
trend is compounded by an increasing push from employees to use their personal mobile devices
to access enterprise data.
Analysts agree that businesses should embrace these trends rather than work against them,
as they can increase employees' productivity and job satisfaction as well as ensure a higher
quality of service and improve compliance with regulations in place. In the Forrester report
"How Consumerization Drives Innovation", Ted Schadler, vice-president and principal analyst
at Forrester Research, confirms: "Allowing employees to use available devices and
applications is a key driver to solve new customer and business problems". However, the
availability of enterprise data in the field extends the boundaries of businesses' IT
infrastructures and adds risk and strain to IT departments.
At Appear we are convinced that businesses will be better equipped to succeed when
empowering their employees with devices, applications and data that match their needs.
However, it is critical that enterprise data remains carefully managed and secured. To achieve
this, businesses need more than legacy mobile device management (MDM) solutions. Today,
businesses need the ability to promptly address the requirements for new mobile solutions,
which may be initiated by customers, employees or competitors. This requires an
infrastructure to quickly and securely build, integrate and deliver to market new mobile
solutions that will allow those businesses to adjust to fast moving competitive landscapes.
At Appear, we develop the Appear IQ (AIQ) mobility platform, which enables businesses to
securely build, integrate and manage enterprise mobile applications. Keeping information
secure on mobile devices is critical for any business. Because all data is important, the
platform has been built to maintain a high level of security without compromising the user
experience. The AIQ platform has been designed with security at its core. This document
describes the approach AIQ takes to securely manage and protect enterprise data.
Appear IQ Architecture
The Appear IQ Mobility Platform simplifies the development and management of mobile
applications, as well as their integration with enterprise systems. It enhances the creation of
secure application portfolios through the following key functionality.
Secure mobile application development
Communication frameworks
The platform offers synchronous and asynchronous frameworks (including data
synchronization and messaging) which abstract connectivity and integration challenges.
The platform's asynchronous frameworks ensure that the relevant data is securely available
on the device, ready for consumption by authorized mobile applications. This guarantees full
offline functionality in a secure manner, which is critical for the successful introduction of
mobile applications.
The platform's synchronous frameworks guarantee that all communications to backend
enterprise systems are securely tunnelled through the platform.
Cross platform applications
The platform simplifies the development of cross-platform [1] applications using a hybrid [2] architecture.
Secure application deployment
User management
The platform integrates with enterprise directory services to authenticate and authorize
mobile and back-office users based on corporate policies.
App management
The platform simplifies the approval, distribution and removal of cross-platform mobile
applications.
Secure and scalable delivery model
The development and management platforms are normally available as a service using
Appear's public or private clouds, which reduces deployment costs, infrastructure investment
and update complexity.
For customers that require more control, the platform can also be deployed outside the
Appear clouds in a more traditional private IT environment.
Appear IQ key components
Figure 1 below depicts the key components of the platform.
[1] Cross-platform applications are applications developed once, and available across different operating systems like Android, iOS and Windows Phone. This significantly shortens the development times required to support different devices and manufacturers.
[2] Hybrid applications combine different technologies. At Appear, we enrich cross-platform web applications with additional functionality exposed by the platform or the underlying hardware. This combines the portability of mobile web applications with the performance and functionality of a native layer.
FIGURE 1 - APPEAR IQ HIGH LEVEL ARCHITECTURE
The key components of the Appear IQ mobility platform are:
Mobility platform
The Mobility Platform offers an administrative console which allows authorized administrative
users to manage mobile and back-office users, applications and devices in a secure
environment. In addition, it connects mobile applications with enterprise systems by
managing data to/from mobile devices and terminating the communication frameworks.
It is available as a hosted service, or on-premise.
Integration adapter
The integration adapter (IA) enables the interworking between the AIQ mobility platform and
the back-end systems within the organisation's IT infrastructure. It is responsible for securely
transforming the data exchanged with the enterprise systems into a mobile-friendly format, and
then distributing it to mobile devices through the Mobility Platform.
It is an optional component, typically dedicated to each customer. The integration adapter
can be deployed within Appear public and private clouds, as well as in on-premise
deployments, embedded as an OEM component in software products.
Mobile app container
The mobile app container is a native application installed on mobile devices. It is responsible
for securely managing data, applications and policies configured in the Mobility Platform. It
also includes a user interface, from which mobile users can access their enterprise application
portfolio.
User Authentication and Authorization
Any user that needs to access enterprise data must be authenticated and authorized.
The Mobility Platform integrates with enterprise directory services to authenticate mobile and
back-office users as well as extract profile information that can be used to define permissions
on resources [3] within the deployment.
Table 1 below lists the supported directory services.
Supported Directory Service | Notes
Microsoft Active Directory | Windows 2008 Server and later.
Generic LDAP Directory | Support for LDAP v3 directory servers.
Internal Directory | User directory available within the Mobility Platform.
Custom Directory | Developers can develop custom plugins to integrate with other directory services as of Q4 2014.
TABLE 1 - LIST OF SUPPORTED DIRECTORY SERVICES
User authentication and profile extraction
The Mobility Platform can authenticate mobile users against enterprise directory services and
extract relevant profile information. Upon successful authentication, this profile information
can be stored in the platform to reduce further administrative activities (e.g. user group
management, fine-grained permissions management).
User and profile synchronization
The Mobility Platform can be configured to replicate a sub-part of an enterprise directory
service in order to alleviate administrative activities. This allows the pre-loading of mobile and
back-office users in the platform prior to their initial enrolment. In this case, the user
authentication remains delegated to the enterprise directory service.
User authorization
The Mobility Platform allows authorized administrators to define user roles and link them to
permissions on system resources.
Roles can be assigned to user groups or individual users. Permissions define the accessibility
of resources within the deployment.
[3] A resource can be a component (e.g. the mobile or administrative user interface) or a piece of functionality (e.g. a mobile application or a sub-part of the platform's administrative user interface).
Secure Application Management
Over recent years, the trend towards consumerization of enterprise mobility has led to a
proliferation of new applications that increasingly need to access enterprise data. This puts
tremendous pressure on IT departments to standardize and support new applications,
guarantee their compliance and make them easily available to employees.
Mobile application management
The Appear IQ platform includes Mobile Application Management (MAM), which simplifies
the unified management of standalone and legacy applications as well as the development
and integration of new ones. This provides IT departments with full control over the lifecycle
of their chosen applications, avoiding the unreliable, lengthy and distracting approval
processes from public consumer app stores.
Role-based application distribution
The platform allows for role-based application distribution. Applications are distributed and
made available only to authorized users, defined through the Appear IQ platform. Access is
granted to all applications that match the users' assigned roles, either based on their group
membership or their individual assignment.
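As an added example that is not Appear's code (the platform's actual data model is not published on this page), the following Go program models the authorization scheme described in the User authorization and Role-based application distribution sections: roles assigned to directory groups or to individual users, permissions defined per role on named resources, and the application portfolio a user sees derived from those permissions. All users, groups, roles and application names are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// User is what the platform holds after authenticating against the directory
// and extracting the profile: group memberships from the directory plus any
// roles an administrator assigned to this user individually. Constructed data.
type User struct {
	Name   string
	Groups []string
	Roles  []string
}

// Permission is a right on one named resource, e.g. "run" on "app:crm".
type Permission struct {
	Action   string
	Resource string
}

// Policy is the tenant's authorization configuration: the roles carried by
// each directory group and the permissions granted by each role.
type Policy struct {
	GroupRoles      map[string][]string
	RolePermissions map[string][]Permission
}

// EffectiveRoles merges roles from group membership and individual
// assignment, de-duplicated and sorted so the result is stable.
func EffectiveRoles(p Policy, u User) []string {
	seen := map[string]bool{}
	for _, r := range u.Roles {
		seen[r] = true
	}
	for _, g := range u.Groups {
		for _, r := range p.GroupRoles[g] {
			seen[r] = true
		}
	}
	roles := make([]string, 0, len(seen))
	for r := range seen {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	return roles
}

// HasPermission is the authorization check. A role the policy does not
// define grants nothing, so an unknown or stale role falls back to deny.
func HasPermission(p Policy, u User, action, resource string) bool {
	for _, r := range EffectiveRoles(p, u) {
		for _, perm := range p.RolePermissions[r] {
			if perm.Action == action && perm.Resource == resource {
				return true
			}
		}
	}
	return false
}

// VisibleApps implements role-based distribution: the portfolio offered to a
// user is exactly the subset of the catalogue that an effective role lets
// them run, in catalogue order.
func VisibleApps(p Policy, u User, catalogue []string) []string {
	apps := []string{}
	for _, app := range catalogue {
		if HasPermission(p, u, "run", "app:"+app) {
			apps = append(apps, app)
		}
	}
	return apps
}

// SamplePolicy is a constructed tenant configuration.
func SamplePolicy() Policy {
	return Policy{
		GroupRoles: map[string][]string{
			"field-sales": {"field-user"},
			"it-admins":   {"platform-admin", "field-user"},
		},
		RolePermissions: map[string][]Permission{
			"field-user":     {{"run", "app:crm"}, {"run", "app:expenses"}},
			"platform-admin": {{"run", "app:admin-console"}, {"admin", "console:users"}},
		},
	}
}

func main() {
	p := SamplePolicy()
	catalogue := []string{"crm", "expenses", "admin-console"}
	users := []User{
		{Name: "alice", Groups: []string{"field-sales"}},
		{Name: "bob", Roles: []string{"platform-admin"}},
		{Name: "carol", Groups: []string{"it-admins"}, Roles: []string{"auditor"}}, // "auditor" is not defined in the policy
	}
	for _, u := range users {
		fmt.Printf("%-6s roles=%v apps=%v manage-users=%v\n", u.Name,
			EffectiveRoles(p, u), VisibleApps(p, u, catalogue), HasPermission(p, u, "admin", "console:users"))
	}
}
```

The point worth checking in any such implementation is the default: a user whose only role is undefined in the policy, or who belongs to no configured group, gets an empty portfolio rather than everything.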
From then on, employees no longer need to look for the relevant applications: they are made
easily discoverable through the Appear Click&Run® technology.
Enabling in-application permissions
Lastly, the platform exposes users' permissions as well as context information to applications,
which can adjust their behavior accordingly.
Data Confidentiality and Integrity
For any business, confidentiality and integrity of enterprise data is critical. For that reason, the
Appear IQ mobility platform ensures the encryption of the data end to end.
Secure data on devices
Data at rest on the device is sandboxed within the Mobile App Container. All enterprise data
and HTML5 applications are managed by the Mobile App Container and held securely in a
database residing within it.
The Mobile App Container makes sure that enterprise data is available to authorized
applications only. The container ensures the isolation of enterprise data and restricts access
of HTML5 applications to the subset on which they have the rights. The sandbox also ensures
that data stored on the file systems is not directly accessible to unauthorized applications.
In addition, the Mobile App Container can be configured to add an additional layer of 256-bit
AES encryption of the database files. When enabled, cryptographic keys are stored in the
operating system's secure KeyChain and KeyStore.
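As an added example that is not Appear's code, the following Go program shows the layer described above: a database file image encrypted with 256-bit AES, the key fetched by alias from a keystore abstraction standing in for the operating system's Keychain/KeyStore. It assumes an authenticated mode (AES-GCM) so that a modified database file is rejected rather than loaded; the page does not state which AES mode the container uses, and the KeyStore interface, the alias and the sample rows are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyStore stands in for the operating system keystore. The container never
// writes the key next to the database; it asks the keystore for it by alias
// each time the database is opened. (Assumed interface, not the platform's.)
type KeyStore interface {
	DatabaseKey(alias string) ([]byte, error)
}

// memoryKeyStore is the in-memory stand-in used so the example runs anywhere;
// on a device the key lives in OS-managed (often hardware-backed) storage.
type memoryKeyStore map[string][]byte

func (m memoryKeyStore) DatabaseKey(alias string) ([]byte, error) {
	key, ok := m[alias]
	if !ok {
		return nil, fmt.Errorf("keystore: no key under alias %q", alias)
	}
	return key, nil
}

// NewMemoryKeyStore generates a fresh 256-bit key under alias, as a
// container would on first launch.
func NewMemoryKeyStore(alias string) (KeyStore, error) {
	key := make([]byte, 32) // 32-byte key selects AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return memoryKeyStore{alias: key}, nil
}

// aeadFor builds the AES-256-GCM primitive for the key stored under alias.
func aeadFor(ks KeyStore, alias string) (cipher.AEAD, error) {
	key, err := ks.DatabaseKey(alias)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealDatabase encrypts a database file image. The file layout is
// nonce || ciphertext || tag; the alias is bound in as associated data so a
// file sealed under one alias cannot be opened under another.
func SealDatabase(ks KeyStore, alias string, plaintext []byte) ([]byte, error) {
	gcm, err := aeadFor(ks, alias)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(alias)), nil
}

// OpenDatabase reverses SealDatabase. GCM authenticates the whole file, so a
// truncated or modified file is rejected instead of being loaded.
func OpenDatabase(ks KeyStore, alias string, sealed []byte) ([]byte, error) {
	gcm, err := aeadFor(ks, alias)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed database is too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, []byte(alias))
	if err != nil {
		return nil, fmt.Errorf("database integrity check failed: %w", err)
	}
	return plaintext, nil
}

func main() {
	const alias = "aiq-container-db" // constructed alias
	ks, err := NewMemoryKeyStore(alias)
	if err != nil {
		panic(err)
	}
	rows := []byte("constructed rows: order#1001,customer=ACME,total=1200")
	sealed, err := SealDatabase(ks, alias, rows)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes sealed into %d bytes; plaintext visible on disk: %v\n",
		len(rows), len(sealed), bytes.Contains(sealed, []byte("ACME")))
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = OpenDatabase(ks, alias, tampered)
	fmt.Println("tampered file rejected:", err != nil)
}
```

The integrity property is the part a plain file-encryption layer often lacks: with an unauthenticated mode, a flipped byte on disk silently becomes corrupted (or attacker-chosen) rows, whereas here the open fails and the application can refuse to start.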
The Mobile App Container makes use of the Address Space Layout Randomization (ASLR)
functionality, which protects against malicious access to data loaded in memory [4].
Lastly, the Mobile App Containers for Android and Windows Phone can be configured to use
external storage, in which case they can be configured to automatically encrypt data stored at
that location. That said, Appear recommends against storing sensitive data on these media.
Secure data in motion
Data in motion between the device and the mobility platform, or between the mobility
platform and the backend (possibly represented by the Integration Adapter), is transferred
over HTTPS. By default, the Appear IQ Mobility Platform requires TLS v1.2 for encrypted
communications with both mobile components (128-bit key) and backend components (128-bit or
256-bit key).
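As an added example that is not Appear's code, the following Go program puts the weak and the hardened transport setting side by side: a server configuration with TLS 1.2 as the minimum version and AES-128/AES-256 GCM suites (the 128-bit and 256-bit keys mentioned above), against one that still accepts TLS 1.0 and 1.1, each exercised by an in-memory handshake with a modern client and with a TLS 1.1-only client. The certificate, the hostname and the Negotiate helper are constructed for the example; the platform's real TLS stack is not described on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerName is the (constructed) hostname of the platform endpoint.
const ServerName = "mobility-platform.example"

// selfSignedCert creates a throwaway ECDSA certificate for ServerName so the
// handshakes below run without a CA; the returned pool lets the example client
// trust it. A real deployment uses a CA-issued certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: ServerName},
		DNSNames:     []string{ServerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// PlatformServerConfig is the hardened setting: TLS 1.2 is the floor and only
// AEAD suites with 128- or 256-bit AES keys are offered for TLS 1.2 (Go fixes
// the TLS 1.3 suites itself). Session tickets are off so the in-memory pipe
// used by Negotiate sees no post-handshake writes.
func PlatformServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
		SessionTicketsDisabled: true,
	}
}

// LegacyServerConfig is the weak setting kept for comparison: it still
// accepts TLS 1.0 and 1.1 and Go's default suite list, CBC suites included.
func LegacyServerConfig(cert tls.Certificate) *tls.Config {
	c := PlatformServerConfig(cert)
	c.MinVersion = tls.VersionTLS10
	c.CipherSuites = nil
	return c
}

// ClientConfig builds a client restricted to the given version range
// (maxVer 0 means no cap) that trusts the example certificate.
func ClientConfig(roots *x509.CertPool, minVer, maxVer uint16) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: ServerName, MinVersion: minVer, MaxVersion: maxVer}
}

// Negotiate runs one handshake over an in-memory connection and returns the
// negotiated protocol version, or the error that terminated the handshake.
// The raw pipe ends are closed (not the TLS conns) so no close_notify is sent.
func Negotiate(server, client *tls.Config) (uint16, error) {
	srvEnd, cliEnd := net.Pipe()
	defer cliEnd.Close()
	srvErr := make(chan error, 1)
	go func() {
		defer srvEnd.Close()
		srvErr <- tls.Server(srvEnd, server).Handshake()
	}()
	c := tls.Client(cliEnd, client)
	clientErr := c.Handshake()
	serverErr := <-srvErr
	if clientErr != nil {
		return 0, clientErr
	}
	if serverErr != nil {
		return 0, serverErr
	}
	return c.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	modern := ClientConfig(roots, tls.VersionTLS12, 0)
	old := ClientConfig(roots, tls.VersionTLS11, tls.VersionTLS11)
	v, err := Negotiate(PlatformServerConfig(cert), modern)
	fmt.Printf("hardened server, modern client:  version=%#x err=%v\n", v, err)
	v, err = Negotiate(PlatformServerConfig(cert), old)
	fmt.Printf("hardened server, TLS 1.1 client: version=%#x err=%v\n", v, err)
	v, err = Negotiate(LegacyServerConfig(cert), old)
	fmt.Printf("legacy server, TLS 1.1 client:   version=%#x err=%v\n", v, err)
}
```

The second and third handshakes are the check worth automating against a real endpoint: the hardened server must answer a TLS 1.1-only client with a protocol-version error, while the legacy configuration quietly completes the handshake at 0x0302.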
In addition, the Appear IQ Public and Private clouds can host dedicated JVM-based Integration
Adapters (IA) on behalf of businesses. Where the IA requires connectivity with the business's
enterprise systems, communications can be encrypted using TLS v1.2. Alternatively, a dedicated
SSL tunnel can be established between the IA and the business's datacenter.
Secure data in the platform
The platform allows businesses to keep full control over what data will be stored in the
Mobility Platform, and what data shall only securely transit through it.
Data at rest in the Mobility Platform is stored in a central database, which has access
restricted to the Mobility Platform at the network level.
The central database is provided by our cloud hosting partner. Please refer to the section
Cloud Compliance for a list of the certifications and attestations of our hosting partner. Both
the default Appear IQ Public and Private clouds are hosted within the EU zone and fall under
EU data privacy regulations. Alternative locations are possible for setting up Appear IQ Private
clouds.
In addition, when using the Appear IQ Private cloud, businesses can decide to enable SSL
encryption between the Mobility Platform and the database.
Lastly, the Appear IQ Mobility Platform is security hardened. Our security experts are
continuously monitoring and addressing possible security risks found or publicly announced in
underlying components.
[4] ASLR is available on all supported iOS devices and on Android devices running Android 4.0 and later.
Cloud Compliance
At the time of writing, the Appear IQ Public and Private Clouds are deployed in Amazon AWS. The
default Appear IQ Public and Private clouds are hosted in Ireland. Alternative locations are
possible for setting up Appear IQ Private clouds.
The Amazon AWS infrastructure has been designed and is managed in alignment with industry
regulations, standards and best practices. Table 2 lists the third party attestations, reports and
certifications that have been officially granted to the infrastructure. Please contact your
Appear representative to access the official attestations.
Certifications | Notes
HIPAA | For entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA).
SOC 1/SSAE 16/ISAE 3402 (formerly SAS70) | The SOC 1 report audit attests that the control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively.
SOC 2 | The SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA's Trust Services Principles criteria. This report provides additional transparency into the security based on a defined industry standard and further demonstrates AWS' commitment to protecting customer data.
SOC 3 | The SOC 3 report is a publicly available summary of the SOC 2 report and provides the AICPA SysTrust Security Seal. The report includes the external auditor's opinion of the operation of controls (based on the AICPA's Security Trust Principles included in the SOC 2 report).
PCI DSS Level 1 | The attestation confirms that the infrastructure has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 2.0.
ISO 27001 | ISO 27001 is a widely adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that is based on periodic risk assessments.
TABLE 2 - LIST OF CERTIFICATIONS AND ATTESTATIONS OF OUR PUBLIC AND PRIVATE CLOUDS