Whitepaper: How to survive BYOD and mobile networks1. The Best Way
To Protect
Private
Information,
Is to have
No Information
To protect
Enterprise Mobile Strategies
- how to survive BYOD And mobile networks
PING PAL The Secure Communication and Positioning Service
Ephemeral | Anonymous | No data stored | Military grade encryption
2. pals@pingpal.io | pingpal.io | © 2014 PingPal AB | All Rights Reserved
BitSight has put together a report detailing the security effectiveness of different companies in the US
(http://blog.bitsighttech.com/how-strong-is-the-cyber-health-of-the-us-economy). Some high level findings:
• During 2013, at any given time, between 68% and 82% of the S&P 500 companies had been
compromised with an externally observable event
• Only 18% of companies had strong SSL certificates, the remainder sent data across the Internet
without proper encryption
Perhaps this is an unavoidable reaction to the pressures organizations are under – is it feasible to
deliver a product more rapidly while still remaining secure? In the name of lean everyone is trying roll out
minimum viable products to test a business hypothesis. This is something inevitable when corporations
try to operate faster and yet at lower cost, while trying to innovate products for an always faster moving
market. Not only quality but more critically security issues are set aside. “We will fix this when we know
that the product is viable and go for version 2, the real product.”
The same mentality is spreading in the internal IT departments maintaining and developing the business
systems under the mantra of ever increasing cost efficiency.
And then comes BYOD, Bring Your Own Device. A
lot of the traffic, internal corporate and with customers
and market, will be outside firewalls to mobile devices
owned by the employees, on public networks. A lot of
sensitive corporate data must be stored locally in the
device to ensure that for instance sales people has
updated and correct CRM data when visiting customers.
Employees will communicate internally on consumer
tools like WhatsApp. This is not the safest environment,
rather more or less a ticking bomb.
To unlock the full potential of enterprise mobility, IT needs to allow people the freedom to seamlessly
access all their apps and data from any device, company owned or private.
What was right in the past decade is now an emerging problem
For ten, or so, years companies have “webified” their desktop applications for all the good reasons, a
simple unified platform-independent interface to the corporate data. But the challenges of mobile app
development are way too different from what it took to move from the green screens of IBM mainframes to
a browser based UI front-end.
HTTP and browser is not a secure and effective mobile environment, especially for the 82% of the
corporation without a secure SSL certificate. It is estimated that in 2017 over 67% of all integration flows
will extend outside the enterprise firewall.
Being mobile also means that you need to communicate. The users discuss and share restricted
corporate data on their BYO devices, on open public networks. When using “traditional” telecoms like
voice call or SMS, your security is in the hands of the operators. When using Gmail, we know that
Google scans all user mails for keywords for their business purposes. When using Instant Messaging
your users will use the same tools as they do privately, for instance WhatsApp, now owned by Facebook.
Gartner expects that by 2017, “40% of enterprise contact information will have leaked on to Facebook
via employees’ increased use of mobile device collaboration applications.” And mobile devices are more
easily lost or stolen with all that restricted data still in the device.
It is now time to recover lost grounds and include secure mobility in your IT strategy.
3. pals@pingpal.io | pingpal.io | © 2014 PingPal AB | All Rights Reserved
9 Important aspects to consider
You need a well-defined mobile strategy for your enterprise, no matter what size you are. This is the
necessary foundation for your important decisions on various mobile frameworks, development tools to
use, devices to support and mobile development providers. Listen to the app agencies promoting their
favorite tools, but decide on what’s best for you long term, not the cheapest offer today.
1. Security and Privacy Outside
the Firewall
Have a common framework for authentication
and authorization of your mobile apps as they
are more vulnerable than desktop or web based
applications protected by the company firewall.
Consider the whole transport mechanism for all
your applications, internal messaging, etc. You
need a secure “pipe” for everything.
The most common solutions for this are VPN’s
and Mobile VPN’s. A VPN provides an encrypted
tunnel through the Internet between your device
and a VPN server. This is called a tunnel, because
unlike other encrypted traffic, like https, it hides all
services, protocols, and contents.
Depending on the actual network state (coverage,
signal strength, etc), there might be problems
since the mobile networks response time can
be high and VPN connections are very sensitive
regarding response time. This is due to security
concerns but it means that a slow response might
interrupt a VPN connection, making it very difficult
to work on the corporate network from a mobile
device.
A VPN connection is set up once, and only
terminates when you decide, but the tunnel
is disconnected if the client loses network
connectivity or due to inactivity. This makes it a
good solution for a more permanent or continuous
connection to the corporate network, as long as
you have a good enough Internet connection. But
it is highly impractical for e.g. messaging that is
more sporadic in its nature.
When using VPN from a mobile device all Internet
traffic, disregarding if it is corporate or private, will
have to pass through the company firewall.
You will also have to take into account
management of temporary (e.g. consultants)
users, letting people participate in secure
discussions without connecting them to restricted
services inside the firewall.
4. pals@pingpal.io | pingpal.io | © 2014 PingPal AB | All Rights Reserved
2. Device and local data
Management and Monitoring
Mobile devices are used anywhere, often over
untrusted networks, with a significant potential for
loss or theft You must be able to remotely lock a
lost device and wipe off selected corporate data as
well as emails, chat conversations, etc.
The same goes for employees leaving the
company and consultants/sub-contractors that
bring their own devices.
The solution must reduce the risk of leaking
data by mistake or by theft and it is here that the
auto-deleting, or ephemeral, mechanisms come
in. Snapchat has popularized the auto-deleting
images for casual communication. The same
kind of mechanism can be used for any type of
messaging or corporate data when it is controlled
by a specific app.
Possible ephemeral triggers are, for instance,
deleting after a set number of views, or at a set
time, or by using a geofence; “this information
must not leave this building”.
You should also be able to push newer apps
or versions of apps to every employee so that
everyone runs the same version, as you have the
app store update mechanisms for commercial
apps.
3. Device Independence
Your IT infrastructure must be built with device
independence in mind. You have to protect
sensitive information wherever and however
it’s used and stored—even when business and
personal apps live side-by-side on the same
device.
Support for various current and future mobile
platforms and form factors should not pose too
big a challenge and a fortune to implement and
support.
Do not try to throw in every feature of an existing
web app or desktop app into your mobile app.
This will only increase bulkiness and development
and maintenance cost. Build smaller apps that
only take care of a handful of features, that are
easy to replace when your organization or IT
implementation changes.
Provide a suite of such apps and let customers,
partners and employees pick and choose what
may be the best fit for them. Remember the high
interoperability and ease with which mobile apps
can kick off another mobile app based on user’s
inputs and preferences.
Also keep in mind, the integration possibilities
with independent productivity apps like Evernote,
Email clients, Document and Image editing and
management tools.
5. pals@pingpal.io | pingpal.io | © 2014 PingPal AB | All Rights Reserved
4. Server side implementation
A mobile application isn’t the same as a desktop
application, and while the difference starts in the
device, it’s the server side of the mobile equation
that will make the difference between productivity
gains and losses.
If you do not already have an enterprise bus
infrastructure in place or your current infrastructure
is too old to handle mobile requirements, consider
revisiting the brokering and routing requirements.
An optimum server-side mobility solution will
consider state control in transactions, presentation
of information and management of mobile data
flows.
You also need to analyze and minimize data
volumes. Mobile applications rely on a relatively
low-speed link to the devices, and available mobile
bandwidth may vary considerably, depending on
the user’s location and the local cellular traffic
load. In many cases there may be usage charges
applied, which could make mobile applications
expensive to run if data volumes are high.
5. Data synchronization
Database synchronization presents one of
the toughest hurdles in deploying distributed
mobile solutions. You need to set up advanced
synchronization and filtering between each mobile
device and the central system, deciding what
data they share, and the manipulation rules. The
complexity grows exponentially with the amount of
shared data so it is necessary to select good tools
to manage this.
The data in the app should be stored in a
secure local database in the device with strong
encryption. There should also be an automatic
self-delete (ephemeral) mechanism implemented
in the app to automatically remove data in
accordance with the internal business processes,
as well as a complete wipe through a remote
command.
The synchronization mechanism should also take
into account the mobile network characteristics
of everything from high to low speed data
connections, dropped connections in the middle of
processing and even complete off-line situations.
The data synchronization should be done partially
on connection losses, giving clients the opportunity
to continue synchronization where it was when
the connection got lost. It should also handle
multi-user conflicts, primary-key changes and
other problems usually associated with database
synchronization.
6. pals@pingpal.io | pingpal.io | © 2014 PingPal AB | All Rights Reserved
6. Offline behavior of app
Employees must be able to download corporate
data in their device. It could be as simple as
Excel and PowerPoint files, but also for instance
all CRM, customer support, order delivery, etc
data related to a specific customer for a meeting.
People need access to important and sensitive
data to perform their job even when traveling on
an airplane or visiting a remote site with poor data
network coverage.
Partners and associates might also need to
download offline data, like actionable items,
messages and reports. For your customers you
might want to offer the ability to download receipts,
order status, and special offers even when they
are off the network.
The highly sensitive nature of this data makes
it critical to develop security mechanisms, like
database encryption and the ability to remotely
wipe everything from lost or stolen devices.
There might also be privacy or other regulatory
compliances needed to investigate.
7. Scalability
Mobile customers’ attention span is shorter than
that of desktop and webapps. Customers use
devices everywhere and at any time of day. Mobile
app infrastructure has to be scalable as once
an app becomes a big hit, it becomes extremely
important to scale up the back end within hours or
days. Otherwise you will end up having a short-
lived success and by the time you scale up the
customers will be all gone.
The simple way is to apply vertical scaling by
adding more resources to your server. This
might be OK for a small niche app but will not be
sufficient for massive scaling. Design your app and
backend solution for horizontal scaling where you
distribute data and route messages over several
servers.
This is especially important if your app is customer
facing.
7. pals@pingpal.io | pingpal.io | © 2014 PingPal AB | All Rights Reserved
8. Prioritize user experience
Mobile apps are setting the stage for what users
expect from their working environment. People
expect the same look, feel and power from your
internal apps as they expect from commercial
apps. This has raised the stakes for IT.
As you work to deliver a superior user experience,
look for ways to give people more than they expect
and provide useful capabilities they might not have
thought of yet. For example:
• Think mobile first!
• The design and layout of the app is at least as
important as the functional task it is intended
for.
• Compare your intended app with similar
commercial consumer apps. Is your app
looking as good or better? It should, if you
want your users to love the app.
• Allow people to access their apps and data
on any device they use, complete with their
personalized settings, so they can get to work
right away.
• Automate controls on data sharing and
management, such as the ability to copy data
between applications, so people don’t have to
remember specific policies.
• Define allowed device functionality on an
app-by-app basis, so people can still use
functions such as printing, camera and local
data storage on some of their apps even if IT
needs to turn them off for other apps.
• Make it simple for people to share data with
colleagues by for instance sending a link.
• You should measure and analyze usage of
various features to decide future development
of the app.
9. Customer facing apps
The app will reflect on your brand and you as a
supplier and it’s important that the app feels and
behaves as good, or better, than a commercial
app.
Social networking is increasingly becoming an
important aspect of mobile app development.
It could mean as simple as enabling app
authorization using customers social IDs, for
instance signing on with the users Facebook ID.
If implemented correctly it will also offer insights
into demographics of customers as well as help
manage your company’s online reputation and
address customer concerns before it is too late, all
important aspects for developing your products,
offering and brand.
The app has to be appealing and will need regular
facelifts to keep competition at bay unlike the
previous generation webapps wherein functionality
alone was enough to keep customers engaged.
8. pals@pingpal.io | pingpal.io | © 2014 PingPal AB | All Rights Reserved
Services Tier Design for Mobile
Applications
The mobile aspects brought up in this whitepaper shows that the old three-tier architecture has to be
updated. Many vendors have started promoting a new four-tier model to assist in solving key challenges
associated with current delivery systems, where new dynamic apps with cache solutions will be able to
effectively adapt and scale with changing demand.
The four-tier model is brought forward, and explained in much more detail, by Forrester Research Inc:
http://www.forrester.com/Mobile+Needs+A+FourTier+Engagement+Platform/fulltext/-/E-RES100161
Client tier
• Mobile clients
• Wearables
• Internet of things
• Responsible for experience delivery
Delivery tier
• Optimizes content for proper display on device
• Caches content for performant delivery
• Drives personalization by using analytics to monitor user behavior
Aggregation tier
• Aggregates and federates services tier data
• Provides discovery for the underlying service library
• Performs data protocol translation (e.g. SOAP to JSON)
Services tier
• Existing on-premises systems of record, services and data
• External third-party services (e.g. Box, Twilio)
1. The client tier is all about the user experience.
It separates the unique capabilities of each app and
device — wearable, desktop or mobile, browser or
dedicated app, platforms and HW devices, Internet
of Things, etc — from the services that back-end
applications deliver. This frees developers from
having to customize development to each device
and platform, which allows them instead to focus on
building out a single application, increasing productivity,
and decreasing maintenance load. It also means the
possibility to more freely chose tools and vendors.
2. The delivery tier takes the app- and device-specific
information from the client tier to optimize content and
delivery method for each device. It queues and caches
content both locally and on servers so that in the event
of lost service while using the application they would
still be able to have a smooth working experience.
3. The aggregation tier is the API layer that has two
brokerage roles, providing discoverability between app
requests and services and bidirectional translation
between client requests and back-end or third-party
services. By applying business intelligence, analytics,
and role-based access the dynamics of the service
increases.
4. The services tier contains your legacy systems.
It’s the many systems you have within the firewall AND
third-party services in the cloud. Each of these services
has a different interface with its own specifications for
how to access functionality and data. Data is provided
to the layers above without concern for how that
data is consumed, creating maximum flexibility in the
consumption and dynamic composition of services.
9. pals@pingpal.io | pingpal.io | © 2014 PingPal AB | All Rights Reserved
Reports show that 40% of all employees rely on mobile devices every day during the workweek, with 37%
of the employees use their mobile devices to work for more than 60 minutes a day.
Early mobile implementations in enterprise systems have mostly tried to mimic the desktop and browser
implementations, but this provides a poor solution and experience. The tools market is a mixture of the
old giants that tries to raise themselves to mobility and app development tools targeting consumer apps.
Choosing the best tools for security, user experience, content, platforms and devices they wish to deliver
will be increasingly critical.
Try to think ahead where you want to be in a couple of years and chose tools and develop strategies with
future flexibility. Don’t go for the latest buzz if it cannot be thrown out again if it fails or gets out of fashion.
Mobility is here to stay but devices and technology will change. Quickly.
Final Notes
About PingPal
PingPal is a platform for military grade encrypted privacy protected self-destructing (“ephemeral”)
communication and positioning. Like Snapchat or WhatsApp on steroids for ANY app developer or
organization. Simple implementation and low cost traffic subscriptions means great ROI.
In reality this means that we are re-creating the casual off-the-record conversation, like for instance a
tête-à-tête, on Internet and mobile communications. We protect all private or corporate communication,
chats, image sharing, video calls, positioning, etc. Communication and positioning are supposed to be a
dialog between two people, not something that is stored and mined for marketing, competition or political
reasons.
This is also most important for companies that need to communicate with people in the field even though
they bring their own devices and communicate over public networks. PingPal runs outside the standard
VPN providing even higher security and convenience to messaging, positioning services and app data
transport, making it the perfect tool for BYOD or outside firewall communication.
We invite ALL apps, platforms, devices and “things” to use this technology to protect their users.
We are not only revolutionizing how developers build communication into their apps, we are
revolutionizing in the way we make mobile and Internet communication private again. We bring back the
control of the app user data to the user. We don’t know anything about anyone communicating on the
PingPal service. And that’s the best way to protect user privacy; to not have any data to protect.