Bring Your Own Data: Looking to the Past Helps IT Execs Securely Leverage Devices
Establishing policies for the use of mobile devices, whether they are personal or government provided, can seem like a big undertaking. Getting it right the first time is important. But those who know the history of government IT may recognize history repeating itself from the troublesome client-server days. By applying lessons learned from this time period, IT policy makers can avoid repeating problems that consumed large amounts of IT resources.
Government data must be secured and access limited according to policies established by executives in the agency. This applies to mobile devices as well. Compromised data – whether it’s considered secret, “For Official Use Only,” or less sensitive – can have an adverse impact. Mobile data challenges have resulted in a repeat of the temporarily popular client-server model that peaked in the 1990’s, followed by the subsequent migration to web-enabled apps.
While client-server architecture was a significant improvement over 3270 and vt100 terminals and terminal emulators, it eventually turned out to be very expensive for most applications. It was one thing to maintain two or three servers that stored the data, but quite another to manage client software apps installed on potentially thousands of desktops. This proved costly and inefficient as expensive development, QA, and support teams were established to build and deploy the client applications that were deployed on many desktop PCs.
While the client-server model still works well for some applications, the subsequent migration of most applications from client-server to web-based was a huge boost to government IT. The long term migration removed much of the expensive work of installing, maintaining and updating the applications. Indeed, the “client-side application” for web-based apps is simply any industry standard web browser. With web-based applications, there are no client applications to install and maintain – only the servers themselves and applications on them.
Today’s smart phones and tablets are really just a new incarnation of the “client computer.” Desktop computers, laptops, tablets or smart phones – all are really client-side computers, some more mobile than others.
An “app” installed on a mobile device follows a “client-server” computing model. And we know what happens when you install lots of client-side apps on a single client device – it becomes slow, unstable and unreliable, with subsequent high labor costs to troubleshoot problems. Eventually, people will get burned rom installing apps on their devices and have the same problems that older client-server computing models suffered.
Fortunately, today’s smart phones and tablets have very capable browsers built into them, and it’s common for most web applications to have a “mobile-browser-friendly” version. The smart way to move forward is to avoid client-server apps on mobile devices in favor of mobile optimized web applications.
Web apps (including those that are mobile-optimized) provide many benefits and should be considered the default model by agencies seeking to move forward with a more secure and manageable mobile strategy. Unlike client-server apps that must be tested and supported on many devices and OS’s, mobile-optimized web apps are designed to run well and uniformly across all mobile devices, regardless of operating system, providing users with consistent experience.
Perhaps most importantly, web apps are also far easier to maintain, manage and operate. In fact, government IT managers can apply many of the same tactics they would when monitoring any other piece of software that runs on their networks to the management of mobile web apps. These include:
#1 Server and application monitoring – In an effort to monitor the server side (rather than the thousands of individual devices), IT administrators can use server and application monitoring tools to keep track of mobile web apps. This allows them to monitor the performance of these apps and receive alerts when something is amiss so they may react quickly, which could be of paramount importance in, for example, a military situation that calls for immediate access to data.
#2 Analyze network traffic – Network analysis tools can provide perspective on which apps are consuming the most network resources and adversely impacting performance of the network for all.
#3 Monitor web app performance – Mobile optimized websites and apps can be monitored with synthetic transactions much like traditional websites and should be checked periodically to ensure optimal performance. This cannot easily be done with client-server apps, but there are tools to do this for web-based apps.
#4 Security management – Government administrators must implement security measures, such as log and event analysis, that allow them to monitor suspicious activity. The automated review of firewall rules is also important to ensure critical data is protected from unauthorized access. Most IT operations are already doing this for the monitoring of web apps,anddoing this for mobile-optimized web apps uses the same technologies.
Still, there remains the question of how data is accessed on mobile devices, and by whom. Some parameters that should be considered as data access policies are established include:
#1 Who is authorized to access the data?
c. No access
#2 What devices are authorized?
d. Desktops, laptops, tablets, smart phones?
e. Government devices only?
f. Personal devices?
#3 From what authorized locations are those devices allowed to access the data?
g. Internal wired networks only?
h. Internal Wi-Fi networks
i. Public internet?
j. Public internet via VPN?
#4 Which application architecture?
m. Web-based optimized for mobile devices and small screens?
There will always be some applications that are best implemented with the client-server computing model. For example, Microsoft Outlook is a popular client-server application on laptops and desktops. And most mobile devices include a powerful email client application.
Still, if history has taught us anything, it’s that size, shape and type of device are largely irrelevant. Rather, it’s data that is the potential enemy. Thankfully, IT managers already have the necessary tools at their disposal to fight that battle successfully. It is up to policy makers to establish policies that can efficiently leverage existing capabilities to manage the appropriate access to data from mobile devices.