Mobile UC and Business Applications Security

April 18, 2008

Will Security Hold Up Mobile UC Applications For The Enterprise?

Art Rosenberg, The Unified-View

Two recent articles on the web caught my attention because they focused on a key concern of IT management about security as it affects business communications in the enterprise. The first article, by Michael Ybarra, reports on the negative reaction of IT management to end user demand for mobile smart phones, where security concerns are given as reasons for limiting support for such devices that will be essential to UC.

Part of the reluctance to allow the use of smartphones by business users seems to be simply because IT thinks it has to fund the purchase, complete user support of the device, as well as the security of any enterprise information that is accessed by the device. In effect, they view the mobile devices just like premise-based, wired desktop PC and telephones. However, because end user demand for mobile “smartphones” has heated up significantly, IT is caught in the middle of changing needs that will also be critical for maximizing UC benefits.

When enterprise-oriented RIM Blackberries, supported by secure enterprise servers, were the only game in town for “push” enterprise email and application messaging, enterprise IT had control over pretty much everything that end users did with those devices. Adding telephony access to the RIM devices “glued” the voice and data pieces together at the mobile device level, although not necessarily in a fully integrated “UC” manner. When Apple jumped into the mobile communications market with its innovative iPhone, the battle for the hearts and minds of both consumers and business users began.

According to the article, one CIO said that a big challenge is keeping up with the latest mobile devices that end users want. “I can’t tell you how many people have come up to me wanting an iPhone. It’s not what we support. WE give them the tools to support their job and environment.”

Those tools could become simpler to manage if they were software based and controllable for enterprise use, both from a security perspective as well as from an interoperability perspective. Apple is now playing catch-up with RIM with its iPhone upgrades for controlling device usage and working with Microsoft’s Exchange software. So, it is just a matter of time that the client and server software will handle the basic enterprise messaging requirements for iPhone users.

The other side of the UC coin however has to do with using the same device for business process applications, and that’s where the second article addresses the need to change enterprise security from the network level to the application software servers.

Where Will The Information Access Security Be Enforced?

The second article, an interview with Internet security expert Ted Schlein, makes the point that enterprise security responsibilities really belong at the application software level to protect proprietary company information, not at the network hardware level. The article claims that the biggest obstacle in pursuing this software approach to network security is simply” inertia.”

Just like business communications are no longer just location based, business information, accessible through business process applications, is also no longer restricted to a single type of network access or just to internal, intra-enterprise staff. To preserve both device and access flexibility for different types of end users, enterprise security has to be selectively enforced at the information source level.

According to Schlein, “ We need to change who is providing the defenses and how we provide the defenses. In the past, the “who” part was the network operations guys, and they basically put in a box to stop malicious data packets….In (the) future, software engineers have to be responsible for security. Engineering principles have to be built into security and applied by the people creating the software.”

Such an approach, which is done from the “inside out,” could eliminate the need for firewalls and intrusion detection systems, etc., and allow business process applications to selectively and consistently secure their content to different types of users and different modes of access.

As enterprise business applications become more distributed and “virtual” with the likes of software implementation frameworks like SAAS and SOA, the enterprise network “walls” will not be adequate to control the security of information that must flow directly to people outside of the business organization, i.e., supply side partners, sales channels, and, most importantly, customers. So, although legacy application software is not yet ready to take on this responsibility, it is yet another area of software changes that the vision of UC will require.

What Do You Think?

You can contact me at: artr@ix.netcom.com or .

Confused About Implementing “UC?”

The experts at UCStrategies.com just published a comprehensive UC eBook that focuses very heavily on defining the various components of UC and how to systematically migrate current business communications to UC. Take a look and see if it answers your questions!