Insights Quarterly – Focus on Applications and Security in Australia

Applications and Security

The latest edition of Insights Quarterly, a joint research initiative between Fujitsu and Microsoft, focuses on the much discussed topic of application security. The research, the result of surveying over 100 Australian CIOs, confirms that security is no longer a second-level issue for CIOs; it is now well and truly top of mind, largely in the light of increased mobility. Many organisations are having trouble addressing security issues and accommodating requirements such as support for Bring Your Own Device (BYOD) strategies.

Interestingly, despite strong concerns about all aspects of security, many user organisations are having difficulty addressing them. This is often because security only becomes a pressing concern once systems have been compromised, and because many classes of security threat are comparatively new and awareness of how to deal with them is low.

Other findings of the report are that cloud computing is now considered ‘mainstream’, applications are migrating very quickly to mobile platforms and the cloud, and packaged software is becoming the norm.

The research is published on the Insights Quarterly Website: http://www.insightsquarterly.com.au, which contains the current and past reports as well as supporting research notes and PowerPoint presentations.

Testing Enterprise Mobility

One challenge for any IT project is to ensure that testing is performed efficiently and effectively. As with many things, the goal is to find a happy balance: in this case, ensuring quality without spending forever on the testing cycle. My intention here is not to dwell on V-model diagrams and testing frameworks, but to talk specifically about testing enterprise mobile applications.

Key Considerations

  • Graphical User Interface (GUI)
  • Screen flow/workflows
  • Integration
  • Mobile device/s
  • Communications
  • Infrastructure
  • Security
  • Roll-out

GUI, Screens, & Integration

A lot of the focus when testing enterprise mobility should be on the application, its screens, and its integration points. Involving end users early (when managed correctly) really helps to ensure that the screen flows work under real use scenarios. Often functions can be tested independently during the development cycle, and device emulators or simulators on a desktop allow rapid testing while the infrastructure and comms are still being put in place. If the mobile application works offline, be sure to test for data conflicts and locks, and test the resolution process: what happens when two users change the same record before either has synced, and which change wins? How does the solution recover from an integration error?
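The offline conflict case is easiest to reason about with a concrete sync protocol in front of you. The following is an added example, not code from the original post or from any product it mentions: a server that applies optimistic concurrency (a write is only accepted against the version the client last saw) and a client that queues edits offline, replays them on reconnect, and either surfaces a conflict or merges it with a caller-supplied resolver. The record layout, the SyncServer/OfflineClient names and the sample job record are assumptions made for illustration.

```python
"""Optimistic-concurrency sync for an offline-capable mobile app.

Added example, not code from the original post. The record layout, the
SyncServer/OfflineClient names and the sample job record are assumptions
made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Record:
    key: str
    value: dict
    version: int = 1  # bumped by the server on every accepted write


class SyncServer:
    """Server-side store that only accepts writes made against the current version."""

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}

    def put(self, key: str, value: dict, base_version: int) -> Tuple[str, Record]:
        current = self.records.get(key)
        if current is None:
            rec = Record(key, dict(value), 1)
            self.records[key] = rec
            return "created", rec
        if base_version != current.version:
            # Another client wrote since this one last synced: refuse the write
            # and hand back the server copy so the client can resolve it.
            return "conflict", current
        rec = Record(key, dict(value), current.version + 1)
        self.records[key] = rec
        return "updated", rec


class OfflineClient:
    """Client that queues edits while offline and replays them on reconnect."""

    def __init__(self, server: SyncServer) -> None:
        self.server = server
        self.cache: Dict[str, Record] = {}    # last version seen from the server
        self.pending: Dict[str, dict] = {}    # local edits not yet accepted
        self.conflicts: Dict[str, Tuple[dict, Record]] = {}

    def pull(self, key: str) -> None:
        rec = self.server.records[key]
        self.cache[key] = Record(rec.key, dict(rec.value), rec.version)

    def edit(self, key: str, **changes) -> None:
        """Record a local change; nothing is sent until sync()."""
        base = self.pending.get(key) or dict(self.cache[key].value)
        base.update(changes)
        self.pending[key] = base

    def sync(self, resolve: Optional[Callable[[dict, dict], dict]] = None) -> Dict[str, str]:
        """Replay pending edits. resolve(local, server) merges when a conflict is reported."""
        outcome: Dict[str, str] = {}
        for key, value in list(self.pending.items()):
            status, rec = self.server.put(key, value, self.cache[key].version)
            if status == "conflict":
                if resolve is None:
                    self.conflicts[key] = (value, rec)  # leave pending; surface to the user
                    outcome[key] = "conflict"
                    continue
                merged = resolve(value, rec.value)
                status, rec = self.server.put(key, merged, rec.version)  # retry against server version
                if status == "conflict":  # lost another race; give up this round
                    self.conflicts[key] = (merged, rec)
                    outcome[key] = "conflict"
                    continue
            self.cache[key] = Record(rec.key, dict(rec.value), rec.version)
            del self.pending[key]
            self.conflicts.pop(key, None)
            outcome[key] = status
        return outcome


def demo() -> dict:
    """Two field workers edit the same job offline; the second sync must not clobber the first."""
    server = SyncServer()
    server.put("job-42", {"status": "open", "notes": ""}, 0)  # constructed sample record
    alice, bob = OfflineClient(server), OfflineClient(server)
    alice.pull("job-42")
    bob.pull("job-42")
    alice.edit("job-42", status="closed")           # both go offline and edit the same job
    bob.edit("job-42", notes="customer not home")
    first = alice.sync()                            # alice reconnects first: accepted
    second = bob.sync()                             # bob's base version is stale: conflict
    resolved = bob.sync(resolve=lambda local, srv: {**srv, "notes": local["notes"]})
    return {"first": first, "second": second, "resolved": resolved,
            "final": dict(server.records["job-42"].value),
            "version": server.records["job-42"].version}
```

The point to test for is the middle step: without the version check Bob's stale copy would silently reopen the job Alice closed. A resolver is application-specific (here it keeps the server's status and Bob's notes), so the test plan should cover each record type's merge rule, not just "sync succeeds".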

Mobile Devices

An important consideration that is sometimes overlooked is the wide variety of mobile devices, models, operating systems, screen sizes, peripherals, and input methods that will be used in the solution. Don’t assume that everything that works on model X will automatically work on model Y.

Battery life: does your shiny new mobile application drain the battery flat in minutes? Is it using lots of CPU when decompressing or encrypting data? Does it constantly require communications or GPS? Schedule some tests that simulate different levels of usage.

Communications

Communications (or the lack thereof) should be checked. What happens when the comms are lost halfway through a transaction? What happens if comms are slow or poor? A transaction that was interrupted mid-flight must not end up applied twice when the client retries it. I’ve seen some creative ways to test this, for example underground car parks, driving through dead spots, or using a Faraday chamber. When projects first move from simulators to devices they are often cradled or connected via Wi-Fi, so make sure at some point to factor in tests based on real-world communication scenarios.
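The "lost halfway through a transaction" case has two distinct failure modes: the request never reached the server, or it did and only the reply was lost. A client that simply retries cannot tell them apart, so it will double-post in the second case unless each attempt carries the same idempotency key that the server deduplicates on. The simulation below is an added example, not code from the original post; the Server/Channel names, the drop schedule and the sample transaction are constructed for illustration.

```python
"""Idempotent retry for a transaction sent over flaky comms.

Added example, not code from the original post. The Server/Channel names,
the drop schedule and the sample transaction are assumptions for illustration.
"""
import uuid
from typing import Dict, List, Optional


class Dropped(Exception):
    """Raised by the channel to simulate a lost request or a lost response."""


class Server:
    def __init__(self) -> None:
        self.ledger: List[dict] = []       # every transaction actually applied
        self.seen: Dict[str, dict] = {}    # idempotency key -> reply already sent

    def post_transaction(self, body: dict, idem_key: Optional[str]) -> dict:
        if idem_key is not None and idem_key in self.seen:
            return self.seen[idem_key]     # replay the stored reply, do not apply twice
        entry = {"id": len(self.ledger) + 1, **body}
        self.ledger.append(entry)
        reply = {"ok": True, "id": entry["id"]}
        if idem_key is not None:
            self.seen[idem_key] = reply
        return reply


class Channel:
    """Delivers calls to the server, dropping them per a constructed schedule.

    Schedule entries: 'ok', 'drop_request' (server never sees the call) or
    'drop_response' (server applies it, client never hears back).
    """

    def __init__(self, server: Server, schedule: List[str]) -> None:
        self.server, self.schedule = server, list(schedule)

    def send(self, body: dict, idem_key: Optional[str]) -> dict:
        fate = self.schedule.pop(0) if self.schedule else "ok"
        if fate == "drop_request":
            raise Dropped("request lost")
        reply = self.server.post_transaction(body, idem_key)
        if fate == "drop_response":
            raise Dropped("response lost")
        return reply


def submit(channel: Channel, body: dict, use_key: bool, max_attempts: int = 5) -> dict:
    """Client side: retry until a reply arrives, reusing one key across all attempts."""
    idem_key = str(uuid.uuid4()) if use_key else None
    for _ in range(max_attempts):
        try:
            return channel.send(body, idem_key)
        except Dropped:
            continue                       # comms came back; try again
    raise RuntimeError("gave up after %d attempts" % max_attempts)


SCHEDULE = ["drop_request", "drop_response", "ok"]  # constructed comms failure pattern


def run(use_key: bool) -> int:
    """Return how many copies of one transaction the server ended up applying."""
    server = Server()
    channel = Channel(server, SCHEDULE)
    submit(channel, {"job": "J-7", "amount": 120.0}, use_key)
    return len(server.ledger)
```

With the same three-step outage, the naive client leaves two ledger entries and the keyed client leaves one. The Faraday-chamber style tests in the text are the real-world way to exercise exactly this path; the schedule here just makes it reproducible on a build server.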

Infrastructure

With infrastructure it’s often not possible to replicate the production environment directly, but it is definitely worth simulating traffic. Try running functional tests while ramping up the load and find out at what point problems occur. Mobile Enterprise Application Platforms (MEAPs) often come with tools for capturing, simulating, and amplifying traffic.

Authentication & Security

It’s obviously important to test the authentication and security mechanisms. Consider carefully how the authentication works and schedule appropriate testing. What happens when a password expires, or when the user enters it wrong too many times? Does a lockout actually stop further attempts, and does it clear again afterwards? Some companies hire in specialists to attempt to compromise the system (penetration testing).
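These are the cases that are easy to describe and easy to forget to test. The following is an added example, not code from the original post: a small authenticator with a failure counter, a timed lockout and a password age check, plus a scenario that drives it through each edge. The policy values (5 attempts, 15-minute lockout, 90-day expiry), the user names and the hashing parameters are assumptions made for illustration.

```python
"""Authentication edge cases worth scheduling tests for: lockout and expiry.

Added example, not code from the original post. The policy values, user
names and hashing parameters are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=15)
PASSWORD_MAX_AGE = timedelta(days=90)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None


class Authenticator:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), now)

    def login(self, username: str, password: str, now: datetime) -> str:
        """Return one of: ok, expired, locked, bad_credentials."""
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)  # same cost as a real user: no timing leak
            return "bad_credentials"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"                   # even a correct password is refused
            acct.locked_until, acct.failures = None, 0
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT
                return "locked"
            return "bad_credentials"
        acct.failures = 0
        if now - acct.password_set_at > PASSWORD_MAX_AGE:
            return "expired"                      # correct password, must be changed first
        return "ok"


def scenario() -> dict:
    """Drive the authenticator through each edge case with a fixed clock."""
    t0 = datetime(2013, 1, 1, 9, 0)               # constructed reference time
    auth = Authenticator()
    auth.create("fieldworker", "correct horse", t0)
    results = {}
    results["wrong_x4"] = [auth.login("fieldworker", "nope", t0) for _ in range(4)]
    results["wrong_5th"] = auth.login("fieldworker", "nope", t0)
    results["right_while_locked"] = auth.login(
        "fieldworker", "correct horse", t0 + timedelta(minutes=1))
    results["right_after_lockout"] = auth.login(
        "fieldworker", "correct horse", t0 + LOCKOUT + timedelta(seconds=1))
    results["right_but_expired"] = auth.login(
        "fieldworker", "correct horse", t0 + timedelta(days=91))
    results["unknown_user"] = auth.login("ghost", "x", t0)
    return results
```

Two details matter for the test plan: the correct password is refused while the lockout is active (a lockout that only applies to wrong guesses is no lockout), and an unknown username costs the same hashing work as a real one so the login endpoint cannot be used to enumerate accounts by timing.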

Roll-out

As part of the overall strategy, consider a technical go-live in which the mobile application is put into production and tested without being used for real business. This may require assistance from the business to run through some transactions and then back them out. Once the technical solution is confirmed, one or two key users can be introduced to the solution. At this stage monitor the system thoroughly and make any changes necessary. Once proven, expand the user base gradually and ensure that performance is managed. On some projects it’s necessary to throttle performance initially so that the first user group does not feel negatively impacted once the entire community is live.

Please let me know your thoughts and any additional lessons learnt from testing enterprise mobile applications…

How to Select a Device for Enterprise Mobility

Over the last few years consumer devices have overtaken enterprise devices in a lot of ways. Many of the features originally developed for the enterprise are now standard in the mobile phones we all carry. Does this mean it’s a no-brainer when it comes to choosing a device for an enterprise mobility project? Far from it: more choice brings more debate and more confusion. While BYOD may suit many organisations and mobile solutions, it’s worth looking carefully at your own situation to determine which devices are appropriate.

Obviously, across the fields of consumer and enterprise mobile devices there is a lot of variety and the technology is changing rapidly. What stays more or less constant is that businesses want value for money. I’ll cover some of the key points to help you make up your own mind about what is right for your initiative. I’d suggest making the decision based on a good understanding of current and future requirements; a discovery, questionnaire, and/or workshop process is a good way to get there. Try to ascertain what you can in the following areas:

Who are the mobile users?
When formulating a strategy for device selection I normally start with the user roles. For example:

  • Executives
  • Sales People
  • Customers
  • Subcontractors
  • Service Staff
  • IT personnel
  • Consumers
What will each user group do with the device?
You might find a 1:1 match between use cases and users, but normally there is some crossover, so it’s important to understand what will be done with the devices. Here are some examples:
  • Click through work flows
  • Create content or enter lots of text
  • Scan goods with a bar code or RFID
  • Capture a customer’s signature
  • View large documents
  • Take photographs of problems
  • Search on the Internet for information
  • Use mapping or Geo location services
Where and when will they use the device?
Of course the environment may vary within a user group; this might be the point at which you identify sub-groups with slightly different needs. Thinking about the following use profiles may help you determine battery life or IP rating requirements.
  • In and around the city
  • In rural areas
  • Underground
  • In a vehicle or forklift
  • In wet areas, in the desert, in high temperatures
  • With chemicals or explosives
  • Occasional phone calls
  • All day data entry

What are the needs of the software?
You may have covered this when evaluating the use cases; however, it’s good to cross-check and consider any technical requirements the devices will have to meet:

  • Particular operating system or version
  • Browser that supports HTML5
  • Antivirus
  • Offline Database
  • Storage capacity
  • CPU type
  • Connectivity (Bluetooth, serial, USB)
  • Printing

OK, that’s a lot of questions, but once you have a handle on these areas you can map user groups, use cases, and form factors to identify which device styles suit your business. I often do that in a spreadsheet, and if necessary you can apply weighting values to certain characteristics. Out of this work you should be able to determine the base requirements list for each device, something like the following:

What are the device requirements?

  • Screen Size
  • Input Method
  • Peripherals
  • Battery Life
  • 4G/LTE/Wi-Fi
  • Ruggedized or not

Let’s not forget the non-functional, procurement, and policy type requirements you may have in your organisation. For example:

Is it time to BYOD?

Should you allow employees to bring their own device (BYOD) into the enterprise? It’s a question that raises many others. Is the business data going to be at risk? Can the business save thousands of dollars per year by not buying devices? Will employees finally get the latest gadget they want?

The idea of employees using their own equipment at work is not new. Using private vehicles for sales representatives, couriers, and truck drivers has a long history in industry. Likewise enterprise mobility is not new. Companies like Intermec and Motorola have developed fit for purpose mobile devices since the 1970s. What has changed and continues to advance rapidly is the sophistication of consumer mobile devices. These are now more powerful and feature rich than ever before. With the explosion of mobile device technology early adopters immediately brought the latest devices into the workplace. Before the iPad was released in Australia, it was being used in Aussie workplaces to show videos, take notes, and access email. Therefore the big question for enterprises isn’t “should we allow BYOD,” but “how do we allow BYOD”?

BYOD strategy success factors
If we further explore the analogy of vehicles in the workplace, some governing factors emerge that ensure their successful use. Firstly, there are situations (dare I say applications) where it may not be appropriate to use a private vehicle: for specialist fields like mining, police, and health, or where there is a need for branding, a company vehicle may be a better fit. Secondly, there are mature policies that outline how a private vehicle can be used; for example, bicycle couriers may get a fee per delivery, whereas taxi drivers must prepare and service their vehicle following strict guidelines. Another challenge is that employees expect to be able to use their private vehicle in their own time for their own purposes. So what should the enterprise do to prepare for the BYOD that is already happening? A useful technique is to develop a BYOD strategy that encompasses the requirements, risks, policies, and technology.

Current usage of mobile technology
The first factor to consider is how your enterprise currently uses mobile technology. The most common answers are phone calls, email and attachments, calendar, internet, and map services. These features may be low risk for most, but consider the specific risk to your enterprise and data. If a phone were found by a competitor, what data could they access? Could a malicious user release commercially sensitive information or breach a government regulation? Increasingly, enterprises already use or are planning to use mobile technology to access the corporate network and back-end systems. These uses of mobility warrant a closer review of the requirements and risks. Typically these applications fall into the category of either web-based or rich/native applications. Consider carefully what data and features the mobile applications enable. Could a malicious user download all of the customer data? Some rich mobile applications are akin to the police car in the vehicle analogy and require specific equipment to run properly (e.g. bar code scanning, a specific operating system, or a printer). It may help to document each type of user and the features and applications they require.

Managing other risks and factors
While loss of IP and corporate data is of paramount importance, there are a range of other factors your enterprise should consider for BYOD, including:

  • Cost of support – how will you handle problems on BYOD devices?
  • Personal data – what if employee data is wiped or accessed?
  • Who’s paying – for the device, data, calls, and support?
  • Short lifespan – with models changing every 6 months how will you upgrade?
  • Employees leaving – clean up the Enterprise data?

The right policies for your enterprise
This is a real “horses for courses” question. I’ve worked with small businesses that love technology and utilise every feature, including geo-fencing and remote control of devices for support, but don’t require strict regulation of their data. At the other end of the spectrum are government-regulated industries that only use technology when they have to, where every feature needs to be encrypted and locked down. In my opinion sensible policies should protect the enterprise without hamstringing productivity and innovation. When you have a good picture of your requirements, data, and risks, think about the policies your enterprise would want to include in relation to mobile devices. These policies may in fact be appropriate for both BYOD and corporate devices. Most enterprises have an acceptable use policy for their desktops and/or the internet, and these may be a good starting point. Don’t just consider the technical policies (for example security, authentication, password strength, and data segregation); also think about the commercial ones (that is, who pays for the data, calls, and support).

Managing the mobile fleet
I’ve seen a number of organisations where the mobile fleet is out of control and monthly fees are paid for dormant SIM cards sitting on a shelf. Consider all the device models, brands, and operating systems that you have out in the field. Do you have a mixture of old and new devices, iPhones for executives and ruggedized devices in the field? Just because your enterprise will support BYOD doesn’t mean it needs to support every type of consumer device. Look at the popular consumer device models, consider your enterprise requirements and policies, and create a whitelist of devices that are suitable.

Supporting tools and solutions
Once you have a handle on the BYOD requirements and policies you may need to consider a toolset like Mobile Device Management (MDM) to assist with the implementation of your strategy. Typical MDM features include:

  • Application management
  • Asset & lifecycle management
  • Authentication, policy & security management.

An MDM can help segregate personal and corporate data, establish a standard operating environment (SOE), and support fleets of devices more easily. However, MDMs are reliant on the features provided by the operating system or hardware manufacturer. For example you may be able to remotely view the screen on a Windows Mobile device, but an Apple device might not support this feature. Likewise some MDM products are offered as a hosted service and others must be installed on your own hardware. Investigate the toolsets; a good starting point is Gartner’s Magic Quadrant for MDM. If you’re thinking about iOS, a great public resource is the Department of Defence iOS hardening guide. Employees always want to use the best tools, and mobile technology is an area that continues to evolve. Be prepared so that your enterprise can cost-effectively leverage the benefits of mobility. Develop a BYOD strategy that considers the requirements, risks, policies and technology. Consider that BYOD is happening but may not be suitable for every mobile enterprise need.
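The device whitelist from the fleet section and the policy checks an MDM enforces at enrolment come together in one decision: may this particular device, in its current state, hold corporate data? The following is an added example, not code from the original post or from any MDM product: an allowlist keyed on platform and model with a minimum OS version, plus the kind of posture checks (jailbreak, storage encryption, passcode length) that the technical policies in the text describe. The allowlist entries, thresholds and sample fleet are constructed for illustration.

```python
"""Device allowlist plus a minimal enrolment policy check.

Added example, not code from the original post or from any MDM product.
The allowlist entries, policy thresholds and sample fleet are constructed
for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed allowlist: (platform, model) -> minimum OS version allowed to enrol
ALLOWLIST: Dict[Tuple[str, str], Tuple[int, ...]] = {
    ("ios", "iPhone"): (6, 1),
    ("ios", "iPad"): (6, 1),
    ("android", "Galaxy S3"): (4, 1),
}

MIN_PASSCODE_LEN = 6  # constructed policy value


@dataclass
class Device:
    owner: str
    platform: str
    model: str
    os_version: str
    passcode_len: int
    storage_encrypted: bool
    jailbroken: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.1.3' -> (6, 1, 3); tuples compare element-wise, so (5, 1, 1) < (6, 1)."""
    return tuple(int(part) for part in text.split("."))


def evaluate(dev: Device) -> List[str]:
    """Return the list of policy failures; an empty list means the device may enrol."""
    failures: List[str] = []
    minimum = ALLOWLIST.get((dev.platform.lower(), dev.model))
    if minimum is None:
        failures.append("model not on allowlist")
    elif parse_version(dev.os_version) < minimum:
        failures.append("os version below minimum %s" % ".".join(map(str, minimum)))
    # Posture checks apply to every device, allowlisted or not, so the report
    # tells the owner everything they would need to fix.
    if dev.jailbroken:
        failures.append("jailbroken/rooted")
    if not dev.storage_encrypted:
        failures.append("storage not encrypted")
    if dev.passcode_len < MIN_PASSCODE_LEN:
        failures.append("passcode shorter than %d" % MIN_PASSCODE_LEN)
    return failures


FLEET = [  # constructed sample fleet
    Device("exec1", "iOS", "iPad", "6.1.3", 6, True, False),
    Device("sales2", "iOS", "iPhone", "5.1.1", 4, True, False),
    Device("tech3", "Android", "Galaxy S3", "4.1.2", 8, False, True),
    Device("sub4", "Android", "Nexus 4", "4.2", 8, True, False),
]


def fleet_report(fleet: List[Device] = FLEET) -> Dict[str, List[str]]:
    """Owner -> policy failures, the view a fleet administrator would act on."""
    return {d.owner: evaluate(d) for d in fleet}
```

Two design points carry over to a real MDM rollout. The allowlist is on (platform, model, minimum OS) rather than model alone, because the security properties the text relies on (encryption, remote wipe, passcode enforcement) arrive with OS releases, not hardware. And the check returns every failure rather than stopping at the first, which is what lets the support desk tell an employee exactly what to fix before resubmitting.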