The premium version of Documents to Go—the top-selling business app in Apple's App Store—lets you create, edit, and view Word, Excel, and PowerPoint files stored in the cloud, making it a fantastic productivity tool and extending the power once available only on desktop PCs and laptops to handheld devices and tablet computers. It's also a compliance problem waiting to happen.

Not to pick on DataViz, the software's developer.  Similar products such as Quickoffice, Office Suite Pro, and Smart Office are equally problematic. As a group, they embody two of the three major types of compliance risks inherent in ultramobile computing: vulnerability to hacking, poor auditability, and shaky data security.

Hackability

First, hackability. Since users generally control what apps they download onto smartphones and tablets, rather than the IT department, they are much less vigilant and are more susceptible to downloading apps with hidden malware and viruses. True, mobile business software hasn't been a big hacking target yet, fortunately, but that doesn't mean it's completely safe either.

Susceptibility to attack, it turns out, depends more on the device than the app. BlackBerry is considered the most secure, says Mark McCreary, a partner at law firm Fox Rothschild who specializes in compliance with privacy-related laws. BlackBerry's maker, Research in Motion, tightly controls its App World, and BlackBerry data transmission is encrypted. Apple's recent efforts to improve the policing of its App Store to maintain a minimum standard of quality have had compliance benefits also, he adds. A rogue app is unlikely to sneak through.

Android Market's open doors have been more welcoming to hackers. In March, more than 50 Android apps—ranging from “Super GuitarSolo” to “Scientific Calculator”—came tainted with code designed to cull data from elsewhere on the phone and send it to a remote user. The apps had been downloaded thousands of times. Lookout Mobile Security reports that 320 malware-infected Android apps appeared in the first half of 2011 alone.

“In the situations I've seen where clients will allow Android, there's a layer that separates sensitive data from the Wild Wild West,” McCreary says. “But it's a cumbersome solution.”

Paul Bedi, managing partner at identity and access management consultancy IDMworks, adds that while “big brother” technologies exist, working with sensitive data on smartphones is still too risky.


Auditability

Second, auditability. It's “absolutely an issue,” says Greg Bell, a KPMG principal who leads the firm's information protection practice. The bottom line here is proving adherence to controls—controls themselves usually developed with regulatory compliance in mind. The rub is that detection, monitoring, usability, and access controls designed even a few years ago have been left in the technological dust by the latest devices. There's more data sharing, there's the cloud, there's svelte mobile devices—often “BYOD” (bring your own device) hardware owned by employees, not the company—replacing fat clients at a furious pace.

“Look at Sarbanes-Oxley controls,” Bell says. “Processes and technologies have evolved, but the controls really haven't. Things are out of alignment.”

Bell says emerging compliance-focused technologies will help. Gatekeeper software that regulates network access depending on location and device is one example; enterprise versions of Dropbox and SugarSync—with data encryption and secure check-in and check-out of files—are another. Cisco AnyConnect is among several VPN client apps for iPhone, Android, and BlackBerry that provide encrypted corporate access on the go. Citrix Receiver, also available on many devices, gives Citrix customers a way to access files on home or cloud servers.


But the biggest change, Bell says, must happen between employees' ears. Every member of the team must consider the security and compliance implications of their mobile-computing habits.

“It's really more of a cultural challenge rather than a technical challenge,” Bell says.

Data Security

The third type of risk, data security, is the thorniest of smartphone-computing problems. Data may be safe in the cloud itself, but the mobile apps that feed off the cloud represent vulnerable endpoints. Your third-quarter sales spreadsheet may be locked down with 256-bit SSL encryption on Box.net. It may be password-protected on Box's mobile app, too. But if you forget to close the app and leave your phone on the counter at Starbucks, well, so much for compliance.

The handy form factor is both a blessing and a curse, says Kevin Johnson, a security consultant with Secure Ideas. The problem, he says, is “convenience and access, but in a form factor that is trivial to lose.”

“How many phones have you lost in your life?” he asks.


A recent survey by IT security firm Sophos found that 22 percent of mobile phone owners had lost a device at some point, and that 70 percent of users failed to password-protect their phones. Gartner expects 95 million smartphones to sell in the United States in 2011 alone. More than a few will contain Evernote business ideas or even “photos of whiteboards,” as the Evernote App Store description puts it; or Sales Tracker, which its Android Market entry describes as able to “export/send report[s] in CSV format”; or SuiteDroid, on which you can “create, edit, search, and view sales orders, quotes, opportunities, purchase orders,” among other things.

With apps, smartphones have become tiny laptops. But a laptop is less likely to slip out of your pocket at the bar or in the back of a taxi. Also, companies have years of experience with laptops, and vendors have produced sophisticated tools to lessen the compliance and business risks of remote computing.

“With laptops, people are comfortable with the security risks,” Johnson says. “But the phones aren't there yet. It's coming, but right now it's ‘put a policy in place and hope.'”

ALL THE RAGE

Below is an excerpt from highlights of the Gartner survey, “Findings: Smartphones Top U.S. Consumers' Intended Purchases for 2011.”

Consumers in the United States are more likely to buy a smartphone in 2011 than PCs, mobile phones, e-readers, media tablets and gaming products, according to a recent survey by Gartner, Inc. U.S. smartphone sales are expected to grow from 67 million units in 2010 to 95 million units in 2011. By comparison, mobile PC shipments are forecast to total 50.9 million in the United States in 2011, up from 45.6 million in 2010.

In December 2010, Gartner surveyed 1,557 mobile phone users across the United States, China, India, Italy, Japan and the United Kingdom about many topics, including the types of devices consumers are looking to buy within the next 12 months. A total of 256 U.S. consumers participated in the survey. The results of this study represent the views of the respondents. The sample was weighted to be representative of the online population where an online methodology was pursued, and of the total population where computer-assisted or face-to-face interviews were conducted.

Smartphones were followed by laptop computers and desktop computers in rankings of U.S. consumers' average intent to purchase in 2011. Mobile phones ranked fourth in average intent to purchase, followed by e-book readers in the fifth position, and tablet computers ranking sixth.


Johnson has his own policy. His day job involves white-hat hacking. He uses Evernote on his iPad, he says. But not for everything. He knows his data's “on a third-party server, with no guarantee of privacy,” as he put it.

“I'd never use it for data involved in my penetration tests,” he says. The same goes for Dropbox, he says. He suggests policies that take into account a user's need. Salespeople thrive with mobile apps, doing demos on iPads and the like. But no one in HR should have personnel data on their phone, he adds.

McCreary takes a harder line. He suggests that his clients ban “any online service that allows you to drop a file.”

“It's the whole cloud issue,” he says. “Where does this stuff sit? Who has access? What if they get hacked? We made a decision: you can't do that.”

KPMG's Bell prefers adaptation to prohibition. Banning rarely works, after all, he says—offices blocking Facebook on work computers found their employees updating away their days via their smartphones. The answer must emerge from understanding business processes and user needs, applying technology where necessary, and educating employees.

“It's about trying to architect the right solution,” he says.