Secure Mobile ERP: Is It Possible?


The proliferation and increasing power of handheld devices, together with rising expectations among enterprise resource planning (ERP) and enterprise asset management (EAM) users for constant mobile access to business data, are creating new demands and challenges for corporate information technology (IT) departments. With the trend toward bring your own device (BYOD), IT departments are finding it increasingly difficult to dictate the hardware platform used to access enterprise data. This presents new security challenges and forces a more collaborative relationship between IT departments and end users.

There are legitimate reasons for end users to need always-on access to ERP on their handheld devices. ERP is transitioning from a purely transactional system into one that facilitates real-time business decisions based on enterprise data. In a time when business is moving more rapidly than ever before, relevant data must be available to an executive anytime, anywhere. But mobile access is not just essential for those in the C suite. More knowledge workers and managers are working remotely or while traveling. And in a consumer-driven culture, attractive devices and user-friendly interfaces will only increase the demand for enterprise data in the palm of the hand. This is not a matter of junior employees going rogue and using non-sanctioned hardware. Senior executives, who are in a position to disregard IT directives, are perhaps the most likely to be involved. The consumerization of enterprise IT is under way.

One of the most daunting challenges posed by this mobile revolution is data security. When mobile devices are used to access financial data, customer records, and other sensitive files, how can an IT department ensure that data is secure?

Not a New Problem
Mobile data security is not a new problem. It was not so long ago that all data was disseminated on paper, and we had the same problem. Executives carried sensitive customer information on paper in their briefcases, and briefcases were easily lost, stolen, or compromised. More recently, laptops with huge hard drives full of corporate information have posed an even greater data security threat. This is an old problem with new technological challenges. What is different is the rate of change. Management of laptops evolved along with the use of those laptops, allowing IT to (more or less) keep up. Not so with the mobile revolution; the technology is evolving faster than IT can keep pace.

As we entered the digital age, traditional IT organizations were built around servers and conventional workstations, which are now well-managed and mature technologies. Laptops also are typically well managed, even though they are mobile devices. When laptops initially became mainstream corporate devices, they were costly and complex to network, and as a result, IT departments had to drive the rollout of these devices. But smart phones, smart devices, and tablets are comparatively low-cost and consumer-oriented, which means it does not require a skilled IT staff to get them into users' hands. Some early smart phones, notably BlackBerry, were built around centralized corporate control mechanisms, but these devices are rapidly being supplanted by iPhones and Android devices, which were designed for consumers first and arrived with weaker enterprise controls. These newer devices can be secured, but the speed of their adoption has IT staff scrambling. Android in particular is harder to secure uniformly because of its openness and because of the wide variation among the devices that run it.

Different technologies can be used to access data in the mobile world. From a security standpoint, a browser-based application may be most desirable, because little or no business data is stored on the mobile device. (This is only approximately true: browser caches and session cookies persist on the device, and a lost device with a live browser session is still a risk, so session timeouts matter here too.) But browser-based apps lack the optimization for mobile devices that native apps provide, often because they are not designed for the small screen and tend to assume a keyboard-centric approach. Native apps, those that reside on the phone or tablet itself, require some distribution of enterprise data onto the device. In exchange they can offer a highly optimized user experience and are easier to use on mobile devices. Native apps can take full advantage of the device's capabilities, including cameras and global positioning system (GPS) services. Finally, native apps tend to work better than browser-based apps on mobile networks, which can be slow or spotty. From a usability standpoint, the preferred approach is to use native apps with data that has been distributed to the device; from a security standpoint, that distributed data is exactly what must then be protected.

The IT department has some choice in how it manages the details. But it has little choice but to address the challenge head on or risk alienating its user community.

From the viewpoint of a chief information officer (CIO), this is a sea change in terms of the basic security model and who has access to what. If the company owns the servers and the data is on the servers, the company has pretty good control. But when mobility is introduced, the data is distributed across multiple devices that may not even be controlled or owned by the company. The CIO has just lost his or her single point of control. Proprietary and potentially valuable customer information is now being carried around on devices that are easily lost, hijacked, or stolen.

Striking a Balance
These facts dictate that the relationship between the IT department and end users can no longer be a command and control affair. It must evolve into a collaborative relationship that strikes a balance between access and security. This collaboration can start with shared decisions as to the types of applications to use to support the enterprise, the data that ends up on these devices, and the management policy for mobile devices.

It is apparent that mobile applications are used very differently than traditional business applications. An individual will not sit down and churn through long jobs on a mobile device. Mobile applications are characterized by support for very lightweight tasks—what is increasingly referred to as information grazing. A user approves things, rejects things, and defers things; mobility is not about heavy usage of deep application functionality. The mobile application needs to avoid application bloat and focus on the key lean features that need to be accessible at all times to support the business, while minimizing the data that ends up on a handheld device.

The realities of the mobile device user experience and connectivity mean that native apps are the most intuitive and desirable way to work on mobile devices. The rate at which native apps are being produced for the different mobile platforms, compared with the rate at which traditional Web applications are being optimized for mobile devices, makes it apparent that this is the way enterprise application end users will be working.

While IT may have to relinquish some control over which mobile devices are used to access enterprise data, it still must track, and demand an appropriate level of administrative control over, mobile assets that have access to corporate data. Fostering a collaborative, rather than a dictatorial, relationship between IT and users is key to making this happen. If IT implements and documents best practices around mobile security, and makes sure end users understand and adhere to them, most end users will cooperate. Policies must cover basic practices, such as requiring a device lock and being able to wipe the data on a device when it is lost. A collaborative decision as to which apps are to be used to access enterprise data can also help minimize exposure and achieve the business agility users are demanding.

Work with Your ERP Vendor
Most organizations need only a fairly limited set of apps to drive business value, and until recently most of them had their own IT departments build those apps. Homegrown apps can be difficult to support and maintain, and may not be as elegant as something developed for a broad community of users. Further, homegrown apps tend to tunnel directly into an ERP or other enterprise solution, which creates security issues of its own. Fortunately, today increasing numbers of vendors of ERP, EAM, or field service solutions are delivering packaged mobile applications.

The approach we have taken at IFS is to offer a series of native mobile apps with built-in provisions for device security, encryption of the data that is on the device, and basic user management features that let users manage elements such as user IDs and personal identification numbers (PINs). These applications are also designed to limit the data on the device to the minimum necessary to accomplish specific lightweight tasks. Our focus is on understanding which mobile tasks drive business value, building apps that are sufficient for those tasks and types of users, and then securing that data, particularly in the event the device is lost.

The cloud can also play a role in reducing both IT management cost and security exposure. With many homegrown mobile apps, mobile devices connect directly to an ERP or EAM solution or its database. An IT department must then open and manage firewall paths for those clients, which adds complexity. Worse, an inbound firewall opening exposes the enterprise endpoint itself to the internet, and connections through it tend to be finicky on mobile networks.

Figure 1

Our approach has been to use a cloud-based intermediary between the mobile device and a customer's enterprise environment. This approach implements a secure connection between the cloud and a customer's enterprise servers, and between the cloud and users' mobile devices (Figure 1). No data is stored in the cloud, and no mobile device connects directly to the customer's enterprise servers. This yields a secure method of mobile access and also greatly reduces connectivity and provisioning overhead. Users obtain their apps from the usual sources, including iTunes or the Android market, so users manage their own devices and use their credentials to connect to the cloud, which in turn acts as a broker to the back-office application. Meanwhile, the customer's IT department uses a cloud portal to control which users are allowed to use which apps, and to disable access quickly in the event a device is lost or an employee is terminated.

Mobile apps—not just Web-based apps, but native mobile apps—are here to stay. They are the workstation of the future—the new normal. Increasing out-of-office productivity by allowing mobile access to enterprise data and systems can drive business value by taking non–value-added time out of business processes. Today's organizations need to support mobile devices, whether this means adapting current enterprise solutions or evaluating new ones. A CIO and IT department of an organization of any size must plan to allow for BYOD and the growing consumerization of enterprise IT. If they don't, users will find a way to circumvent whatever controls are put in place. IT departments must collaborate with end users to find a balance between control and access, and then look to enterprise software vendors for a technology platform that meets business needs and user expectations while mitigating security concerns.

About the Author
Rick Veague is chief technology officer with IFS North America and is based in the Itasca, IL headquarters. In this role, Veague provides direction for IFS' use of service-oriented architecture (SOA) and works with IFS' leading customers to leverage SOA to provide state-of-the-art ERP.
