Blog Post

BYOD security and the importance of covering your backend

Last year I declared in a post on this site that resistance to the enterprise BYOD movement was futile. Fourteen months later, the statistics certainly bear that out. Most enterprise IT groups have moved out of the denial stage, and are busy figuring out how to deal with the operational complexity created by employee-owned, multi-platform mobile devices connected to their networks.

On the bright side, these same enterprises are able to provide productive apps to their captive employee audience. As I outlined in last year’s article, there is an emerging mobile backend that powers those apps which now presents a new security perimeter for the enterprise. The next realization for these companies is the need to focus on enabling and securing this mobile backend if they want to be successful with BYOD.

Get your rear in gear

I work with a lot of mobile app development companies and I find their definition of “the cloud” delightfully simple. While enterprise architects debate public vs. hybrid vs. private in the halls of the ivory tower, mobile developers consider anything they can access on the network to be the cloud. Popular network-based services they look for include caching, social media integration, user authentication and business integration. These services can be run on SaaS intermediaries, in Amazon, or on enterprise servers. The cloud concept abstracts these services in the minds of app developers, so they will take them wherever they can find them.

Since your company needs to deal with mobile apps, it is important to take control of the data and applications that feed them.  If you don’t, the mobile app tail will start wagging the enterprise IT dog, which is a recipe for disaster. For instance, I know large companies whose first foray into Amazon Web Services was through the implementation of an off-the-shelf mobile app whose proprietary cloud services were an unknown part of the package. AWS and other cloud providers are great platforms for enterprise mobility, but service placement needs to be determined by the enterprise itself.

A useful approach is to look at these data and application services collectively as your enterprise’s Mobile Backend. Mapping out your company’s mobile backend services will allow you to determine which ones can be re-usesd across apps, and where you should run them.

Who owns your data?

Apps get value from data. The big data revolution sweeping the enterprise landscape (in parallel with mobile and cloud) allows more enterprise data to be accessed and analyzed in real-time. Backend APIs provide a gateway to this data. However, if you don’t know how this data is being accessed and fail to put the right access control in place, those pragmatic app developers will take the shortest path to what they need and potentially expose the wrong information to the wrong end user. That’s a potentially disastrous situation.

Aside from the rudimentary risks around data security, BYOD complicates data ownership. Company employees using data on their mobile devices have dual personalities ([email protected] vs. [email protected]), personal devices and cloud platforms that transport the data are outside the enterprise boundaries, and the data itself is subject to increasing privacy and compliance restrictions. If you factor the burgeoning Internet of Things trend into your enterprise mobility plans – which you should – then you also have the prospect of automated endpoints producing and consuming this data. That’s a lot of moving pieces, and all of these identities and their relationships to the data are key considerations for protecting your backend data.

As an example, consider an energy company that is providing smart meters to consumers, smartphone apps for these consumers to control and monitor their power consumption, and tablet-based apps for their technicians to service the smart grid. Privacy rules dictate that only the consumer can see the detailed data around their power consumption – as otherwise strangers could determine when people are at home. Yet practicality dictates that more intrusive functions on the smart meter should only be made available to the service technicians. So how can this company ensure these restrictions are enforced?

Back to basics, back to front

A number of solutions come into play when addressing security for BYOD, from device level MDM security to containerized app specific MAM technology. While these approaches secure data on the device, how can you secure the data from the device to the data center? Your mobile backend security strategy also needs to ensure that appropriate security and integrity is in place before the data reaches the app. Looking at things from the backend perspective will allow you to address these requirements, whether your data resides in an on-premise data center or in the cloud.

Since an app accesses enterprise data through an API, protecting the API while managing how it shares data is essential to a backend security strategy (Disclosure: The author’s firm, Layer 7 Technologies, markets an API gateway product). So as you work on addressing device and app security for your BYOD strategy, make sure you don’t leave your backend exposed. If you do, you’ll sure feel it when it gets bitten.

Matt McLarty is vice president of client solutions for Layer 7 Technologies, a CA Technologies company, and is a provider of API management products and solutions. Follow him on Twitter @mattmclartybc.

Have an idea for a post you’d like to contribute to GigaOm? Click here for our guidelines and contact info.

Photo courtesy of Maksim Kabakou/

5 Responses to “BYOD security and the importance of covering your backend”

  1. Nice story — thanks for posting. One area you touched on that I think will be very relevant is “app-specific” mechanisms where the security is managed on an ad hoc basis. The technique basically has the application itself manage its own security (with or without OS level container support), and is closely tied to the ability of tying bandwidth provisioning to each app as well (in the context of BYOD — “BYOB” — bring your own bandwidth). In the latter, the bandwidth is provisioned via each app where the app creator pre-loads bandwidth rules and payment mechanisms inside each app, and the results are sent back OTT to the billing system (avoiding any complexities to the carrier OSS/BSS). Bottom line, an app-centric approach to security, bandwidth provisioning, etc. is a much cleaner and scalable solution for new use mobile cases whether enterprise related on not.

  2. Adam Greenblum

    An alternative to MDM or containerization for securing BYOD is to use virtualization and HTML5 technologies to keep data and applications separate from personal devices. One such solution is Ericom AccessNow, an HTML5 RDP client that enables users to connect from most types of devices to any RDP hosts (such as VDI virtual desktops or Windows Remote Desktop Services) and run full Windows desktops or applications in a browser tab.

    There’s nothing to install on the end user devices, as you only need an HTML5-compatible browser. That protects corporate data by keeping it off the device, and also reduces IT support costs, since IT staff don’t need to spend time installing software on so many different platforms. All they need to do is give employees a URL and login credentials.

    For an online, interactive demo visit:

    Please note that I work for Ericom

  3. Malware is running rampant on Androids, and everyone just seems to ignore the fact that compromised devices render MDM and data containers obsolete. Malware can, for example, log keystrokes and screenshots.

    So why does everyone conveniently ignore this fact? Because there is seemingly nothing to do about it, since smartphones don’t have the CPUs and batteries to run constant AV processes.

    But now there is a company called Clutch Mobile that scrubs all the data going in and out of BYOD computers, like Barracuda, IronPort and others do inside the enterprise. Clutch runs in the cloud, so it’s easy to deploy and manage.

    DIsclosure: I am so impressed with Clutch that I invested in them.

    • Matt McLarty

      I didn’t mean to gloss over MAM. In fact, MAM is part of the overall BYOD security and operational picture. Just focusing on the backend here. Thanks for your comment! …Matt