Evan McDonnell
Commentary
5 Enterprise Mobile Security Tips for Financial Firms

With all financial firms rolling out mobile apps for customers and internal employees, here are five security requirements every firm must follow.

Financial firms are increasingly using the mobile environment for applications to serve their clientele better. Modern work platforms enable financial applications to be developed quickly for optimal collaboration and peak customer experience.

For example, CME Group, the world's leading derivatives marketplace, needed to automate workflows, improve end-to-end visibility, and enable continuous improvement. It applied a modern work platform to create applications, consolidating processes while leveraging mobile for improved access and shorter response times.

At a more local level, the Bank of Tennessee has created mobile applications to enable its loan officers to process mortgages wherever it's most convenient for its customers -- enabling this community bank to level the playing field with the big boys.

As useful as mobile-enabled applications can be for the financial services industry, adding mobility can pose serious concerns for enterprise IT, particularly in terms of security.

Financial industry leaders must ensure their mobile-enhanced applications comply with a variety of security requirements. The five most important requirements are:

  1. Secure network communication
  2. Secure local data storage
  3. Protection against malware
  4. Secure authentication
  5. Remote disablement

Let's look in closer detail at each requirement and what you need to keep in mind.

Secure network communication
Make certain that all communication between client devices and servers is transmitted over HTTPS with SSL encryption. HTTPS/SSL is the industry standard for secure web communication between devices. Restricting connections to servers that present a trusted SSL certificate ensures the app cannot be tricked into handing its traffic to an unauthorized server. Address any exposure to the Heartbleed bug; fortunately, the flaw is limited to OpenSSL version 1.0.1 and the 1.0.2 beta.

Also, consider configuring mobile applications to work with a secure virtual private network (VPN) connection from the mobile device. This will allow clients to establish a secure connection to systems behind the enterprise firewall, and it ensures that your servers will not be directly accessible from the public Internet.
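Two checks a practitioner would want for this requirement, written as an added example rather than code from the article: a version test for the Heartbleed range the author mentions (using the published CVE-2014-0160 range, 1.0.1 through 1.0.1f plus 1.0.2-beta1, which is slightly more precise than the text) and a client TLS context that refuses servers without a trusted certificate. Function names are my own.

```python
"""Checks for the 'secure network communication' requirement (added example)."""
import re
import ssl

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f (fixed in
# 1.0.1g) and the 1.0.2-beta1 pre-release (fixed in 1.0.2-beta2).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def heartbleed_vulnerable(version_string: str) -> bool:
    """Return True if an OpenSSL version string falls in the Heartbleed range.

    Accepts a bare version ("1.0.1f") or the banner form that
    ssl.OPENSSL_VERSION returns ("OpenSSL 1.0.1e 11 Feb 2013").
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version_string!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor) != (1, 0):
        return False
    if patch == 1:
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g and later are fixed.
        return letter == "" or letter <= "f"
    if patch == 2:
        # Only the first 1.0.2 beta shipped the faulty heartbeat code.
        return beta == "1"
    return False


def local_runtime_vulnerable() -> bool:
    """Check the OpenSSL build this Python interpreter is linked against."""
    return heartbleed_vulnerable(ssl.OPENSSL_VERSION)


def strict_client_context() -> ssl.SSLContext:
    """Client context that accepts only servers with a trusted certificate.

    create_default_context() loads the system trust store and enables
    CERT_REQUIRED plus hostname checking; we also refuse anything older
    than TLS 1.2 (the 'SSL' protocols themselves are long deprecated).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when a context verifies certs, checks hostnames and requires TLS >= 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

Run `heartbleed_vulnerable` over the OpenSSL banners collected from your servers and devices; `local_runtime_vulnerable()` covers the host the script runs on.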

Secure authentication
Authentication from mobile devices must be handled on the server side to ensure that a central administrator maintains control of this aspect of security. Authentication architecture must be easily integrated with your corporate LDAP or SSO authentication servers.

Secure local data storage
It goes almost without saying that server location and user ID information on each mobile device must be encrypted. Documents downloaded to the mobile device must also be stored locally in an encrypted format.

Don't allow enterprise data to be stored on mobile devices; instead, make it deliverable on demand to the user via a secure network communication. By storing only the minimum amount of data required for local processing, using local encryption, and using secure network communication for all other data, you maximize enterprise data security.

Protection against malware
Native mobile applications -- as opposed to mobile-optimized web interfaces -- offer a superior user experience and protect against malware on mobile platforms.

Malicious applications steal information and infect devices, using common web attack techniques such as JavaScript injection (XSS) or SQL injection. These malicious apps concentrate on browser security holes as a primary means of attack.

Because mobile browsers are less mature than desktop browsers, staying with native mobile applications, rather than web interfaces, provides an immediate security layer for enterprise data.

Remote disablement
By some analysts' estimates, rates of mobile device loss and theft can be as much as 50% higher than those for laptop computers. If a mobile device is lost or stolen, it is common practice to disable that device remotely to prevent information theft or unauthorized software access. Mobile device platforms provide varying levels of support for remote disablement. Evaluate each individually for its merits and issues.

A native mobile client application makes it easy to disable features remotely, including removal of the application or locking its access.

With the rapid adoption of mobile devices in business, financial services IT experts must make data security the cornerstone of their mobile device strategy. Network encryption, secure authentication, minimal data storage, and passcode locking ensure your enterprise data can be securely transmitted to your mobile users. Today's modern work platform offers solutions to mobile-enable your enterprise applications and processes while maintaining a high level of security and access control.

Evan McDonnell is Appian's Vice President of Industry Practices and is responsible for guiding the company to meet the needs of specific industries. Evan has an extensive background in enterprise and SaaS software. He was most recently Vice President of Marketing at CodeRyte, ...
Comments
KBurger
User Rank: Author
6/10/2014 | 1:54:11 PM
Don't Take for Granted
Evan, this is a useful checklist. It's interesting that just a few years ago, concerns about mobile security held back many banks and other FIs from moving aggressively into mobile offerings; some firms undoubtedly lost "first mover" advantage. Now it seems that banks for the most part have overcome the earlier concerns -- if nothing else, competitive concerns require that. Customers and employees want to interact on mobile platforms. However, that doesn't mean the security risks were overstated or have diminished.
Jonathan_Camhi
User Rank: Author
6/10/2014 | 2:54:48 PM
Re: Don't Take for Granted
Good point, Kathy. Reminds me of the way some firms have moved applications to the cloud even though they still have security concerns about doing so. For financial services institutions, a hacker getting into their network is such a huge threat. And all points connected to the network -- vendor partners and employee mobile devices -- have to be secured.
Becca L
User Rank: Author
6/30/2014 | 1:38:26 PM
Re: Don't Take for Granted
Even the smaller players have to bite the bullet and take the leap into mobile and cloud or risk falling way, way, way behind on the tech innovation curve. Security, while important, cannot be a roadblock. Their customers expect similar levels of service and capabilities, and they have a real opportunity to secure their market with cutting edge offerings.
Kelly22
User Rank: Author
6/30/2014 | 3:23:52 PM
Re: Don't Take for Granted
True, mobile offerings have evolved from nice-to-have to essential for today's businesses. The potential for security issues is troubling, but companies are better off taking the right security precautions instead of ignoring the mobile trend. This is a helpful list for those trying to build up their mobile security strategy.
IvySchmerken
User Rank: Author
6/30/2014 | 10:00:50 PM
Re: Don't Take for Granted
I agree, these mobile security tips are extremely helpful for companies that are seeking to innovate and not fall behind. Bank of Tennessee is a good example of a small player that was able to leap forward by adopting mobile applications so that its officers could process mortgages. Customers are demanding these applications, and with bring your own device (BYOD) to work becoming mainstream, companies need to implement these security practices rather than avoid mobile delivery, which would be a competitive disadvantage.