Handbook

Mobile Application Delivery: The Next Frontier

With the influx of mobile devices and applications entering enterprises, IT departments have a new mandate: how to securely and efficiently deliver reliable applications to end users.

EDITOR’S NOTE
Delivering Secure Apps Is No Small Feat

As technology trends like bring your own device gather steam, they have introduced a host of new blessings and curses for IT departments. On the upside, end users are more savvy consumers, with knowledge and preferences about IT. They may know quite a bit about Droids and Dropbox. On the downside, though, that know-how introduces issues of control, security and management for IT departments.

This package of articles looks at the consequences of trends like BYOD, virtualization and the cloud on application delivery. How have application delivery approaches like Software as a Service and desktop virtualization as well as BYOD ushered in new ways of delivering applications to users, and what benefits and challenges arise? And how can IT satisfy user needs while preventing data breaches and addressing usability concerns? This series of articles turns over these questions and offers some tactics to address them.

In the first article, James Furbush explores how mobile devices have prompted IT departments to think more efficiently about app delivery and how users can get access to existing apps without re-architecting applications for a mobile environment, which can be a time-consuming and costly prospect. In our second piece, Lisa Phifer explores some of the trends in mobile device management and security and outlines how IT departments can think about ensuring data security—even when they manage a variety of devices and operating systems.

Next, Robert Sheldon maps out four methods of delivering applications and weighs the pros and cons of each. All three contributors consider mobile devices in terms of the key elements that have come to define enterprise IT: control, security and flexibility. Finally, this package offers approaches and tactics to give users what they want while also delivering applications more efficiently and securely.

Lauren Horwitz
Executive Editor, Data Center and Virtualization Media Group

Mobile App Virtualization Eases Deployment Headaches

IT pros have begun to recognize that enabling mobility isn’t as easy as setting up an email account on an iPad and calling it a day. If IT doesn’t provide a way to access corporate applications and data on mobile devices, end users will simply circumvent IT and seek out their own applications.

But with careful planning and understanding of employees’ needs, IT can deliver apps without incurring the cost of re-architecting apps for a mobile environment—a process that can take months of development work and can cost tens of thousands of dollars.

THE THREE PHASES OF MOBILE APP DEPLOYMENT

There are three phases of enterprise mobile application deployment, according to Sam Ramji, director of strategy at Apigee, an application programming interface platform company in Palo Alto, Calif.

The first is using virtualization to deliver existing apps to mobile devices. IT shops have insisted, in fact, that application virtualization is a mobility play; this “bridge technology” can assist with organizational investments in Windows 7 and applications not built for a mobile environment. Many also acknowledge it’s not a long-term solution to enable a mobile workforce either, and makes sense from a cost perspective only if organizations have already virtualized applications.

The second takes an existing application and turns it into a cross-platform mobile app. The third decouples the data from the application and picks the appropriate application for the platform or device being used. Then IT can pipe the data from a data center into an application.

“The first two don’t respect the benefit of the mobile device,” Ramji said. “The third is really hard to achieve with the realities IT departments face.” Ultimately, he said, while mobile forces organizations to rethink how they deploy applications, there are still too many limitations for organizations to create an environment where the device doesn’t matter, but the access and use of data does.

MOBILITY CATALYZES CHANGE

Mobile has forced organizations to rethink existing systems and how employees access those systems, said J. Schwan, founder of Solstice Consulting, a Chicago-based enterprise mobility consulting firm, which released App Launcher, a previously internal-only mobile application lifecycle tool, this past summer.

“Mobile is a great catalyst for change,” he said. “Organizations don’t have to do everything with mobile, but we’re reaching a tipping point that it is the device platform of the future.”

At the University of California at Irvine’s Medical Center, doctors and administrators insisted on using their own iPads for work, which caused the IT department to react seemingly overnight.

IT set up a combination of AirWatch’s mobile device management and Bradford Networks’ network access control to provide a level of control over devices flooding the network, said Curtis Hendrick, manager of emerging technologies and support services for the university’s IT department. The organization pushed users toward iOS devices (approximately 1,000 iOS devices are now enrolled in an officially supported capacity at the hospital) because most of the organization’s application vendors have released iOS versions of their apps, Hendrick said.

For applications that didn’t have a mobile version to exploit, the IT department used its existing desktop virtualization technology, Citrix Systems XenApp, to push virtualized applications to iPads through Citrix Receiver. In the case of the hospital’s electronic medical records application, doctors can use the traditional Windows version of the app and an iOS version.

“The interface isn’t great on Citrix, but doctors have more functionality for entering patient data. The mobile app is great for swiping quickly through results on an iPad,” Hendrick said. Rather than choosing one application delivery method over the other, IT must offer doctors the flexibility to use whichever version of the electronic medical record app they need at any given moment, he added.

Other organizations have migrated legacy applications to the cloud as a result of mobile, while using virtual desktop infrastructure technology to deliver homegrown apps in the process.

Two years ago, Quality Distribution Inc. (QDI), a Tampa, Fla.-based bulk-transport company, reduced its dependence on products, said Cliff Dixon, vice president of IT at QDI. The plan was to adopt Software as a Service applications, such as Google Apps, when possible and then use Ericom’s PowerTerm WebConnect, which acts as a gateway to turn back-end data and applications into HTML5 Web apps for legacy applications.

Then, the company gave employees in regional offices Google Chromebooks to access the new application environment. The employees love it because they have access to all their applications and data even on a home computer, Dixon said.

“Because trucking happens in the middle of the night, it’s a 24/7 type of employee,” Dixon said. “If they need to start a process at home, they used to fire up their computer, create a VPN tunnel and hope things went smoothly. Now, they just grab their smartphone or iPad off the bed stand or anything with a modern Web browser, and get the job done in half the time.”

The ultimate goal for QDI is to eliminate the company’s data center footprint and legacy applications by 2015.

“We’ve taken that challenge to adjust our applications to fit the BYOD [bring-your-own-device] mold and choose app vendors that understand we operate in [the] mobile world,” Dixon said.

Dixon envisions an IT department that is less about troubleshooting problems and more about delivering services. Going mobile and shedding legacy platforms is part of that vision.

—James Furbush

Creating a Secure Foundation for Mobile Applications

Ultimately, mobile applications can be only as secure as the foundation on which they are built—that is, the mobile devices and operating systems on which they run. So it’s imperative to understand the inherent risks associated with mobile devices, the native security measures built into mobile operating systems, and best practices for mitigating risks.

UNDERSTANDING MOBILE RISKS

Lost or stolen smartphones and tablets pose significant risk. Phone theft is rampant, representing 14% of major crimes in New York City last year, as well as 38% of robberies in Washington, D.C. Employers are right to be concerned, since forensic analysis of resold devices can often recover some of a previous user’s data. If no security is applied, a lost or stolen device can easily lead to a breach of stored business data, including email messages, contacts, customer records, passwords and more.

Moreover, missing mobile devices enable intrusion into corporate networks and services. A smartphone configured for corporate email, Wi-Fi or VPN access can be an unlocked back door into otherwise secure systems, bypassing perimeter security. While the same can be said for laptops, users lose smartphones and tablets far more often. They almost always contain saved passwords and are less likely to verify user identity with two-factor authentication.

These data and network risks are exacerbated by mobile malware. According to Nielsen, the average U.S. smartphone has 41 user-downloaded apps. While most apps come from reputable sites such as Apple’s App Store and Google’s Play Store, mobile malware is growing fast—especially for the open Android OS. Even legitimate apps often have access to sensitive data and services such as contacts and location. A device running a malicious or overly inquisitive app, combined with access to corporate data, networks, or services, poses substantial business risk.

In fact, malware spreads by exploiting mobile OS and application vulnerabilities. Mobile ecosystems lag well behind established desktop/laptop patch infrastructure. When malware writers find a new Android bug to exploit, a fix must work its way first through Google, then device manufacturers, and then cellular network operators, before being offered to mobile users. As a result, IT has little insight into and no effective control over mobile vulnerability management.

Finally, perhaps the biggest risk of all is the human hand holding a smartphone or tablet. End users often ignore suggested updates, permission warnings and passcode prompts. According to the Information Defense Corporation, 71% of chief information security officers say that mobile devices have contributed to security incidents, largely due to careless employees who lack security awareness. User behavior poses an even greater risk given the undersecured, mixed-use bring your own device (BYOD) trend.

BEST PRACTICES FOR SECURING MOBILE DEVICES

Fortunately, many of these risks can be managed by instituting best practices and native security measures. When smartphones first emerged, they offered little built-in security. With its native encryption and over-the-air device management, RIM BlackBerry was a noteworthy exception and fostered broad business adoption, leading to emulation by other manufacturers.

When the Apple iPhone launched, for example, it had no encryption or IT management hooks. Today, every Apple iPhone and iPad comes with an encrypted file system, can be locked with a long, complex passcode, and supports more than 150 IT-configurable policies. Although such native capabilities vary by device make and model, all four major mobile OSes (i.e., Apple iOS, Google Android, RIM BlackBerry, Microsoft Windows Phone 8) support those best practices and more.

- PIN or passcode. The first line of defense against the unauthorized use of a lost or stolen device is a robust PIN or passcode. All four OSes support numeric PINs and alphanumeric passcodes, so the primary challenge is enforcing long, complex passcodes that users must re-enter frequently. Pairing shorter passcodes with secondary user authentication to open every sensitive business application is a practical way to reduce risk.

- Remote find and wipe. Most employers also want the ability to remotely locate a lost or stolen device and, when warranted, wipe all corporate data. Again, all four OSes support remote find and wipe, but wipe effectiveness varies. For example, wiping an iOS device renders all encrypted data (personal or corporate) inaccessible. In contrast, wiping an Android device simply resets it to factory default settings, which in many cases leaves recoverable data behind. Pairing remote wipe with applications that rigorously encrypt their own data makes remote wipe more effective.

- Stored data encryption. As noted, stored data encryption has become an enterprise must for mobile devices that store business data, including temporary files, message attachments, screen snapshots, cached Web pages, and other data that “leaky” applications generate. Full device encryption is widely supported, though noteworthy exceptions include Android 2.x and Windows Phone 7. Further, some devices can’t encrypt everything, even if the OS supports it. And even an encrypted device exposes data to a thief with a cracked PIN. Here best practices pair full-device encryption with software encryption by each application. To avoid leaks, application developers must be careful to rigorously encrypt everything written to flash storage and to safeguard their encryption keys. Emerging trends include sandboxed applications that create their own safe (authenticated, encrypted) operating environment, and secure data containers that safely store IT-managed documents for offline access.

- Over-the-air encryption. Employers also worry about data in motion: that continuous stream of traffic to and from always-connected wireless mobile devices. All four OSes natively support Transport Layer Security (TLS)-encrypted email and Web traffic, WPA2-encrypted Wi-Fi traffic, and virtual private network-encrypted network access. Unfortunately, related settings and certificates are too complicated to rely on end-user configuration. In addition, requiring secure Wi-Fi on-site doesn’t prevent users from exposing data at public Wi-Fi hotspots, and VPN configurability varies by device make and model. As a result, application developers should use TLS to encrypt their own traffic, independent of network or VPN security.

- Anti-malware. The above practices focus on data, but they can also deter malware—preventing Android malware from grabbing files on removable storage accessible to all applications, for example. In addition, mobile OSes “sandbox” applications to insulate them from one another and require users to grant each application permission to access device features or shared data. Unfortunately, users often accept those requests without understanding the consequences. While Apple’s policies have deterred iOS malware, the same can’t be said for Google or Microsoft stores. Even BlackBerry users can install applications from less-trustworthy sources (a risky behavior known as “side loading”). Best practices to deter mobile malware are still emerging, but they include monitoring for blacklisted applications or compromise, routing mobile traffic through cloud services that scan for malware, and running malware scanners on mobile devices. Application development best practices include self-protection of data, testing for exploitable vulnerabilities, and requesting only essential permissions.

- Mobile device management. IT can gain visibility into and control over smartphones and tablets with mobile device management (MDM). Methods range from using Microsoft Exchange ActiveSync to require a PIN and encryption to using third-party MDM tools to configure and continuously enforce security policies. Supportable security policies vary by mobile OS/version, device make/model, and MDM tool, but centralized security policy management is necessary to implement other practices such as PIN/passcode, remote find/wipe, encryption, and even anti-malware, without depending on compliant end users to always do the right thing.

- Mobile application management. Increasingly, MDM tools also provide mobile application management, letting IT inventory, deliver, install, update and remove applications. However, application developers need to understand how applications can be packaged, deployed, and updated for each mobile OS, as well as the distribution rules imposed by each manufacturer and app store. Those rules have security implications—all four mobile OSes require applications to be signed, for example—but differ as to who issues the signing certificate and how that affects application permissions. The best practice here is developer education.

- Data backup. To ensure that data can be restored after a device is damaged, wiped or lost, take advantage of data backup capabilities supported by each mobile OS. Native backup capabilities typically include writing backup files to a laptop or desktop and routinely backing up data to cloud storage (e.g., Apple iCloud, Google Drive). Best practices include passcode-protecting access to backup files and cloud storage, encrypting those backups wherever possible, and preventing business data from being backed up to personal storage areas. Mobile application developers may want to take advantage of native backup capabilities, but they also need to consider the security implications of doing so.

As indicated, many mobile security best practices use native mobile device and OS capabilities as a starting point, strengthened by combining those with application-specific security measures. Building security into each mobile application not only reduces risk but also levels the still-uneven playing field of mobile platforms. Mobile OS security and management hooks will continue to improve, and new mobile devices will emerge with new vulnerabilities.

Further, although we have focused here on mobile device and OS security, mobility involves many other components that must also be secured by IT, including the wireless networks, mobile messaging servers and cloud storage accessed by mobile users. Understanding all of these mobile risks and looking for ways to offset them during mobile application development is an investment that will pay dividends for years to come.

—Lisa Phifer
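
The device-side practices in the article above (PIN or passcode, stored data encryption, remote find and wipe, anti-malware) can be expressed as a posture check that a central policy engine runs over its device inventory. The following Python code is an added example, not part of the original article or of any MDM product; the record fields, the six-character passcode threshold, the application identifier and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# OS releases the article names as exceptions to full-device encryption support.
NO_FULL_DEVICE_ENCRYPTION = {("android", 2), ("windows phone", 7)}


@dataclass
class Device:
    # Hypothetical inventory record; a real MDM tool exposes its own schema.
    owner: str
    os: str
    os_major: int
    passcode_set: bool = False
    passcode_length: int = 0
    passcode_alphanumeric: bool = False
    device_encrypted: bool = False
    remote_wipe_enrolled: bool = False
    sideloading_enabled: bool = False
    installed_apps: tuple = ()


@dataclass(frozen=True)
class Policy:
    min_passcode_length: int = 6          # assumed threshold
    blacklisted_apps: frozenset = frozenset()


def evaluate(device, policy):
    """Return (decision, findings); decision is 'allow', 'restrict' or 'block'.

    'restrict' means business data may live only in applications that
    authenticate the user and encrypt their own data.
    """
    blocking, warnings = [], []
    os_key = (device.os.lower(), device.os_major)

    # PIN or passcode: the first line of defense for a lost or stolen device.
    if not device.passcode_set:
        blocking.append("no PIN or passcode set")
    elif (device.passcode_length < policy.min_passcode_length
          or not device.passcode_alphanumeric):
        warnings.append("short or numeric-only passcode: require per-app authentication")

    # Stored data encryption, including OS releases that cannot provide it.
    if os_key in NO_FULL_DEVICE_ENCRYPTION:
        blocking.append("OS release does not support full-device encryption")
    elif not device.device_encrypted:
        blocking.append("full-device encryption is not enabled")

    # Remote find and wipe; wipe effectiveness varies by OS.
    if not device.remote_wipe_enrolled:
        blocking.append("not enrolled for remote find and wipe")
    elif device.os.lower() == "android":
        warnings.append("wipe is a factory reset: require self-encrypting apps")

    # Anti-malware: side loading and blacklisted applications.
    if device.sideloading_enabled:
        warnings.append("side loading is enabled")
    banned = sorted(set(device.installed_apps) & policy.blacklisted_apps)
    if banned:
        blocking.append("blacklisted applications installed: " + ", ".join(banned))

    if blocking:
        return "block", blocking + warnings
    if warnings:
        return "restrict", warnings
    return "allow", []


# Constructed sample inventory (not from the article).
POLICY = Policy(blacklisted_apps=frozenset({"com.example.flashlight"}))
INVENTORY = [
    Device("alice", "iOS", 6, True, 8, True, True, True),
    Device("bob", "Android", 4, True, 4, False, True, True, sideloading_enabled=True),
    Device("carol", "Android", 2, True, 8, True, False, True),
    Device("dave", "Windows Phone", 8, True, 8, True, True, True,
           installed_apps=("com.example.flashlight",)),
]


def report(inventory=INVENTORY, policy=POLICY):
    """Map each owner to the decision for their device."""
    return {d.owner: evaluate(d, policy)[0] for d in inventory}


if __name__ == "__main__":
    for dev in INVENTORY:
        decision, findings = evaluate(dev, POLICY)
        print(f"{dev.owner:6} {dev.os} {dev.os_major}: {decision}")
        for finding in findings:
            print(f"       - {finding}")
```

An otherwise compliant Android device still comes back as "restrict", which mirrors the article's advice to pair remote wipe with applications that encrypt their own data.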

Four Mobile Application Delivery Options

As more employees bring mobile devices and apps into the workplace, IT has several delivery and management options to consider.

As the consumerization of IT takes hold, one of the biggest risks is that mobile device users exchange and store sensitive enterprise data without the necessary oversight. IT can limit these risks by controlling mobile app delivery, management and security. There are four approaches worth considering: enterprise app stores, Web-based apps, cloud-based apps and desktop virtualization.

1. Enterprise App Stores

Enterprise app stores provide a platform that enables users to browse and download IT-approved apps. Enterprise app stores give IT control over issues related to compliance, data governance, bulk purchasing and licensing, and they also provide a forum for user feedback and quality control, much like Apple’s App Store or Google’s Android Market.

But creating an app store is no small task. A store must be able to control and monitor the entire application lifecycle, which includes mobile app delivery, usage tracking, removing outdated apps and controlling which versions workers use. Implementing and maintaining such a system requires a significant investment in resources.

Organizations can tie into some commercial app stores, such as Apple’s, but there are limitations to these programs. For example, the App Store provides only mobile app delivery to iOS devices, and doesn’t provide the same degree of control that is available from a homegrown system.

2. Web Apps

Until recently, Web-based apps for mobile devices were considered an unrealistic mobile application strategy for app delivery. Better processors, faster connectivity and the move toward HTML5, the newest revision to Hypertext Markup Language, are opening up the possibility for a greater number of devices.

Unlike native mobile apps, which require a mechanism for app distribution and regulation, Web apps simply run in browsers, making the apps more compatible across a variety of devices. IT can easily deliver, maintain and upgrade Web apps, without the need for multiple versions or a distribution system.

Web apps still pose many hurdles for IT. For instance, whenever application state data—the data stored in memory during a session—must be updated, a screen refresh is required. If the user’s connection is less than optimal, this refresh can affect performance. When it comes to functionality, mobile device browsers are also limited. Pop-ups and multiple windows, for example, are not available on mobile devices, which makes displaying alerts and error messages more difficult. And unlike native mobile apps, Web apps can’t take full advantage of device features, such as cameras, messaging and scanning. But with the push toward HTML5, mobile Web apps are in a period of transition and, going forward, may prove to be an effective strategy.

3. App Delivery via the Cloud

If your workers use a service such as Dropbox for cloud-based file sharing and collaboration, your organization already relies on mobile cloud apps. These apps facilitate the exchange of data and are available anytime from any location on a variety of devices.

To implement cloud-based mobile apps at the enterprise level, organizations must develop their own offerings or pay for existing cloud storage services. Either option could require a significant investment. Existing services are easier in terms of getting them up and running, but relying on those services can mean losing control over how and where sensitive corporate data is stored. Developing an in-house service offers IT more control, but it also means that the enterprise will need to invest in the resources necessary to develop, implement, house and maintain that system across multiple mobile platforms.

Either way, cloud apps offer a great degree of flexibility and can help simplify mobile app delivery and maintenance because they provide a central access point from which to conduct and manage business.

4. Mobile Desktop Virtualization

Desktop virtualization delivers a traditional PC environment to any endpoint, from a desktop or laptop to a smartphone or tablet. With mobile desktop virtualization, users connect to secure in-house servers that run the operating systems and applications needed to conduct business, and a thin client on the mobile device connects to those network resources and renders the virtual desktop.

This approach stores all sensitive data in the organization’s secure data center and never on the device itself. Desktop virtualization also makes it easier for IT to manage applications and control and monitor usage.

For desktop virtualization on mobile devices to work, the user must have consistent, reliable network connectivity. Some products support offline desktops, but consistent connectivity is the key to an effective user experience. In addition, apps that are delivered virtually don’t always translate well to mobile devices. This is particularly true on smartphones because of their limited screen sizes. And any app that relies on intensive keyboard input and mouse actions can be a challenge for mobile workers.

Native apps are unlikely to disappear anytime soon, which makes app stores useful alternatives for controlling mobile app delivery. Web- and cloud-based apps, along with virtual desktops, provide flexible alternatives that can only improve as those technologies mature.

Determining which mobile app delivery method to use is no easy choice, and the options are changing rapidly. New products and technologies come along frequently, and old ones are evolving quickly. Whatever you decide, flexibility and a willingness to shift strategies as new technologies emerge are key.

—Robert Sheldon

AUTHOR BIOS

JAMES FURBUSH is a news reporter for SearchConsumerization.com and also covers desktop, virtualization and cloud topics.

LISA PHIFER owns Core Competence Inc., a consulting firm specializing in business use of emerging Internet technologies. Phifer has advised many companies about safe networking requirements, technologies and best practices, and has written extensively about these topics for various publications.

ROBERT SHELDON is a technical consultant and freelance technology writer.

Mobile Application Delivery: The Next Frontier is a SearchConsumerization.com e-publication.

Margie Semilof | Editorial Director
Lauren Horwitz | Executive Editor
Christine Cignoli | Senior Features Editor
Phil Sweeney | Managing Editor
Eugene Demaitre | Associate Managing Editor
Laura Aberle | Associate Features Editor
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Rebecca Kitchens | Publisher

TechTarget, 275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.
