IBM Makes Enterprise Mobile Security MoveIBM Makes Enterprise Mobile Security Move

Samsung Galaxy S 4: 11 Clever Tricks

Since purchasing Worklight in January 2012, IBM has quickly made the app-building platform the centerpiece of its enterprise mobility catalog, now one of the most comprehensive on the market. Big Blue continued that trend Monday, partnering with mobile security vendor Arxan Technologies to make apps created with Worklight more impervious to malware and other attacks.

As a standalone news item, the deal adds another ostensibly attractive piece to IBM's offerings. Perhaps just as significantly, it also adds a new fork to the increasingly complicated path businesses must weave as they attempt to integrate smartphones, tablets and the bring-your-own-device (BYOD) phenomenon into the workplace.

For Worklight developers, the new product -- tongue-twistingly called Arxan Mobile Application Integrity Protection for IBM Worklight Apps -- adds beefed-up mobile app security without disrupting existing workflows. Though iOS's centralized app store gives it a security advantage over Android's looser rules and malware-prone unofficial marketplaces, Arxan VP of business development Jukka Alanen said in an interview that virtually any mobile app can be cracked in just a few minutes. Virus-injected versions of popular apps are freely available, and blithely installed by users, he said, from sources throughout cyberspace.

The IBM-Arxan union seeks to protect Worklight apps from these threats via a variety of defenses. Apps can detect illicit behavior, for example, and both shut themselves down if they observe a problem and also issue alerts.

[ Unpatched devices are often security risks. Read why Android Smartphone Sellers Should Patch, Refund Or Perish. ]

In addition to thwarting attacks while they happen, the product is also designed to make apps tougher to crack in the first place. Alanen said that even unskilled hackers can make progress against unfortified apps thanks to rootkits and other black market malware tools. But with the randomization applied by the Arxan-infused Worklight, he said, the task of decompiling and cracking apps turns into an intense and time-consuming technical challenge that few malware authors can manage.

This protection is applied via "guards" in the binary code that obfuscate the app's programming, apply extra encryption and otherwise make it more difficult for hackers to see how the app can be exploited. Hundreds of these guards can be implemented into a single app, if the developer chooses, with each one occupying a small, seemingly innocuous footprint that is difficult to detect within the overall body of code. The fact that each guard can independently apply obfuscation only extends this effect; each one can disguise itself in thousands of ways, meaning multi-guard networks can offer millions of permutations of defense.

To businesses such as financial institutions, whose apps transmit particularly sensitive data, products such as Worklight have an obvious place. But is this sort of proactive security a necessity for all enterprises? That's the urgent, and potentially expensive, question many businesses face as they attempt to turn smartphones and tablets from employee-friendly endpoints into productivity-enabling business devices.

The decisions are numerous. For a company whose mobile needs involve mostly document-sharing or light collaboration, Worklight represents a particularly costly and complicated solution. Depending on the sensitivity of the data, Dropbox, Teambox, Office 365 and other cloud-based approaches might be a better investment. When mobility plans start to include more complicated apps that need to hook into varied corporate backends, however, the challenges multiply. Are off-the-shelf apps adequate? If they need to be independently developed, is it better to work in-house or to hire a contractor? Should the apps be native, or is it practical to avoid OS fragmentation by relying on HTML5? As though the above weren't enough, the extent to which sensitive content will be accessed is another consideration. IT admins might need no more than remote-wipe capabilities for employees who use smartphones to view low-level docs. But users whose on-the-go work involves streaming valuable data or running a variety of business apps might necessitate not only remote wipe, but a fleet of additional mobile device management (MDM) and mobile application management (MAM) capabilities. Those might include geo-fencing, which restricts a device's access if it leaves a pre-defined area; app containers, which separate corporate data from the user's personal data; corporate storefronts for the secure deployment of line-of-business apps; secure browsers for accessing the corporate Intranet; and micro-VPNs for securely linking apps to a business's data center, among others.

The complexity has exploded over the last year. When BYOD forces thrust iPhones and Android tablets into environments more accustomed to BlackBerry phones and Windows PCs, IT vendors scrambled to simply secure the devices, and an MDM industry sprang up to accommodate. Businesses quickly learned that mobility can be as much about boosting productivity or changing workflows as meeting employee preference, however, which pushed the focus toward apps. Companies also became more aware that devices are usually less valuable than the information they access, prompting MDM to morph into MAM. With cloud technology, antivirus software and virtualization also in the mix, and with the BYOD market packed with an increasing number of operating systems, businesses have had to juggle more and more as they enact mobility initiatives.

At the same time, MDM and MAM vendors have been forced to add differentiating features. Essential functions such as remote wipe became ubiquitous as enterprise mobility exploded, so with the bare minimums effectively commoditized, startups had to innovate, hope for a buyout from a big company, or fold. Established PC players were similarly forced to make moves to accommodate the growing diversity of enterprise computing devices.

Recent examples of this trend have been numerous and varied. Earlier this month, Symantec updated its mobile suite to include not only its trademark malware protection but also a unified MDM/MAM console, a secure email client and single sign-on capabilities. Last week, Dell touted how its numerous software acquisitions now constitute an end-to-end BYOD-enablement platform.

Absolute Software, whose Computrace technology is already built into the firmware of many PCs, has expanded its end-point management tools to include single-console control of iOS, Android and Windows Phone devices. The company also introduced a certificate-based authentication method that allows users to access the corporate network without repeatedly entering passwords. It also partnered with Samsung, bolstering the South Korean giant's Knox platform, which is intended to make its smartphones and tablets enterprise ready. MDM vendor AirWatch also signed on with Samsung Knox, and notable mobility players Zenprise and IonGrid were snapped up by Citrix and NetApp, respectively.

The enterprise mobility industry, in other words, looks a lot different today than it did even a year ago. Navigating this landscape is increasingly challenging, and it's become clear that companies need to plan before entering the changing terrain. The key to making mobility a good investment, as information's Chris Murphy recently suggested, is to define the opportunities and problems at the start, and establish a strategy before heading in.