Improving security with mobile application lifecycle management
Some federal agencies have begun to pilot processes and controls to secure mobile applications. This reflects the growing importance of mobile app security as federal agencies provide more mobile-enabled digital government solutions to the workforce and to citizens.
With sensitive data at risk, agencies must address mobile security early and often as part of their mobile technology strategy. Mobile app lifecycle management is a proactive and systematic approach to build in protection and address risks up front. Why? While enterprise-provisioned security policy can harden the device, mobile devices are only as good—and as secure—as the apps installed on them.
The White House Digital Government Strategy requires agencies to adopt mobile technology to improve citizen service. This mandate—and the fact that citizens and federal employees demand the same mobile access from government that they enjoy in their daily lives—has spurred momentum for mobile adoption among federal agencies.
Already, initiatives have involved identifying secured devices and addressing mobile device management and mobile application management. Today, agencies are also focusing on building secure mobile apps. In fact, the CIO Council reports that typical federal agencies are using between five and 20 apps. Deploying mobile apps to unlock workforce productivity is a logical next step.
Without actionable plans to address security issues, agencies may struggle to elicit leaders’ investment in mobile apps. What’s needed is a mobile app lifecycle management approach that accounts for app security at every phase of the software development lifecycle—from planning and designing to testing and operations. Consider five critical steps:
Make a business case
Contrary to popular belief, free apps are never really free. Determining whether to make, buy or adopt mobile apps and introduce them into the enterprise network requires agencies to gather a strong business case—to outline the business need, the available options and projected benefits. The business case must also be supported by comprehensive vulnerability and risk analysis.
Select the right development platform
From the earliest stages, agencies must select the right mobile development platform that supports agencies’ business models and enterprise IT and security architecture. Agencies should take the long view, considering both immediate mobile needs and the broader mobile technology strategy over time.
Build security from the beginning
Agencies must account for security from the outset, starting with requirements gathering and app design. They should establish a Mobile Center of Excellence to promote secured development methodology and best practices. The use of standard, secured APIs and libraries and conducting app security training programs are also key to success.
Apply effective app security testing
Both the Defense Information Systems Agency and the General Services Administration established mobile app security requirements relevant for federal government agencies. These security controls are published and provide guidance on mobile security, helping to protect against threats that can be introduced by insecure mobile apps. These requirements should be built into apps and verified through a sound security vetting process.
Manage and monitor app use
IT teams must control and monitor apps by distributing them through private app stores (when possible), configuring mobile apps with appropriate access and privileges, addressing processes for software patches and updates, monitoring application usage, scanning apps for vulnerabilities, and installing new security tools as they become available.
Mobile apps are consumer-driven and abundant. They are also an important part of the future of the federal government, so getting security right is essential. Agencies must take action—starting from day one with a comprehensive mobile app lifecycle management approach. They must address mobile app security holistically and with the mindset that the work is never truly done because the threats are constantly evolving with the technology. Keeping pace demands continuous security monitoring and control with the right tools and process governance. True enterprise security is impossible without mobile app security.
February 24, 2014