B2E and B2B Mobile Apps: Capturing opportunities while avoiding traps
Executive Summary
The rapid adoption and evolution of mobile and cloud technology has disrupted the traditional IT model. Under the traditional model, an organization owns, controls, and manages its IT assets, from the physical data centers, to the server hardware, to the software powering its operations. Adoption of mobile and cloud technology has enabled operational and organizational flexibility that results in increasingly soft boundaries between organizations. Consequently, the mobility of data and applications has fostered the emergence of extensive networks of partner and contractor organizations, collaborating as needed on common business objectives: a virtual extended workforce. Unfortunately, this flexibility has also introduced significant risk of data loss and increased the challenges organizations face in governing how their data and applications are used, where, on which devices, and by whom.
Enterprise mobility management solutions, such as mobile device and application management (MDM/MAM), have entered the market to help address these challenges, especially as end-user demand increases for more mobility. However, the device-centric approach falls short in managing the security and lifecycle of applications, data, and user access, especially in the increasingly common extended workforce scenario described above. MAM solutions provide a more granular, app-level approach to security with containerization and application management via SDK. However, these require rebuilding existing applications in the best case, and significant, expensive code modifications in the worst case. In addition, the evolution of these technologies has proceeded so rapidly that organizations have found it difficult to create a stable, long-term strategy around mobility.
However, mobile web technologies and HTML5 have gained widespread support, especially on mobile platforms, and promise to provide cross-platform mobility without the degradation of performance or user experience usually associated with web applications. With this growing support, a new generation of mobility management solutions is coming to market to help provide the long-term stability organizations require. By combining HTML5 and next-generation management, it becomes possible to reduce mobile development and management costs without sacrificing the platform coverage and rich user experience end-users demand.
Road to Enterprise Mobility: Technology Trends and Risks
Organizations have struggled in recent years to cope with the rapid evolution and adoption of both mobile and cloud technologies. These technologies have resulted in a pervasive consumerization of IT and the Bring Your Own Device (BYOD) phenomenon. BYOD, in particular, has complicated organizations' efforts to implement a mobile strategy for Business-to-Employee (B2E) application delivery. The ever expanding set of supported mobile OS and device platforms further compounds these complications for the increasingly common extended enterprise.
In the extended enterprise, an organization's partners and contractors are required to collaborate with badged employees as members of a virtual team. In one real-world case, a large consumer goods company we consulted engages with a global network of independent distributors. They require the ability to securely exchange data and provide common applications to operate effectively, but cannot mandate certain IT governance policies because they do not own their partners' IT assets; a BYOD strategy is the solution they are pursuing, with strong interest in HTML5 for cross-platform support. In another case, a large nationwide retailer with a highly seasonal business supplements its workforce during the winter holiday season with thousands of additional workers. Enabling these seasonal employees to access business-critical applications and data on employee-owned devices through a BYOD program would help this retailer to minimize its IT capital expenses.
The retailer is searching for additional expense reductions by leveraging cross-platform HTML5 technology for application development.
Cloud computing services allow organizations to operate more cost-effectively, and with greater flexibility, agility, and speed, by delivering IT as a service. In the process, they have also upended the traditional IT model, which required organizations to own, manage, and maintain all IT assets, from data center and employee computing hardware to all software applications. Cloud offerings range from computation capacity rented as-needed on an hourly basis, to scalable, enterprise-grade application platforms delivered as a service, to fully-developed software applications for a wide variety of personal and business purposes. All of these cloud services require no capital investment, little to no on-premises IT infrastructure, and minimal overhead to deploy, configure, and maintain. In most cases, these cloud services require only reliable network connectivity and a web browser. This model helps to decentralize IT and make business applications and services available from any internet-capable device.
Just as cloud has disrupted the way organizations approach IT, the rapid proliferation of network-connected, consumer mobile devices, such as smart phones and tablets, has transformed the way people use computing technology in both their personal and professional lives. In particular, BYOD has emerged out of employee desire to use personal devices for professional purposes in order to benefit from mobile technology while limiting the number of devices they need to use every day.
Visit us at sencha.com/space to learn more and evaluate our products for free. 1700 Seaport Blvd. Suite 400, Redwood City, CA 94063 1 (800) 212 2802 www.sencha.com @sencha #senchaspace
Although the adoption of mobile technology has resulted in productivity gains for many organizations, unmanaged BYOD combined with consumer cloud services, which often do not secure user data sufficiently for business use, can expose an organization to greater risk. In particular, organizations face data loss as proprietary data travels across arbitrary untrusted networks like public Wi-Fi hotspots and unencrypted network connections. In addition, as data moves across devices, it can easily be copied and stored on multiple devices, all of which are subject to loss or theft.
However, the potential benefits from cloud and the use of non-corporate-owned mobile devices for business purposes far outweigh the potential pitfalls if a BYOD program can be managed to optimize flexibility and productivity for the end-user, while minimizing the organization's risk exposure. This challenge requires a thoughtful end-to-end approach with respect to the mobile application lifecycle, management of sensitive, proprietary data, and minimization of costs. However, by navigating these challenges, organizations can boost efficiency and productivity by delivering applications and data as needed for business purposes to the most convenient device for the end-user to accomplish their goals.
One helpful technology trend that continues to progress, especially on mobile devices, is HTML5. HTML5 refers to a set of additions to the HTML specification that greatly enhance native support for multimedia and client-side interactivity.
As web browser vendors and mobile technology vendors add support for these features to their products, application developers and IT organizations gain access to the possibility of true cross-platform development without sacrificing a rich user experience in the process. Until recently, HTML5 support was not sufficiently advanced or pervasive across browser and mobile device platforms, leading organizations and developers to prefer other methods of mobile application development, such as native and hybrid apps. However, HTML5 features are quickly becoming prevalent on all major browser platforms, as well as a standard feature of most mobile OS SDKs. This trend helps to simplify cross-platform development and reduce the cost of maintaining and delivering mobile apps, greatly easing the pain of enterprise mobility management.
Aside from managing the lifecycle of mobile applications, going mobile has other security risks with which managers and executives of IT-driven organizations must contend. Unfortunately, many existing mobility management and security solutions have been optimized for the world prior to the emergence of BYOD and mainstream HTML5 availability. The two predominant approaches, Mobile Device Management (MDM) and Mobile Application Management (MAM), require extensive administrative overhead, add complexity to the IT environment, and lack the granularity of policy enforcement that meets business needs while protecting the privacy of users and their personal data from loss, reducing the return on investment from going mobile.
Going Mobile: The Opportunities and Challenges
Many organizations start their journey to the mobile enterprise by simply making the business applications currently in use on laptops and workstations available on mobile devices. Although this approach is a good place to start, it does not embrace the full opportunity that mobile technology represents. Mobile devices are integrated, feature-rich, multimedia computing platforms with a myriad of sensors for everything from location and orientation, to sound, images, and video. By integrating these capabilities as needed into elegant, cross-platform mobile applications, organizations can capture the full value of mobile technology.
Some forward-thinking organizations are already starting to leverage these capabilities to get more out of their mobile application strategy. For example, some organizations are employing mobile devices for payment processing and point-of-sale functions, as opposed to buying purpose-built hardware and software for these purposes. The GPS feature common on many devices can be used for logistics planning, inventory tracking, fleet management, and field services applications. A large industrial inspection firm we spoke to is investigating integrating the GPS feature into its future applications and is building a long-term mobility strategy around HTML5 technology. Similarly, the cameras and microphone in these devices can be used to capture information for attachment to e-mail or electronic form-capture, creating a seamless, single-device workflow that can streamline execution of critical business processes, improving efficiency on a wide scale. For example, one European city government we consulted is investigating the use of mobile devices and HTML5 applications to overhaul its cumbersome, paper-based building inspection process. The rich media capabilities of modern mobile devices represent a major, currently untapped opportunity to improve productivity and reduce the required time for certain business processes.
Realizing the value of these opportunities requires disciplined management of the application lifecycle and security of mobile apps and data. The application lifecycle includes not only the design and development of applications, but also the testing, deployment, and on-going maintenance of the applications.
By reducing the resources required in each of these phases, organizations can realize significant cost savings. The ideal scenario of mobile application development for BYOD and B2E use cases is to write a business application once and to be able to provision the app to any user on any device whenever needed. When the user no longer has a business need to access that app or its associated data, an administrator should be able to deprovision the user's access to both the application and data without adversely affecting other data on the device.
Organizations that want to go mobile will need to understand and manage the security risks to which application and data mobility exposes them. These risks include data loss through careless or insecure transmission and storage of data across devices and networks. Organizations should ensure that the network channels used to transmit proprietary data are encrypted to protect data confidentiality. Similarly, whenever sensitive data is stored, either on a mobile device or in the cloud, it should be encrypted, and IT organizations should be able to remotely back up and delete the data as needed. For example, if employees or partners leave the organization or change roles and no longer have a business need to access certain data, the data should be deleted from their devices. Data encryption as well as strong authentication mechanisms can help to protect data and applications from unauthorized access and disclosure. These can also help protect the data in the event of loss or theft of the device before an administrator can remotely delete the sensitive data. App-level encryption of data can help both to separate sensitive professional data from private personal data on a device and to protect it from attackers.
An additional consideration is the management of users' digital identities across the different devices, applications, and services with which the user interacts. Ideally, a user would log in once through a business application workspace on their device and be automatically authenticated to all their applications. This single sign-on mechanism would limit the number of accounts and passwords a user must remember, as well as saving the time and tedium that multiple logins on a touch-screen device would entail. Many organizations, in addition to the business security considerations, must also comply with strict regulations and face penalties for failing their regular audits. In these cases, having an effective enterprise mobility strategy requires a system that aligns with and reinforces a central governance policy and provides an audit trail for certain activities.
Avoiding solution sprawl and containing costs
As you can probably already see, managing the many business, security, and end-user requirements around mobile technology and BYOD can quickly become an expensive and complex exercise. Just managing the tradeoffs between application development methodologies can be a major challenge. Should your organization pick native, hybrid, or pure HTML5 for its mobile app strategy? On one hand, developing native applications to support the top three mobile OS providers, for example, could potentially entail writing the same code three times, testing and certifying numerous device types, and maintaining three separate code bases for the lifetime of the application.
On the other, an organization could eliminate the need for multiple code bases by writing the app in HTML5 and using a native packaging tool to distribute the application like its native counterpart; this is known as a hybrid app. However, predominant packaging tools do not always provide consistent API bindings to native device features across platforms or devices, making true cross-platform development impossible. Also, the hybrid approach still requires testing the packaged binaries on multiple devices and distributing the app to end-users through each platform's mobile application store, delaying the release of the latest application updates to end-users.
After examining the common approaches to mobile application development, we now turn to mobility management and security solutions. Starting in 2009, when smart mobile devices started to penetrate IT environments in large numbers, several new vendors arose to help manage and secure enterprise mobility. The first wave of these Mobile Device Management (MDM) vendors provides solutions that essentially require the user to cede control of their entire device to the organization for enforcement of a business security compliance policy. These policies typically include longer PIN codes to unlock the device, restrictions against jailbroken devices, and application white and black lists. In addition, if a device were lost or stolen, an MDM solution could erase the entire device, including all personal data, because MDM solutions do not separate business and personal data. These solutions are a reasonable fit for corporate-owned devices, but many users hesitate to subject their personal devices to such invasive and coarse-grained restrictions, making the solutions less ideal for BYOD use cases. In addition, MDM solutions do little to directly manage the security and lifecycle of business applications and data, especially on devices belonging to non-employee collaborators such as partners, consultants, and contractors.
Realizing the need for a more precise approach to mobility management, a new crop of technology solutions soon came to market in what has come to be known as the Mobile Application Management (MAM) segment. These solutions take a fine-grained approach to mobility management and security, providing management capabilities at the application level. They typically offer two different ways to achieve this application-level management and security: containerization and the use of proprietary SDKs. With containerization, an organization takes an existing native app and wraps it in a thin container layer that provides network transport and data security. Although this method requires no modification of an existing app, it is unfortunately highly controversial because re-distributing a wrapped application could violate the copyrights of the app's original authors. This technique comes with the risk that operators of the major mobile application stores could disallow containerized applications from the store, rendering this technique effectively useless. On the other hand, using a MAM vendor's proprietary SDK does not run afoul of App Store policies, but requires significant re-coding of existing apps and results in locking the developer into a particular MAM vendor's solution, without reducing the app's dev time, platform support requirements, or any of the other application development pain points we have already identified. The Enterprise Application Stores many MAM vendors include in their solutions can help to simplify the distribution of these apps to their eventual users, but also add another component to the IT environment to be managed and maintained.
Given the drawbacks of native and hybrid mobile app development and the limitations of MDM and MAM solutions, you would be forgiven for asking why you should bother going mobile if you can expect such cost and complexity. As it turns out, a new wave of next-generation mobile application platforms aims to reduce or eliminate much of this complexity and its associated costs, complementing existing MAM and MDM solutions. These new solutions are making it possible both to write and distribute HTML5 apps and to deploy them to a dedicated business application workspace on the device, giving the user a secure place for interacting with their business apps and data. IT managers can centrally author and enforce policy for these business workspace apps to minimize their security risks, while maintaining a strict separation between the business and personal use of the device. This central management capability includes the ability to easily manage provisioning and deprovisioning for users, applications, and devices, instantly allowing or denying access as the circumstances require.
These platforms allow organizations to quickly deploy any existing web application, including those that require HTML5 features, to a dedicated app platform on the device with no code modification. This platform provides secure app-level connectivity to your data center assets using per-application VPNs, which obviate the need for a device-wide VPN policy that might place the corporate IT network at risk from personal apps or malware on the device. Ideally, these next-generation mobility solutions would, in addition, provide a developer API in order to leverage the native capabilities of the underlying OS and device. This feature would enable a pure HTML5 app to run across devices, provide a modern, rich user experience, and eliminate the need for multiple code bases, native packaging, and app store distribution of mobile apps. How much time and IT investment would your organization save by reducing or eliminating these aspects of mobile application development?
The technology around mobility management is evolving almost as quickly as the mobile devices themselves. Organizations planning their business-to-employee mobility and BYOD strategy should seriously consider HTML5 for cross-platform mobile development. This is especially true for virtualized organizations, in which an ecosystem of employees, partners, and contractors need to collaborate as one team, even when they are officially employed by different organizations. In conjunction with the providers of next-generation HTML5-focused mobility platforms, organizations should select a solution that helps to facilitate the application development, test, and deployment process by providing an easy way to deploy apps to users. In addition, the solution should provide a scalable, centralized management console to manage the lifecycles of user identities, applications, and data. Your chosen solution should also be able to help your app development teams provide a modern, rich user experience by exposing native OS and device APIs consistently across platforms. These capabilities will help you to achieve your goal: managing your business applications, users, and data securely across any mobile device at minimal risk and cost.