@lclarkmichalek
Created November 21, 2018 00:05

Mobile computing is primarily defined by the use of mobile devices at the edge of the network. Whereas traditional computing would often involve static devices connected to a secure network and protected by a layer of physical security, mobile computing involves mobile devices such as smartphones, which are connected to a potentially insecure network and have no physical security. In some cases, mobile computing also involves taking responsibilities that were previously analogue or manual and digitalising them in the process. For example, the process of recording a biological sample might require recording the name of the sample, along with taking a photo. In a non-mobile computing system, the photo and name would be recorded on separate mediums, and collated after the photo has been developed. In a mobile computing system, the photo could be taken digitally, and associated with the name of the sample (and any other records) immediately. While this might seem tangential to mobile computing and data management, it is representative of how improved data collection through mobile computing can impact Data Quality, along with other data management concerns.

The primary impact of mobile computing on data management is with regard to Data Integrity. The lack of physical security, which is often a large component of the Data Integrity strategy in non-mobile computing situations, requires organisations to implement additional controls on the devices. While in traditional computing issues of authentication and confidentiality can be controlled via access to privileged networks secured by physical means, mobile computing requires trust in the device without control over its location, necessitating developments such as trusted computing hardware, full device encryption, and strong authentication. In addition, the communication between edge devices and datastores must travel over third-party networks, necessitating a greater degree of transport security than might be required on an internal or first-party network. All of these factors require large changes to both the scope and implementation strategy of the organisation’s Data Governance function.

The article is primarily concerned with Data Integrity issues introduced by the Bring Your Own Device [BYOD] policies that many organisations have adopted as part of mobile computing. While BYOD is the main target of the article, it is important to point out that the article is not intrinsically linked to BYOD: many of the problems it attempts to address are issues of mobile computing. For example, the article states “Storing very sensitive information a smart device is considered risky because the device could be lost or stolen any time”. This is a mobile computing issue.

Overlooking the terminology used, the problem tackled is one of authentication. The authors are concerned that the common approach of using a username and password pair “is not secure enough, because there are many software programs capable of cracking passwords”. This claim, uncited, is highly questionable: while weak passwords that are exposed directly to malicious users may be a concern, strong passwords that are not stored locally and are transmitted over a secure connection are not usually a concern. However, with a generous reading, the claim can be seen as an argument for security in depth. The authors are correct that password authentication is not perfect, with issues of password reuse and password policy enforcement. So, the problem the authors are tackling is how to improve the level of trust organisations can have in mobile devices authenticating to their systems.

The paper tackles this in potentially the most obvious way possible. Instead of having the mobile application connect directly to the service containing privileged information, the application first connects to an intermediate service that performs additional checks before forwarding the request. I’ll refer to this kind of service as an authenticating reverse proxy [ARP]. The ARP in this instance will determine “whether the user trying to access the enterprise cloud is an employee of the enterprise or not”. While the details of how exactly that will work are left as an exercise for the reader, the basic idea is not ridiculous. By adding another layer which can add additional checks, services exposing sensitive data can avoid the need for changes to handle requests from mobile computing devices. This is actually a very common pattern in the enterprise, where mobile devices are provisioned with certificates in their trusted compute units. This certificate is then used to authenticate to an authenticating reverse proxy, which then forwards the request to a legacy application that was not designed with mobile computing needs in mind.
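
The following is an added sketch of the ARP decision described above; it is not code from the article or from the author of this write-up. It assumes the proxy terminates TLS with client certificates issued by an enterprise device CA, maps the certificate's common name to an employee through a constructed enrolment table, and passes the identity to the legacy application in a hypothetical `X-Authenticated-User` header.

```python
import ssl

# Constructed enrolment table (assumption): device-certificate CN -> employee.
ENROLLED_DEVICES = {"device-1234.corp.example": "alice"}
# Hypothetical header the legacy application trusts for the caller's identity.
IDENTITY_HEADER = "X-Authenticated-User"


def make_server_context(cert_file, key_file, device_ca_file):
    """TLS context for the ARP listener: no handshake without a device cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(device_ca_file)  # only the enterprise device CA
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def common_name(peer_cert):
    """Pull the subject CN out of the dict SSLSocket.getpeercert() returns."""
    for rdn in (peer_cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorize(peer_cert, request_headers):
    """Return (status, headers_to_forward) for one incoming request."""
    user = ENROLLED_DEVICES.get(common_name(peer_cert))
    if user is None:
        return 403, {}  # valid chain but not an enrolled employee device
    # Strip any identity header the client sent, then set the verified one,
    # so the legacy app never sees a caller-chosen identity.
    forwarded = {k: v for k, v in request_headers.items()
                 if k.lower() != IDENTITY_HEADER.lower()}
    forwarded[IDENTITY_HEADER] = user
    return 200, forwarded


# Constructed sample inputs in getpeercert() format.
ENROLLED_CERT = {"subject": ((("commonName", "device-1234.corp.example"),),)}
UNKNOWN_CERT = {"subject": ((("commonName", "device-9999.corp.example"),),)}

if __name__ == "__main__":
    print(authorize(ENROLLED_CERT, {"x-authenticated-user": "root", "Accept": "*/*"}))
    print(authorize(UNKNOWN_CERT, {"Accept": "*/*"}))
```

The legacy application must only be reachable through the proxy, since it accepts the identity header without checking it.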
