With great technology comes great responsibility, to tweak an old comic book phrase. Now mobile computing -- and, by extension, mobile ERP -- is extending that responsibility far beyond the home office. Smartphones and tablets provide unprecedented access to corporate data, but they are also creating a host of new security risks and challenges.
Industry experts say the most important step in securing mobile ERP is to institute procedures for proper use. “Most IT departments really haven’t developed policies and procedures for how these devices should be managed. Companies have procedures around internal company IT resources -- computers, servers, Internet, et cetera, but they should also be spelling that out for mobile ERP,” said Steve Phillips, ERP industry expert and author of the Street Smart ERP blog. “Part of it is cultural. Within IT, if it’s outside of the building, it’s often out of sight, out of mind. They need to start to look at anything outside the building that is connecting to their networks.”
Running a company-wide program like mobile ERP on mobile devices means security procedures must be in place to keep all data safe, not just emails. “The concern [around mobile ERP] is similar to when smartphones first came about,” said Eric Kimberling, president of Centennial, Colo.-based Panorama Consulting Solutions. “People were concerned about emails leaving the four walls of a company, but I think most companies now have security to manage that email access. This time, you’re talking about BI [business intelligence] and company data, and companies should be putting processes in place to control these security issues.”
Mobile device management extends to applications
According to Charles Brett, vice president and principal analyst for San Francisco Bay area-based Constellation Research Inc., IT managers should take a two-pronged approach to mobile security: First secure the physical devices, and then secure the applications they’re running.
“In most cases, mobile devices are really little different from enterprise PCs as far as security is concerned,” Brett said. “People may have bought their own phones or tablets, in which case the enterprise does not have control in the way that it had had with enterprise-bought laptops. On the other hand, what security applies to enterprise laptops? In practical terms, security with laptops is pretty lax.”
Manufacturers can try to minimize security issues -- and save money -- by not buying mobile devices for employees in the first place. However, allowing employees to use devices they have purchased on their own to run mobile ERP alongside apps that haven't been screened by IT also poses some danger.
“With employee-purchased devices, there is a need to separate personal data or apps and enterprise data or apps,” Brett said. “It is necessary to understand that [Apple's] iOS and [Google's] Android changed the nature of applications and data, which once lived separately, to a model where the two go together, with data saved within the app. Possibly the most interesting [new feature from mobile ERP vendors] is the encapsulation of apps and their data in an enterprise security ‘container,’ by which personal user apps are distributed by the enterprise but are clearly differentiated on the smartphone or tablet.”
Phillips also points to the problem of managing mobile devices that aren’t company-owned. “When it comes to tools to manage it, one of the biggest holes is the ability to control these devices,” he said. “You have people in the organization who want to buy the mobile phone they want to buy. Usually IT is the last to know until employees want help connecting to the servers. You need to decide which types of devices you will support, so they aren’t being treated as much as strictly personal devices. And if an employee loses a phone, there needs to be a way to locate that phone and erase that company data.”
Once IT knows which types of devices are being used by employees, further safeguards can be put into place, Phillips said. “Systems admin tools can help manage the apps you can download, or create a blacklist of apps that are not allowed. But even if you provide the devices, people may still download apps that could connect to the server, and hackers could reach company data. And even device tracking apps can take data off your phone and send it to other servers,” he said.
Mobile ERP vendors stepping up security offerings
To successfully secure a mobile device network, it’s critical to understand what type of data will be moving through the mobile ERP system and which parts of it are especially sensitive, according to Phillips. “Every company has its hot buttons as far as the type of data you need covered,” he said. “For manufacturers, they’re product cost and pricing, engineering info, product materials data and release dates.”
Kimberling suggests that manufacturers look to password encryption and user security profiles to safeguard a mobile ERP network and that they immediately cut off network access for lost or stolen devices. “Access to data should be based on need and ROI [return on investment],” he said. “It’s a lot of the same rules you apply to standard ERP, but you need to understand that now there’s more risk.”
“Fortunately for ERP systems, their security profiles, user roles and definitions are already part of the core package,” Kimberling continued. “Vendors are doing a better job in general with locking down the system. I think the tier 1 mobile ERP vendors like Oracle and SAP have built out that mobile capability in a more robust fashion, but tier 2 isn’t far behind.”
Brett reiterates that both vendors and IT managers need to look not only at devices but apps when building a secure infrastructure. “Look at laptops. What is secure for laptops is a good model for what should be secure for tablets or smartphones,” he said. “You have to make sure that there is a way to safely get data out, to extract it. You could say everything has to be done through a browser, but increasingly, people want to be able to access the data through apps and not have to rely on an Internet connection.
“What it really comes down to, if you don’t put the infrastructure down right away, you’re always trying to catch up, but you never will,” Brett said. “Think about what your two-year scenario will look like. Put in place security measures that will work for that, not just what you think will work for today.”