Security is Not Negotiable: Gaps in the Mobile First Mindset

Late last week, it was reported that security researchers had uncovered a flaw in the way thousands of mobile apps store data online, exposing billions of pieces of personal user information to attackers. This is unfortunately just another entry in a long string of disappointing announcements about cyber security and hacking. More importantly, though, this particular flaw demonstrates the profound gap that many development platforms and solutions create in enterprise app creation.

While the article highlights Amazon Web Services and Facebook's mobile backend service Parse, they are not alone, and they are not entirely to blame. Developers want and need as many 'easy buttons' as they can find; the game of mobile first, after all, is about getting to market fast. The problem lies in the mindset. Parse, Amazon and others provide the mechanisms to lock down data, but they are designed not to lock things down by default. Open by default is easier: it is less coding and less engineering, so the app hits the masses faster, and that is what gets rewarded. For a large enterprise, this means huge risks (cyber, financial and legal) are introduced to the organization in a way that is very hard to see.

As a developer myself, I doubt the vast majority of my peers had malicious intent. I surmise their decisions were made in haste while solving the larger development issues and managing timelines. We've all been there. But for the enterprise, this doesn't cut it.

Perhaps the best way to bring out the difference between platforms is to be a bit transparent about how we architected the ClearBlade platform. As I stated earlier, I've been the developer faced with the choice of locking down or getting it done. But when we crafted ClearBlade, we were shooting for enterprise first, not just mobile first. So we took the opposite approach, which produces a much more secure default state. Default access is turned off, rather than on. Encryption is end to end by default. All users are tracked by tokens, anonymous or otherwise. And, of critical importance, through our microservices engine we encourage application-layer control of data as well as permissions on data, so that access is checked in the application and not just at the storage layer. Another step was not forcing our customers into a public cloud, but rather allowing our platform to run where our customers have their trusted environment, on-premises or otherwise. Thorough, even extreme, testing is mandatory in our culture. Vulnerabilities will be exploited; you have to count on it. Your backend engineering should reflect that mindset, not work against it. It's no surprise that ClearBlade chose the trademark "Mainframe to Mobile", not "Mobile to Mainframe".
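To make the difference between the two defaults concrete, here is an added example written for this post; it is not code from ClearBlade, Parse or AWS. It models a mobile backend as a small in-memory document store with per-collection ACLs and runs the same hurried "store a customer record, never configure permissions" flow against an allow-by-default policy and a deny-by-default one. Every caller, anonymous included, gets a session token so each access is attributable in an audit log. The class and method names (Backend, login, set_acl, put, get), the role names and the sample customer record are all constructed for illustration.

```python
# Added example (not ClearBlade, Parse or AWS code): the same app flow run against
# an allow-by-default backend and a deny-by-default one. Everything here is a
# constructed in-memory stand-in; the class and method names are hypothetical.
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Every caller, anonymous or not, holds a token so each access is attributable."""
    user_id: Optional[str]                      # None marks an anonymous session
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class Backend:
    def __init__(self, default_allow: bool):
        self.default_allow = default_allow      # policy for collections with no ACL yet
        self.docs = {}                          # collection -> {doc_id: (owner, data)}
        self.acls = {}                          # collection -> {"read": roles, "write": roles}
        self.sessions = {}                      # token -> Session
        self.audit = []                         # (user_id, op, collection, doc_id, allowed)

    def login(self, user_id: Optional[str] = None) -> str:
        session = Session(user_id)
        self.sessions[session.token] = session
        return session.token

    def set_acl(self, collection: str, read, write) -> None:
        self.acls[collection] = {"read": set(read), "write": set(write)}

    def _roles(self, session: Session, owner: Optional[str]) -> set:
        if session.user_id is None:
            return {"anonymous"}
        roles = {"authenticated", f"user:{session.user_id}"}
        if owner == session.user_id:
            roles.add("owner")
        return roles

    def _authorize(self, token, op, collection, doc_id, owner) -> Session:
        session = self.sessions.get(token)
        if session is None:
            raise PermissionError("unknown token")
        acl = self.acls.get(collection)
        # The whole difference between the two platforms is this one line:
        # what happens when nobody has configured an ACL for the collection.
        allowed = self.default_allow if acl is None else bool(self._roles(session, owner) & acl[op])
        self.audit.append((session.user_id, op, collection, doc_id, allowed))
        if not allowed:
            raise PermissionError(f"{op} on {collection}/{doc_id} denied")
        return session

    def put(self, token, collection, doc_id, data) -> None:
        session = self.sessions.get(token)
        if session is None:
            raise PermissionError("unknown token")
        existing = self.docs.get(collection, {}).get(doc_id)
        owner = existing[0] if existing else session.user_id   # creator owns a new record
        self._authorize(token, "write", collection, doc_id, owner)
        self.docs.setdefault(collection, {})[doc_id] = (owner, data)

    def get(self, token, collection, doc_id):
        owner, data = self.docs.get(collection, {}).get(doc_id, (None, None))
        # Authorize before revealing whether the record exists, so a denied caller
        # cannot use "not found" versus "denied" as an existence oracle.
        self._authorize(token, "read", collection, doc_id, owner)
        if data is None:
            raise KeyError(doc_id)
        return data


def run_app(default_allow: bool) -> dict:
    """A hurried developer stores a customer record without configuring an ACL,
    then three callers try to read it. Returns what each one got."""
    be = Backend(default_allow)
    alice, bob, anon = be.login("alice"), be.login("bob"), be.login()
    record = {"name": "Alice", "card_last4": "4242"}   # constructed sample data
    try:
        be.put(alice, "customers", "c1", record)
    except PermissionError:
        # Deny-by-default refuses to store anything until the policy is stated,
        # so the "easy button" is not available; the developer must decide now.
        be.set_acl("customers", read={"owner"}, write={"owner"})
        be.put(alice, "customers", "c1", record)
    seen = {}
    for name, tok in (("anon", anon), ("bob", bob), ("alice", alice)):
        try:
            seen[name] = be.get(tok, "customers", "c1")
        except PermissionError:
            seen[name] = "denied"
    seen["audit_entries"] = len(be.audit)
    return seen
```

With `default_allow=True` the developer's code works on the first try and every caller, the anonymous session included, reads the card data. With `default_allow=False` the first write is refused, which is the point: the owner-only ACL has to be written before anything ships, and the audit log records the denied attempts alongside the grants.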

Simple platform decisions can make a world of difference, and the culture of security needs to be reinforced by CIOs, CTOs and architects. This isn't a new story, and unfortunately it is one we will see again. We need to do better.

Dmytro Chaurov

CEO | Quema | Building scalable and secure IT infrastructures and allocating dedicated IT engineers from our team

1y

Aaron, thanks for sharing!