Mobile security model flawed, says Mobile Helix

Many companies are embracing mobile devices wrongly because the current security model is flawed, says security startup Mobile Helix

The way many companies are embracing mobile devices is fundamentally wrong because the current security model is flawed, says New York-based security startup Mobile Helix.

Most mobile device management (MDM) systems, and other mobile platforms and technologies, are aimed at making mobile devices safe before giving them permission to access to corporate networks.

“It is not possible to make devices secure, because they can be stolen or lost and they are easy to hack," said Matt Bancroft, co-founder, chief operating officer (COO) and president at Mobile Helix. "Security should be about securing the data, not the device.

“Securing the device also means you have to put some pretty heavy restrictions on what people are able to do with their own mobile devices before they can use them for work,” he told Computer Weekly.

Data-centric approach

A data-centric approach to security means that users can do whatever they like with the device, but when they want to work and access corporate data, it needs to be secure, said Bancroft.

Mobile Helix also believes that it is wrong to rewrite corporate applications and recreate application development, delivery, support and security models for the mobile world.

Read more on mobile security

"The enterprise and the IT world has spent the last 20 years standardising around the web and the web application delivery environment for corporate IT," said Bancroft.

“So we believe the right approach is to extend that existing standards-based world out to the mobile device, rather than creating a parallel, independent framework,” he said.

This approach allows people to get access to the same data and tools when they are working on the device of their choice without having to download apps from an app store and continually update them.

“Fortunately, HTML5 allows you to do that and Mobile Helix has built a web-based system that enables users to access corporate data securely through any device that can run a browser,” said Bancroft.

This approach means that, at the back-end companies can use the same application development tools, code, delivery infrastructure and frameworks they are familiar with.

It also means businesses do not have to create different versions of their applications for each kind of mobile device because browsers work across all platforms.

Bancroft believes the latest version of the HTML standard is sufficiently mature and established enough to make the vision of cross-platform capability a reality so that one application will run across a range of devices.

“It has taken a while to get to that point, but we are there now because all the major browsers now support HTML5,” he said.

Importantly from a security point of view, HTML5 enables browsers to deliver functionality without the need for plug-ins which have typically been exploited by hackers.

Combining device independence with data security

Mobile Helix’s recently launched Link platform is based on this approach to enable businesses to access application securely from PCs, laptops and mobile devices running Apple’s iOS and Google’s Android.

The company plans to extend support to Windows 8, Mac OS X and BlackBerry 10 later this year.

The enterprise and the IT world has spent the last 20 years standardising around the web and the web application delivery environment for corporate IT

Matt Bancroft, Mobile Helix

“Link is the first product on the market to combine the benefits of device-independent applications built using HTML5, with a data security platform that ensures data is safe on any device,” said Seth Hallem, co-founder and chief executive officer (CEO) at Mobile Helix.

At the core of Link’s security platform is the use of a secure container on the device and fully device-independent encryption of all data in motion or at rest.

This is coupled with an encryption key management architecture that ensures encrypted data remains safe and a comprehensive policy engine that allows IT to enforce policies on data and applications.

For real-time access, encryption keys are created for a specific user for a specific data session, they are stored off the device and they are fully encrypted themselves.  

Link also includes enhancements to the HTML5 standard such as support of offline access so that users can keep working even if the device does not have a connection.

Switching to Link would require organisations to deploy a secure container on each of their mobile devices and the Mobile Helix gateway by installing it in their datacentre or linking to the cloud version.

Link uses a cloud-based management platform that enables organisations to set up users, provision devices and set security policies.

Applications that can already be accessed using a browser will work on mobile devices right away, while legacy applications can be modified using a Mobile Helix toolkit for creating web user interfaces.

Read more on Endpoint security