Security Think Tank: Use policy and guidance to help secure messaging apps

What criteria should organisations use to assess the security of smartphone messaging apps and how can they ensure only approved apps are used by employees?

Over the past few years, messaging apps have become more popular. They are starting to take over from SMS [text messages] and email in the consumer environment because they are seen as more convenient and productive than email. 

Some companies have adopted their own messaging applications, but where employees do not have this option, surveys show that they are increasingly turning to their personal apps for company purposes. 

This gives rise to a number of security and regulatory issues around the protection of company-sensitive information and individuals' private information. It may also be a sign that company tools are not keeping pace with group messaging apps in terms of enabling productivity in the workforce.

The issue around the use of messaging apps clearly needs to be addressed, whether by providing an internal alternative to uncontrolled commercial apps, or through clear policy on the use of personal messaging apps on bring your own device (BYOD) and corporate devices. In either case, the security considerations around these apps are similar.

Messaging apps typically offer near-instantaneous secure messaging, advertised as end-to-end encryption between smartphones. However, in practice "end-to-end" often means only between the sender and the provider's server, and then between the server and the recipient.

Messages will therefore be processed and stored for a short time on the provider’s servers, raising issues around confidentiality, privacy and export control. Even if there is true end-to-end encryption, the provider may have access to the encryption keys. 

For a corporate solution you should therefore be looking for true end-to-end encryption and control of the encryption keys.

The other reason this may be important is if your users' messaging is routed through your corporate system, for example by using a virtual private network (VPN) back into the network and then out to the internet. In this case, you will probably want the option to monitor the traffic.

Any end-to-end encryption from the internet to a host in your enterprise network makes this impossible unless you can decrypt the traffic, and so it provides a hidden route into your network. 

Where organisations have a BYOD policy, the risks depend on the policy itself. Ideally, there would be a shortlist of platforms that provide separate, compartmented environments for work and personal information and apps.

As with a company-provided device, the work compartment can then have a controlled app store offering only approved apps, and prevent installation from other sources. 

The device should also be configured to prevent cut and paste between work and personal environments and, as mentioned above, have internet access only through a VPN into the corporate environment.
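As an added example (not part of the article), this is how the three device controls just described can be enforced on an Android Enterprise work profile by a profile-owner device policy controller (DPC): block installs from outside the managed store, block copy and paste across the work/personal boundary, and force all work traffic through the corporate VPN. The package names and the admin receiver are constructed placeholders; the approved-app catalogue itself is provisioned through the managed store and is not shown here.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.UserManager;

/**
 * Applies work-profile restrictions from a DPC that has been set as the
 * profile owner of the work profile. Runs once after provisioning.
 */
public final class WorkProfilePolicy {

    // Placeholder: the DPC's DeviceAdminReceiver registered as profile owner.
    private static final ComponentName ADMIN =
            new ComponentName("com.example.dpc", "com.example.dpc.AdminReceiver");

    // Placeholder: the corporate VPN client installed inside the work profile.
    private static final String VPN_PACKAGE = "com.example.corpvpn";

    public static void apply(Context context) throws PackageManager.NameNotFoundException {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);

        // Controlled app store: only apps pushed through the managed store
        // may be installed, so sideloading from unknown sources is blocked.
        dpm.addUserRestriction(ADMIN, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);

        // No cut and paste from work apps into the personal environment,
        // and no sharing of personal content into the work profile.
        dpm.addUserRestriction(ADMIN, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);
        dpm.addUserRestriction(ADMIN, UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE);

        // Internet access only via the corporate VPN: lockdown=true means that
        // if the VPN is down, work-profile traffic is dropped rather than
        // falling back to a direct, unmonitored path.
        dpm.setAlwaysOnVpnPackage(ADMIN, VPN_PACKAGE, true);
    }
}
```

Note that the VPN lockdown only governs the work profile; personal-profile traffic is untouched, which is the point of the compartmented design.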

If you have a BYOD policy that allows any device to be used, then your only technical option is to add monitoring software, ranging from app control to full social network monitoring and logging, which has privacy implications.

Whatever approach you take needs to be backed up by an acceptable use policy and guidance to your employees on the risks associated with, and proper usage of, messaging systems.