As smartphones and tablets continue to embed ever-deeper into our lives, the importance of mobile device security keeps growing even faster. From e-mail communication, through personal banking details, to business data that provides the essential competitive advantage – mobile devices today easily contain volumes of sensitive information comparable to any computer. In fact, probably even exceeding traditional computers, if we take also the health & fitness-related data and smart home control features into account. All while risks of misplacing a mobile device are much higher than with a desktop or laptop.
Hence, Device Security Management has become quintessential. Businesses invest millions in sophisticated ways of protecting their information systems, however, when it comes to mobility the vast majority still relies on standard Mobile Device Management (MDM) tools (e.g. Air Watch, Intune, Mobile Iron, etc.). These are not built-in to the business applications themselves which can expose more weak spots than many system admins are willing to admit.
Firstly, with a booming bring-your-own-device (BYOD) culture, companies must assure that MDM tools will be running on all kinds of devices that might be used to access confidential corporate information. And of course, ensure that these tools will be installed on users’ devices.
Secondly, as we mentioned, the MDM applications aren’t built directly into the productivity apps they protect, which limits the depth of user actions and processes that can be monitored. This means, specifying advanced security measures for particular parts of a mobile solution is often next to impossible.
And then there’s offline. Yes, somewhat ironically, one of the most sought-after capabilities can become a loophole, if not secured properly. The problem is, standard MDM tools can protect the device as long as they are connected to the internet. However once there’s no Wi-Fi, cellular reception, or other form of Internet connectivity, the device is left in the dark. And what companies tend to forget is that having a proper offline functionality in their Mobile CRM app, means copying a significant amount of data from their CRM server to the device’s local storage. This valuable data shouldn’t be unsecured at any time – even more so that it can be spread across hundreds (or even thousands) of phones and tablets.
So how do we protect your information about customers, orders, invoices, new opportunities, or else from prying eyes? Let’s take it step-by-step.
How is Resco Mobile CRM secured?
The most common security token for the Resco Mobile CRM application is the user password. This is the password used for authentication with the CRM server you use– be it Microsoft Dynamics, Salesforce, or Resco’s own CRM server. The app can store the password in the device’s secured storage, require the user to enter their password each time it is launched or resumed, or require the user to enter the password after X minutes of inactivity – you decide.
In addition to making Resco Mobile CRM compatible with Air Watch, Intune, Mobile Iron and Symantec, back in 2013 we’ve integrated our own Enterprise Security module into the solution – a combination of app features and our own mobile device management tools, which ensure airtight security even without the need to install separate third-party tools. And since these are entwined deeply within the app, our built-in Enterprise Security can offer much more granular MDM capabilities. For example, you may allow for user to create a new opportunity in Resco Mobile CRM, but the app won’t show him/her other opportunities created earlier.
Overview and management of mobile devices using the app is also part Resco Mobile CRM’s Enterprise Security features. Index all your mobile devices in one structured list. This view shows you the details on each device: its model, ID, running OS, currently installed version of the Mobile CRM app and date of the last synchronization. Leveraging the GPS modules of devices, you can see where the user was located when initiating an interaction with the app. If you want to make sure employees use only devices you have previously approved, you can automatically block new devices. Or remotely wipe/lock the app on any of the connected devices.
In Offline mode, the locally stored database on the device (used for offline capability and faster performance of Resco Mobile CRM) is encrypted by default. The data encryption is based on an application key. The application key is randomly generated when the database is created and protected by the user password. The key is stored in an encrypted form in the device’s file system and decrypted when required.
Many think that a similarly responsible approach to securing offline data is standard practice across the industry, however, the opposite proves to be true. Even Microsoft’s Dynamics 365 for phones & tablets app (known until very recently as MoCA) does not encrypt the locally stored database it creates. Quite surprising, don’t you think? Especially when considering the importance of business data that is at stake.
But that’s not all. For Resco Mobile CRM you can also predefine security profiles for users (e.g. wipe application data when an incorrect password is entered three times). And to make the app even more bulletproof, take advantage of fingerprint login and multi-factor authentication using the OAuth2 authentication standard.
Additionally, with the Resco LoginTag technology we offer advanced sign-in via NFC tags or QR codes. Businesses can use these forms of advance sign-ins to provide effortless login to Mobile CRM (e.g. an NFC tag attached to a uniform or equipment of a service technician) without revealing any access credentials. Furthermore, the LoginTag can be also used as an extra access token in a multifactor authentication process.
Resco Mobile CRM boasts a broad palette of security features, which we will be further strengthening and expanding in the upcoming months. We plan to introduce security profiles based on users’ interactions with the app, which can be processed for behavioral patterns and irregularities: For example, if the user has created an appointment in London (based on the GPS position of the device in that moment) and just a couple of minutes later he or she is updating an account from an address in New York, there is a good chance that security has been compromised. The solution will be able to notify the administrator via a security threats dashboard about the incident and even automatically perform a restrictive security measure straight away – based on your settings. Moreover, similar data sets can be used to enable geo-fencing – allowing certain actions only in certain areas and respond to the user’s actions in real-time.
To confirm that our mobile app is secure and that there aren’t any hidden threats, we are going to provide the source code of our application to an independent security authority for audit and certification. The application has already been revised for security concerns by a 3rd party, but an additional validation by another certified authority is always welcome, so we can provide further proof of Resco Mobile CRM’s top-notch security.