Why mobile ERP security must differ from standard security practices

Large-scale data communications processes have come a long way from PROFFS, and 80s ‘Distributed Computing.’ Today, nearly everyone operates some kind of mobile ‘smart device’; whether it’s a laptop, tablet, or hybridized voice system; and each of those components harbor their own levels of ‘smartness.’

These advantages have been further enhanced by ‘baked-in’ utilities within mobile networks, supported by extended switching/gateway systems; that actively direct, and manage communications from point-to-multipoint. While these technologies are amazingly efficient, there’s an elephant in the utopian room, since today’s systems are both promoted, and limited, by people who design and operate them.

This relates to concerns associated with mobile ERP security, since it is generally accepted that the majority of today’s threat vectors are not usually driven by failures of hardware or software, but wetware. Consequently, the question becomes ‘what tools are available to help mobile ERP operators protect themselves from their own weaknesses?’

Back to basics

To clearly fathom this question, you first have to start at the beginning, or in more direct terms, how do mobile devices operate in the first place? Well, in simplest terms, there are three primary tiers associated with a mobility process.

Find the right software for your company with our comprehensive ERP vendor directory

Assuming an outbound activity as an example, in the case of a smartphone connected to a receiving ERP module, the mobile user first generates a data-stream, sometimes referred to as a bit stream; this is tier 1.

The data complex is then pushed across a transmission infrastructure using either Cell, or WiFi protocols; in parallel with a series of Switched/Gateway components; this is tier 2.

From there, the stream is ultimately directed to what can be referred to as ‘home base’, where the steam is received by the final tier, i.e. the ERP module, and acted upon accordingly.

Threat levels across different tiers

Now, here’s the rub. With the exception of tier 2, where some kind of active monitoring is typically implicit; at an enterprise level, tiers 1 and 3 are usually un-manned, or only periodically monitored, when it comes to data security. As a result, these tiers are rife with security threats, as exhibited repeatedly during the near-past.

It should be said, that this assertion is not a criticism, so much as it is a cautionary admonition. People are people, and growth of the Internet of Things (IoT) as a core principle has exacerbated this kind of problem exponentially. Nevertheless, at the enterprise level, there are some things that you can do reduce the chance of a data breach created by your own mobile ERP complex.

However, I want to offer a clear caveat before we look at the shortlist. The most ‘effective’ way to identify threats is to focus on yourself and your people first. Statistically speaking, mobile threat vectors nearly always involve some kind of ‘man in the loop’ event, whether it relates to poor password/policy control, a failure to safeguard data at the individual device level, or simply being in the wrong time at the wrong place, while executing some wireless, data-centric, transaction in public.

Useful resources

The hard truth is that there’s no such thing as a ‘completely safe’ system infrastructure. But on the other hand, just because you’re likely to become more paranoid after reading this, it also doesn’t mean that the bad guy’s aren’t actually trying to hack your data either. Trust me; they’re out there, so pay attention, and be smart.     

Here’s a couple of mobile security and test tools. They’re ‘Plain Jane’; meaning that you can not only test your mobile ERP systems but you can extend your investigations to the enterprise-infrastructure level as well.  

• OWASP Mobile Security Project: According to OWASP.org; “The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.”
• Android Debug Bridge (ADB): According to Android, the ADB is a “…versatile command-line tool that lets you communicate with a device (an emulator or a connected Android device). The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”