This post also appeared on LinkedIn.
Enterprises are embracing mobile and cloud technology benefits in order to foster company-wide digital transformation. But with this movement comes a new set of issues: how do you cost-effectively push core business processes and applications to a mobile and remote workforce without compromising security?
CIOs at banking, financial services, and insurance (BFSI) companies increasingly manage large projects that extend primary business functions such as core banking systems (CBS) and insurance policy admin systems (PAS) to mobile workers through app extensions. The “APPification” of these core banking functions aims to provide field employees with a simple, speedy, and secure method of helping customers make decisions and engage in services remotely.
But do they? Already-taxed dev teams must now create, manage, and maintain multiple systems instead of just one. Is the APPification of core services helping or hindering business objectives?
Users need mobile access
Most banks and insurers have employees in the field selling retail products such as loans, credit cards, and insurance policies to new customers, or assisting current customers with new product options or opportunities. To provide and collect the best information for quotes, policies, coverage details, terms and conditions, and other data, field staff need access to core banking and insurance systems.
Establishing and maintaining secure remote connections to core business applications is a major headache for enterprise security teams: remote connections not only require extra security infrastructure, but also require that employees actually follow the security policies. Virtual private networks (VPNs) are one option. But VPNs require user traffic to cross a stack of appliances such as load balancers, DDoS mitigation devices, firewalls, and VPN concentrators—each adding latency to the transaction. Field reps, seeking faster connectivity, could “go rogue” and bypass VPN controls, which could open the corporate network to bad actors.
One solution to the remote access challenge is creating mobile apps for loan origination and policy quote engines, packaging them inside a mobile device management (MDM) container, and using real-time web services or APIs that connect to core systems. But “APPification” creates new headaches for IT leads.
Apps: tighter security, but higher price
While appification may solve immediate end-user access problems, using mobile apps to extend existing CBS or PAS services can lead to complications:
- Increased development overhead: Creating a set of mobile apps, often for both the Android and iOS platforms, can be taxing for development teams. Ensuring compatibility and service quality across different OS versions, device screen sizes, and new mobile device models can be a nightmare for your dev teams.
- Frequent change requests: New workflows must be designed, maintained, tested, and rolled out for processing app change requests.
- Higher demand for end-user support: Supporting apps across multiple devices and platforms can become a full-time endeavor. Often, additional monitoring tools are needed to detect app crashes or performance issues.
- Lack of development resources: Developing mobile apps is a competence in and of itself, and quite distinct from the skill sets needed to develop core apps. Enterprise IT is often short of good mobile app design and development talent. Often mobile-app development gets outsourced to vendors, which increases IT spend, adds third-party vendor management responsibilities, and introduces new security issues.
- Poor field adoption and ROI: If the mobile-app user experience is bad, user adoption will lag. Mobile-app user workflows must be simple and easy to learn. If mobile applications aren’t used, the efforts and resources spent developing them are wasted. And alternative access could compromise enterprise network security by extending the corporate-network threat surface.
A better way
So the key question is not “how do we build better mobile apps?” Instead, IT leads must ask “Are mobile apps worth the effort?” and “Is there a better way to give field staff secure access to core business processes?” The answer to both is “yes.”
Ubiquitous mobile broadband access, increasing cellular speeds over LTE (now moving to 5G), and public Wi-Fi hotspots facilitate remote work from anywhere (like customers’ homes, hotels, or coffee shops). Allowing employees access to CBS and PAS applications from the field with the same ease as access from HQ or a branch office means there is no need for mobile-app extensions.
However, legacy connectivity models can impede progress. VPNs—intended to secure workers—can introduce lag: More employees contend for limited bandwidth to connect to the corporate data center while data is backhauled via bottlenecked security gateways. Worse, hardware security costs can skyrocket with the need to scale up remote access. The “castle-and-moat” security model isn’t built for the way enterprise business networks are evolving, with thousands of remote workers trying to access applications that are increasingly moving from private data centers into public clouds.
Zero trust architectures are a better way
Inline, cloud-based security services can connect users to applications seamlessly, with every security control enforced in the traffic path. A zero trust architecture typically employs a cloud-security model to support its fundamental principles: a default-deny posture and follow-the-user policy controls. In this way, zero trust extends security protection to mobile devices so that field staff can access core applications with the same level of security controls as HQ-based workers.
Gartner says that by 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of zero trust architectures.
A zero trust architecture cloud service allows:
- Close proximity to users wherever they are: Effective remote access requires a global, cloud-delivered, edge-computing service with points of presence close to all users.
- Continually-secured access: Users should never be placed “on the network,” and instead connect only to applications as allowed by configured business policies. (Contrast that with VPN access which tenuously extends the corporate network beyond the limits of its effective control.)
- Authentication based on users and applications: Users and devices are authenticated first before access to an application is provided (unlike VPN, where users get access to the network first).
- Direct access to applications: Users go directly to applications, wherever they reside: in data centers, in the public clouds, etc. Zero trust takes the fastest path between the user’s location and the application’s hosting location without backhauling through the corporate security stack, thereby considerably improving application performance and user experience.
- Users access only the applications they need: Authenticating users and granting access to applications based on set policies means that those users only have access to what they need, not the whole network. (This reduces “east/west” exposure: in the old model, once a threat actor breaches the network, the threat actor can move laterally within the perimeter.)
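The list above describes the access decision in words; the following is an added toy policy evaluator (example code written for this post, not part of the original or of any vendor’s product) that models those principles with constructed users, devices, applications and policies. It checks user authentication and device binding before any application is considered, denies anything not explicitly published, and contrasts the result with a VPN-style model where one network-level login makes every application on the segment routable.

```python
"""Toy zero trust access evaluator. All identities, devices, applications
and policies below are constructed sample data for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    app: str


# Constructed identity data: authenticated users and the managed device
# each one is bound to. A device used by a different user is rejected.
AUTHENTICATED_USERS = {"field_rep_1", "underwriter_2"}
MANAGED_DEVICES = {"tablet-001": "field_rep_1", "laptop-002": "underwriter_2"}

# Constructed per-application policy: app -> users entitled to reach it.
# Anything not listed is denied (default-deny); there is no "network" grant.
APP_POLICY = {
    "loan-origination": {"field_rep_1"},
    "policy-quote-engine": {"field_rep_1", "underwriter_2"},
    "core-banking-admin": set(),  # published, but no remote user is entitled
}


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the default is deny."""
    if req.user not in AUTHENTICATED_USERS:
        return False, "user not authenticated"
    if MANAGED_DEVICES.get(req.device_id) != req.user:
        return False, "device not managed or not bound to this user"
    entitled = APP_POLICY.get(req.app)
    if entitled is None:
        return False, "application not published in any policy"
    if req.user not in entitled:
        return False, "user not entitled to this application"
    return True, "brokered connection to this application only"


def zero_trust_reachable(user: str, device_id: str) -> set[str]:
    """What this user/device pair can reach: only policy-listed applications."""
    return {app for app in APP_POLICY if evaluate(Request(user, device_id, app))[0]}


# Legacy model kept for contrast: after one network-level login, every
# application on the segment is routable regardless of entitlement.
NETWORK_SEGMENT = set(APP_POLICY)


def vpn_reachable(user: str) -> set[str]:
    return set(NETWORK_SEGMENT) if user in AUTHENTICATED_USERS else set()
```

Comparing `zero_trust_reachable("underwriter_2", "laptop-002")` with `vpn_reachable("underwriter_2")` shows the east/west difference: one application versus the whole segment.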
Zero trust services also provide cost avoidance for enterprises:
- Less security infrastructure: With zero trust, companies can scale back and reduce spending on the security appliance stack for managing inbound data center traffic from remote users. This includes VPN gateways, load balancers, and DDoS services.
- Less spending for mobile app development: Allowing access to core business apps eliminates the need for developing duplicate mobile application equivalents. It frees up resources or budgets that would be dedicated to creating, rolling out, managing, and maintaining mobile apps.
Secure zero trust access to core business applications eliminates “APPification”
With a zero trust architecture, enterprises with large numbers of remote employees using core business applications can optimize that access with better security and performance. They leverage the power of digital transformation by using the internet to access applications both in data centers and in the cloud, without exposing corporate network information to bad actors looking for breach opportunities.
Zero trust architectures create:
- Access that is adaptive and identity-aware
- Access to applications anywhere, anytime, by any authorized user
- “Virtual perimeters” around user, device, and application so that company asset security is assured
Zero trust architectures provide secure connections between remote field employees and the applications they need, removing the need for costly security stacks protecting core business apps, VPNs, or any efforts to “APPify” crucial business processes.