IT’s job is straightforward – or so you’d think. That is, it’s simple until the wider business takes IT matters into its own hands.
It is often at this point where problems and opportunities co-exist. Both the business and the IT department strive to increase productivity, yet the tug-of-war between them often introduces more complexity and challenges for both teams.
Rogue projects launched by business teams, rather than the IT department – known as ‘shadow IT’ – are a growing trend. Increasingly these projects involve mobile app development, and they cause headaches for IT management even as businesses seek to boost their own productivity.
Often, IT teams and business teams both have compelling arguments to support application development from their own perspectives. But what steps can IT teams take to ensure that businesses select the right mobile development tools to enable them to build mobile applications with an IT-aligned, lifecycle-driven development approach?
It starts with empathy
First, both teams need to develop a better appreciation of the challenges either party is responsible for. This can help them find common areas of understanding, so that the solutions developed will satisfy both teams and support their productivity.
From an IT perspective, shadow IT projects often create new services without understanding the data that they are exposing, or whether they are doing so securely. And while these projects may use data securely when they’re running within the enterprise, mobility presents new challenges. Too often, business line developers fail to appreciate that data on a mobile device is likely to leave the enterprise, creating significant security risks. And it’s not just the data on the device that’s at risk. These ‘shadow apps’ might also expose insecure APIs or create redundant APIs that increase the organisation’s overall threat surface.
In addition, businesses usually employ third parties to develop apps without thinking about the apps’ lifecycles. When they deploy a new API into their network, who is going to track its lifecycle or that of the application itself? If an app cannot be mapped back to a set of APIs, there is a significant chance the APIs could be sunset and become unusable. Worse, the APIs may never be sunset, leaving a ghost point for hackers to attack.
Furthermore, how is the business testing security across its target platforms? Mobile apps and mobile platforms have different security models with different attack vectors. Testing security from the API to the device is important, but testing the client app on the device is also critical and is something shadow IT projects frequently neglect.
For their part, IT teams need to consider that the most often-cited reason why business teams take app development into their own hands is that they perceive traditional IT as slow, expensive and ineffective. This is a perception that IT can and must change, by building the right APIs and selecting the right mobile backend as a service (MBaaS) tool for the task.
The right API for the job
IT needs to deploy lightweight mobile APIs. It needs to track who is using these APIs and promote the reuse of common mobile services across the enterprise’s mobile environment. This is typically where MBaaS can provide a strong foundation for the security and control desired by IT, while meeting the needs of the business to deliver new mobile functionality quickly.
The right tool for the job
Typically, an MBaaS architecture should comprise a number of elements which meet business and IT needs. These include:
- API Management. This provides the ability to easily create new APIs and then test them, version them, publish them to target environments, and track which applications are using them. From a security perspective, API management provides a common framework for exposing your APIs to a variety of clients, and it also enables enterprise governance over who is using an API, where it is exposed, and how it is deployed.
- Identity Management. Today’s apps may leverage internal identities using LDAP, Active Directory or SAML, while also ingesting external identities such as Facebook, Google or LinkedIn. MBaaS solutions help alleviate the confusion of managing multiple identities within an application, reducing the risk of exposing internal security tokens to external clients. Managing identities within the MBaaS also allows IT to change identity providers without having to recompile the application.
- Mobile service standardisation. Lack of standardisation of mobile app services such as messaging, synchronisation and identity creates an undue burden on IT to manage security for multiple platforms. Standardising services through an MBaaS solution allows developers to familiarise themselves with a single approach, increasing their agility while simultaneously making the environment easier to secure.
- App performance monitoring. A good MBaaS architecture should provide a central means to monitor app performance, detect client crashes, and review service usage by apps and devices.
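The lifecycle problem described earlier (APIs that cannot be mapped back to an app and so are either sunset under a live application or never sunset at all) is, in practice, a reconciliation exercise between the API management inventory and an application registry. The script below is an added illustration, not code from Kony or from this article; the gateway inventory, the application registry and every API and app name in it are constructed for the example.

```python
"""Constructed example: reconcile an API gateway inventory against an
application registry so that orphaned APIs (exposed but unowned) and broken
app dependencies (apps calling sunset or unknown APIs) surface before they
become an incident. All names and data are invented for illustration."""

from typing import Dict, List, Set

# Constructed gateway inventory: API name -> lifecycle state the gateway reports.
GATEWAY_INVENTORY: Dict[str, str] = {
    "orders/v1": "active",
    "orders/v2": "active",
    "customer-lookup/v1": "active",
    "legacy-export/v1": "active",   # exposed, but no registered consumer
    "inventory/v1": "sunset",       # retired, yet an app still depends on it
}

# Constructed application registry: app name -> APIs it declares it depends on.
APP_REGISTRY: Dict[str, List[str]] = {
    "field-sales-mobile": ["orders/v2", "customer-lookup/v1"],
    "warehouse-scanner": ["inventory/v1", "orders/v1"],
    "partner-portal": ["orders/v2", "pricing/v1"],  # pricing/v1 is unknown to the gateway
}


def consumers_by_api(registry: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Invert the registry so each API maps to the set of apps that use it."""
    consumers: Dict[str, Set[str]] = {}
    for app, apis in registry.items():
        for api in apis:
            consumers.setdefault(api, set()).add(app)
    return consumers


def find_orphan_apis(gateway: Dict[str, str], registry: Dict[str, List[str]]) -> List[str]:
    """Active APIs with no registered consumer: either a sunset candidate or an
    endpoint nobody owns, monitors or patches."""
    consumers = consumers_by_api(registry)
    return sorted(api for api, state in gateway.items()
                  if state == "active" and api not in consumers)


def find_broken_dependencies(gateway: Dict[str, str],
                             registry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apps that depend on an API the gateway reports as sunset or does not know."""
    broken: Dict[str, List[str]] = {}
    for app, apis in registry.items():
        bad = [api for api in apis if gateway.get(api, "missing") != "active"]
        if bad:
            broken[app] = sorted(bad)
    return broken


def lifecycle_report(gateway: Dict[str, str], registry: Dict[str, List[str]]) -> Dict[str, object]:
    """Combine both checks into one report suitable for a scheduled review job."""
    return {
        "orphan_apis": find_orphan_apis(gateway, registry),
        "broken_apps": find_broken_dependencies(gateway, registry),
    }


if __name__ == "__main__":
    report = lifecycle_report(GATEWAY_INVENTORY, APP_REGISTRY)
    for api in report["orphan_apis"]:
        print(f"ORPHAN  {api}: active in gateway, no registered consumer")
    for app, apis in report["broken_apps"].items():
        print(f"BROKEN  {app}: depends on {', '.join(apis)}")
```

Run as a scheduled job against the real inventory and registry exports, the two lists are what the article asks IT to track: orphan APIs are the endpoints that would otherwise never be sunset, and broken apps are the ones that would silently fail when an API is retired without a consumer map.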
The tug-of-war between business and IT will never go away. Businesses and the people within them will evolve and continually challenge the status quo.
The challenge for IT and business teams is to work together to identify ways of delivering technology, applications, and solutions that provide the productivity gains modern enterprises need.
Matt Trevathan, Director of Platform Product Management and Lab Innovation, Kony