
A press release in the first week of March described a new solution for embedding QR codes in invoices, billing statements and letters in order to facilitate the collection of consumer payments via smartphone. A week later, a vendor announced the imminent availability of an app that allows a smartphone user to utilize his or her device's built-in camera like the scanner on the multi-function printer back in the office.

Is either of these concepts new? No, not really. However, the proximity of their announcements — and the relatively few eyebrows they raised — clearly indicates just how mainstream mobile capture is becoming and just how important it is to think about security in this new context.

In mobile terms, capture security comes in three basic flavors: of the device, of the network and information infrastructure and of the content itself. Let's take these one at a time.

Securing the device begins with ensuring that only the person who is supposed to be using that device actually gets to do so. Smartphones and tablets today regularly include the means to enter a password in order to gain access; sometimes these passwords are numeric, but they can also be based on swiping a finger across the screen in a particular predefined pattern. In the not-so-distant future, it is likely that we will see voice and facial recognition come into play as the built-in capabilities of smart devices are leveraged in this new way.

These same techniques are also applicable to the next step in the process, which involves permitting the user — who is now able to use the device — to access the organization's network and the information systems that lie beyond. This frequently involves logging into the VPN and often raises the specter of single sign-on, which allows a user to authenticate once and gain access to everything he or she may need without entering any additional passwords. This is fairly routine, especially for users who work internally, but it raises real risks in the mobile context, because any evil-doer who manages to gain access to the device may suddenly get free access to everything on the other end of the connection as well. So there definitely is a balance to be struck here, and it is probably different from the one struck in a non-mobile environment.

The last line of defense, and potentially the ultimate mitigator of the risk just articulated, is authorization, which grants the user permission to use the services available via the information infrastructure. Gaining access to your network is one thing, but gaining access to your information is quite another. Here we enter the more traditional realm of content, records and information management, where access control, digital rights management and other policy-based techniques are, or should be, de rigueur.

If all of this sounds relatively straightforward, that's because it generally is. However, there are a couple of wrinkles that are endemic to mobile capture that may not arise in traditional tethered situations.

For one thing, mobile devices tend to be smaller than even the smallest of PCs, so they are more prone to being lost, stolen or even put through the wash than their computing cousins. This isn't to say that netbooks and notebooks never develop legs and walk off, but smartphones, designed to fit in pockets and purses, and tablets have so low a profile that they can easily be buried in a pile of file folders. As an information professional, therefore, you must take steps to encourage employees to report loss or theft, to enable locating missing devices via their built-in GPS capabilities, and/or to lock automatically or remotely, or even destroy, the content on devices that have wandered away.

Another significant point of potential failure is that the initial connection is made over a network you do not control, i.e., the one operated by your cellular carrier of choice. This doesn't mean there are no workarounds — encrypting the connection with SSL is one simple solution — but it does mean you need to think about and enable your solution before you embark down the mobile capture path.

At the end of the day, mobile capture is nothing but a new way to accomplish "regular" capture, using a new-fangled device in the field at the front end in precisely the same way we use the old-fangled scanner at the front end in the office. From this perspective, it is simply the next step in a logical evolution that has already taken us through networked multi-function devices as the latest-and-greatest innovation. Yet the very fact that these new devices were designed to be used out of the office brings important security differences to the fore, and you need to consider them every time a new-style application is introduced.
STEVE WEISSMAN provides expert guidance and professional training in content, process and information management. President of the AIIM New England Chapter, he is principal consultant at Holly Group, where he advises, teaches, writes and speaks regularly on project planning, vendor selection, user adoption and obtaining maximum total value from information technology. For more, email sweissman@hollygroup.com.