Apps on a Plane concept nothing new, and potentially insecure

Back in the day when I was covering enterprise applications for Network Computing I routinely talked to and evaluated CRM (Customer Relationship Management) software.

SAP. Siebel. Oracle. Microsoft. Entellium. Salesforce. NetSuite. SugarCRM. Installed. Hosted. SaaS.

If it was a CRM system, I've probably either evaluated it or heard about it. Nuff said.

Now, one of the issues with CRM systems is that they are often used by the sales force to track prospects, right? So a mobile sales force needs to take certain data sets on the road with them for use when the Internet is not available. This not only happens on planes, but in corporate environments mindful of security issues with allowing outsiders access to their network. We used to call this phenomenon "occasionally connected" computing.

Now comes CRM 2.0. That's essentially CRM that makes use of Web 2.0 technology, something that in reality these companies have been doing for quite some time; they just marketed the functionality under cute marketing names instead.

Etelos Systems is touting its technology as "Apps on a Plane", playing to the popularity of Samuel L. Jackson's Snakes on a Plane, to get its messaging out to potential customers. The big deal with Etelos is its ability to cache its own applications when disconnected (on a plane) and synchronize with the back-end server when a connection is available. The Web 2.0 startup recently released its own CRM system specifically targeting Google applications. (Interesting. Google and Salesforce. AppExchange. GoogleApps. Hmm...)

Apps on a Plane is a program that you install locally on your machine. Using a configuration file and an initial synchronization with the server, it retrieves the relevant information and settings needed to work offline and to sync when you are back online. Put simply, your computer becomes a temporary server for the Etelos Application that you are running.

I happened to see Etelos at the Web 2.0 Expo last week, and perhaps I'm jaded by too many years in technology, but I don't see a huge leap forward in technology here. CRM vendors have been offering this type of technology for years now, taking advantage of desktop versions of Oracle, Microsoft SQL Server, and IBM DB2 databases to provide a complete occasionally connected application experience. They just weren't coupling it with inherently insecure Web 2.0 technology.

So let's look at the statement "your computer becomes a temporary server for the Etelos Application that you are running" from a security perspective.

Aha! It certainly sounds like a locally installed version of their application server is installed on the client and the application simply points to it instead of the "real" one while you are offline. From a security perspective, this scares the crap out of me. There's likely a database in the equation here, just as there are with legacy CRM systems, and that has always had an element of insecurity to it. At least in a SaaS environment the data is secured at a remote location, and isn't hanging around on the desktop asking to be stolen like a Ben Franklin dangling from the back pocket of a six year old.

The ability of a user to synchronize data is controllable by an easy-to-use interface. The administrator can create maps that determine the data that employees are able to synchronize. This keeps multiple users from updating the same data and also keeps sensitive information secure.

Okay, but how does it keep it secure? Secure from what? Don't worry, Etelos answers your security-minded questions.

This technology is very promising for the enterprise that wants to keep their data secure. The central administration controls who is allowed to sync and what data they have access to. Therefore, as employees leave, you can make sure they don't take the data with them. Additionally, you can configure file structure as read only adding in another layer of security.

Very promising? Configuring read-only security on file structures? The operative word there is "read", isn't it? If the laptop is stolen...well, read-only access isn't going to stop someone from gaining access to that sensitive data. And let's not even discuss the distribution of a temporary server without the benefit of the security infrastructure typically in place within the data center that keeps malicious code from compromising data. Where's the firewall? The Web Application Firewall? The access controls? The data integrity filters? What kind of access control is placed on this temporary server? Are the ports open to the world? How are you preventing the introduction of compromised data? What about the database extrusion system? The IPS? The IDS? What about the integration with the corporate identity store? Are you replicating that locally as well?

Remember, 70% of all breaches occur from the inside of an organization, not the outside, and you've just put not only the application, but its server, in the hands of someone who might not be as trustworthy as you'd like. "Inside" isn't referring to a location in this case; it's describing a relationship to the organization.

Someone needs to take a deeper look at this very promising technology in terms of security before it's deployed. Moving an application server from the server to the client and out of a secured infrastructure is a risk, and one that may be more trouble than disconnected computing is truly worth.

I'm just not comfortable with "very promising" when it comes to the security of my data. Not as a technologist, and certainly not as a potential customer.

Imbibing: Coffee