As more and more businesses embrace consumerisation, allowing employees to access business apps on their mobile devices, CIOs are beginning to think about the best infrastructure to deliver these apps. Although some mobile apps reside on the device, they tend to have limited functionality, and there are obvious difficulties with allowing users to store data on personal devices.

An increasingly popular alternative is to use cloud-based mobile apps: user’s access the apps via a web browser on their mobile phone or tablet, but processing and data storage are carried out on the cloud. The analyst firm Juniper Research has predicted that the market for cloud-based mobile applications and services will hit $9.5 billion by 2014, and that most of the revenue will come from enterprise apps.

For enterprises, there are several advantages to moving to a cloud-based infrastructure for mobile apps. One is that users have access to more sophisticated and powerful applications, including ones that allow them to collaborate, because they are run in the cloud, not on the device. Secondly, the use of a web interface makes it easier to deliver the same app on different platforms. (This is particularly true since the advent of HTML 5, which has simplified cross-platform development.) Finally, it gives enterprises greater control over how data is accessed and used.

Creating a private mobile cloud has technical challenges, however, particularly in terms of making sure that data held in the cloud is kept secure. Employees who have become accustomed to accessing applications for personal use from their mobile devices expect to be able to access corporate applications with the same ease. The balance that CIOs have to achieve is to make access as secure as possible with the minimum of inconvenience to users. As David Bradshaw, a research manager for analyst IDC said: “You can never be sure data is completely secure – it’s a matter of taking proportionate measures to secure the data is to you or how valuable it might be to somebody else.”

Kate Craig-Wood, CEO of cloud provider Memset and a spokesperson for BCS, the Chartered Institute for IT, recommends that CIOs should “keep it simple”. Memset runs all its business management systems over the web, and users can access them from any browser. “You don't need complex VPNs,” she said. “They are invariably a pain and actually your office network is probably vastly less secure than your data centre or cloud provider.” Instead, she says, organisations are better off using HTTPS over the public internet, as its encryption levels are more than adequate for almost all business purposes. “You should be using at least 128-bit encryption and get your SSL certificate from a trusted provider – the only weakness is in some rogue providers issuing flawed certificates,” she added.

While this ensures that data is secure while being transferred over the public network, there is still a risk that data accessed in the cloud may be stored on the device so that users can work on it offline, immediately putting the data at risk.

Some CIOs will want to consider adopting mobile device management (MDM) so that secure virtual areas can be created on the device, allowing corporate data to be kept separate from personal data and encrypted. Not all devices allow local encryption, but MDM can also be used to wipe data remotely once a device is reported lost or stolen. In the case of email, it is possible to use PGP encryption for sensitive emails, so that the messages themselves are encrypted.

Even if the data is never stored locally, however, a device that is lost or stolen could be used to gain access to corporate data. The most obvious way to deal with this is to make sure that mobile phones and tablets are used only to access applications that do not contain sensitive data. It is worth making a rigorous classification of corporate data from most sensitive (financial data, for example) to least sensitive (personal calendar information, perhaps) and restricting access accordingly.

It is also possible to make sure that users can only access a few records at a time. This is a useful strategy, even if data is only ever accessed from desktop PCs. “The greatest threat to corporate security is people copying things to CDs and flash sticks,” says Craig-Wood. Designing interfaces so that no-one can “scrape” the entire database offers a powerful security advantage. Craig-Wood argues that restricting access to data in this way is more effective than using MDM, which users will often try to circumvent.

Alternatively, organisations can make sure that there is strong security on the device, so that users have to use two-factor authentication to gain access to corporate applications. This can be complex to provide across multiple devices, is time-consuming for users and can potentially cause work for the help desk, but it may be necessary if users are allowed access to sensitive data.

A related concern, says Peter Bevan, market development manager for Intel, is “making sure you can track where data is and the integrity of that data.” Data downloaded to a mobile device can be altered, but if it isn’t then uploaded back to the cloud, it can create a discrepancy. Making sure that users understand the need to sync back to the cloud should be part of the enterprise’s mobile usage policy. Craig-Wood also recommends that every action carried out on corporate data should automatically be tracked and logged, and attributed to the member of staff making the change or accessing the records.

Finally, when moving to a mobile cloud, CIOs will need to consider the issue of network availability ­– mobile networks are notoriously unreliable. Multiple users accessing the same data will also put a strain on network resources. This will be partly addressed by HTML 5, which has local caching, so that users can carry on working when the network connection drops. The availability of 4G LTE compatible devices will improve bandwidth availability and, as mobile cloud becomes more popular, telecom operators moving into the space will provide better broadband speeds and guaranteed uptime.

Although there are both management and technical challenges of moving to a mobile cloud architecture, they are not insurmountable, and careful consideration of issues such as how to protect sensitive data will mitigate many of the risks.