We traditionally think of Mobile Backend as a Service (MBaaS) as a public cloud service where mobile app developers tap into backend resources like databases and reusable code for common application features. I recently spoke with Burley Kawasaki, senior vice president, platform for Kony, a leading MBaaS platform provider about the more hybrid and secure future we will see for MBaaS that will support more stringent security requirements brought by compliance programs including the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS) and other industry demands.

Hybrid MBaaS: The second wave

“Well, I think one of the other things, from an MBaaS perspective, you’re seeing is that hybrid MBaaS are becoming very common,” Kawasaki said. “A lot of the early wave MBaaS were purely public early adopters refined that. I think as MBaaS becomes more mainstream a lot of the more conservative financial institutions or healthcare institutions they’re going to want to have some data that they always have down behind their firewall for a number of reasons.”

“Our MBaaS deployment is nearly always hybrid. It’s not technically security, but it is related to security of certain types of data, certain types of mobile applications. You want that control of where you put it,” Kawasaki said. “The things that need to be secured, and a lot of times it’s very limited data in certain key back-end systems, we’re seeing that they’ll deploy a small instance of MobileFabric close to the data for security, but then when they want to take advantage of some of the richer cloud-based services maybe it’s pulling in other analytics. It’ll pulling in social and other SaaS data already in the cloud. People are a little bit more open minded.”

Kawasaki’s look forward into the evolution of MBaaS fits the natural evolution we are seeing across other platforms powering enterprise mobility and Bring Your Own Device (BYOD).

“I’ll use an analogy that will date me a little bit, bear with me, you think about the expansion of first there were app servers as the backend of the web,” he said. “There were app servers and you saw these portal servers, and you saw integration servers, and you saw content management servers. Then what happened was they all sort of consolidated and a lot of this was IBM and Oracle. They rolled these up into these middleware suites, but they were all still really built and architected around the web, as sort of the platform.”

Richer mobile middleware

“I think we’re going through the same shift with a new generation of middleware that’s really targeting these mobile and edge devices,” he said. “There’s different styles of architecture that you need that I believe, and there’s Kony’s bias, but we believe that you can’t stick your legacy WebSphere or WebLogic, middleware and slap mobile on it. You have to re-architect it differently.”

Kawasaki said, “I think what we’re seeing is the equivalent in that all these separate distinct applications that are consolidating into this new breed of middleware, that’s part of why we picked the name MobileFabric for ours was we see a lot of these things being stitched together into a connected middle tier that then you can build your applications against.”

“Our point of view is that it’s going to continue to evolve as the mobile middleware starts to get richer and richer,” Kawasaki said. “I think it will start to get bigger from a functional capability standpoint.”

MBaaS and improved mobile app security

Part of my recent writing and research around what I see as the upcoming DIY mobile app war showed me that security was a definite area of improvement for many of the solutions I found. Kawasaki pointed out to me some upcoming security improvements we can expect to see in MBaaS platforms.

“A lot of the MBaaS players started off with basic security being able to secure the application in the back-end that you were building,” Kawasaki said. “It is no longer differentiated at that level. What we’re seeing is that, especially as these get more into enterprise scenarios, the mapping of credentials into a very heterogeneous range of back-ends, most enterprises have their own existing identity mechanisms.”

Kony’s MobileFabric solution federates different identity providers in a single token to accommodate customers standardized on Active Directory (AD), application-based identity, or even a home built ID solution.

“The mobile device doesn’t know anything about how many different back-end identities you have,” he said. “It’s doing all the mapping of the user token, as well as then it handle the role permissions as well, it’s doing the authorization and authentication. It’s all token-based so that at no time do you ever pass any of your secure identity information back and forth to the mobile device.”

Kawasaki also sees the potential of MBaaS and mobile app management (MAM) converging. People want to add very intelligent app policy according to Kawasaki. He gives the use case of a sales app with sensitive information and you want to add access to different categories of users.

“Maybe my standard sales reps when they open the app they can see sales pipeline data for their region, but you start giving access to sales VP, or to the CFO, or to other user groups, turn on or off features in the application normally you’d have to put a lot of application logic into your app, so you get convoluted, or you might have to have different apps, one for each different audience,” he said. This story comes from a Kony customer that uses their Mobile Fabric solution for controlling dynamically app behavior via policy. It’s an intriguing alternative to standard mobile app management (MAM) solutions.

“It’s not a developer change, but it’s linking the application one-time behavior with the IT admin or security control policy,” Kawasaki said. “That’s all at an application level. It’s not that you have to enroll your device or it’s not an MDM heavyweight type of solution.”

“You can have particular apps that you can turn them on or off-based on I’m in the office turn it on so that I’ve got greater access or if I’m entering into a branch enable certain features or not based on who I am and the kind of work that I do,” he said.

Final thoughts

A more secure and hybrid MBaaS future is already happening as I write this article. I could see this more secure and hybrid future giving MBaaS a decided edge in the DIY mobile app war because the platform can find a home in industries where app security is a must have requirement.

See also: