The increasingly frequent use of mobile devices, and the use of private mobile devices in the professional environment (BYOD, “Bring Your Own Device”), is a challenge to the security mechanisms governing the use of such devices. Today's IT security mechanisms are usually platform-, device-, user- or application-oriented. IT platforms are usually centrally managed and their operating systems hardened. Security criteria of applications are usually defined by the provider; for web applications, for example, access is implemented as simple (HTTP) or secure (HTTPS), and the maximum encryption used is set via the browser or the service. User access to IT applications is usually set up via a user account or domain name registration and, where a PKI infrastructure or domain controllers exist, also via a single sign-on mechanism if appropriate. That is to say, in a managed environment security can largely be implemented. With mobile applications the problem arises that users can intentionally bypass security mechanisms to overcome the hurdles associated with them. Using an application or retrieving information on the mobile device is often given priority over the security aspect. It would be desirable to achieve security for such uses comparable to that in managed environments.
It is well known that security solutions based on authentication and authorization of the user or device and on encryption technology are being developed. Secure access can be granted to the legitimate user for a certain period of time (e.g. an operating system login or the duration of an application session). In a specific case, the user is often not aware whether IT applications and information are being used in a secure or an insecure mode.
So-called security assessment checklists are intended to contribute to secure IT systems, and in particular to secure mobile access to these systems, according to the current state of security technology. Absolute security cannot be achieved; instead, a trade-off has to be made between the effort it will take to attack the security of a system and the probable cost and degree of damage to be assumed. Certain security requirements also arise from legal procedures or rules.