It wasn't that long ago when enterprises bought mobile devices, loaded them with software and security tools, and handed them out dutifully to company employees. Then along came a tidal wave of change known as the "consumerization of IT" to uptight business types and as bring-your-own-device (BYOD) to the more casual, younger worker set.
No matter the preferred moniker, the challenge remains the same: how to manage mobile devices to keep the enterprise secure when the enterprise has no say in the choice or use of personal devices.
The answer has proved elusive to more than a few companies.
"Consumer products are evolving into viable business tools, but the majority of companies do not have a proper strategy in place to manage these devices, which opens them up to serious security risks," warned Diane Hagglund, senior research analyst for Dimensional Research.
Hagglund is the author of a recent survey commissioned by Dell KACE on the state of consumerization. Almost 90 percent of respondents to that survey said their employees are using their own gadgets on work networks, but 62 percent of IT managers feel they lack the necessary tools to properly manage these devices and keep their networks safe.
The rest of the survey results were no more reassuring:
- 88 percent of survey respondents want to have a policy in place regarding personal devices;
- 82 percent are concerned about the use of personal devices for work purposes;
- 64 percent are not confident that they know of all personal devices being used for work purposes;
- 60 percent reported a greater demand for support of Mac OS X since the introduction of the Apple iPad and iPhone;
- 59 percent reported that personal devices have created the need for organizations to support multiple operating systems; and
- 32 percent admit that employees use unauthorized personal devices and applications to connect to their network.
Fortunately, a number of new tactics have emerged to give hope to frustrated IT workers stuck with the task of managing the heretofore unmanageable.
The network over device tactic
In this security tactic, it is the data rather than the device that is protected. The thinking goes that if nothing is stored on the endpoint device, then nothing is at risk when the device is lost, stolen or compromised -- as long as the network and the applications behind it successfully block unauthorized access.
"Enforcing policy pertaining to access to key applications and data via software as a service models or Web services, without local storage of the data, goes a long way toward mitigating the impact of a stolen or lost device," said Nicholas Arvanitis, principal security consultant at Dimension Data Americas.
The most significant problem companies run into with this tactic is the temptation to lock everything down rather than sift and sort the priorities.
"To lock down the device can be seen as aggressively controlling and shows a lack of trust between management and its employees," said Carl Thompson, co-founder of Mobstr Group.
If you give in to the lock-everything-down temptation, you could also make it too difficult and time consuming for users to follow security protocols. They will soon look for work-arounds instead, and those work-arounds (personal e-mail, consumer file-sharing services, unmanaged devices) create vulnerabilities you can no longer see.
"Security can never be perfect, but should be tailored to provide the correct amount of security in accordance with the sensitivity of the data to be protected," advised Arvanitis.
How much tailoring you do depends on what data your company considers critical and how far you want to drill down to apply protections. In any case, a data classification system with sensitivity labels applied to the data, and an access policy that says what a device must look like before it may touch each label, are required.
"Depending on the organization in question this may be more comprehensive in some cases, or perhaps a less formal program, but the principles should be applied regardless," explained Arvanitis.
Herding cats … err… devices
Mobile device management (MDM) is an emerging field and many gaps in coverage remain. Still, these solutions offer enterprises the best means with which to actually control individual devices. Most of the big brands in enterprise computing and security have an agent-based offering, but there are independent brands too, such as MobileIron and Zenprise.
Most can inventory devices, enforce configuration, push applications and control which applications may be installed, and perform other management tasks. Each solution takes a somewhat different approach, of course, so all bear close inspection prior to selection. One drawback common to the agent-based approach is that it relies on the integrity of the device: an agent running on a jailbroken or rooted device can be tampered with or fed false answers, so its reports are only as trustworthy as the operating system underneath it.
"A key differentiator between the current products is the ability to identify when a system is jailbroken or rooted, and to execute policy controls immediately as a result," explained Mike Weber, managing director at Coalfire, an independent information technology governance, risk and compliance firm. "This capability enables a business to trust the integrity of the devices and limit potential impact to their environment when bad things happen."
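The posture check Weber describes, combined with the classification-driven policy from the previous section, can be sketched in a few dozen lines. The following Python is an added illustration, not code from MobileIron, Zenprise, Coalfire or any other product named in this article. The indicator lists (Cydia, `su` binaries, `test-keys` build tags), the classification labels and the minimum-posture thresholds are assumptions chosen for the example; a real agent would maintain a far longer and frequently refreshed indicator set, and would still be subject to the caveat above that a rooted device can hide these artifacts.

```python
"""Device posture check: detect jailbroken/rooted devices from an MDM-style
inventory report and decide access by data-classification label.
Added example; indicator lists and policy thresholds are assumptions."""
from dataclasses import dataclass, field

# Constructed artifact lists. Jailbreak and root tools change constantly, so a
# production agent would refresh these, and a rooted device can hide them.
IOS_JAILBREAK_PATHS = {
    "/Applications/Cydia.app", "/bin/bash", "/usr/sbin/sshd",
    "/private/var/lib/apt", "/Library/MobileSubstrate/MobileSubstrate.dylib",
}
ANDROID_ROOT_PATHS = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/app/Superuser.apk",
}
ANDROID_ROOT_PACKAGES = {"com.noshufou.android.su", "eu.chainfire.supersu"}


@dataclass
class DeviceReport:
    """What the MDM agent (or EAS) reports about one device; constructed data."""
    device_id: str
    os: str                        # "ios" or "android"
    managed: bool                  # MDM agent enrolled and checking in
    passcode_set: bool
    passcode_length: int
    storage_encrypted: bool
    files_present: set = field(default_factory=set)   # paths the agent saw
    packages: set = field(default_factory=set)        # installed package ids
    build_tags: str = ""           # Android ro.build.tags, e.g. "release-keys"
    writable_system: bool = False  # agent could write under /system


def compromise_indicators(d: DeviceReport) -> list:
    """Return the jailbreak/root indicators found on the device (empty if none)."""
    found = []
    if d.os == "ios":
        found += sorted(d.files_present & IOS_JAILBREAK_PATHS)
    elif d.os == "android":
        found += sorted(d.files_present & ANDROID_ROOT_PATHS)
        found += sorted(d.packages & ANDROID_ROOT_PACKAGES)
        if "test-keys" in d.build_tags:      # custom/unsigned ROM build
            found.append("build_tags=test-keys")
    if d.writable_system:
        found.append("system partition writable")
    return found


# Minimum posture a device must show before it may touch data carrying each
# sensitivity label. Labels and thresholds are assumptions for the example.
POLICY = {
    "public":       dict(managed=False, intact=False, passcode=0, encrypted=False),
    "internal":     dict(managed=False, intact=True,  passcode=4, encrypted=False),
    "confidential": dict(managed=True,  intact=True,  passcode=6, encrypted=True),
    "restricted":   dict(managed=True,  intact=True,  passcode=8, encrypted=True),
}


def decide(d: DeviceReport, label: str) -> tuple:
    """Return (action, reasons); action is 'allow', 'deny' or 'quarantine'."""
    req = POLICY[label]
    reasons = []
    indicators = compromise_indicators(d)
    if req["intact"] and indicators:
        reasons.append("compromised: " + ", ".join(indicators))
    if req["managed"] and not d.managed:
        reasons.append("not enrolled in MDM")
    if req["passcode"] and (not d.passcode_set or d.passcode_length < req["passcode"]):
        reasons.append(f"passcode shorter than {req['passcode']}")
    if req["encrypted"] and not d.storage_encrypted:
        reasons.append("storage not encrypted")
    if not reasons:
        return "allow", []
    # A compromised device is quarantined (block now, flag for wipe or token
    # revocation); a merely non-compliant one is denied for this label only and
    # can remediate by enrolling, setting a passcode or enabling encryption.
    return ("quarantine" if indicators else "deny"), reasons


if __name__ == "__main__":
    jb = DeviceReport("A2", "ios", managed=True, passcode_set=True, passcode_length=8,
                      storage_encrypted=True,
                      files_present={"/Applications/Cydia.app", "/bin/bash"})
    for label in POLICY:
        print(jb.device_id, label, decide(jb, label))
```

Two design points worth noting. The decision is per label, not per device, so a compromised phone may still read public data while being locked out of anything sensitive, which is the "tailor to the sensitivity of the data" principle in practice. And "quarantine" is a distinct outcome from "deny", because the response to a rooted device (revoke tokens, flag for wipe) is different from the response to a user who simply has not set a long enough passcode.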
Most security experts agree that the MDM space is a long way from maturity and there is plenty of room for improvement. The better approach, therefore, is to deploy several tactics, with MDM among them, rather than betting the company's security on any one of them.
Sum betters the parts
A good place to begin in building a multi-faceted device management strategy is with the tools that exist in the systems your company already owns.
For example, by "leveraging Microsoft Exchange ActiveSync (EAS) policies, companies can implement basic policies such as password standard, forcing encryption, disabling attachments and the camera and more for iOS, Android and Windows Mobile," said Andrew Hoog, computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, and author of security books. "More sophisticated policies are exposed in Enterprise Client Access Licenses."
Look to carrier networks to aid you in your security quest as well. While many CIOs are aware of RIM's superior security protection in its BlackBerry Enterprise Server (despite its recent service failures), most are unaware that carriers now offer additional enterprise security, too. Also, make sure the device's built-in security (passcode lock, storage encryption, remote wipe) is enabled on all devices, and educate your workers on why it matters.
But the latest threat to the enterprise lies in the proliferation of mobile apps. While some MDM solutions will help in managing these, it is a mistake to rely solely on them for complete protection. For the most part, your protection against malware-infested mobile apps on employee devices will lie in the policies you make and enforce and in the education you give your workers. Make staffers aware of the security risks and what needs to be done to thwart them. If all employees become your crime-fighting partners, you will have one of the best security programs ever invented at your disposal.
A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).