Making sense of mobile-device, app, and information management


As BYOD moves out of basic email access, IT seeks control over apps and data on users' devices. What can IT actually get?

Smartphones, tablets, social networks, and cloud services are all popular, incredibly useful -- and a security risk. These days, the security focus is on mobile devices, as they tend to be used a lot to work with corporate information, but the variety of platforms, the fact many are employee-owned, and uneven security capabilities all add up to a real -- sometimes impossible -- challenge to manage them in the same way as the corporate PC.

The issue is not so much hacking; outside of malware easily available in the Android Market, mobile devices are safer than PCs from hackers. Instead, the issue is inappropriate information usage, where employees inadvertently spill the beans about contacts, embarrass people, violate any number of privacy regulations, and neglect compliance obligations. Most people do it by mistake, while some people do it deliberately; what matters is that they do it.

That puts organizations in an uncomfortable position. Survey after survey shows that technologically empowered users are happier and more productive, so businesses want to tap into that benefit. But they also have to safeguard their secrets and comply with regulations. The good news is that although the methods and tools are still new, there are known, proven approaches to reducing those risks without disabling the benefit of consumerization.

For mobile devices, these tools fall into three broad categories: data loss prevention (DLP), mobile device management (MDM), and mobile application management (MAM). This guide walks you through each category and explains the key issues and providers.

Data loss prevention

Mobile device management

If 2010 was the year that the bring-your-own-device (BYOD) phenomenon became legitimate, 2011 was the year that mobile device management (MDM) tools were accepted as a way to allow safe BYOD. It's no surprise that dozens of vendors now offer MDM tools.

Today, MDM tools are deployed in financial services, defense, government, and medical environments -- the very industries most concerned about information security. But MDM is not new; enterprises have been using it for years in the form of the BlackBerry Enterprise Server (BES) to manage the access rights and device permissions of BlackBerry messaging devices. Microsoft Exchange, the most-used email server, also supports a modest set of policies through its Exchange ActiveSync (EAS) protocol.


EAS policies can require that a device be encrypted, have a complex password, or disable its camera. IT manages those policies in Exchange or in the corporate version of Google Apps; the same capabilities will soon be available in Microsoft's System Center 2012. The email server ties into a corporate identity server (usually Microsoft's Active Directory) to determine which policies apply to which user. If a device doesn't comply with the rules associated with its user, it is denied some or all access. These servers also let IT remotely lock or wipe the contents of a lost or stolen device.
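The controls just described, as an added example that is not part of the original article: an Exchange Management Shell session (Exchange 2010 SP1 or later assumed) that creates an EAS mailbox policy requiring encryption and a complex password and disabling the camera, ties it to users through a directory group, quarantines unknown devices, and wipes a lost device. The policy name "BYOD-Standard", the group "BYOD-Users", the mailbox "jdoe", the admin address and the device ID placeholder are illustrative names chosen for this example.

```powershell
# Added example (not from the article). Assumes an Exchange 2010 SP1 or later
# Management Shell session with the Organization Management role.
# "BYOD-Standard", "BYOD-Users", "jdoe", the admin mailbox and the device ID
# below are hypothetical values for illustration.

# 1. Define the policy: device password, encryption, no camera. Refusing
#    non-provisionable devices matters because EAS policies are enforced by
#    the client; a device that cannot apply the policy must not be let in.
New-ActiveSyncMailboxPolicy -Name "BYOD-Standard" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -AllowCamera $false `
    -AllowNonProvisionableDevices $false

# 2. Tie the policy to users through the directory: every member of the
#    "BYOD-Users" group gets this policy on their mailbox.
Get-DistributionGroupMember -Identity "BYOD-Users" |
    Set-CASMailbox -ActiveSyncMailboxPolicy "BYOD-Standard"

# 3. Devices not covered by a device access rule are quarantined rather than
#    allowed, and an administrator is notified.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobileadmin@example.com"

# 4. Review which devices a user has synced and whether each one has
#    acknowledged the policy (LastPolicyUpdateTime) and supports remote wipe.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceId, DeviceType, DeviceAccessState,
                  IsRemoteWipeSupported, LastPolicyUpdateTime

# 5. Wipe a lost or stolen device. This is irreversible on the device, so
#    match on the exact DeviceId from step 4 rather than wiping all devices.
Get-ActiveSyncDevice -Mailbox "jdoe" |
    Where-Object { $_.DeviceId -eq "<lost-device-id>" } |
    Clear-ActiveSyncDevice -Confirm:$false
```

The wipe in step 5 is only queued on the server; it takes effect the next time the device connects, so an attacker who keeps the device offline is not stopped by it. That is the gap the device-side encryption and password lock in step 1 are there to cover.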


Major vendors for key mobile management needs

Mobile data loss prevention
  Traffic monitoring: InterGuard Software, Symantec
  Managed online storage: Accellion, Box.net, Dropbox, YouSendIt, Zenprise

Mobile device management: AirWatch, BoxTone, Centrify, Fiberlink, Good Technology, Intel McAfee, Microsoft, MobileIron, Research in Motion, SAP Sybase, Symantec, Tangoe, Wyse Trellia, Zenprise

Mobile application management
  App distribution: Apperian, App47, Apple, Good Technology, MobileIron, Odyssey Software (Symantec), SAP Sybase, Partnerpedia, Zenprise
  Secure app development and management: AppCentral, Good Technology, MobileIron, SAP Sybase, Veracode, Verivo
  App content management: AppCentral, Good Technology, MobileIron, Mocana, Nukona (Symantec)
  Secure app containers: Antenna Software, Cellrox, Enterproid, Fixmo, NitroDesk, Open Kernel Labs

Mobile application management

The least established area for controlling mobile information access is mobile application management (MAM), which currently encompasses several types of services:

  • App distribution, such as through corporate app stores. These typically focus on managing distribution of and permission for homegrown Web and native apps, but can also provide users links to recommended apps in public app stores. Some can also manage native iOS apps created by the business for internal use.
  • Secure app development, to add security and permissions control for homegrown apps' content and access to corporate network resources. There's typically a management console allowing IT to act on those embedded controls.
  • App content management, such as to restrict apps' abilities to share authorized content with other apps. These too are focused on homegrown apps, though in some cases can also be used by commercial app developers in conjunction with a management tool. Two vendors in this category, Mocana and Nukona, take an unusual approach of wrapping permissions around apps, rather than requiring the apps' internal code to implement policies -- it's sort of a DLP wrapper. The other providers rely on policies being specified within the apps' code.
  • Secure app containers, which create a separate partition, app container, or virtual machine to segregate at least some corporate apps and data from personal apps and data. Within the container, content can move freely between the managed apps, which is more flexible than techniques that secure data inside specific apps only. This differs from using virtual desktop infrastructure (VDI) to present a remote application in a window; such clients (Citrix Receiver and VMware View are examples) have little to no access to information or capabilities on the mobile device itself beyond keyboard and emulated mouse input. The partition variant of this approach divides the device into a personal side for the user's apps and data and an IT-managed side for business apps and data.

The difficulty in current MAM approaches is that they're usually application-specific. That favors their use for apps developed in-house, but a variety of vendors are working with commercial developers to embed their technology. Over time we may see more user-installed apps supporting such app and content management capabilities, for access via an MDM or other tool the business has in place or can connect to. But commercial developers still need to pick one API and thus one vendor, or use multiple APIs in their apps, with the complexity that brings.

What's really needed, of course, is a common set of content management APIs that all apps can use with any management tool -- analogous to the all-but-standard Microsoft EAS protocol in device management today. As in the case of EAS, vendors could augment the core policies with enhancements for specialty application needs, and commercial developers could decide when to use these extended capabilities, such as to reach high-security markets.
