Smartphones, tablets, social networks, and cloud services are all popular, incredibly useful, and a security risk. The security focus these days is on mobile devices, because they are so often used to work with corporate information; but the variety of platforms, the fact that many are employee-owned, and their uneven security capabilities make it hard, and sometimes impossible, to manage them the way a corporate PC is managed.
The issue is not so much hacking; outside of the malware that has found its way into the Android Market, mobile devices have so far been less exposed to attackers than PCs. Instead, the issue is inappropriate information use: employees inadvertently leak contacts, embarrass people, violate any number of privacy regulations, and neglect compliance obligations. Most do it by mistake, a few deliberately; what matters is that it happens.
That puts organizations in an uncomfortable position. Survey after survey shows that technologically empowered users are happier and more productive, so businesses want that benefit. But they also have to safeguard their secrets and comply with regulations. The good news is that although the methods and tools are still new, there are known, proven approaches to reducing those risks without giving up the benefits of consumerization.
For mobile devices, these tools fall into several broad categories: data loss prevention, mobile device management, and mobile application management. This guide walks you through each category and explains the key issues and providers.
Mobile device management
If 2010 was the year that the bring-your-own-device (BYOD) phenomenon became legitimate, 2011 was the year that mobile device management (MDM) tools were accepted as a way to allow safe BYOD. It's no surprise that dozens of vendors now offer MDM tools.
Today, MDM tools are deployed in financial services, defense, government, and medical environments -- the very industries most concerned about information security. But MDM is not new; enterprises have been using it for years in the form of the BlackBerry Enterprise Server (BES) to manage the access rights and device permissions of BlackBerry messaging devices. Microsoft Exchange, the most-used email server, also supports a modest set of policies through its Exchange ActiveSync (EAS) protocol.
EAS policies can require that a device be encrypted, use a complex password, or disable its camera. IT manages those policies in Exchange or the corporate version of Google Apps; the same capabilities will soon be available in Microsoft's System Center 2012. The email server ties into a corporate identity server (usually Microsoft's Active Directory) to determine which policies apply to which user. A device that does not comply with the rules associated with its user is denied some or all access. These servers also let IT remotely lock or wipe the contents of a lost or stolen device.
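To make the EAS policy model concrete, here is an added example, not part of the InfoWorld article, of what the Exchange side of that workflow looks like in the Exchange 2010 Management Shell: define a policy with the controls just described, assign it to the members of an Active Directory group, read back what each device claims it has applied, and wipe a lost device. The policy name "BYOD-Baseline", the group "BYOD-Users", the mailbox "jdoe", and the notification address are hypothetical; the cmdlet and parameter names are Exchange 2010's.

```powershell
# Added example (not from the article). Run in the Exchange 2010 Management Shell.
# Policy name, group name, mailbox and email address below are hypothetical.
# Exchange 2013 and later renamed these cmdlets to *-MobileDeviceMailboxPolicy
# and *-MobileDevice, but the parameters are largely the same.

# 1. Define the policy: encryption, complex passcode, auto-lock, wipe after
#    repeated bad passcodes, no camera. AllowNonProvisionableDevices $false
#    refuses clients that cannot (or will not) acknowledge the policy, which is
#    how a device that does not comply with its user's rules loses mail access.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowCamera $false `
    -AllowNonProvisionableDevices $false

# 2. Tie the policy to identity: apply it to every mailbox in an AD group.
Get-DistributionGroupMember -Identity "BYOD-Users" |
    Where-Object { $_.RecipientType -like "*Mailbox*" } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "BYOD-Baseline"
    }

# 3. See what each of a user's devices reports back. DevicePolicyApplicationStatus
#    is the client's own claim (AppliedInFull, PartiallyApplied, NotApplied);
#    the server has no independent way to verify it.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceID, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

# 4. Remotely wipe a lost device. The Identity values come from step 3; here the
#    filter picks the user's iPhone, so narrow it further if the user has several.
Get-ActiveSyncDeviceStatistics -Mobile "jdoe" -ErrorAction SilentlyContinue | Out-Null
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceType -eq "iPhone" } |
    ForEach-Object {
        Clear-ActiveSyncDevice -Identity $_.Identity `
            -NotificationEmailAddresses "security@example.com"
    }
```

Two caveats a practitioner should keep in mind. EAS policies are enforced by the mail client on the device, and the server learns only what that client reports, so a modified or non-conforming client can claim compliance it does not have; and support for individual policy settings varies by platform and client, so a policy that is "applied in full" on one device type may be only partially honored on another.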
Major vendors for key mobile management needs (table; only its headings and a few vendor names are recoverable here)
Column headings: Mobile data loss prevention; Mobile device management; Mobile application management; Managed online storage; Secure app development and management; App content management; Secure app containers.
Vendors listed include Research in Motion, Odyssey Software (Symantec), and Open Kernel Labs.
Mobile application management
The least established area for controlling mobile information access is mobile application management (MAM), which currently encompasses several types of services:
- App distribution, such as through corporate app stores. These typically focus on managing distribution of and permission for homegrown Web and native apps, but can also provide users links to recommended apps in public app stores. Some can also manage native iOS apps created by the business for internal use.
- Secure app development, to add security and permissions control for homegrown apps' content and access to corporate network resources. There's typically a management console allowing IT to act on those embedded controls.
- App content management, which restricts what apps can do with corporate content, such as sharing it with other apps. These too are focused on homegrown apps, though in some cases they can also be used by commercial app developers in conjunction with a management tool. Two vendors in this category, Mocana and Nukona, take the unusual approach of wrapping permissions around apps rather than requiring the apps' own code to implement policies; in effect, a DLP wrapper. The other providers rely on policies being specified within the apps' code.
- Secure app containers, which create a separate partition, app container, or virtual machine to segregate at least some corporate apps and data from personal apps and data. This approach allows freer use of content across apps in a container than techniques that secure data within just specific apps. This approach differs from the use of virtual desktop infrastructure (VDI) to present a remote application in a window; such applications (Citrix Receiver and VMware View are examples) have little to no access to information or capabilities on the mobile device itself, beyond keyboard and emulated mouse access. A related approach is to create separate partitions on the mobile device -- one for personal apps and data, and the other for IT-managed business apps and data.
The difficulty with current MAM approaches is that they're usually application-specific. That favors their use for apps developed in-house, but a variety of vendors are working with commercial developers to embed their technology. Over time we may see more user-installed apps supporting such app and content management capabilities, for access via an MDM or other tool the business has in place or can connect to. But commercial developers still need to pick one API, and thus one vendor, or use multiple APIs in their apps, with the complexity that brings.
What's really needed, of course, is a common set of content management APIs that all apps can use with any management tool -- analogous to the all-but-standard Microsoft EAS protocol in device management today. As in the case of EAS, vendors could augment the core policies with enhancements for specialty application needs, and commercial developers could decide when to use these extended capabilities, such as to reach high-security markets.