Deploy MDM. Companies that have rolled out Android broadly agree with the MDM recommendation. "Android devices should not be deployed in any enterprise without robust MDM," says Abhi Beniwal, senior vice president of global IT at Daymon Worldwide's Interactions subsidiary, a provider of in-store product demonstrations for retailers and manufacturers. With an MDM platform in place, enterprise IT has the visibility it needs into mobile devices and can proactively manage security vulnerabilities and threats, Beniwal says.
Interactions has deployed Android-based tablets and mobile apps in more than 1,000 stores in North America. Most of its workforce is field-based, and mobile technology allows users to share real-time information, Beniwal says.
The company implemented an MDM platform from AirWatch before deploying any Android device in the company, and it hasn't experienced any security-related problems with the devices, Beniwal says. "At the same time, we take it very seriously and are always monitoring and proactively managing any potential security threat to our devices," he adds.
Also relying heavily on MDM is the Center for Young Professionals in Banking (CYP), a training center in Zurich that has rolled out 1,400 Android tablets that students use to access CYP's learning management system. CYP uses MobileIron's platform for enterprise mobility management. The platform ensures that only approved apps are installed on devices, and it reports any breaches.
Among CYP's concerns about Android security and management are data loss prevention, malware, OS version control, and data on lost devices. The MobileIron platform, like most serious MDM systems, addresses each of these and other concerns, says Thomas Fahrni, deputy general manager of CYP.
Create a compliance policy. Aberdeen strongly recommends that companies create a compliance policy for BYOD units, so that not every smartphone or tablet is acceptable for use within the work environment.
"Organizations should test the vulnerability of the most popular platforms and versions and verify that they can be managed securely" before granting those devices access to the corporate network, Aberdeen's Borg says. "This is a BYOD policy with constraints. An unbridled BYOD policy is very problematic" because it invites access to the network by devices that might not be secure.
This effort shouldn't be too much of a hindrance for many organizations, Borg says, because many of the latest versions of Samsung Android smartphones are likely to be compliant with a company's security requirements. "If you stay in the Samsung universe, there are viable, robust security solutions [that] work with the MDM tools," he says.
Stop supporting old Android versions. Enterprises should set a specific stop date for older OS support, to ensure that users have up-to-date versions of Android, Sepharim Group's Egan says. He also recommends that companies not use Android for much more than email, "and then only on 'safe' devices."
New security efforts will make Android more secure
Within the Android ecosystem, efforts are being made to improve Android security.
For example, Samsung offers Knox, a containerization technology for higher-end Samsung Android devices that's designed to create a virtual partition on the devices that would insulate corporate-managed apps and data from attack. "Samsung Knox is the first real security solution coming out for Android," Egan says. However, Knox is no cure-all, given several limitations: It currently works with just a handful of Samsung devices and only a small number of MDM tools, and it requires a monthly per-user fee in addition to the normal MDM fees.