
What IT Needs to Know When Developing a Mobile Device Strategy

January 28, 2013


By Mae Kowalke, TMCnet Contributor


One of the largest tasks that IT departments currently face is ensuring that the transition to a mobile enterprise is secure and managed. Bring-your-own-device (BYOD) has been a boon for employees in many cases but a nightmare for IT departments, which need visibility into employee computing behavior and must both set up and enforce proper security practices. Vendors are often not helpful, unleashing a clutter of new terms and conflicting advice.


IBM’s lead mobile security strategist, Vijay Dheap, recently outlined key factors IT departments should consider when trying to develop a coherent and comprehensive mobile strategy for their organization.

Getting a sense of scope for the challenges that must be addressed is an important initial step, noted Dheap. This includes surveying the devices used, knowing the backend systems that they must connect with, and discovering the security holes in the mobile devices being used.

“While there are different solutions to safeguard each of three main pillars and to gain oversight across them, the next step is to understand what the mobile enablement goals of the organization are so that the security and management requirements match the use cases that need to be supported,” Dheap wrote. “This enables prioritization and selection of capabilities when making a vendor decision.”

For gaining visibility and control, Dheap recommends that the option of issuing mobile devices not be overlooked despite the BYOD trend. Where BYOD is practiced, mobile device management (MDM) solutions are best suited for providing the device-level reach needed to enforce corporate policies. Through MDM, passcode settings, VPN configuration, device encryption, remote lock/wipe, blocking of external data sharing, app blacklisting and certificate management can be specified and controlled. MDMs also reduce administrative costs by creating a single management infrastructure for a plethora of different devices and types.

E-mail, calendars and contacts are the three most important business tools employees will need access to on their mobile devices, according to Dheap, and protecting this key corporate data can happen through mobile email management (MEM), secure dedicated email, and secure calendar and contacts apps for business.

“The objective is to guarantee that the emails are encrypted, avert data leakage due to attachment viewing on the device, prevent malware from accessing business directory, and segregate work email from the personal inbox,” noted Dheap. “Some MDM solutions employ OS capabilities (i.e. iOS’ managed profiles) and E-mail syncing protocols (i.e. Microsoft ActiveSync) to provide E-mail management but support is not consistent across platforms and without app-level controls it is hard to prevent data leakage of E-mail attachments.”

Secure mobile browsers for connecting to a corporate intranet are another method of protecting corporate data.

Mobile apps are gaining currency both for ease of use and as a good way to manage field deployment. Dheap recommends incorporating security as early as possible in the app lifecycle for businesses that develop apps. A mobile application platform (MAP) can provide disparate mobile development teams core security features and capabilities that can be reused in each app without requiring the developers to have significant security expertise.

For collaboration, secure containers should be considered. Secure containers encapsulate all the enterprise apps including E-mail, calendar, contacts and secure browser.

“Data from the work zone is prevented from leaking into the personal zone and content from the personal zone is inhibited from diffusing into the work zone,” wrote Dheap. These containers are referred to as mobile application management (MAM) solutions.

“MAM solutions allow for policy based governance of specific apps or subsets of enterprise apps. There are parallels to MDM features, but in the case of MAM those features only apply to the container and not the whole device,” he added.

Finally, mobile access control should not be overlooked by IT departments working on a full mobile strategy. Risk should be computed every time a mobile interaction is initiated because the context may be different, according to Dheap. The risk can influence the authentication scheme to employ and the features of an app that are authorized for a specific user in a specific context.

“With granular mobile access control, an organization can more effectively convey to the user the reason for added security and inculcate security best practices in its users,” he wrote.




Edited by Carlos Olivera
