Mobile Device Management: Balancing Business Agility and its Risk
With two dedicated tracks on mobile security at the RSA Conference, it’s clear that mobile devices are one of the most challenging technologies facing IT and security organizations. The network and the endpoint are changing at a rapid pace, and organizations are adopting the technology without fully understanding the risks.
The arrival of mobile devices in the workplace is reminiscent of the endpoint control challenges caused by the move to laptops. Challenges include unauthorized applications, distribution of unauthorized apps, lack of device control, changing device configuration and the ability to jailbreak a device. The ultimate challenge, however, is not knowing what information is going to the endpoint and what type of protection exists for that data.
Key issues in mobile device management include:
- Business Need. Organizations need to determine the business need. This, in turn, will drive what type of information is needed at the mobile device. Ultimately, security organizations will need to make the business case for security of the device.
- Device Ownership. Organizations considering a BYOD program will need to determine whether the device will be a corporate device that the employee is allowed to use for personal reasons, or an employee-owned device. The type of ownership can affect the type of control over the device. Corporate management of personal devices requires permission to take action and is a policy issue. Typical actions include remotely wiping the device if it is lost, performing digital forensics and re-imaging the device upon termination of employment. One way to implement the waiver is to display a pop-up when the employee downloads a corporate app, requiring the user to accept the security actions. While the rescinding of a waiver of rights has yet to be tested in court, this gives a trail of user acceptance.
- Next-generation Expectations. HR departments are expressing concern that they won't be able to recruit next-generation workers if the acceptance policies are stringent. The assumption that upcoming generations expect to have whatever device they want and unfettered access to Facebook while in the corporate environment may not be an accurate picture. Work with HR to determine the real business case and employee expectations.
- Network Access. Whether the device just connects through the external perimeter controls and has access to the internet or is allowed on the network, executives expect to have the same experience at home or at work. Security organizations will be challenged by their organizations to provide the same user experience. Technologies range from mobile device management and mobile service management to sandboxing. Virtual Desktop Infrastructure and Citrix are options, but they have problems with user acceptance: the user may not be able to get full functionality, which results in user dissatisfaction.