The BYOD discussion may have dragged on for years, but the mobile management challenge hasn’t been overcome yet. If anything, managing the mobile environment needs a far greater focus this year. Tracy Burrows investigates.
Mobile is mainstream
Businesses of all sizes are now mobile, and will become increasingly so in the years to come. This raises a number of challenges for enterprises as they seek to manage and secure a proliferation of device types, operating systems and mobile applications.
It’s an issue analysts around the world have focused on in their forecasts for the year to come. Ovum says in its 2015 Trends to Watch: Enterprise Mobility report that while the rate of BYOD behaviour is growing among employees, enterprises’ IT is not embracing BYOD at the same rate. Ovum sees enterprises moving slowly towards framing enterprise mobility management as part of a wider workspace strategy that encompasses all endpoints and applications.
IDC’s FutureScape: Worldwide Mobile Enterprise Applications and Solutions 2015 Predictions paper sees IT organisations dedicating at least 25% of their software budgets to mobile application development, deployment and management by 2017. Among other things, IDC predicts that the number of enterprise applications optimised for mobility will quadruple by 2016. Additionally, more than 50% of large organisations will invest in enhanced enterprise mobility management (EMM) capabilities to secure apps and data in 2015. IDC also notes that by the end of 2015, only 15% of large organisations will have adequate mobile security governance for process and policy. Furthermore, according to Gartner, by 2017, 40% of organisations will integrate their mobile device management (MDM) tools with their IT service desks, up from fewer than 5% today.
Mischief managed
Doros Hadjizenonos, Check Point South Africa sales manager, says South African companies are increasingly concerned about managing the mobile environment. “We are seeing a lot of interest from companies seeking to enable productivity for a mobile workforce, but to secure company data at the same time,” he says. Mobile application management tools, which allow the enterprise to manage and secure corporate data in a BYOD environment, are the big focus for local companies, he says.
Fred Mitchell, Software Division Manager at Drive Control Corporation, agrees. “Locally, company-issued mobile devices are becoming the exception rather than the norm. Employees want a choice in the devices they use and companies don’t necessarily want to issue standard devices to staff. So mobile application management is becoming the norm, where the device itself is not managed so much as the access to the corporate data is controlled.”
Simon Campbell-Young, CEO of Phoenix Distribution, points out that not all businesses need the same level of security when it comes to mobile device management. He says any initiatives to secure the mobile environment must be built around the business goals. “MDM has long been a grey area, which consists of multiple tasks including mobile asset inventory, security, software distribution and similar. It is a challenge to address all these factors in one go, but doing them bit by bit without an ‘umbrella’ plan can result in separate silos that bring more trouble than MDM can solve.”
He recommends taking a good look at business processes and mobility plans, and using these to put a thorough set of MDM requirements in place according to priorities. “Start with identifying all the mobile devices, tablets, cellphones and similar that will be used for business purposes, and keep this list in a single dashboard or data store that can be used by all other MDM functions. This is a good base, and will make it simpler to define policies for affected devices, instead of adopting a mud-against-the-wall approach that is ineffective. From here, bear in mind that any MDM solution must be able to allow the technology department to secure and manage mobile devices across different operating systems, offer secure business communications, configure devices automatically, and have the ability to remotely wipe data should the need arise.”
Don’t slow me down
A key challenge in securing and managing this mobile environment is to do so in a way that is not too onerous and that does not hamper productivity.
Mitchell notes that personal use of a personally-owned device cannot be controlled by the company. At the same time, enterprise data must be protected, and the measures to secure that data should not be so cumbersome that they hamper productivity or tempt staff to seek ways to bypass them. “So what’s needed is the ability to control the device only in so far as work is concerned - controlling a section of the device as long as the employee is on the company network, without hampering private use.”
Hadjizenonos says Check Point research carried out last year found that the number of mobile security incidents is rising. “Companies are right to be concerned. But with most mobile devices owned by individuals – aside from specialized enterprise devices such as handheld scanners and tracking devices – BYOD users don’t want interference from their companies on their personal devices. Mobile application management offers a fair compromise in that it creates a secure environment for enterprise use on the device, but everything else on the ‘phone belongs to the user.” He says the ideal solution provides good access control and secures data on the mobile device, as well as securing the traffic between the device and the enterprise network.
Confusion option
Gartner says its research indicates that enterprises are confused by the array of options for applying mobile app security controls and policies across enterprise mobility management (EMM), mobile application management (MAM) and mobile application development platform (MADP) products. Gartner recommends using an ‘app wrapping’ approach when developer resources are limited and security controls and policies are reusable across apps, but using a software development kit (SDK) approach for more custom and complex security requirements, and applying app-level data containment policies to mitigate data leaks.
Gartner also recommends ensuring that all users have the most recent and secure version of the mobile app, while understanding the technical limitations, especially when publishing apps in commercial app stores. It advises encrypting app data at rest and extending protection to data in motion to the back-end, while recognising that VPN on-demand mechanisms are still maturing; and enforcing seamless and secure authorisation and authentication to the back-end systems, while recognising that this will require customisation and might not always be feasible using a single product.
“We recommend that enterprises adopt and maintain flexible app security practices and not use a one-size-fits-all approach,” Gartner concluded.
___________________________________________________________________
MAJOR MOBILE RISKS
● Loss, theft or misuse of a mobile device with enterprise network access or containing enterprise data
● Vulnerabilities when using unsecured public WiFi
● Lack of security awareness on the part of users
___________________________________________________________________
Gartner South Africa
Key points for effective Enterprise Mobility Management:
● Understand the rate of mobile change and re-evaluate mobile solutions every 6 – 12 months. Investments in mobile management and security frameworks can have life spans of only 18 months or less in this rapidly changing environment.
● Accept that BYOD is here to stay and draft policies accordingly. Around 50% of users engaged in BYOD have done so without their company noticing, or in violation of the rules.
● Engage users, HR and legal teams when implementing policies and solutions. IT must work with users to document their workflows and to ensure that policies, tools and practices make sense.
● Implement the right solutions for enterprise needs. If an organisation requires access only to email, calendar and contacts with basic policy control and has a limited device landscape, then Exchange ActiveSync (EAS) may be good enough, and a full EMM/MDM solution isn't needed. However, if there's a need to deploy applications, share documents, stop employees from saving corporate data into cloud services and have device jailbreak protection or any of the other hundreds of device policies, then an EMM/MDM is required.