By: Rob Bamforth, Principal Analyst, Quocirca
Published: 18th March 2013
Copyright Quocirca © 2013
Technology vendors and industry pundits take great delight in announcing that “this time it’s different!”. There are paradigm shifts, unstoppable trends, ground-breaking changes and disruptive innovations.
Mobile technologies are no exception, yet a short look back in time tells us that things are not always as revolutionary as first perceived. For a while, mobile email was something special. There were dozens of software vendors, although not typically the major email players, offering email on the move. Then there was the BlackBerry—the must-have email gadget for former-Yuppy executives looking to replace their Filofaxes. In fact, mobile email itself was so special that senior folk demanded that special exceptions be made to security policies, but that only they should have it.
Now that the edge has worn off, it turns out that email is just email, but you can also access it on the move, i.e. while mobile. BlackBerry has lost some of its shine and the need for dedicated mobile email software vendors has evaporated. There are certain things that make mobile email more complicated—such as being careful how much is downloaded to keep data costs down and watching out for the risk of loss or theft if private attachments are on the mobile device—but these are management challenges, not reasons to say that mobile email is so radically different.
The broader needs of complete mobile working also seem to be following similar lines.
What started out as a special tool for certain roles and only with certain devices has exploded into a consumer-led boom of a huge diversity of smartphones and tablets. These devices might be operated differently with touchscreens instead of keyboards and connect over public wireless rather than private fixed networks, but they are essentially doing the same job—allowing their users to communicate and interact with data.
Extra risks occur because of the use of open and public networks, a greater variety of devices and, increasingly, employees wanting to be told ‘you can bring your own devices’ (BYOD) and to use them for work. These things are not necessarily unique to mobile devices, and some businesses will have had employees connecting in from domestic desktop computers over the last couple of decades, but the consumer mind-set towards IT has really gathered most of its momentum from mobile devices.
The risks this varied mobile usage brings do need managing, but it is not enough to think of this simply as mobile device management (MDM). The things that actually need protecting are the sensitive assets that belong to the employer, and the employees’ ability to get their work done efficiently without incurring considerable extra costs.
There are several areas beyond the devices themselves that could do with further attention.
First to consider is applications. How will these be deployed, installed and correctly configured now that the concept of a standard corporate build on a standard corporate device is out of the window? It needs to be done in a simple, flexible, self-service manner, delivered over the air with enforcement to ensure critical apps are installed, and unapproved ones are not, or are at least contained. Application versions and configurations need to be managed over the complete usage lifecycle and secured for access control and data leakage prevention. The whole thing needs wrapping with tracking and monitoring of performance, usage and compliance.
The next area that most companies consider is data. The knee-jerk reaction of the most paranoid security manager will be to lock everything down and encrypt everything. Most users will rebel against this at some level if it makes work too complex or difficult, and most especially if their own BYOD phone or tablet is the device the data is on. An organisation—and this is the responsibility of the line of business, not IT—has to determine the value and risk of data in order to decide how much security to apply. Access controls based on users, roles and the capabilities or risks of classes of device might be applied; some data may be ‘geo-fenced’ to ensure it can only be accessed in certain locations, while other data may be accessible only from a cloud service and never reside on the device. The important thing is to ensure that the right controls can be exerted on data of known value or risk, without removing the flexibility that mobile brings—otherwise employees will work around the issue, bringing potentially great risks.
Beyond protecting those tangible digital assets, the next question is: what are employees doing? For managing the mobile enterprise, this breaks into two areas of interest—behaviour and expenses. These areas might often be related and both are greatly challenged by the move to BYOD. However, the relationship between employers and employees with communications technologies—desk phones, internet access etc.—has always been one of trust and consequences. And if that seems to be failing, monitor what employees are doing and block things that are not allowed. Little changes.
Altogether, effective IT management requires an enterprise to consider all aspects—devices, applications, data and users—and apply suitable controls based on the risks. These might be elevated by mobile, but should be assessed based on value and risk to the business.
While all sorts of powerful tools can be readily deployed, it should always be remembered that their goal is to automate the hopefully sensible procedures and policies that an organisation has put in place to support its strategy. This is still true of mobile, just as it is with other technologies. Disruptive? Yes, but ultimately not that different to other innovations in that its implementation needs to fit with the business.
Published by: electronicdawn Ltd.