Published: 01 Feb 2013
When developing an enterprise mobility program, an organization needs to determine the appropriate level of security, evaluate how workers use their mobile devices and make sure the proper infrastructure is in place.
Vendors push an alphabet soup of mobile device security products they say are necessary --MDM (mobile device management), MAM (mobile application management), MIM (mobile information management), IAM (identity access management) and NAC (network access control), for example -- but depending on a variety of organizational factors, it could be overkill to deploy any or all of those products, said Chris Hazelton, a mobile analyst at 451 Research, an enterprise research firm based in Boston, Mass.
A combination of management techniques, whether it's on the device level or at the application and information level, is necessary for supporting mobile devices, Hazelton said, but the chosen management product depends on the unique factors of the organization.
Take control of enterprise mobility
Part 1: Getting the most out of your enterprise mobility program
Part 2: Deciphering the alphabet soup of mobile device security products
Part 3: Enterprise mobility and BYOD cost challenges plague organizations
Choosing mobile device security products
Hadassah Medical Center, which operates two university hospitals in Jerusalem, Israel, needed a way to securely deliver a medical records application to more than 3,000 doctors using mostly personal Android and iOS devices. The tricky part was finding the appropriate balance between security and privacy, said Barak Shrefler, CISO of the hospital system.
The IT department only needed to deliver one mission-critical application to doctors and nurses that would allow them to access patient medical records in real time and collaborate with other medical professionals in a different wing of the building. Since most of the doctors already owned their preferred mobile device, Shrefler consulted with the legal department to determine how much control and security they need to implement over those devices.
One thing was clear: Doctors didn't want to install mobile device security products that could be perceived as a client allowing the IT staff access to their personal lives.
"We thought deeply about MDM and at the end of day, mobile device management gives you lots of capabilities that you shouldn't activate when the device is not yours," Shrefler said. "The doctors understand that to work with our application it needs to be monitored and they know we're not looking at their messages."
The hospital decided to adopt a network access control product from ForeScout that could push the medical records app to doctors and provide that application access to secured data under specific conditions. As an added security measure, if the mobile device isn't connected to the network, then the application can't access the sensitive data. "We don't want too many policies on the user, but we don't want to jeopardize our security either," Shrefler said.
Make way for legacy apps
Hadassah Medical Center was in the fortunate position of only needing to deliver one mission-critical application to employee mobile devices. Even better, the application vendor had already released a mobile version of the on-premises medical record app, saving the IT and DevOps teams from the costly and time-consuming process of doing that themselves. Other organizations should be so lucky. When companies move beyond supporting just a single application is when all these security, management and app deployment complications come into play, said 451's Hazelton.
"Who owns the device and the device type don't matter as much as identity, data and application," he said. In other words, IT departments don't need to fret so much over whether the device is owned by the company or employee as much as they need to think about the applications and data being used on a mobile device and how to extend that employee's corporate identity to the device for those apps.
Mobile experts are often quick to point out this approach to enabling mobile productivity is merely a bridge technology or doesn't take advantage of mobile's full capabilities. But for many IT departments, it's the only way, since they can't simply rip and replace a legacy application because it doesn't play nice on a mobile device. Other organizations have found a middle ground. Three years ago, QDI Transportation made the decision to phase out as much legacy infrastructure as possible. That meant initially replacing Microsoft Exchange and Office in favor of Google Apps, along with using a private cloud for its data centers before ultimately replacing its entire Microsoft Windows desktop environment in favor of Google's Chrome OS.
"We really wanted a true anywhere, anytime work environment," said Cliff Dixon, vice president of IT for the Tampa, Fla.-headquartered transportation and shipping company. The company had one major problem, though.
"Our major software package for transportation management systems is not built for the Internet. It's built to run on a Windows OS and terminal services," he said.
QDI deployed Ericom's AccessNow, which turned the legacy Windows application into a Web app that can be accessed from any HTML5-compliant browser on any computing device—including mobile devices.
Now, the company has transformed its infrastructure to be more flexible and truly mobile, with applications and data accessed in a similar way regardless of the computing device.
"We've taken that challenge to adjust our services to fit a BYOD mold and if we plan for that first, then it should be easy to deliver services in a normal office desktop environment," Dixon said.
One problem QDI's IT department didn't foresee was the effect mobile devices would have on the company's networking infrastructure. They aren't alone. Wireless networks designed to handle one device per employee will be crushed under heavy bandwidth constraints.
IT pros run into wireless network bandwidth performance problems in part because a single Wi-Fi connection can really only support 15 to 20 devices. Any more than that, and the connection signal strength begins to deteriorate, said Perry Correll, senior technologist for Xirrus, a Wi-Fi technology company based in Thousand Oaks, Calif.
Mobile devices create a scenario where organizations have to support an average of three devices per employee on the wireless network. Not only that, other Wi-Fi-enabled devices such as projectors, scanners and printers could cause similar network problems if businesses don't plan accordingly.
By 2015, 80% of recently installed corporate wireless networks will become obsolete because of poor infrastructure planning, according to a February 2012 study by Gartner, Inc. The same report suggests that enterprises will have to deliver 300% more wireless access points to provide performance that is similar to performance in the pre-mobile era.
Organizations should consider a few possible changes: upgrading to the wireless N standard, establishing a guest network for personal devices alongside the corporate network and increasing bandwidth but also access points and available coverage, said David Goff, CTO for Emulex, a network solutions provider based in Costa Mesa, Calif.
Implementing a guest network also allows employees' personal devices Internet access even if they don't meet the security and policy requirements to connect to the corporate network. Simultaneously, it also helps prevent overloading the corporate network with too many connected devices, Goff said.