This article is part two of a series. Read part one: Mobile cloud brings user convenience -- at a cost.
The two approaches to mobile data protection are to publish policies and trust that users will abide by them or implement systems that ensure that compliance. Those same enterprise mobility management (EMM) security systems will be key in enforcing security for cloud-based storage, but they can be implemented in a variety of ways based on the organization's requirements.
The initial focus of mobile device management (MDM) and EMM was to ensure that policies regarding passwords and on-device encryption were being followed. The technologies also provided IT with the capability to lock and wipe devices that were lost or stolen and to clear corporate data from devices when users left the company. As the industry matured, mobility managers found there were other aspects of mobile work that needed to be managed.
One thing that can help with managing cloud storage is the mobile application management (MAM) capability offered with many MDM and EMM systems. MAM allows applications to be whitelisted, blacklisted or defined as "mandatory."
If an organization is concerned about mobile data protection in the consumer cloud, you can simply blacklist those applications. However, that introduces a problem for user-owned devices under bring your own device (BYOD) programs, because if the Dropbox app is blacklisted, users may not be able to use other services such as iCloud for their personal files, either.
Apple's iCloud is a slightly different matter because the capability is essentially embedded in the device and so doesn't have a specific app that can be blacklisted. However, Apple does provide the "hooks" so that EMM systems can allow or disallow use of iCloud, just as you can with Siri, the camera, Bluetooth and other features on the device. Note that disallowing iCloud makes it unavailable for personal as well as business use.
Getting more granular control over cloud storage requires a secure container or "sandbox" capability. A secure container is an isolated section defined on the device where corporate information could be stored in encrypted form. Mobility management vendors have been offering them for some time.
Samsung also offers its own secure container, Knox, an EMM security option for its Android devices. Knox still requires an enterprise mobility or mobile device management system to operate.
Along with those corporate files, the secure container can also contain its own email client, browser and other corporate apps. Any data downloaded to that container or those apps is marked as such, and you can set granular controls over what users can do with it.
Files can be marked so that they cannot be forwarded to personal email accounts or to cloud storage services. File access could also be limited to "read only," and printing or sharing could be nixed. There can also be protections against copying and pasting information to other apps.
If there is a camera app in the secure container, the photos taken by it could be subject to the same protections. This is a useful function, because taking a picture of the whiteboard has become a popular mechanism for recording what took place at a meeting.
The secure container exists as part of the mobility management client that runs on the user's device. As a result, all of the corporate data within it is deleted if a user leaves the organization and the client is uninstalled.
Beyond EMM security
Another approach to maintaining control over sensitive files is to use Microsoft Exchange ActiveSync's Information Rights Management (IRM) capability. As with the secure container approach, admins can set specific controls over what users can do with files protected by IRM.
IRM support is native on Windows Phone 8.1 devices, and third-party tools such as Secure Islands' AD RMS Enabler or Gigatrust's Mobility Server provide the capability for iOS, Android and BlackBerry devices to open IRM-protected files.
Of course, any security program involves some degree of inconvenience, and organizations must weigh the tradeoffs between security and the "privilege" of mobile access to corporate email and other systems. IT has been getting more pushback from users under BYOD, even as it requires EMM clients on their personal phones.
IT shops should write clear policies describing the details of their mobility programs. Users must read and formally accept these policies before receiving mobile access to corporate systems and data, and the requirement for an EMM client and password-protected access must be clearly spelled out.
Continue to part three: How to choose an EFSS provider