IT's balancing act between mobile security and privacy

IT continues to walk a fine line between securing employee devices and allowing them a level of privacy.

ATLANTA – Securely managing employee mobile devices is necessary, but doing so while respecting employees' privacy and not overstepping boundaries is also important.

While enterprise mobility management (EMM) has become a necessity in corporate mobile environments, AirWatch acknowledges that privacy fears can be a barrier to adoption, as some employees may view IT managing their phones as Big Brother watching their every move.

"We have a right to keep our devices secure, we have a right to keep our data secure but nobody has the right to infringe on our users’ privacy," said Noah Wasmer, vice president of strategy and CTO of end-user computing at VMware, during a keynote at AirWatch Connect here this week.

Through its Privacy First initiative, AirWatch will release new tools and educational resources that are baked into the platform in the fourth quarter of this year, aimed at greater transparency.

Employees will be able to onboard their own personal and corporate devices into the corporate management platform without the help of an IT admin, and can dynamically see what is and what is not being pulled from their device. They will not have to read through an entire terms of use policy notice, as the information will be clearly presented to them as they go step-by-step through the onboarding process.

AirWatch will also support two-factor authentication to track an employee's GPS. This means two IT admins will each need to enter a password to track that information, so two admins will have to know what command was given. The command will be logged in the corporate system for the record, and the employee will know that their GPS is being tracked by IT. These features are not available today, and will be available by the end of the year.

AirWatch shared some of its privacy best practice tips that it urges admins to follow. One example is to keep personal information on a user’s device separate from corporate data. This way, IT does not wipe a user’s personal content in the event that an employee leaves the company or the device becomes compromised. IT will also not be able to see personal information about the employee that is not work related, such as information that suggests an employee's political views, religious beliefs or sexual orientation.

Another best practice tip is to not track GPS locations of employees to avoid invading the user’s privacy when they are not at work.

"We allow user-owned personal devices," said Brian Holt, ARMS IT analyst for Southern Company, an energy and utilities company with over 10,000 employees based in Atlanta. "The devices have their personal emails and other content on there, but it’s enrolled in AirWatch, so the company email and company information is separate from personal content. The company can’t see their personal information."

If an employee leaves the company, IT can remote wipe the corporate information from their device without wiping personal information, Holt said.

Employees are informed that if their devices have company information on them, they have to allow IT some level of visibility into the device in order to manage it. The employees are given a choice between using their own personal device or one given to them by the company for corporate use.

While many admins have a strict EMM policy in place, other companies admit that they are still working on their plan.

"Our policy is sort of non-existent," said an IT administrator for an American utilities company under the condition of anonymity. "It’s an unspoken policy, and we are constantly trying to write it and figure it out."

While the company does not fully embrace BYOD, it has grown from a handful of corporate devices to over 1,200, the admin said. Despite this boom in managed devices, the admin noted that his company currently has more than 600 devices that are still not being managed.

Employees are allowed to use their native email client, which IT does not have any control over, the admin said. This is something he hopes changes, in addition to adopting a secure browser, and a corporate app store configuration.

"Security as well as privacy are definitely important, and we know we have to do something about it," the admin said. "AirWatch is definitely helping us think about what we need to do going forward."

While the balance of mobility management and privacy can be tricky, so is the balance between security and productivity. Depending on a company's line of work, it may be more beneficial to have stringent security protocols in place for access to corporate apps and data, while other businesses can afford an authentication system with less complexity.

"We’re a power utility company that also operates nuclear plants, so security is a huge thing for us," Holt said. "Sometimes our security is so tight that we can’t get business things done because we have to log into so many different things just to get onto the app we need in order to do our jobs."

The strict security protocol is understandable, Holt said, despite employees wanting it to be easier.

"In our case, erring on the side of too secure than not enough is probably for the best," he said. "I think AirWatch is doing a good job of allowing security to be configured to the level deemed appropriate, and not just throwing out a level of security that you have to live with."

Ramin Edmond is a news writer with TechTarget's End User Computing Media Group.
