No matter what an organization's method is for developing and deploying mobile applications, IT has to stay attentive to threats such as malicious breaches and potential loss of intellectual property.
Every mobile operating system has faults, and careless employees and malware can endanger networks and sensitive data. A user can easily leave an endpoint device unattended in a public place without enabling a screen lock, and hackers are constantly looking for unauthorized ways into corporate systems.
IT can avoid breaches of enterprise data with data loss prevention tools that secure employees’ mobile devices.
Stay ahead of malware attacks
Each mobile OS comes with its own vulnerabilities and reputation for security. The Google Android OS, for instance, includes several security features, and vendors offer add-ons such as Samsung's SAFE and Knox environments. But just as Android has a very large user base, it also attracts a large population of would-be attackers.
Even though iOS and BlackBerry have reputations for being the safest mobile OSes, some security features can get in the way of what the consumers and the enterprise want to do with their devices. Mobile security depends on the device, the apps on it and the mobile device management (MDM) system. Good mobility policies also cover proper usage, antimalware protections and authorization schemes.
Not long ago, relatively few organizations saw value in putting antivirus software on mobile devices. Sure, there were several tools from providers such as Symantec, McAfee and Lookout, yet most mobile security experts regarded them as security blankets to appease information security teams.
However, real security risks have emerged on Android. For example, millions of users recently downloaded a Trojan horse embedded in a few apps in the Google Play store. It's a good idea to invest in antimalware and antivirus software and to enforce the mobile security policy through MDM, so that the software is installed on every managed device and its malware signature library is kept up to date.
Containerization is key
Although the term containerization makes some end users cringe, this application security mechanism is one of the best data loss prevention tools for admins to deliver individualized apps to a mobile device and still feel comfortable about security.
Enterprises can use MDM and mobile application management (MAM) tools to enforce and manage security containers. MDM can require mobile users to enable device-level locks and device-level encryption, and IT can define application-level security policies. For example, these management tools can require end users to authenticate with Lightweight Directory Access Protocol credentials.
Also, MAM can enforce encryption at the app and content levels. As for network connectivity, IT can dictate that employees can only use an approved virtual private network tunnel to connect a specific app to the corporate network. With these app-level security measures in place, the application itself becomes a secured container.
App-level containerization done properly should provide a similar user experience to consumer applications, but then there's the question of how to deploy those apps. The studies on this topic are mixed, but you can expect that roughly half your user base wants to feel like there are no restrictions on how they manage apps, and the other half prefers a separate place on their mobile devices specifically for work apps.
For those who prefer fewer restrictions, MDM tools also provide for federation, in effect single sign-on, among corporately managed apps. When a user authenticates to one, he or she can easily access the others while still subject to a standard set of data loss prevention policies.
Split BYOD devices into dual personas
Many individuals -- and even more companies -- prefer there to be a complete separation of work and personal apps and data. This is especially important for bring your own device (BYOD) initiatives, in which users own their mobile devices and IT implements a containerized work environment.
BlackBerry and Samsung have both implemented this dual-persona approach into their device management software. The best way to think about this method is that the corporate apps reside in a secure, virtual box on devices. End users cannot put unmanaged applications in this box, nor can they move corporately managed apps out of it.
Users store their personal content in the device’s file system, which is separate from the content inside the box. Furthermore, the corporate data in the box can’t be shared with applications outside the box.
Keep data on premises with VDI
Note that there is a variant to the dual-persona method. Virtual desktop infrastructure (VDI) presents a remotely hosted desktop environment on an endpoint device. Citrix and VMware are the leading vendors of desktop virtualization products that can present virtualized applications or full desktops on a mobile device.
With this method, all the applications and content remain on servers in the company's data center, so users are merely opening a virtualized portal to access those services. This appeals to security-conscious organizations because no corporate data is stored on the device itself.
On the other hand, performance problems are quite common on virtual desktops. They can be very slow, and the client tends to crash when rendering the virtualized desktop screens consumes too much of the device's processing power. VDI is at best a stopgap measure until companies can develop and deploy mobile-specific apps.
Contractors need standalone MAM
Most of this discussion has been around mobile device management products with an integrated mobile application management component. But what if you want to put an app on a device that is not under your MDM?
For example, your company may have just signed a contract with another service provider to deliver products in a geographic location where setting up your own presence would be too costly. Your delivery service employees have an order-tracking app on devices that you manage via MDM, and you want the contractor to use that same app.
But, in most cases, the contractor already has its own MDM and won't let you manage its devices directly. To maintain compliance with your mobile security policies, you'll need a standalone MAM strategy. This alternative allows your company to enforce security, approved-usage and network connectivity policies for that specific app, regardless of the contractor's MDM system.
Document sharing and open-in management
If workers need to share data between work and personal apps, MAM and MDM tools include policy management services to dictate which applications can share content and mitigate the risk of data compromise.
Before enterprise mobility management, if an employee wanted to work remotely on his mobile device but needed to access a Word document on his desktop at the office, he would likely email the document to his personal email account and then work on the doc in an unmanaged and unsecured application.
Plus, enterprises now expect employees to get their work completed as soon as possible -- no matter where they are -- and that sometimes makes it difficult not to violate corporate policies.
Thanks to increasingly sophisticated MAM and MDM products, there are ways to ensure security and productivity at the same time. For example, most users can now have secured email on their smartphones, which means IT or employees can deliver content to mobile devices safely and that content can reside there under policy control.
Through MAM and device policies, enterprises can provide end users with managed applications to edit or update corporate content securely. Organizations can also maintain control by setting an open-in policy so only approved and containerized applications can share content with one another.
Employees will be more productive if IT can deliver the apps they need, maintain security and enable them to use multiple devices while still complying with corporate policies.