Personal devices shouldn't be treated like any other company machine, so business and personal data, applications and settings should be separate. There usually isn't an elegant way to address this need with the default tools.
Take, for example, ActiveSync, the default mobile device control for many organizations that use Microsoft Exchange. Once a user adds Exchange mail to his device, he will be forced to accept the endpoint management and security policies set up at the server. This is fine for company-owned devices, but if an employee leaves or the device is lost, the only option for protecting sensitive information is to send a remote wipe command, destroying all data on the device.
There are different approaches to mobile device management (MDM). MDM concentrates on how a device's management capabilities can allow for greater control. These include accessing Global Positioning System (GPS) capabilities, specifying passcode and timeout requirements and requiring certificates for access to Web services or a virtual private network (VPN).
The centralized nature of MDM often integrates into other areas of IT, such as help desk processes and usage reporting. Note that IT will need to get user approval. People should be aware that administrators could block access to certain functions of their devices, track their movements and control the fate of their personal data. You can ask employees to sign off for this kind of endpoint management, but you'll likely upset people if you end up erasing pictures from their child's birthday party.
Look at MDM products that can respect the separation between a personal device and work applications and data, such as BlackBerry Enterprise Service.
Other software, such as Samsung's Knox and VMware Horizon Mobile, uses virtualization or dual-persona technology to wall off the work environment from the personal one on the same device.
Data is king
IT needs to come to terms with the fact that centralized data protection via the internal perimeter is no longer the best approach. Even before the smartphone revolution, sensitive data at rest leaked via laptops, USB keys and lost tapes. Enterprise administrators tightened controls at the server, implemented audit controls and used endpoint management tools such as whole-disk encryption.
Now those files will be moving across multiple devices and networks. You can't necessarily force an iPad or personal Mac laptop to have encryption. Instead, make those assets available in new ways. Making data accessible via the Internet is a way to ease access, but data and mobile application security must be paramount.
Any tool needs to integrate into your authentication system and support role-based access through existing directory services. Luckily, Active Directory and other Lightweight Directory Access Protocol (LDAP) services support federation, which lets you extend authentication out to the Internet. These technologies often rely on third-party cloud services for centralization and for compatibility with as many cloud apps as possible.
Deciding how to deliver data to an endpoint is a key challenge. A mobile application management system can put corporate access into a wrapper controlled at the application level on a device. You could, for example, provide a fully managed email app on an iPhone that requires its own authentication and its own encryption and that can be disabled easily without affecting the device itself or any personal data.
There is a danger of confusing the mobile device's built-in apps with those of the organization. IT can specify approved applications that allow data on any device in an encrypted, managed manner.
Data access controls should account for cloud storage such as Box and other Software as a Service (SaaS) applications such as Salesforce.com. That data is easily accessible through dedicated apps and websites, but it also offers application programming interfaces to plug into custom apps or other SaaS use cases. Unless you provide a safe place to put the data, you can bet that users will find a way to put data where it shouldn't be.
If you need to lock down network interaction even further, consider a VPN or proxy to control Web filtering, prevent hacking and protect against malware. This is an old-school solution that still works across platforms. In fact, major network vendors make their VPN software available as apps for mobile devices. Because platforms such as Android and Java have become prime targets for malware, organizations may want to require VPN use.
Take advantage of security remediation before allowing a complete connection to an internal network, and trust outside devices less than you do fully managed devices on your internal network. Cloud-based security options for proxies and VPN have become popular alternatives for on-premises tools and are worth a look.
Desktop virtualization can also help with securing data. The latest hypervisor releases use techniques such as putting anti-malware into the host stack instead of on each virtual machine.
It's the user, not the device
Endpoint management has become a multiheaded monster, so try looking at endpoints from the perspective of the user instead of the device. This will help you understand what you need to do to ensure usability and protection of data from any device or service.
Remember to enforce passcodes and PINs, timeouts and any other standard security feature that you'd enforce on a Windows PC. Ensure that users understand that, when they carry corporate data, their device could be tracked using its built-in GPS or they could end up with no data if IT needs to remotely wipe their phone. Provide easy ways to connect and sign up through a Web portal or other self-service initiative.
Reporting is key to managing remote devices. Have a system that will alert you to usage as well as indicate problems such as rooted tablets and smartphones that can no longer be trusted even with encrypted data.
If you will be providing data through smartphones, think about providing apps that handle authentication and encryption regardless of the platform. Perhaps you can create your own storefront that contains corporate-approved apps. Ensure that business data never sits unencrypted at rest on a user's personal device.
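The reporting and remediation decisions described above (passcode and timeout requirements, encryption at rest, rooted devices that can no longer be trusted, and preferring to erase only work data rather than wipe a personal device) can be expressed as a small posture-evaluation routine. This is an added example, not code from the article or from any MDM product; the policy thresholds, the `DevicePosture` fields and the inventory records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy thresholds; substitute your own standard.
POLICY = {"min_passcode_len": 6, "max_timeout_s": 300, "require_encryption": True}

@dataclass
class DevicePosture:
    device_id: str
    owner: str
    corporate_owned: bool
    passcode_len: int          # 0 means no passcode is set
    timeout_s: int             # screen-lock timeout in seconds
    encrypted_at_rest: bool
    rooted: bool               # rooted/jailbroken, as reported by the agent
    has_work_container: bool   # work apps and data live in a separate managed container

def remove_corporate_data(d: DevicePosture) -> str:
    # Prefer erasing only the managed work container. A full wipe is acceptable
    # only on corporate-owned hardware; on a personal device it would destroy
    # personal data, so block access and tell the owner instead.
    if d.has_work_container:
        return "wipe_work_container"
    return "full_wipe" if d.corporate_owned else "block_access_and_notify_user"

def evaluate(d: DevicePosture, policy: dict = POLICY) -> dict:
    """Return policy findings plus the least destructive action that still protects data."""
    findings = []
    if d.passcode_len < policy["min_passcode_len"]:
        findings.append("weak_or_missing_passcode")
    if d.timeout_s > policy["max_timeout_s"]:
        findings.append("lock_timeout_too_long")
    if policy["require_encryption"] and not d.encrypted_at_rest:
        findings.append("unencrypted_at_rest")
    if d.rooted:
        findings.append("rooted")
    if d.rooted:                       # the device itself can no longer be trusted
        action = remove_corporate_data(d)
    elif "unencrypted_at_rest" in findings and not d.corporate_owned:
        action = remove_corporate_data(d)  # encryption cannot be forced on a personal device
    elif findings:
        action = "quarantine_until_remediated"  # fixable on a device we manage
    else:
        action = "allow"
    return {"device_id": d.device_id, "findings": findings, "action": action}

# Constructed inventory records, in the shape an MDM agent might report.
INVENTORY = [
    DevicePosture("ipad-01", "alice", False, 6, 120, True, False, True),
    DevicePosture("android-07", "bob", False, 4, 600, True, True, True),
    DevicePosture("laptop-12", "carol", True, 0, 900, False, False, False),
    DevicePosture("phone-03", "dave", False, 8, 60, False, False, False),
]

def report(inventory=INVENTORY) -> dict:
    return {d.device_id: evaluate(d) for d in inventory}
```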
When you realize that everyone will have their work desktop, their home laptop, a smartphone, a tablet and whatever else is coming next, you'll be able to provide ways to work productively from anywhere with consistency and security.