Since the arrival of the first consumer-bought smartphones, enterprise security has been under threat. That all-important chain of defense against security risks has been undermined by its weakest link, people, in this case by using non-standard devices to conduct business and therefore making corporate data vulnerable to attack.
The alternative, to roll out company-issued mobile devices, has not been an easy path to follow. When historical market leader Blackberry lost its leading position in the market to Apple and Google’s Android, companies also lost a significant part of the ability to control corporate messaging and applications from a central point.
From the perspective of the IT shop, the consequence has been fragmentation, which has undermined the ability to deliver a coherent response in security terms. While solutions such as Mobile Device Management have existed, they have been seen as onerous; also, some devices (in particular those based on Android) have been seen as less secure.
Looking more broadly, many organisations have ended up adopting an approach in which corporate devices are used alongside personal equipment for business use. The genie of consumerisation is out of the bottle, say the pundits. But now devices exist that can deliver on an organisation’s mobile security needs, the question is, can it be put back?
The answer lies in addressing the source of the challenge, which is not the device but the person using it. Human beings assess risk all the time, and indeed, we are very good at it. In the case of a mobile device for example, we are prepared to put up with a small amount of discomfort if it will get us the result we want: sending a message, say.
If the discomfort is too great, we will assess other risks, such as, “What happens if I get caught using my personal phone?” If the answer is nothing, then the chances are that the behaviour will continue. With this in mind, anyone deploying a mobile solution needs to consider two variables: the discomfort it causes, and the cost of avoiding that discomfort.
Considering the discomfort first, the point of any mobile solution is to enable productivity. Different security features — such as encrypted data storage, separation of apps and so on — may be applicable to different business scenarios.
Defining a solution appropriate for an organisation or group requires familiarity with the security features available on a device and the risks they mitigate. Better knowledge makes for more flexibility, reduced operational overhead and therefore increased probability of a successful deployment.
An equal partner to product knowledge should be an understanding of the organisation concerned, the data assets to be protected and what constitutes their acceptable use. If a policy is in place, this may need to be reviewed: note that it needs to be signed off at the top of the organisation to be effective.
Once a standard configuration has been defined, it will require testing. Too often, enterprise mobile security can fail “for want of a nail” — insufficient licenses on the RADIUS server for example, or lack of WiFi cover in areas where authentication takes place. Users need a solution that works from day one, or they will immediately lose confidence in it.
Putting all these measures in place can help minimise discomfort, but they need to go hand in hand with measures to ensure that the capabilities cannot be circumvented. Note that we are talking about the organisation’s most important asset — its people — who will respond far better to inclusionary tactics than to draconian ones.
At the same time as understanding why secure mobile working technologies are being deployed, however, employees need to know that they must act as a strong link in the chain, not a weak one. An Acceptable Use Policy should be enforceable, so that a staffer at any level who attempts to circumvent it has their card marked.
In addition, the genie should be given a clear timescale for getting back in the bottle. For example, in an ‘anything goes’ environment which mixes personal and corporate mobile equipment, individuals should be given a cut-off date following which corporate data access will only be possible via a secure device.
A final question is about sustainability, that is, how to keep it all going. Reporting is important, with deprovisioning perhaps the most critical: it is one thing to know that resources have been allocated to the right people, but even more important is to know that any rights — and indeed devices — have been returned on change of role or exit from the company.
The bottom line, and the most fundamental challenge, is to ensure that any shiny new corporate devices deliver on what they are supposed to do — in this case enabling mobile users to stay productive without compromising on corporate risk. Provide people with usable security they will not try to circumvent, and you avoid consigning devices to the desk drawer.