While Marissa Mayer may have abolished the remote worker policy at Yahoo, the vast majority of employers, including the federal government, are expanding theirs. With the increased expectation that your data ̶ whether it’s email, files, documents, or processes ̶ will be available to you wherever you are, at work, at home, or on the go. While access via laptops is common and many companies have established use policies for them, the mobile device space is much less mature. Concerns about lost devices, embedded encryption, containerization, secure communications, and even malware disguised as apps are growing. While we hear quite a bit about losing customer information such as credit card numbers and passwords, there is an increasing concern about losing intellectual property, proprietary processes that provide competitive advantages, and even documents around a legal action or acquisition that provides leverage in a negotiation. Additionally, because these devices may have access to the internal network, CIOs are looking at ways to control and manage them to ensure confidential information does not accidentally leak out through these mobile channels.
While certainly a security concern, mobile devices can increase productivity when on the road or after hours, and overall they seem like a net positive for most organizations. This doesn’t mean a mobile strategy is right for every organization, and you have to weigh the pros and cons carefully. If you do think mobile devices will be helpful, the question becomes how to both support and protect these devices that are being brought into the organization, without being overly onerous. Mobile device management (MDM) solutions can be one piece of the solutions, providing more control, visibility, and management of the bring your own device (BYOD) movement.
MDM solutions help IT administrators wrangle the various devices brought in by employees and can provide granular control and security to many aspects of a device. For specific app security, the app may need to be designed to around the particular MDM, where the app only runs if it can be verified by the MDM. When running an MDM-integrated app, the request goes through the MDM solution, which could be an on-premises server or a cloud service, and the MDM may enforce policies with additional security restrictions. To leverage the full MDM security policies, apps often have to incorporate code from the MDM provider’s software development kit (SDK). MDM solutions also have monitoring and reporting capabilities that could include dashboards and analytics. But even if apps are not designed around an MDM, the MDM solution does add additional security through containerization, remote wiping, and white lists and black lists that allow or disallow various apps. Some even offer their own secure versions of common apps such as a mail client and browser. Again, be careful about implementing overly rigid policies as it may slow or even prevent user adoption.
One of the major threats for phones is in the apps themselves. With the hundreds of thousands of apps out there, and the mixed business and personal usage of devices, there is quite a bit of concern about apps that may be malware. You could download a flashlight app, and while it may actually work as a flashlight, it may also harbor a Trojan horse that records your key strokes and captures passwords, transmitting them to a faraway server. While users are still susceptible to phishing attacks and social engineering attempts, apps will pose an even greater problem as device owners may assume apps are vetted when they appear in an app store. While app reviews can be stringent, especially with the Apple app store, the thousands of apps uploaded for review means some malicious apps will inevitably get through.
One last caveat: watch out for unmanaged and unknown devices that connect to your network – even a child who comes to visit his or her parent at work may be bringing in a networked gaming device and tapping into the company’s wireless network. And since we’ve seen several cases of hacked game networks, these unconventional networked devices could pose a threat.
The task of managing the avalanche of smart phones and tablets will surely get more complex as the market continues to grow. MDM solutions may be able to stem the tide of security concerns, but it should not be looked at as a silver bullet – it requires training, adoption, good policies, and proper enforcement. It is also somewhat heavy-handed in providing security. And because it typically operates at a device level, users may be annoyed by having to jump through the security hoops when they’re using their devices in a personal use setting. With all the new opportunities for data leaks and exfiltration of corporate data that comes with supporting mobile devices, MDM may not solve the problem entirely, but it may be able to give your CIO some peace of mind.
Bill Ho, President, Biscom
Bill Ho brings more than 20 years of Internet and software experience in the technology field to his position as president at Biscom. Bill received a BS from Stanford University and an MS from Harvard University, both in the field of Computer Science.