Supporting BYOD with Strong Mobile Device Management Policies
How to make mobile device management a core part of your security management strategy.
By Mark Gentile, President and Chief Executive Officer, Odyssey Software Inc.
Due to the explosion of mobile devices in the enterprise, the number of workers requesting access to corporate data and applications from their own tablets and smartphones instead of from corporate-issued equipment is rapidly increasing. This new trend, commonly referred to as bring-your-own-device (BYOD), is quickly becoming popular in the workplace.
Although BYOD offers the benefit of allowing users to select a device of their own choosing, from a security standpoint it has IT personnel pulling their hair out over compliance challenges.
Mobile workers have raised an alarm for IT security ever since the early days of PDAs and notebooks. Now, as the BYOD trend increases, an absence of strong and comprehensive mobile device management (MDM) strategies and policies is resulting in many companies finding themselves more vulnerable to security breaches and malicious content than expected.
While some organizations have chosen to limit the security risk by prohibiting employees’ use of their personal devices for work-related activities, the overall enterprise trend is moving in the opposite direction.
Research shows that 70 percent or more of large businesses now have a BYOD policy of some kind in place. At the same time, in an InformationWeek Analytics 2011 Strategic Security Survey, 70 percent of the more than 1,000 respondents indicated smartphones and tablets threaten their companies’ security, and in many cases, legislated compliance.
Within that same study, results showed that only one in three respondents deploy MDM as part of a comprehensive security policy. These numbers were reinforced by Forrester Research’s recently released report detailing the best practices in mobile device management.
IT management’s biggest challenge in adopting BYOD is how to adequately protect corporate and customer data while still allowing enough flexibility to permit personal device use. Choosing which mobile security policies to implement and enforce is imperative if you are to successfully implement BYOD in your organization.
A company’s mobile security policies should coincide with its overall security profile. Within the organization, the different policies used to secure corporate data, such as requiring simple or complex pass codes, encrypting data while the device is not in use, and specifying the maximum amount of inactivity time and failed access attempts, should generally be applied to mobile security as well.
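The four settings named above can be checked mechanically against what each device reports. The following is an added example, not code from the article or from any MDM product: the field names, the policy values, and the "stricter value wins" rule for overlapping policies are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    complex_passcode: bool     # True: complex pass code required; False: simple is enough
    encryption_required: bool  # data must be encrypted while the device is not in use
    max_inactivity_min: int    # longest auto-lock timeout allowed
    max_failed_attempts: int   # most failed access attempts allowed before lockout

def merge(a: Policy, b: Policy) -> Policy:
    """Resolve overlapping policies by keeping the stricter value (assumed rule)."""
    return Policy(a.complex_passcode or b.complex_passcode,
                  a.encryption_required or b.encryption_required,
                  min(a.max_inactivity_min, b.max_inactivity_min),
                  min(a.max_failed_attempts, b.max_failed_attempts))

def violations(dev: dict, p: Policy) -> list:
    """List the settings in one device posture report that fall short of policy."""
    bad = []
    accepted = {"complex"} if p.complex_passcode else {"simple", "complex"}
    if dev["passcode"] not in accepted:
        bad.append("passcode")
    if p.encryption_required and not dev["encrypted"]:
        bad.append("encryption")
    # None means the device never auto-locks or never locks out: always a violation.
    if dev["inactivity_min"] is None or dev["inactivity_min"] > p.max_inactivity_min:
        bad.append("inactivity")
    if dev["failed_limit"] is None or dev["failed_limit"] > p.max_failed_attempts:
        bad.append("failed_attempts")
    return bad

# Hypothetical policies: a baseline for every device, plus a group policy for BYOD.
BASELINE = Policy(False, True, 15, 10)
BYOD_GROUP = Policy(True, True, 5, 6)

def compliance_report(fleet: list) -> dict:
    """Map device id -> violations; employee-owned devices also get the BYOD policy."""
    report = {}
    for dev in fleet:
        policy = merge(BASELINE, BYOD_GROUP) if dev["owner"] == "employee" else BASELINE
        report[dev["id"]] = violations(dev, policy)
    return report

# Constructed posture reports (field names are hypothetical, not a real agent format).
FLEET = [
    {"id": "corp-001", "owner": "corporate", "passcode": "simple", "encrypted": True, "inactivity_min": 10, "failed_limit": 10},
    {"id": "byod-002", "owner": "employee", "passcode": "simple", "encrypted": True, "inactivity_min": 10, "failed_limit": 10},
    {"id": "byod-003", "owner": "employee", "passcode": "complex", "encrypted": False, "inactivity_min": None, "failed_limit": 5},
    {"id": "byod-004", "owner": "employee", "passcode": "complex", "encrypted": True, "inactivity_min": 5, "failed_limit": 6},
]

if __name__ == "__main__":
    for dev_id, bad in compliance_report(FLEET).items():
        print(dev_id, "compliant" if not bad else "non-compliant: " + ", ".join(bad))
```

The same settings that pass on a corporate device (corp-001) fail on an employee-owned one (byod-002) once the group policy is merged in, which is why devices need to be identified by ownership before policies are assigned.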
Managing MDM Policies
Today, many companies have not yet set up specific security policies for employee-owned devices, or if they have, the policies are bare-bones and lack the necessary stringency to be effective. What’s required for employee-liable devices is a set of well-thought-out, comprehensive, and properly applied MDM policies.
Such security solutions must account for the varying service needs of BYOD workers using their own equipment, as well as employees using corporate devices, all while providing protection to mission-critical data and applications.
Often, organizations will first use Microsoft Exchange ActiveSync to deploy policies to employee-owned devices, but security policy capabilities of this solution are limited. An MDM solution with an agent resident on the device is required to implement secure and compliant policies. This can accommodate features such as in-house deployment of comprehensive hardware, software and health reporting, as well as enterprise documents, applications, and media in order to control user access to enterprise data.
Although most MDM solutions are rooted in standalone technology, a few leverage industry-standard platforms that are already in use by the enterprise. Selecting the correct solution right out of the gate is important because changing MDM policies frequently has proven itself to be costly and cumbersome to manage.
An organization should ask vendors the following questions when evaluating MDM solutions:
- Does the solution integrate with industry-standard management platforms?
- How does the end user obtain the MDM device agent for the device?
- Can employee-owned devices be readily identified and grouped to assign policies?
- Are there compliance reports available?
- How are policies applied to the device and how are conflicts resolved?
- How is locking/wiping confirmation handled and reported for lost or stolen devices?
- Are there mechanisms for IT to control which BYOD users are allowed to enroll the device in MDM?
Several solutions exist to help an organization successfully adopt a reasonable and reliable BYOD model that has the security measures to protect corporate data.
Companies that establish strong MDM policies and ensure that only authenticated devices are allowed to connect to the network will have the most successful results when integrating employee-owned devices into the network.
As BYOD continues to grow in popularity, IT management will need to make MDM a core part of its management strategy, on par with other assets of the organization. Some enterprises are adding custom, mobile versions of internal applications to their MDM platforms for finding other employees, scheduling meetings, or establishing an internal page where users can download corporate applications.
Of course, the continual proliferation of BYOD requires implementing a sound MDM policy. It should be acknowledged that these policies must be responsive to and accommodate the productivity capabilities and needs of the workforce.
Mark Gentile is founder, president, and CEO of Odyssey Software Inc. and has led the design, development, and implementation of mobile enterprise solutions for many Fortune 500 companies across North America. Odyssey Software is the creator of Athena, an enterprise-class mobile and embedded device management product for today’s most popular device platforms, including the Windows Embedded CE operating system. You can contact the author at firstname.lastname@example.org