Most discussions about mobile security in the enterprise focus on Mobile Device Management (MDM) these days. Some vendors may call it Enterprise Mobility Management (EMM) instead, but the point is the same: invest in an expensive, multi-featured, centralized security suite, and you’ll be able to manage and secure a Bring Your Own Device (BYOD) environment.
(Those acronyms sure are stacking up, aren’t they?)
The trouble is that this is not true. MDM tools are indeed necessary, but they are tools, not a complete solution. MDM is a good place to start, and for MDM buying tips, refer to this story, but it is not a be-all-and-end-all solution.
A complete solution, as with any other real network security, requires layers. Moreover, this challenge is new enough that it’s probably not wise to trust any one vendor for the entire solution. Some will be better at application management. Others will be good at partitioning enterprise data from personal data. Still others will excel at enforcing policies.
As you start to piece together the mobile endpoint security strategy that makes the most sense for your organization, here are five important considerations:
Intellectual property, customer credit card information, sales leads – none of this should be shared freely to personal mobile devices. In the old BlackBerry model (corporate-owned, tightly managed), the enterprise had more control because it owned the device and because of the robust policy features in BlackBerry Enterprise Server (BES).
Completely wiping a device wasn’t a problem. It was the enterprise’s device, after all.
Today, even if you make employees sign waivers allowing you to wipe data, don’t be surprised if they push back when you wipe their data. Better to avoid this trap altogether.
“We wanted to share content internally and externally, but be able to maintain complete control over it so it couldn’t be saved, forwarded, or otherwise misused,” said Jeff Fotta, CEO of Gryphon Networks, which provides cloud-based consumer contact preference solutions for the financial services industry.
“We deal with a lot of sensitive information such as pipeline, deals, revenue and strategic directions, and we definitely do not want our competitors to see any of it,” he said. “We also wanted to be able to deliver this information to mobile devices of employees in the field, while retaining the ability to terminate access to it at any time, in case it fell into the wrong hands.”
To accomplish this, Gryphon began investigating document and content protection solutions from Brainloop, WatchDox and Content Raven.
“Content Raven was really the only one on the market that fit all our criteria. They deploy through the cloud, so it was really easy to get started, and they allowed us to keep our content in our own infrastructure,” he said. Fotta placed a premium on the fact that Content Raven did not make him move content into their cloud. “Instead, we can point their solution to our content where it currently resides. That’s huge for us.”
Other factors that helped tip the scales to Content Raven included the ability to handle mobile content and support of rich media and video, as well as analytics and tracking capabilities.
Which BYOD model you choose can be just as important as the technologies you adopt to support it. Even if you embrace the IL BYOD model (individually liable) versus the CL (corporate-liable) one, there will be plenty of times when your employees will expect you to pay for mobile activities.
If they’re traveling overseas, for instance, and need to download a critical presentation to a smartphone or tablet, they’ll expect, rightly, that the company will reimburse them for those expensive data roaming minutes.
In fact, trying to push mobile expenses onto employees may backfire. Companies that just provide subsidies and allow employees to pick whatever device they want will face support problems and will lose out on volume discounts for both devices and plans.
This doesn’t mean, though, that one model has to blanket the whole company. For instance, a sales team has very valid reasons to not have to worry about expensing every single mobile cost. And if they do, you’ll probably spend more money processing expense reports than paying for the devices and services outright.
On the other hand, employees who do little work on the go may not even need to be granted mobile access, let alone given devices.