MDM: Putting the Cat Back in the Bag
Smartphones hold huge promise for the enterprise space, allowing employees to be more efficient, get on-the-go access to important information and leverage cutting-edge consumer technology. But they're also a huge headache for IT administrators struggling to get a grasp on the bring-your-own-device trend.
Take a recent Dell KACE survey of 741 IT professionals. To the survey's estimated 87 percent of employees who use their smartphones and tablets for work purposes, the consumerization of IT – as it’s known in industry circles – is a convenience.
But to IT administrators, the use of unsecured personal devices to access sensitive work-related data is a major security threat. About one-third of respondents in the Dell survey said employees used unauthorized devices and apps to connect to the corporate network, and another third conceded that it might be happening without their knowledge.
"If active sync is available, employees are just going ahead and using it or putting auto forward on their e-mail - and they're doing it without IT's knowledge or blessing," says Christian Kane with Forrester Research. "We see a lot of firms challenged by C-level executives in the organization who go out and buy an iPad and say 'Support me.' That puts IT between a rock and a hard place. They don't have the tools to support it, but they can't say no."
IT administrators let the cat out of the bag by allowing employees to use unprovisioned devices for work in the first place. If those phones and tablets go missing, there’s little to nothing IT can do to protect the information on them.
Now it's time for them to put the cat back in the bag - and banning mobile devices altogether isn't much of an option.
The fact that administrators are dealing with personal devices, not computers over which they have total control, means management of smartphones and tablets is going to look a bit different than it did in the PC world.
Take the oft-cited issue of dealing with lost smartphones that contain both personal and corporate data. The devices need to be wiped, but that could mean deleting cherished pictures of grandchildren along with sensitive information about the business. For devices that are both personal- and corporate-liable, a total wipe is the wireless equivalent of the nuclear option.
This issue has driven interest in compartmentalizing personal and corporate data onto separate sections of the device, a process known in industry jargon as virtualization.
Red Bend bought virtualization company VirtualLogix in September 2010 to make it easier to isolate enterprise data on mobile devices. Red Bend thinks virtualization is so important that it has made it a cornerstone of its mobile device management strategy.
“It prevents attacks on the applications environment that’s running corporate data,” says Richard Kinder, vice president of technology for Red Bend’s European operations. “It gives corporations a greater degree of confidence that information from their phones in the wild is going to be protected, and gives a good separation between a user’s corporate life and their personal life.”
Virtualization allows administrators to wipe only enterprise data off missing devices, while leaving personal information intact. But since this is the mobile environment we're talking about, remote wipe isn't foolproof and shouldn’t be the only line of defense for sensitive information.
A determined information thief can thwart remote wipe technology by removing the device’s battery and placing the device in an RF-proof facility so that it can’t receive the command to delete information, and then pulling the data off it. This brings up the need for encryption, another fundamental of mobile management and security. If data is encrypted, there’s a good chance no one will ever be able to make heads or tails of it even if it can be obtained from the device – and IT administrators can sleep at night.
Beyond encryption and remote wipe, there are other tools administrators can leverage, like blacklisting applications deemed too insecure for corporate use and expense management solutions that automatically move employees to the cheapest Internet connection.
One of the biggest challenges with the bring-your-own-device trend is the plethora of different platforms and devices in use by employees. No longer can administrators provision a bunch of BlackBerries and hand them out to senior management – at a minimum, they’re under pressure to support Android and iOS as well.
The shift away from BlackBerry smartphones in the workplace has been so pronounced that the devices’ own manufacturer, Research In Motion, recently came out with a mobile device management solution for Android and iOS.
“Customers were asking us for an all-encompassing solution,” says David Heit, RIM’s director of enterprise product management. “To use a car analogy, it used to be anything you want as long as it’s a black Ford. Now, people select completely different makes and models. That’s just going to be part of the equation.”
Its Mobile Fusion platform, spawned from its acquisition of Ubitexx earlier this year, expands the technology currently available through the BlackBerry Enterprise Server to Android and iOS devices. Mobile Fusion’s capabilities include asset management; user- and group-based administration; application and software management; and functions to help protect lost devices like remote wipe.
Mobile Fusion isn’t yet commercially available, but is slated for commercial distribution in March of next year.
Addressing the Human Element
For all the technological fixes mobile device management vendors have to offer, some of the most important parts of mobile device management boil down to basics like education and using a device's preinstalled security features, such as password protection.
If employees don't understand why mobile security is important, they'll find ways to circumvent the controls administrators put in place to prevent information leaks - like auto-forwarding their e-mail or installing Microsoft Active Sync without permission.
"There's some consciousness raising that has to be done," says Craig Mathias, a principal with the Fairpoint Group advisory firm. Mathias works with corporations and government agencies to control the flow of data to mobile devices.
In the past, IT administrators could dictate policies for company-owned computers. But unlike desktop computers, mobile devices are a lot harder to corral, making employee cooperation much more important than in the past.
“Even with all the controls in the world, it is usually not possible to tell if sensitive information is being misappropriated,” Mathias said in an e-mail response. “And, of course, once it's out, it's out forever (e.g., WikiLeaks). So, then, we call this a "Challenger" problem, after the space shuttle Challenger disaster - the problem must simply be avoided as the consequences of an error are simply unrecoverable.”
Talking to employees about the need to maintain the security and integrity of corporate data is a crucial first step. If they understand why a policy is in place, they're more likely to comply with it. Getting legal agreements in place to enforce corporate policies about the use of personal devices can also help - there's nothing like signing a contract laying out the penalties for violating company policy to drive the point home.
If you really want to see an effective mobile device management strategy, look at organizations that have to comply with regulations like Sarbanes-Oxley and HIPAA, or federal agencies like the Defense Department. Violations of federal regulations over financial transactions and privacy can get employees in trouble with the law, not just the IT department, and could have serious consequences like compromising national security.
These organizations live and die by information management, and don’t allow senior executives to dictate which devices can be used in the workplace. Either devices are compliant, or they’re not used. Those are rules that are missing in many enterprise environments today.
The MDM Marketplace
Even factoring in the importance of the human element, technology still remains a key part of the equation and the market for mobile device management solutions is booming.
A flood of vendors have come out with mobile device management products over the past year - a recent Gartner report looked initially at more than 60 vendors before narrowing the list to 13 - and many of their products are similar.
Analysts expect considerable consolidation over the next few years as established IT vendors look at acquiring technology to add mobile device management capabilities to their desktop computer platforms. As the market matures, mobile device management will move from being a niche product to technology that is integrated directly with administrators’ controls for computers.
At least for now, however, awareness is ahead of implementation in the workplace. Many IT departments saw their staff and budgets slashed after the 2008 financial crisis and are not in a rush to adopt expensive new platforms.
Ford Motors’ employee wireless strategy is a good example of the frugality induced by the country’s economic malaise. The auto maker decided to steer clear of more technologically advanced solutions like virtualization for its wireless strategy in favor of limited access to e-mail, calendar information, contacts and task lists. Ford doesn’t even provide technical support to employees using personal devices to access work e-mail; workers experiencing problems with the technology are directed to a company website where employees trade advice.
"It wasn't like they were overstaffed and underworked before this trend. They're coming to this game with one hand tied behind their back because of cuts during the recession," says Reid Lewis, president of GroupLogic and a founding member of the Enterprise Device Alliance. The group was first formed to help IT administrators deal with Macintosh computers and eventually expanded its focus to include iOS and Android devices.
Administrators want to get policies in place, but many are still in the process of evaluating their options and figuring out the best path forward with an incredibly fast-moving technology.
For instance, a recent survey from the Enterprise Device Alliance found that more than half of IT departments saw consumer applications like Gmail as a security threat, but nearly one-third of organizations tolerated the apps because they couldn’t provide a secure alternative.
The October survey interviewed 277 IT administrators in commercial, government and educational organizations with more than 100 employees. More than two-thirds of respondents were from organizations with more than 500 employees.
Of those large firms, just 16 percent currently used mobile device management solutions. By the end of next year, that number is forecast to more than triple to 50 percent.
Reid describes the IT industry as being in a “transition period.”
"Nobody anticipated the impact of the iPhone and iPad, so people aren't quite sure what to do yet," he says.