It's complicated. It's expensive and we don’t have the budget for it. There are no unifying standards. The apps are complex. Did we say it was complicated?
These are some of the reasons why many companies do not secure their mobile operations as fully as they should, or even at all. (You can find the complete list in Part 1.)
There is a measure of truth in these reasons, but leaving the mobile piece of the enterprise unsecured still promises nothing but trouble.
What to Do
There are, in fact, steps that even the smallest and most resource-constrained company can take. If nothing else, start with the basics: get complete visibility into your mobile environment so you understand what you are dealing with.
Understand which mobile devices are accessing the network now, Steve Lowing, director of product management for Promisec, told CMSWire.com. Note the file-sharing applications in use on desktops and laptops, since they are likely being used on personal devices as well, and record which corporate systems each group of end users needs to access. Include the Software-as-a-Service (SaaS) solutions they might need to do their jobs.
"With this knowledge you can then form a decision on what technology to bring in to solve your security problems," he said. One solution that may emerge from this analysis is an application-level VPN for accessing corporate data from a file share or web application.
Also, if the app on the phone processes data or allows the data to be manipulated, the company will likely need an app container technology. Encryption may be needed to protect data in a cloud file-sharing environment once it leaves the premises or the phone and goes into the cloud.
Evaluate the Data
"If it’s a highly sensitive or mission-critical app to which employees need access, by all means secure it — but if it’s in an area where security isn’t a key need, go ahead and let people use whatever app they like, however they choose, so IT can focus their attention and resources more strategically," Phil Redman, vice president of Mobile Solutions and Strategy at Citrix, said.
He offers the following two common use cases:
- An investment banker uses a personally owned tablet to access confidential corporate data. These apps tend to be quite complicated in terms of the amount and structure of information they access in backend repositories, and they also face strict compliance and security requirements. Clearly, this calls for a high level of protection.
- Now consider an expense management app, the kind found in any public app store. IT could make it enterprise-ready by wrapping the app to secure it, but might also decide that even this basic protection isn't really necessary for the organization. After all, no credit card numbers, personally identifiable information or other sensitive data is being transmitted, just a list of expenses and vendors, the same information displayed on a discarded receipt.
Maintaining strong IT security in businesses of any size is a challenge, largely due to the perception that IT policies get in the way of doing real work, Sam Liu, vice president of marketing at Soonr, explained.
"For instance, in a BYOD workplace, IT may restrict how employees can send files to external partners or what kind of networks they can connect to on their smartphones," he told CMSWire.com.
"These may be reasonable security concerns, but in companies where employees are on the road or at offsite meetings on a regular basis, the workflow can't halt until they're back in the office; that would sacrifice revenue. So many users find workarounds and effectively shrug off IT so they can do their jobs."
Fortunately, for mobile in particular, there are also better tools that can balance end-user productivity with IT control, he continued. "For example, secure file sync and sharing services that allow users to access and share company documents, while giving IT control over security policies such as device approval, data loss prevention, and authorized access."
When all else fails, set up a separate network. It's a favorite trick of IT admins who feel forced into allowing personal devices on the corporate network, said Dodi Glenn, senior director of Security Intelligence and Research Labs at ThreatTrack Security.
"Employees want to be able to access corporate resources, but don’t want their IT admins having access to their own device," he said.
"Since an IT admin has little to no control over the employee's device, they typically will set up a secondary network, which doesn’t have direct access into the main corporate network."