Mobile working has brought new challenges for IT departments, but the fundamentals of managing them remain the same. Many new technologies appear to be completely different and disruptive to the status quo, suggesting they need to be considered and managed in an entirely new way; but as reality bites, it turns out that the fundamentals of management change very little.
Mobile technologies are no exception. What started out as a special tool for certain roles and only with certain devices has exploded into a consumer-led boom of a huge diversity of smartphones and tablets.
These devices might be operated with touchscreens instead of keyboards and connect over public wireless rather than private fixed networks, but they are essentially doing the same job – allowing their users to communicate and interact with data. Extra risks occur because of the use of open and public networks, a greater variety of devices and, increasingly, that employees want to be allowed to bring their own devices and use them for work.
These things are not necessarily unique to mobile devices and some businesses will have had employees connecting in from domestic desktop computers over the last couple of decades, but the consumer mind-set towards IT has really gathered most of its momentum from mobile devices.
The risks of varied mobile usage need managing and this is where various categories of mobile enterprise management tools have sprung up to address the challenge.
The first area to address is typically the device itself through mobile device management (MDM) and there are several solutions that deliver the basic MDM secure functionality, which many IT managers first saw in the BlackBerry Enterprise Server (BES).
The basic controls revolve around ensuring users secure their devices, so enforce the setting of access passcodes. Then check the status of any given device – assuming it connects to the network – and apply remote control to set and reset settings. If it has been lost or stolen, the final sanction is to remote lock and wipe the device of all its contents. However, the growth of bring your own device (BYOD) complicates this last stage.
Whether an employee breaks a device, loses it or is fired, there needs to be a procedure in place to ensure the process is simple and easily repeatable.
Long-term players in the mobile market include Fiberlink, Mformation, the iAnywhere subsidiary of Sybase (now SAP) and Good Technology – the latter two having evolved as a result of significant acquisitions and mergers as the mobile industry matured. Other mobile management specialists such as Airwatch, Mobile Iron and Zenprise (now part of Citrix) have also been quick to build a strong presence in MDM.
Beyond basic operational security controls, the next step is to look at the deployment lifecycle of mobile devices and ensure that they fit with the wider strategy for IT. Compared with fixed desktop PCs, mobile devices bring additional challenges which increase their management overheads, but they should still be regarded as part of the total IT estate.
There are two ways to address this; either seek out solutions from suppliers that offer a “single pane of glass” which encompasses all devices – desktops, laptops, tablets and smartphones – such as those from Fiberlink and Kaseya; or look to outsource the more complex mobile management to a managed service provider.
Whichever way, it is vital to manage the entire lifecycle as mobile devices have a history of being put forward by employees for upgrade more frequently than is strictly necessary – and the devices walk out of the door when someone leaves the business. BYOD might soothe this particular issue, but many will bring their own devices in addition to devices provided by their employers.
Keeping track of who has what and who paid for it has become a necessary part of MDM. Lifecycle management starts with configuration, settings and activation but needs to run to the end of use, with asset tracking, replacement, upgrade, decommissioning and disposal. Whether an employee breaks a device, loses it or is fired, there needs to be a procedure in place to ensure the process is simple and easily repeatable.
This should be automated where possible, especially during commissioning with selfservice, portals and corporate app stores, as the increasing prevalence of BYOD makes this fraught with difficulties. A key feature for all MDM tools is to be able to set a variety of policies and controls and then interface appropriately to HR processes and systems.
The most extreme reaction of the most paranoid manager to data security might be to go beyond managing the device and encrypting everything, but most users will rebel against this at some level if it makes their work or life harder. They will definitely object if it is expected that data stored on their own BYOD phone or tablet has to be encrypted.
Each organisation needs to determine the value and risk of data to decide how much security is appropriate. This might include access controls that need to be applied, based on users, roles and the capabilities or risks of classes of device. Some data may need to be geo-fenced to ensure it can only be accessed in certain locations or have access controls and constraints based on time or date.
Corporate data may be kept and managed centrally, only accessible from a cloud service and never residing on a device. The important thing is to ensure that the right controls can be exerted on data of known value or risk, without removing the flexibility that mobile brings – otherwise employees will just work around the issue, bringing potentially greater risks.
Some MDM suppliers extend their solutions to include the management of content or its access and use. This is largely a security issue to avoid problems if a device is lost or stolen, but also includes the need to prevent accidental (or deliberate) data leakage while the device is still in the hands of its rightful owner.
The issues are more complex for mobile, especially as users will often be storing and accessing a mix of their own and work content and will generally need to share the information with colleagues or onto other legitimate devices of their own. Hence the two areas that need most attention are email, in particular the use of attachments, and how to manage external, shared storage in the cloud. Email can be addressed through selective encryption and/or data leakage prevention (DLP).
There are suppliers who have added mobile capabilities to existing email management, such as Mimecast, or MDM companies such as Good Technology who provide email access tools with the controls built in. Cloud storage control is a bigger challenge due to the growth in the numbers of easy to use and often free services, most of which are aimed at consumers. There are many enterprise-grade cloud storage tools and services that support collaboration such as Microsoft Sharepoint, Huddle or Intralinks, which provide high levels of security. There is still a user adoption challenge if usability does not match consumer options for mobile users, but mobile specific apps are starting to appear.
An increasingly important area to consider is mobile application management (MAM). How will these be deployed, installed and correctly configured now that, thanks to BYOD, the concept of a standard corporate build on a standard corporate device is out of the window?
Applications that are required for work need to be made available in a simple, flexible, self-service manner, delivered over the air with some enforcement to ensure critical apps are installed, and unapproved ones are not, or are at least contained. Versions and special variants of applications need to be managed over the complete usage lifecycle and secured via access control and data leakage prevention. The entire process is then completed with tracking and monitoring of performance, usage and compliance.
This approach to managing the mobile applications themselves and how they are used sidesteps the issue of BYOD versus corporate deployment and shifts the focus from the devices to the user. It treats every device as insecure, and then distributes and manages the applications that are required for enterprise usage on a set of supported platforms. While many MDM suppliers already offer some form of MAM, it is central to the messaging of companies such as Airwatch and Fiberlink and has encouraged the emergence of new entrants such as Apperian.
There are solutions adopting a “container” approach with a number of mobile enterprise application platforms that incorporate MAM into their solution, such as Kony and Antenna. These might be useful to consider for those organisations where bespoke or in-house developed mobile applications fulfil a significant role.
There are others where the focus of MAM is enterprise app stores and for many individuals and organisations, this provides a familiar, yet manageable framework for mobile application deployment. Enterprise app stores are only starting to gather momentum but with the continued growth of BYOD it would appear to be an important market development to track.
The reality is that it is not really the device that needs to be managed, but what the user does with it and the data they use it to access. It is about managing the process of mobile working not the raw components – whoever owns them.