While there is a lot of research about the sudden growth of mobile business usage, much of it being driven by the explosion in ‘Bring Your Own Device’ (BYOD), a trend that while understandable from the user’s perspective, is giving IT departments the world over the shivers.
Protecting the organisation from security breaches – which are often caused inadvertently by the users – has long been a big challenge and it has suddenly taken on a whole new dimension with employees and contractors introducing their own tablets and smartphones into the workplace, in effect blurring the lines between personal and business computing devices.
Ninety percent of enterprises have already deployed mobile devices, with smartphones being most widely deployed, according to a survey by Gartner [User Survey Analysis: Impact of Mobile Devices on Network and Data Center Infrastructure, May 2012].
A further 86% of enterprises surveyed said that they plan to deploy media tablets this year. With the proliferation of BYOD, there are many security issues for enterprises to consider before they invest in mobile computing. According to the survey, the top issues were “use of privately owned devices” and “deployment of new enterprise mobile platforms”.
So it is hardly surprising that IT directors and managers in many organisations – both large and small – are hesitating before taking the plunge into truly embracing the concept of the mobile enterprise. However, the genie is well and truly out of the bottle, so like it or not, enterprises are going to have to face this problem head on and sooner rather than later.
Also, another way to look at the exponential growing of business mobile usage is whether it could actually be good news, helping to improve productivity by making better use of existing applications and services in which organisations have already invested. However, as they are traditionally hard to access on mobile devices, companies are not making maximum use of them.
That all changes with the latest wave of mobile applications or services that have been adapted or developed to deal with the BYOD wave. A good example of this is Microsoft SharePoint, which has until recently been cumbersome to access on mobile devices, yet has represented a massive investment for organisations the world over. New products have removed this barrier, making SharePoint simple and secure to access, thus helping CIOs and IT directors to recoup better return-on-investment and improve user engagement.
Of course, that does not negate the security challenge, so before enterprises can truly exploit BYOD to their own advantage, what needs to happen? Mobile security is a hugely complex and oft-debated topic, and there is also the challenge of balancing accessibility and flexibility against strong security measures. Make security too tough and employees will encounter usability problems.
So what does work? At my company we’ve invested a lot of time and effort working out what constitutes mobile security best practice and have had that independently validated. So, here are my top pieces of advice in what to look for in a secure BYOD app.
CIOs need to realise that an employee using a mobile device to access corporate systems is essentially an external user, as far as authenticating securely across the firewall is concerned. Make sure that your mobile applications vendor is able to support (or recommend) the authentication regime that works best for your organisation, whether that is using federated profiles, token-based authentication, 2-factor or forms-based authentication, for example.
It is advisable to minimise the amount of content or data stored on the mobile device, but if it has to be so, ensure that it is properly encrypted. 256-bit SSL encryption should be the standard to aim for.
3. Zero footprint
Let’s face facts, people are always going to leave their devices lying around. So, inisist on ‘zero footprint’: in other words, no corporate data or content is left on a smartphone or tablet.
4. Single sign-on
Something that vendors often struggle to achieve, but something that enterprises should be demanding. For instance, if SharePoint users have single sign-on to multiple SharePoint sites, then they only need to remember one user-name and password to access their mobile SharePoint world.
5. Don’t go native
Some of the world’s leading analysts have begun to query the sense of native apps. If you choose mobile web apps, then they can still act like a native app to keep users happy, but they support ‘zero footprint’ and also make it a lot easier to manage user and administration rights (which is vital for efficient security strategies).
Purchasing, deploying and ensuring that users have downloaded the latest software version are all challenges that CIOs will face with native apps in the enterprise. Some mobile web applications are able to incorporate device features previously only available through native apps, like accessing the device’s GPS functions, camera, alerts and notifications and placing an application badge/icon on the device home screen.
If IT departments can get their workforce using applications like SharePoint better on mobile devices, then the mobile security headache could actually be a saving grace. Of course, that depends on having extremely robust security measures, without limiting access or usability, but the technology and techniques are all there: it’s just a question of researching the best fit for the organisation in question.