CIOs have been dealing with mobile device security for a decade. First, there were BlackBerry devices. Then more smartphones emerged, followed by netbooks, and now Apple Inc. has made the tablet famous with the iPad.
So what are the biggest concerns for CIOs with embracing a mobility strategy? What are the risks and pain points you need to account for? Here are four major areas to watch when developing your mobile device security strategy.
- Updates: When managing a fleet of smartphones, tablets, netbooks and more, the most
challenging thing is keeping them updated and secure. New threats emerge on almost a daily basis
while new functionality is released by device and OS manufacturers and (in more limited cases) the
carriers themselves. Tools are available -- including Microsoft’s System Center Configuration Manager and Mobile Device
Manager -- which can alleviate some of this pain, but for popular
consumer devices like the iPhone, Android and iPad, beware. There’s no central way to update
these devices -- you’re at the mercy of your users and Apple.
- Provisioning: Do you permit users to purchase their own devices and connect them to your
network? Do you standardize, centrally provision and distribute one or two handsets to your users?
Do certain tiers of employees need more access via their mobile devices than others? Do classes of
users have access to more sensitive information on the go, which would require a lost or stolen
device to be wiped clean remotely? Will you absorb, subsidize or pass on the cost of handsets to
your users? What implications does that choice have on your right to cleanse data from the device
if it were to potentially fall into the wrong hands? How will you manage the shipment and
transmission of devices and credentials to your users upon rollout? A comprehensive mobile strategy
needs to answer all of these questions.
- Contracts and lock-in: Just like anything in the technology world, smartphones and
mobile devices are always changing -- the greatest device today will be obsolesced by something
better way before you have time to adjust your strategy.
In this regard, mobile providers in the United States aren’t really your friends -- their main goals are to increase the amount you spend per user consistently and to get you to spend that much -- or more -- money over one, two and sometimes three years by locking you in via service agreements and contracts. Drive a hard bargain when you’re bringing a massive quantity of users to a provider. You can consider dividing your users among providers and staggering their agreements so that changes don’t sting you all at once. Avoid lock-in and contracts if at all possible, and ensure that any contract you do sign isn’t completely tilted in the carrier’s favor.
- Control: The first line of defense for mobile device security involves sanctioning supported devices and controlling which devices are allowed entry to your company's network and resources. For many companies, this comes down to a question of ownership: Does your company purchase phones and devices and distribute them only to authorized users? Is your organization set up so that users purchase their own devices and, at their option, can connect to your mail servers and network resources on the go? Some companies manage mobile email through a platform server tied into a specific type of device, like the BlackBerry Enterprise Server product, which provides a midmarket business with a clear line of supported and nonsupported activity. In these cases, it’s a policy that's tough to ignore since IT registers devices with the platform server -- no registration, no access.
Jonathan Hassell is president of The Sun Valley Group Inc. He's an author, consultant and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning Windows Server 2003, Hardening Windows and, most recently, Windows Vista: Beyond the Manual. Contact him at firstname.lastname@example.org.
This was first published in April 2011