Seven steps to enterprise mobility security

Date: Nov 14, 2013
Mobility management is a big concern nowadays in firms small and large. In this three-part webcast, Jack Gold, president and principal analyst at J. Gold Associates LLC, discusses the weakest links in endpoint security. In part one, Gold looks at the importance of securing today's many endpoints. Part two examines BYOD and security, providing advice on mobile democratization and deployment. Here, in part three, Gold provides a checklist for enterprise mobility security management that can benefit organizations of any size.
Jack Gold: Now, that said, what you can do? What are some steps that you can take? Well, here are seven steps to enterprise-class mobile security. This is condensed from a white paper we put out a little while ago. If you contact me, we can probably get you a copy.
No. 1: You need to formulate a sustainable and flexible [policy], because things change dramatically in mobility. Flexibility is key. So formulate a sustainable, flexible strategy by, No. 1, assessing IT's role in mobility. What is IT's role? Is it the driver? Is it the chauffeur? Is it sitting in the back seat? There are different roles within different organizations, and in many organizations, lines of business drive the adoption of applications, in effect. From the surveys we've done, about two-thirds of mobile applications, mobile solutions, are paid for and driven by line of business and not by IT. That's not to say they're not involved. But assess your role.
No. 2: As we talked about earlier, identify classes of users. Identify their needs, identify their wants, and try to fulfill them as best you can. But just because somebody wants something doesn't mean they necessarily get it if it's at odds with your strategy or at odds with corporate strategy. So identify the classes of users, identify their needs, identify their wants, and then try to fulfill them. If you can't, let them know you can't, and let them know why. Users are pretty good at being rejected, if you will, or their demands being rejected, if they understand why and there's a valid concern, a valid reason behind it.
No. 3: Define classes of devices. Look at their capabilities and, honestly, look at their shortcomings, and then build a strategy around that. Even Android devices -- which of the major platforms in mobility right now probably have the least secure environment -- can be used in certain situations if you do the right things. So perhaps it's putting a container in place or allowing lower-level access to systems. Maybe it's just messaging an email, and that might be okay for your organization. It depends on what business you're in. If you're in healthcare or government, security level is one level. If you're in, perhaps, manufacturing or retail food distribution, it's different, so define those classes.
No. 4, and this is critical: Create and enforce, and that's the difference between what many companies successfully do or don't do around policies. Enforce effective policies to users and devices. This should be done in an automated fashion and as transparently to the end user as possible. If the end user needs to get involved in enforcing the policies, they'll bypass them, and you just don't want to have to deal with them. So enforce them as best you can with the proper tools in place.
No. 5: Understand your mobile risk profile, as we talked about in the previous chart. Not all applications, not all devices, not all companies are created equal. Build a risk profile just as you would a profile for your organization in business plans. You decide what's important, what isn't so important, what you can do today, what maybe you can put off to next week -- same thing here.
No. 6: Create and implement a strategic plan. This is critical. In fact, the majority of companies we talk to don't have a mobile strategic plan in place. If you don't have a plan, how do you know what you're doing? I urge you to put together a strategic plan and do it on a regular basis. That doesn't mean you have to spend months and months and months doing this. Put together a plan, and then update it perhaps quarterly, perhaps semiannually, and get all of the constituencies involved in providing input to the strategic plan.
No. 7: Deploy the right supplementary products. Whether this is MDM [mobile device management] or mobile application management or mobile infrastructure management or cloud tools or whatever it happens to be, decide what they're going to be, decide what you're going to implement, decide what you have to supplement for various products, and just do it. It's a relatively low-cost and important way to secure mobile devices within your organization.
So what's the bottom line? Corporate governance over diversification of devices won't come automatically. You have to work at it; you have to plan for it. But if you don't make it happen, you're going to be at a really high risk.
This chart I won't go through in any great detail, but most organizations need to think about what the next level of mobile management is going to look like, what's the next generation. In the past, we focused on device assets. Now and in the future, we need to focus on app and policy management.
[That means] less focus on malware and more focus on app integrations. Less focus on the specific OS that you're implementing and more focus on the data and content and how that interacts with the OS. Less focus on user operations and more focus on policy enforcement. These are the kinds of things that will up the game, so to speak, in your organization for mobile security. It will allow you to get ahead of the curve. And frankly, new mobile technology is coming all the time. New user models really require that a new breed of management be deployed. That's what you're going to have to be looking at longer term.
So, we're coming to a wrap-up slide here. I know I went through a lot of this very quickly, but let me bottom line this for you. You need to think about a strategy based on diversification, and you need to implement that strategy. Think apps and think devices. Also think policy and end users. And then supplement the strategy as needed. If things change -- this is a very fluid environment -- go for it. Just do what you have to do now, and then let it change later.
Evaluate based on multiple factors. You need to look at security, but you also need to think about manageability, governance, ROI, TCO [total cost of ownership], support. There are a lot of issues here, and this is not done very effectively in many organizations that I consult with.
Not all devices or apps or users are created equal. You need to think about classifying each one. That's the only way to really get control and prevent anarchy. Think about managing and governance. These are key issues, and then communicate with the end users to overcome any resistance they may have if they don't understand what you're doing. If they understand what you're doing, they'll be on your side and help.
And finally, expect change and create organizations that embrace it. Mobile complexity is not slowing down anytime soon. It's going to continue, and you're going to have to deal with it.