After years of managing mobile devices that are synced to centralized servers and governed by company policy, many...
CIOs don't worry much about IT disaster recovery and business continuity plans for mobile devices. Those days are over -- or will be soon.
The proliferation and ever-increasing diversity of workplace mobile devices -- company-issued and employee-owned -- will push CIOs to reconsider their IT disaster recovery and business continuity plans, experts say. Reducing the risks associated with workplace mobility also will drive technology purchases, from mobile device management (MDM) tools to desktop virtualization.
"Executives are dragging documents through iTunes and onto their iPads. They are editing them with something like QuickOffice or Documents To Go, or Apple's Keynote and Pages products. The documents are being modified and shared, and the data stores completely cache-forwarded out there into the field; nobody is thinking about how to get them back," said Bill French, a Denver-based IT consultant and software developer. "So, the cart is definitely in front of the horse on this one for most organizations."
Mobility in the workplace is a top concern for CIOs, with good reason. An average 44% of employees are carrying a company-owned mobile device, according to The Nemertes Research Group Inc.'s latest IT Benchmark, an annual study of more than 200 organizations spanning 18 vertical industries. That number is projected to go to 70% by 2012. Moreover, at 11% of the organizations studied, employees rely 100% on smart devices for communications -- and that's just the company-issued devices.
Add to this new reality the growing trend of allowing employees to use their own smart devices, and suddenly mobility is not only a Tier 1 service for IT departments, but also wildly out of IT departments' control.
"Now you have the risk of corporate data leaking out into the personal side of the device. And if you do implement backup and recovery for the smartphone, what do you do when it is a personal device?" said Ted Ritter, senior research analyst at The Nemertes Research Group Inc. in Mokena, Ill."The employee certainly doesn't want you to back up their personal data to the corporate server," he said. Or wipe out three years of family photos, if the device is lost.
Companies that have dealt effectively with this conundrum work with their lawyers to craft an acceptable use policy for employees to sign; that's a legal process that can take as long as a year, Ritter said. Such policies typically state that if a company needs to wipe the device clean or confiscate it for reasons of e-discovery or an employee action, it has the right to do so, even with employee-owned devices, he said. But these policies don't fly in Europe, where personal data privacy laws are stronger.
IT disaster recovery in the age of mobility
So far, however, mobile devices are not really factoring into a CIO's IT disaster recovery and business continuity strategy, experts say.
"We don't have any real data on mobile devices and disaster recovery, because it is an area that no one is paying attention to," Ritter said. "We are not seeing people thinking it through to the step where they recognize that these devices are becoming walking computers."
A disaster recovery plan for mobile devices is not on most CIOs' radar, IT consultant French said. "I don't think too much about mobile devices and DR, because CIOs are not worrying about it," he said.
The same goes for players in the fast-growing MDM market. "The intersection of DR and mobile hasn't yet been a big topic I have heard from enterprise customers, although I think it is right around the corner," said Bob Tinker, president and CEO of Mountain View, Calif.-based MobileIron Inc.
The mobile industry tends to focus on the device rather than on the management and security of the applications on the smartphone, Tinker said. "The key thing for CIOs is that it's not about the device, it's about the data."
Top-down management of mobile devices a thing of the past
The lack of awareness is understandable. When company-issued laptops, BlackBerrys and yesterday's cell phones represented the bulk of mobile devices in use at companies, CIOs could confidently say that IT disaster recovery and business continuity for their mobile arsenals was no big deal -- provided, of course, they had solid plans. Research In Motion Ltd. offered decent disaster recovery with its BlackBerry Enterprise Server. With other so-called ruggedized devices (a Windows phone for instance), the data typically was synced to some centralized server. When a cell phone got lost or stolen, it didn't much matter, except for the pain of rekeying in phone contacts.
Not so long ago, when the issue of disaster recovery and mobile devices came up, the conversation was assumed to be about how organizations could take advantage of employee cell phones and the handful of executive not-so-smartphones to instruct and inform personnel in the event of a disaster. The advent of the iPad and other mobile devices that not only access data but also can be used to generate and store data, means that disaster recovery plans now have to consider them as endpoints.
Consider the caseload of Atlanta-based MDM vendor, AirWatch LLC, which supports the spectrum of mobile platforms, from the Apple iOS to Symbian. In January alone, the company worked on three cases involving business executives losing a personal iPad that held sensitive corporate data and lacked the security software to wipe it clean. One iPad, left behind by a CEO in a backseat pocket on an airplane, contained notes on a top-secret acquisition.
"This is not a classic example of disaster recovery, where a catastrophe brings down a data center. But let me tell you, this is a disaster that has to be dealt with," said AirWatch Chairman Alan Dabbiere.
Enterprise mobility driving desktop virtualization
One of the ways companies are dealing with IT disaster recovery and business continuity for mobile devices is by investing heavily in desktop virtualization, Nemertes Research's Ritter said. "You can still get to the desktop and even edit a Word doc on the device; but technically, all that is going on in the data center. The device is only a remote client."
Another approach is focusing on "secure containers," products offered by such MDM vendors as AirWatch, Good Technology Inc. and BoxTone that address the security issues posed by the errant iPad.
"This is not disaster recovery in the way we usually talk about it, but security. Security is the biggest risk factor in deciding which mobile devices to allow onto the corporate network," Ritter said.
Bill FrenchIT consultant and software developer
"Rather than focusing on trying to back up mobile devices, what we have seen organizations do is restrict the amount of data that can be downloaded as much as possible," Ritter said. So, if the device supports Microsoft's ActiveSync, for example, the employee can access email but will be blocked from accessing SharePoint and other servers holding corporate data, he said.
That is pretty much the approach taken by The Vanguard Group Inc., the Valley Forge, Pa.-based investment firm, said Abha Kumar, its principal for IT. Employees are given the option of using a company-issued BlackBerry or the smartphone of their choice.
Nothing is stored on the personal device, Kumar said. "We provide a pipe [using software from Good Technology] into our email and calendar at this point, so the device is secure from that point of view," she said. "There might be something on the cache that holds data, but as soon as we find that a person has lost the device, we can zap the application."
With their company-provided BlackBerry, Vanguard crew members, as they are called, can access their work email, calendars and some business applications, such as Vanguard's Siebel customer relationship management application and the company intranet.
"If a crew member submits an expense report, I can approve it on my BlackBerry," Kumar said.
And, being a regulated business where security is paramount, client data is off-limits to mobile devices. Vanguard client service reps, who routinely deal with client information, do not have BlackBerrys because Vanguard does not want client information to go outside its four walls. "So, even as we talk about new technologies and being more flexible and being more mobile, the thing we protect above all is client information," Kumar said.
Brownlee Thomas, principal analyst at Cambridge, Mass.-based Forrester Research Inc., agrees that most companies do not have a formal mobility policy, never mind a disaster recovery plan for mobile devices.
"They have lots of policies, because mobile, fortunately or unfortunately, is not a centralized provisioning at most companies. It is either provisioned at the division level or through corporate procurement, the same people buying and dispensing your staplers," Thomas said.
"The CIO doesn't necessarily have a lot of control."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.
CIOs need a mobile application strategy, but crafting one isn't easy
Outsourcing trends: Mobile business applications for a business edge
Meditating on Harvard's mobile strategy, Eric Schmidt and 'Lost'
- The Desktop Admin's Guide to BYOD: Pros and Cons of BYOD –SearchSecurity.com
- Weighing the Options for an Enterprise Mobility Strategy –SearchSecurity.com
- EssentialEnterprise Mobile Device Security Controls and Policies –SearchSecurity.com
- CW ANZ: Riding the wave of enterprise mobility –ComputerWeekly.com
Dig Deeper on Enterprise mobile strategy
Benefits of wireless networks extend to disaster recovery plansBy: Craig Mathias
Delta outage sparks disaster recovery concerns
Data provenance and the profitability of well-governed information
Top 2015 compliance stories: Data challenges and security issues