CIOs have been dealing with mobile device security for a decade. First, there were BlackBerry devices. Then more smartphones emerged, followed by netbooks, and now Apple Inc. has made the tablet famous with the iPad and iPad 2. Now that their form and functionality have been adopted by the consumer outside of the IT shop, CIOs must address not only how devices fit inside their IT shops, but also how their users are connecting to (and putting at risk) the network with their own personal devices.
So what are the biggest concerns for CIOs with embracing a mobility strategy? What are the risks and pain points you need to account for? Here are four major areas to watch when developing your mobile device security strategy.
- Updates: When managing a fleet of smartphones, tablets, netbooks and more, the most challenging thing is keeping them updated and secure. New threats emerge on almost a daily basis while new functionality is released by device and OS manufacturers and (in more limited cases) the carriers themselves. Tools are available -- including Microsoft’s System Center Configuration Manager and Mobile Device Manager -- which can alleviate some of this pain, but for popular consumer devices like the iPhone, Android and iPad, beware. There’s no central way to update these devices -- you’re at the mercy of your users and Apple.
- Provisioning: Do you permit users to purchase their own devices and connect them to your network? Do you standardize, centrally provision and distribute one or two handsets to your users? Do certain tiers of employees need more access via their mobile devices than others? Do classes of users have access to more sensitive information on the go, which would require a lost or stolen device to be wiped clean remotely? Will you absorb, subsidize or pass on the cost of handsets to your users? What implications does that choice have on your right to cleanse data from the device if it were to potentially fall into the wrong hands? How will you manage the shipment and transmission of devices and credentials to your users upon rollout? A comprehensive mobile strategy needs to answer all of these questions.
- Contracts and lock-in: Just like anything in the technology world, smartphones and mobile devices are always changing -- the greatest device today will be made obsolete by something better well before you have time to adjust your strategy.
In this regard, mobile providers in the United States aren’t really your friends -- their main goals are to increase the amount you spend per user consistently and to get you to spend that much -- or more -- money over one, two and sometimes three years by locking you in via service agreements and contracts. Drive a hard bargain when you’re bringing a massive quantity of users to a provider. You can consider dividing your users among providers and staggering their agreements so that changes don’t sting you all at once. Avoid lock-in and contracts if at all possible, and ensure that any contract you do sign isn’t completely tilted in the carrier’s favor.
- Control: The first line of defense for mobile device security involves sanctioning supported devices and controlling which devices are allowed entry to your company's network and resources. For many companies, this comes down to a question of ownership: Does your company purchase phones and devices and distribute them only to authorized users? Is your organization set up so that users purchase their own devices and, at their option, can connect to your mail servers and network resources on the go? Some companies manage mobile email through a platform server tied into a specific type of device, like the BlackBerry Enterprise Server product, which provides a midmarket business with a clear line of supported and nonsupported activity. In these cases, it’s a policy that's tough to ignore since IT registers devices with the platform server -- no registration, no access.
Jonathan Hassell is president of The Sun Valley Group Inc. He's an author, consultant and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning Windows Server 2003, Hardening Windows and, most recently, Windows Vista: Beyond the Manual. Contact him at firstname.lastname@example.org.