Informed CIO: Mobile Device Security

Jan 28, 2011


Reducing Mobile Device Risks to Enterprise Data

Smartphones and now pad, slate and tablet devices, which create their share of mobile security concerns, are growing like mad. Infonetics reports that smartphones accounted for 46% of global mobile phone revenue in the second quarter of last year, and the firm estimates that two out of three mobile subscribers in developed countries will be using smartphones by 2014. Tablets are also taking off and will add to these numbers. Mass-market smartphone ownership is creating new expectations from employees. Apple’s and Google’s offerings trump the BlackBerry platform, an enterprise standard, because people think they can be both serious (for business) and fun (for me). At the same time, the megatrend in mobile computing is the shift beyond simple e-mail to apps as the new frontier.

CIOs can try to lock down employees to only company-issued devices, but the trend is swinging toward allowing some corporate access through employee-owned devices. IT must figure out how to secure that environment. We offer a framework of four possible strategies to do so:
> Basic device management: Use Microsoft ActiveSync for simple policy management.
> Enhanced device management: Use mobile device management software for more sophisticated control of policies and devices. Enhanced options vary widely depending on the MDM vendor and the platforms you intend to control, but all offer finer device control settings than one gets with the platform basics.
> Walled garden: Allow corporate access from personal devices, but wall it off from the device’s personal content. The walled garden approach is cut and dried in defining what’s yours and what’s mine, but may be too limiting for some organizations.
> Risk based management: Set policies that restrict corporate access from phones with high risk factors, like unauthorized apps or out-of-date policies.

This risk-based approach seems to be more flexible than the walled garden, in part because of the rise of customized and specialty apps. The risk-based approach doesn’t change how the phone operates, and it permits the installation of specialty apps, whether they’re generally available or available only from an enterprise’s own private app store. Being able to allow installation is highly valuable if you have custom apps, since they don’t need to integrate with the walled garden. Also, if a user exceeds the device risk standard by changing a setting, the custom app can be prevented from working until the user reverses the change. As our perimeters become more difficult to define, innovative CIOs will turn the mobile device management challenge into a business opportunity—and show that IT can help people be more connected and collaborative, regardless of location. (C2490211)

Research Report