With data breaches and system break-ins making the headlines daily, IT staff has recognized that absolute security will always remain a theoretical concept. Add in the broad diversity of wireless networks and user-owned smartphones and tablets, and security challenges multiply.
Establishing an overall security policy is, of course, a prerequisite, but organizations can also take the following steps toward minimizing risk.
1. Limit supported device/operating system combinations.
Note that bring your own device (BYOD) isn’t the same as “bring any device” — the acronym BAD would indeed be appropriate. IT organizations can’t be expected to support every conceivable model of smartphone or tablet and OS platform, to say nothing of the apps and management services required for each combination.
Consider dropping support for older and less popular devices and operating systems altogether. Evaluate candidate devices and operating systems carefully for security and manageability under real-world operating conditions before granting approval.
2. Require authentication based on (at a minimum) passwords and/or PINs.
Many users find it inconvenient to have to log in to a personal device, but they need to be reminded of the importance of protecting the security and integrity of sensitive information. Passwords and PINs, in many cases, drive local data encryption — so the benefits are significant and the burden really not all that onerous. Two-factor authentication solutions are relatively uncommon, but they do provide additional protection that can be justified on the basis of risk in many cases.
3. Apply MDM, but understand its limitations.
Mobile device management can encompass literally hundreds of functions, but the most important among these are configuration-related. Use MDM capabilities to apply policy-compliant firewall settings; enable automated firmware and software updates; implement anti-virus/anti-malware as required; and ensure the backup of device settings and critical enterprise data.
Finally, while contemporary MDM solutions often implement remediation functions via self-service on the part of users, help desk and other support must be in place. After all, end-user productivity is only slightly less important than information, device and network security.
4. Secure critical data and mobile applications.
While MDM can be used for general device management, securing sensitive enterprise data and protecting against unauthorized applications is even more critical. Mobile application management (MAM) and mobile data/information/content management (MCM) solutions fill that need.
MAM implements application white lists and blacklists, and MCM containerizes sensitive information in an encrypted location under organizational control, so brute-force device wiping is no longer necessary. When evaluating mobile security solutions, seek out strong functionality and easy-to-use management consoles.
5. Implement an identity management solution.
Finally, every IT shop should deploy an identity management solution that recognizes specific device/user combinations and enables a high degree of customization with respect to access and security. This includes the ability to enable access based on time of day, day of the week and even location within a given building.
Look for solutions that allow the definition of broad classes of access (for instance, “marketing” or “senior management”), as well as self-service onboarding to simplify user administration.
While management solutions will eventually integrate multiple functions, current solutions do involve a degree of mix and match, so select a solution set with minimal overlap and no potential for conflict.
IT staff will indeed never be done when it comes to security, but IT organizations can at least stay ahead of the game with effective, appropriate solutions that boost productivity across the board while minimizing organizational exposure.