Mobile device management or MDM was a hot topic a year or two ago, but IT pros are beginning to recognize there's more to mobile security than the device.
You need basic device-level control like password resetting, VPN support, and perhaps even remote wiping capability, but that is only part of the mobile security equation -- and as employees increasingly bring their own devices, they don't necessarily want IT having that much control over their phones.
Perhaps that's why, last week when I was hosting a Twitter chat on mobile security, an interesting point came up about MDM. Brian Katz, who is a frequent contributor to these chats and head of mobility engineering at Sanofi, came straight out and said MDM as a product is dead and it's become just a feature set -- part of a broader mobile security strategy.
Walter Paley, who is marketing manager at Bitzer Mobile, makers of a secure workspace for mobile devices, says that device management is part of an overall security approach now, and suggests we look at the mobile security issue more comprehensively. To him, enterprise mobile management (EMM) starts with the data and works its way up to apps and finally the device.
In this context the device is the least important. As a phone owner, you probably want to be able to track your phone if you lose it or somebody steals it. You also want to be able to prevent people from accessing any content stored on the phone, but what you probably don't want is IT wiping your device and all your personal content in the name of enterprise security -- ah, excuse me, but you just wiped out my vacation pictures from last summer.
But users are accessing work content on that phone. So how do companies secure that content and ensure that outsiders can't gain entry to the work-related content on your phone?
That means securing the apps themselves, and you can see that this involves a comprehensive strategy that moves beyond the device.
Let's look briefly at the components of a mobile security strategy in order of importance.
There seems to be near universal acceptance now that the device is the least important part of the equation. What you want to make sure of is that your data is secure at the back end. If you do that, it doesn't matter what device a user has: It could be a tablet, smartphone, wearable, or something we haven't considered yet. If you secure your enterprise data, you are protecting the most important piece of the equation from the enterprise perspective.
Traditional MDM vendors like AirWatch are working on this problem. AirWatch encrypts the data on the way to the app. You can only decrypt the data inside the app by providing proper credentials in the form of a user name and password.
Another angle is relying on the companies who provide cloud-based data storage and sharing to encrypt and protect the data stored in those services. For instance, Box encrypts the data in transit and at rest, using SSL in transit and 256-bit AES encryption at rest, while cloud storage vendor Copy.com provides 256-bit AES encryption at rest and in motion. Some providers, like Watchdox, go even further, wrapping files in encryption that travels with the file regardless of where it ends up -- even if it's taken outside the cloud service. The right solution depends on how you want to balance usability versus data protection.
The next layer to protect is the app itself. This involves building a container around the app, so that IT can update the app or remove it. In this scenario, if the phone is lost or stolen, or you leave the company with your BYOD phone, your company can simply unplug you from the enterprise by deleting the app or shutting down your access to it.
Another approach is containerizing the entire enterprise experience, so all your work apps are in a separate area from your personal ones. This is the approach BlackBerry has taken with BlackBerry 10 and Samsung has taken with Samsung KNOX. This can cause its own set of usability problems, however, negating the benefits of BYOD in the first place -- if users can't design their own workflows and select the apps that are best for them, they're not going to get as much benefit out of working mobile.
Device control is how we've traditionally thought of mobile security. Of course, you should protect access to the phone by requiring a password, and biometrics such as the fingerprint reader on the new iPhone 5S can add additional security. The idea is to limit access to the device as much as possible, and to give IT traditional back-end control over it, up to and including remote wipe.
Nearly every MDM vendor offers at least device-level control. A lot of companies also use Microsoft's Exchange ActiveSync technology, which is supported by most mobile platforms, and lets IT departments control devices through policies set on Microsoft Exchange or Google Apps.
In a BYOD age, this kind of control is becoming less attractive to phone owners because they have their personal content on the device alongside the enterprise content, and they don't want IT having access to it. In addition, the device is the weakest link here anyway. If you can control access to the data and apps, securing the device becomes less crucial.
The important thing to remember is that security doesn't start at the hardware. It actually ends there, and it's more important to secure the data and the apps than it is to secure the device itself. This may seem counterintuitive to IT pros used to a device-first approach, but in the end this means you can protect your enterprise assets regardless of the device, and that's the goal here.