Mobile Device and Data Security Strategy

Mobility is transforming the way enterprises conduct their business, and it is up to IT to create a good mobile security strategy. With so many solutions and technologies available, how does IT make sure it covers all the scenarios the business requires, how does IT implement a non-intrusive solution on private devices, how does IT ensure compliance, and most importantly how does IT protect confidential information under all these constraints? How does IT lead?

BYOD and COPE - Most organisations today have a mixed estate of personally owned and corporate owned devices. Regardless, almost all devices carry both corporate and personal applications and data. Separation of personal from corporate assets is critical, whoever owns the device. It is important to offer solutions for both BYOD (bring your own device) and COPE (corporate owned, personally enabled) devices.
BYOD and COPE also apply to the desktop and laptop world, and solutions need to provide secure access to enterprise apps without connecting a user's Windows, Mac or Linux device directly to the network.

Let's look at some of the technologies available:

MDM – Mobile Device Management solutions predominantly secure ports, applications and hardware, and have the ability to view and report on the device's full usage and the data residing on it. Some more advanced MDM solutions can track devices, remotely control devices and automatically reconfigure the device based on its location.

Containerisation – A secure application/container holding only company information (Email and PIM, File Shares, Intranet and HTML5 applications such as SharePoint and SAP), completely separate from private applications and data. True containerisation does not require any MDM features or solutions.

VPNs – Virtual Private Networks give users access to the company network, and users work with the same abilities as though they were on the network.

Multi-Session – solutions that allow users to run a remote session on a backend system.

Data Collaboration – share information and collaborate with both staff and external users such as consultants, customers and business partners. These solutions come in various forms and are mostly public cloud based.

Many companies are implementing MDM solutions for BYOD (privately owned mobile devices); however, because of the way MDM operates, this becomes extremely intrusive and users are very uncomfortable with IT having so much control over their private devices. MDM is better suited to company owned devices, as then there is no discussion.

Containerisation is a far better offering, as it keeps all business data in the container and prevents any data leakage: the data cannot be moved, copied or saved outside of the container. True containerisation solutions also only allow users to view and edit documents inside the container, offer separate Email and PIM applications, and do not use any of the device's native applications. Companies can also give users access to secure Intranets, File Shares and HTML5 applications such as SharePoint and SAP, all in one container and without the need for additional VPN solutions. Also very important: if a device needs to be wiped, only the container is wiped and not the whole device, so private information is not destroyed.

MDM is now used for what it was initially built for: managing corporate owned devices and applications. However, some MDM solutions are weak in securing the actual data and cannot prevent data leakage, as users still use the native email application for business alongside their private email, and documents are saved anywhere on the device.

Companies using native custom built business applications would need MDM to secure the application; however, given the high development and maintenance costs of these applications, companies should investigate the HTML5 alternative for its flexibility and short development time frames.

What about BYOPC (privately owned or unmanaged PCs)?

This is the next big hurdle. Most people working today use a company provided computer which is configured to provide easy access to all required business systems. Traditionally this has been the only way for employees to work, as the desktop or laptop needs to be "trusted" in terms of security.

IT does not feel comfortable offering VPN access to unmanaged and privately owned PCs and laptops for staff and external consultants, as this creates significant risk of data leakage and network compromise. While multi-session based solutions such as Citrix or SSL VPN can offer remote access from untrusted devices, securing these mobile and remote users is complex and expensive. Multi-session access is traditionally implemented via IPsec, VPN or access gateways in combination with additional products for two-factor authentication, end-point scanning, network access control and traffic inspection, along with a DMZ infrastructure deploying numerous products from multiple vendors.

"Remote Application Access Management" is where a remote access client runs from within Windows or Mac, or from a USB stick, on an employee's or contractor's personal PC and presents the user with a menu of the applications they are allowed to access.

Over an end-to-end secure connection, users can only work remotely on the application, on document(s) in a file share, on a remote desktop or on browser based applications such as SharePoint, without data leakage. All data stays within the company network and is not downloaded to the user's local PC or USB drive; for high security requirements one can use a bootable USB stick and prevent the local hard drive from being used.

Lastly, what happens when you want to distribute files to staff or external parties who do not require the data that is available in the container, and MDM is out of the question? This is where Data Collaboration comes in, but not through public cloud solutions such as Dropbox; rather through private cloud based solutions, where companies have their own cloud and control their own data. These solutions offer browser access, secure containers on mobile phones and tablets, and file synchronisation to PCs if required. Companies then have the ability to manage their own data, control how the data is used and offer a complete end-to-end secure connection. With the new Data Protection Act, companies need to understand that if they store or share confidential information in public cloud solutions then they may fail compliance.