Mobile Security Strategy

Is MDM the right option for BYOD? What about mobile laptops? And do you really want to have to use public cloud file-sharing solutions?

Mobility is transforming the way enterprises conduct their business, and it is up to IT to create a sound mobile security strategy. With so many solutions and technologies available, how does IT make sure it covers every scenario the business requires, implements a non-intrusive solution on private devices, ensures compliance and, most importantly, protects confidential information under all these constraints? How does IT lead?

"Many organisations struggle to find suitable solutions in their mobile security strategy for remote PCs and laptops used by both staff and external contractors/consultants who require access to information hosted in the corporate network, but is IT being forced to use technology that is not entirely best suited and that causes conflict with users?" says Sean Glansbeek, managing director of Seven Days Technologies.

Let's look at some of the technologies available:
MDM – Mobile Device Management predominantly secures ports, applications and hardware, and has the ability to view and report on the device's full usage and the data residing on it. Some more advanced MDM solutions can track devices, remotely control them and automatically reconfigure them based on their location.
Containerisation – A secure application/container holding only company information (email and PIM, file shares, intranet and HTML5 applications such as SharePoint and SAP), completely separate from private applications and data. True containerisation does not require any MDM features or solutions.
VPNs – Virtual Private Networks give users access to the company network and let them work with the same abilities as though they were on the network.
Multi-Session – Solutions that allow users to run a remote session on a backend system.
Data Collaboration – Sending information to, and collaborating with, both staff and external users such as consultants, customers and business partners. These solutions come in various forms and are mostly public-cloud based.

"Many companies are implementing MDM solutions for BYOD (privately owned mobile devices); however, due to the nature of their operation this becomes extremely intrusive, and users are very uncomfortable with IT having so much control over their private devices. MDM is better suited to company-owned devices, as then there is no discussion," says Sean Glansbeek.

Containerisation is a far better offering for private devices, as it keeps all business data in the container and prevents data leakage at the application level: data cannot be moved, copied or saved outside the container (this holds as long as the device's operating system itself has not been compromised). True containerisation solutions also only allow users to view and edit documents inside the container, offer separate email and PIM applications, and do not use any of the device's native applications. Companies can also give users access to secure intranets, file shares and HTML5 applications such as SharePoint and SAP, all in one container and without the need for an additional VPN solution. Just as important, if a device needs to be wiped, only the container is wiped and not the whole device, so private information is not destroyed.

MDM is now used for what it was initially built for: managing corporate-owned devices and applications. However, some MDM solutions are weak at securing the actual data and cannot prevent data leakage, as users still use the native email application for business alongside their private email, and documents can be saved anywhere on the device.

Companies using custom-built native business applications would need MDM to secure the application; however, given the high development and maintenance costs of such applications, companies should investigate the HTML5 alternative for its flexibility and short development time frames.

"So it makes sense for companies to implement a solution that offers true containerisation for privately owned devices and MDM for corporate-owned devices; this then avoids all conflict and actually offers better information security than MDM alone would. Some companies that have implemented MDM are now also adding containerisation, as they have realised the shortcomings of MDM," says Sean Glansbeek.

What about BYOPC (privately owned or unmanaged PCs)?

This is the next big hurdle. Most people working today use a company-provided computer that is configured to give easy access to all required business systems. Traditionally this has been the only way for employees to work, as the desktop or laptop needs to be "trusted" in terms of security.

But what happens if you don't have a company laptop and need to work from an "untrusted" device such as a home PC or an Internet café? Or if you require contractors and partners to access certain IT resources from their own PCs?

IT does not feel comfortable offering VPN access to unmanaged, privately owned PCs and laptops for staff and external consultants, as this creates a significant risk of data leakage and network compromise.
While multi-session solutions such as Citrix or SSL VPN can offer remote access from untrusted devices, securing these mobile and remote users is complex and expensive. Multi-session access is traditionally implemented via IPsec VPNs, SSL VPNs or access gateways, in combination with additional products for two-factor authentication, endpoint scanning, network access control and traffic inspection, along with a DMZ infrastructure deploying numerous products from multiple vendors.

What if one could conduct "Remote Application Management", where a remote access client runs from within Windows/Mac, or from a USB stick, on an employee's or contractor's personal PC and presents the user with a menu of the applications they are allowed to access?

Over an end-to-end secure connection, users can work remotely only on the application, on documents in a file share, on a remote desktop or on browser-based applications such as SharePoint, without data leakage. All data stays within the company network and is not downloaded to the user's local PC or USB drive; in high-security environments one can use a bootable USB stick and block access to the local hard drive altogether. As with any remote-display approach, what is shown on screen can still be photographed or captured, so this controls data transfer rather than data viewing.

Solutions offered by a company called Excitor give customers a platform to secure information on private or company-owned mobile phones, PCs and laptops.

Lastly, what happens when you want to distribute files to staff or external parties who do not need access to the data held in the container, and MDM is out of the question? This is where data collaboration comes in, but not through public cloud solutions such as Dropbox; rather through private-cloud solutions where companies run their own cloud and control their own data. These solutions offer browser access, secure containers on mobile phones and tablets, and file synchronisation to PCs if required. Companies then have the ability to manage their own data, control how it is used and offer a complete end-to-end secure connection. With the new Data Protection Act, companies need to understand that if they store or share confidential information in public cloud solutions they may fail compliance.

Accellion offers secure private-cloud data collaboration and file-sharing solutions with connectors into various Enterprise Content Management (ECM) systems such as SharePoint, Documentum and Windows file shares.

"It goes without saying that if corporates could put a mobile information security plan in place that focusses more on the information and not the device, then this will help IT formulate a good security strategy but also get buy-in from users," concludes Sean Glansbeek.