Mobile Enterprise Security in the App Era
We’ve only seen the tip of the iceberg when it comes to mobile applications, according to a forecast IDC released last week. Downloads on phones and tablets will explode from fewer than 11 billion this year to nearly 77 billion in 2014, the market research firm said, driving a market that will exceed $35 billion in revenues. Meanwhile, end users are increasingly choosing which devices they carry for work, forcing IT departments to deal with a wide range of devices running not just BlackBerry OS but also Apple’s iOS, Google’s Android and Microsoft’s Windows Phone 7, among others. Those colliding trends in the consumer and enterprise space present a huge new challenge for businesses already wrestling with mobile device management and security headaches: Not only must they manage the devices their employees carry and the business applications that run on them, they must find ways to keep that hardware safe from consumer apps that staffers can download.
The security concerns surrounding mobile applications come down to whether employees should bring so-called “rogue devices” into the corporate world or use handsets and tablets deployed by their colleagues in IT. So as the mobile-app phenomenon accelerates from light speed to ludicrous speed, here are a few key things IT departments should consider:
- Create policies that address application usage. Walking the line between minimizing risk and infuriating your employees is difficult in mobile (or anywhere), but having clear-cut rules about mobile applications, and telling your employees exactly what those rules are, is crucial. Determine exactly what kinds of downloadable offerings are acceptable (games? ringtones? fart simulators?), decide whether free apps are worth the risk, and set rules about paying for premium apps (if they’re allowed). Clarify whether location-aware apps are OK, which app stores are acceptable and whether those apps must be downloaded directly from the app store to the handset or whether transferring from a PC is allowed.
- Install an application filter. A new offering from MobileIron includes a feature that gives IT departments the ability to block rogue apps that breach corporate policies or create security holes, and alerts a user who downloads an app that violates policy. (While apps cannot be blocked on iOS, rogue apps can be flagged to alert IT when they have been downloaded.) Fellow device management developer Zenprise recently launched an upgrade to its MobileManager offering that (among other things) controls access to all corporate apps by authenticating users to ensure that they’re authorized to access specific apps. The offering also logs all mobile app traffic for compliance and reporting purposes. These kinds of device management solutions aren’t really all that new, but they have been evolving for years and could prove invaluable as mobile malware evolves from a novel rarity to a very real threat.
- Adopt mobile virtualization. LG Electronics and VMware recently announced a joint venture that will bring virtualization to LG phones running Android in the enterprise. The concept, which has gained substantial traction in the world of desktop computing, enables IT departments to separate personal and enterprise accounts on a single handset, protecting sensitive corporate data even when a personal account is compromised. As Kevin noted in this post, it’s a solution that seems especially relevant for Android given the platform’s open-source and Linux foundation.
- Educate your employees. The weakest link in any security chain is always the end user, and mobile is no exception: Employees download questionable content, leave their phones in taxis and use passwords like, well, “password.” So be sure they know how precious your sensitive data is and how they can best protect it.
Interesting. With that perspective, I could see a company like RIM enter a new era. With all their security focus and understanding of the corporate market, they ought to be able to come up with solutions that would be platform-specific and reinforce their great relationships with IT departments around the world. The only other company out there with those kinds of relationships is MS. Apple and Google would become a conduit for RIM security know-how. I mean more than email security. I also mean more than selling a BES server.