After three decades where managing endpoints was synonymous with imposing strict security on laptops, enterprises are about to face a much greater security challenge. IT leaders are asked to protect their enterprise data not just on smartphones and tablets, but while it travels through the Internet of Things (IoT), on connected cars, on smart TVs, and on smart watches and other wearable devices.
The advent of the digital workplace is widening the gap between enterprise mobility and security at an increasing rate. Employees have become accustomed to working across multiple devices, to transferring files between devices, and to switching quickly and fluidly between their personal and professional worlds. In reality, protecting data with traditional endpoint management models is incompatible with mobile operating systems and their application-centric economies.
Three factors need to be addressed to bridge the gap between enterprise mobility and effective security for business information: people, process and technology.
People: Freedom plus accountability
Users bypass the legacy endpoint security models imposed on their mobile devices because those models are incompatible with their need to mix business and personal life. Those who do comply feel disarmed and frustrated, and simply miss out on the opportunities that the digital workplace can offer.
- Encourage greater user accountability
- Offer enterprise mobile applications with consumer-grade user experiences
Security teams beware: If your potential solution results in a suboptimal user experience, your employees will turn toward privately owned devices and privately managed applications. The latter often leads to silent enterprise leaks: incidents that go unobserved when employees upload enterprise data to third-party clouds. Once leaked, the enterprise can neither track nor retrieve that data.
The way to make enterprise data more secure is to increase the level of user freedom, and at the same time, to hold users accountable and responsible for their actions. To increase accountability, organizations need to make what occurs on mobile devices part of the enterprise conversation, and to set clear security expectations.
- Deploy solutions that increase visibility into, and monitoring of, what occurs on mobile devices. Events are logged, and actions can be stopped when they would breach the policy. This might translate to file-level encryption, or to watermarking files and monitoring their route via a proxy.
- Make use of enterprise mobility management (EMM) tools to replace legacy lockdown tools and offer a user-friendly solution: for example, replace a VPN password tied to a hardware token with an EMM tool that seamlessly activates transport security when an application is opened and deactivates it when the application is closed.
Process: Organizational and cultural changes
Take care not to misinterpret risk, and do not maintain organizational structures that were never designed for enterprise mobility.
- Translate technical mobility risks into enterprise risks so the goals are clear
- Think strategically, but act tactically
Typically, the team managing mobility is decoupled from the team that traditionally manages the legacy endpoints. Bridging this divide requires organizational and cultural changes.
- The mobile application development team must involve the network and security teams at the time the policy is written, so that the goals are clear and everyone is on board. This should occur before the selection of a mobility tool, and collaboration should be ongoing.
- Think strategically, act tactically: The OS release cycle for mobile devices and platforms is 12 to 18 months, and every new release offers new enterprise functionality. Plan so that you can adjust or replace security solutions and take advantage of new native features. IT leaders should ask, "In 18 months, can we swap out the solution we are putting in place today?"
Technology: Prevent shadow IT
It is difficult for businesses to impose management and security policies because the endpoint platforms are administered by the employees and are centered on applications, not networks.
- Abandon device-centric security systems in favor of app-centric models
- Identify native solutions in the mid- and long term
Organizations should move away from device lockdown as much as possible, but still treat all endpoints as untrusted. To prevent shadow IT by employees, companies including Viet Nam Software services focus on offering the same quality of experience through mobile-based solutions.
- Deploy app containment solutions that can encrypt and isolate enterprise data from personal data, protecting the individual app rather than the device. Aim for flexible solutions such as app wrapping, which can impose app-level policy enforcement on the fly.
- Look to native solutions offered by device manufacturers and app vendors. Examples include an iOS feature that allows the enterprise to select which apps and accounts are used to open documents and attachments, or an app such as Evernote, which offers a personal account in which the enterprise adds a business workspace that is administered and owned by the enterprise.
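The monitoring-and-blocking approach described under "People" (events logged, actions stopped when they would breach policy) and the app- and account-centric controls described here (managed open-in, an enterprise workspace inside a personal app) can be illustrated with a small policy evaluator. The code below is an added example written for this page, not code from the article or from any EMM product; the app names, accounts, domains and the `OpenInEvent` structure are all constructed, and it assumes an EMM or app-wrapping layer that surfaces "open document in app/account" events before they complete.

```python
"""App-centric data-flow policy evaluator (constructed example, not a vendor API).

Policy decisions are made per app and per destination account, not per device:
enterprise-tagged documents may only leave a managed app for another managed app
backed by an enterprise account. Every event is logged; violations are blocked.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy data (hypothetical names).
MANAGED_APPS = {"corp-mail", "corp-docs", "corp-notes"}
MANAGED_ACCOUNTS = {"alice@corp.example"}
BLOCKED_DOMAINS = {"personal-cloud.example"}  # constructed third-party cloud


@dataclass
class OpenInEvent:
    """One 'open document in another app' event as an EMM layer might report it."""
    user: str
    document: str
    source_app: str
    dest_app: str
    dest_account: str      # account the destination app will store the data under
    enterprise_data: bool  # tagged as enterprise data by the managed source app


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(event: OpenInEvent) -> Decision:
    """Apply the app-centric policy to a single event."""
    if not event.enterprise_data:
        # Personal data is outside the enterprise policy: freedom for the user.
        return Decision(True, "personal data, not subject to enterprise policy")
    if event.dest_app not in MANAGED_APPS:
        return Decision(False, f"enterprise document {event.document} cannot be "
                               f"opened in unmanaged app {event.dest_app}")
    domain = event.dest_account.rsplit("@", 1)[-1]
    if domain in BLOCKED_DOMAINS or event.dest_account not in MANAGED_ACCOUNTS:
        # A managed app with a personal account is still a leak path.
        return Decision(False, f"destination account {event.dest_account} "
                               "is not an enterprise account")
    return Decision(True, "managed app and enterprise account")


def enforce(events: List[OpenInEvent]) -> Tuple[List[str], List[OpenInEvent]]:
    """Evaluate every event, write an audit line for each, return (log, blocked)."""
    log: List[str] = []
    blocked: List[OpenInEvent] = []
    for ev in events:
        decision = evaluate(ev)
        verdict = "ALLOW" if decision.allowed else "BLOCK"
        log.append(f"{verdict} user={ev.user} doc={ev.document} "
                   f"{ev.source_app}->{ev.dest_app} ({ev.dest_account}): {decision.reason}")
        if not decision.allowed:
            blocked.append(ev)
    return log, blocked


# Constructed sample events: an allowed business flow, a leak to a third-party
# cloud, a personal file that policy ignores, and a managed app used with a
# personal account.
SAMPLE_EVENTS = [
    OpenInEvent("alice", "q3-forecast.xlsx", "corp-mail", "corp-docs",
                "alice@corp.example", True),
    OpenInEvent("alice", "q3-forecast.xlsx", "corp-mail", "personal-cloud",
                "alice@personal-cloud.example", True),
    OpenInEvent("alice", "holiday.jpg", "photos", "personal-cloud",
                "alice@personal-cloud.example", False),
    OpenInEvent("alice", "roadmap.pdf", "corp-docs", "corp-notes",
                "alice@gmail.example", True),
]

if __name__ == "__main__":
    audit_log, blocked_events = enforce(SAMPLE_EVENTS)
    print("\n".join(audit_log))
    print(f"{len(blocked_events)} of {len(SAMPLE_EVENTS)} events blocked")
```

The point of the design is that the device itself is never consulted: the same user, document and phone produce an allow or a block depending only on the destination app and the account behind it, which is what lets personal use stay unrestricted while enterprise data stays inside the enterprise workspace. The audit log is produced for every event, not only for blocks, so that what happens on mobile devices becomes visible to the security team rather than a silent leak.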
By focusing your efforts on providing solutions that are tailored for mobile use, approaching security from a tactical standpoint, and favoring app-centric models, you can offer your workforce a system that lets it take its digital workplace, and enterprise mobile security, along with it.