Tuesday, February 7, 2012

Cake or Death: The Mobile Device Dilemma


CIOs have realized that mobile has moved beyond a messaging platform to a multifaceted platform for application, Web, and messaging usage. Given how many mobile devices go missing, even one unsecured device creates significant exposure. No CIO or company board of directors wants to face a lawsuit because employees lost the organization's sensitive data. Yet so many smartphones containing sensitive data are lost or stolen each year. Vanson Bourne, an independent technology market research specialist, surveyed 300 IT decision makers in companies of 500 employees or more. What's most concerning is that three-quarters of those surveyed say they are worried that staff will find other ways to access corporate networks through their chosen device, with or without the IT department's help, while nearly 30 percent have experienced a security breach based on the use of an unauthorized device.

So what is a manager to do?  Is managing these devices Mission Impossible? First, address the expense.  


Do we issue phones, or subsidize?

To save money, some have chosen to have a company subsidized program.  This way, they don’t have to deal with a single carrier and monitor their every move to ensure that they are not being cheated.  In addition, this caps the amount of monthly user costs, and addresses the issue of unnoticed cell phones entering the enterprise without some record.

However, moving to an employee owned subsidized program may not save you money, for the issues that rear their ugly head in a companywide managed plan are prevalent in the employee owned plan as well.  For example, when a plan is exceeded, or an employee travels, who pays?  These and many other exceptions seem to plague the company resources trying to sort these items out.  In addition, if you are treating it as an expense, how do you quantify the charges across the enterprise?  This doesn’t even begin with the audit issues.

The answer varies, but if you can cap the usage you are willing to reimburse and your employee’s usage is moderate, then the employee owned program works. 

Now What?

Either way, now that you actually acknowledge that these devices exist in your enterprise, isn’t it time that you start managing what they are doing in your enterprise?  What do I mean by that?  How about tracking, wiping upon termination, security, blah, blah, blah… Impossible?  Perhaps a tool is in order…  You say you don’t need to manage these devices?  Well, actually the bad news is that you already are…

Perhaps Mobile Device Management (MDM) software. Yah, for some this is old news, but for the majority of the Fortune 1000, this is newsworthy. How does it work? Well, MDM software such as MobileIron, Technology, Sybase, AirWatch, McAfee, and Symantec is loaded onto smartphones and tablets to allow IT managers to keep track of employee equipment, to remotely wipe these devices, and to apply security controls.

Now there are still some hoops to jump through. For example, Apple requires an Apple digital certificate. What used to take 30 days, and gave you not only an Apple digital certificate but also the title of Apple Developer with the license to create iOS apps, now takes only a few days and comes with no developer license. "In September, Apple changed the process," says Blake Brandon, technical consultant at AirWatch, who says the older certificate-issuance process with Apple used to cost $300 but the simpler process today is free. He says the Apple MDM digital-certificate issuance process now takes a few days at most. But what you get now does not include the Apple software developer license, only what's called the Apple Push Notification Service (APNS) certificate. (To get the Apple software developer license, you now have to apply separately and go through a more involved registration process.)

Apple does require the APNS digital certificate to use any vendor MDM software with Apple iOS 4.0 and 5.0 devices, and getting that certificate signed properly takes a few steps. The MDM enterprise customer first has to digitally generate a certificate on its own, and then get it digitally signed by both the MDM vendor and Apple. This digitally signed certificate process, typically done over the Web, results in a signed certificate that is then loaded into the server associated with the MDM software.

Neither Google Android devices nor devices using other mobile operating systems have to go through this certificate-signing process when managed through the same MDM software; this really only benefits Apple. It’s a way for Apple to have control over what works well on Apple iOS devices in terms of battery and other factors. At any rate, any MDM vendor supporting Apple iOS devices must support these certificates, and that means the enterprise customer managing Apple iOS devices has to get an Apple- and MDM-signed certificate.
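
The customer-side ends of that process, sketched with OpenSSL as an added example (not code from this post, Apple, or any MDM vendor): generate the key and signing request, then confirm the certificate that comes back belongs to your key and is not near expiry before loading it into the MDM server. It assumes the "certificate" the customer generates is a signing request; the file names, the subject, and the throwaway CA standing in for the vendor and Apple portals are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. File names, subject and the stand-in CA are constructed placeholders.

# SHA-256 of the public key inside a private key, CSR or certificate.
pub_fp() {  # usage: pub_fp key|req|x509 FILE
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
    req)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    x509) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Step 1: the enterprise generates its own key pair and signing request.
make_csr() {  # usage: make_csr KEY_OUT CSR_OUT
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/CN=mdm-push.example.invalid/O=Example Corp" 2>/dev/null
}

# Constructed stand-in for the vendor and Apple signing steps (done on their portals).
stand_in_sign() {  # usage: stand_in_sign CSR CERT_OUT DAYS
  local d; d=$(dirname "$2")
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Stand-in CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days "$3" -out "$2" 2>/dev/null
}

# Final check before loading: the cert belongs to our key and has >30 days left.
ready_to_load() {  # usage: ready_to_load KEY CERT
  local k c
  k=$(pub_fp key "$1") || return 1
  c=$(pub_fp x509 "$2") || return 1
  [ "$k" = "$c" ] || return 1
  openssl x509 -in "$2" -noout -checkend $((30 * 86400)) >/dev/null
}

WORK=$(mktemp -d)
make_csr "$WORK/mdm.key" "$WORK/mdm.csr"
stand_in_sign "$WORK/mdm.csr" "$WORK/mdm.crt" 365
if ready_to_load "$WORK/mdm.key" "$WORK/mdm.crt"; then
  echo "certificate matches key and is not near expiry"
else
  echo "do not load: key mismatch or certificate expiring" >&2
fi
```

The private key never leaves the machine that generated it; only the signing request travels to the signing parties, so the key file's permissions and backup handling deserve the same care as any other server credential.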

So what are the best practices for Mobile Device Management?  Here are my Top 10 Things to Consider:
  1. As with your employees, segment the groups of devices following the Dept. vernacular to easily manage the P/L.
  2. Make sure you allow flexibility in your device enablement, because otherwise you’re always going to have "Hip Pocket" rogue devices not on your radar.
  3. Invest in MDM, duuuuuh...
  4. For convenience, make sure you get a solution that has a Web-based console for management and security, one that promotes the anywhere, anytime ability.
  5. Have a process in place for requesting, acquiring, and terminating devices.
  6. Include an appropriate use paragraph in your employee handbook (you should already have this...).
  7. Clearly define what constitutes a mobile expense; avoid the exception calisthenics.
  8. No company logos on devices, electronic or otherwise... security, folks...
  9. Consider security policies like a lost-or-stolen call number on the lock screen, strong passwords, remote wipe after 10 tries, and encryption.
  10. Have a document portal to limit local storage requirements.


So “Once more unto the breach, dear friends, once more;”
____________________________________________________________
About Rick Ricker

An IT professional with over 20 years of experience in information security, wireless broadband, and network and infrastructure design, development, and support.

For more information, contact Rick at (800) 333-8394 x 689



