Jan 3, 2014
With all those Christmas gifts to add to the existing population of tablets and other mobile devices, the flood of potentially dangerous BYOD shows no sign of letting up. So if you haven’t yet reconfigured your approach to network and data security to meet the mobile challenge, it’s high time that you did.
In the days when the only devices connected to the corporate network were company-owned desktops and laptops, it was fine to treat them all as assets, to be corporately managed, tracked, updated, and defended. But as mobile devices, and especially privately owned ones, have multiplied, that approach has created frustration for all concerned. A whole sector of Mobile Device Management (MDM) software tools has emerged to add desktop-like management capabilities to smartphones and tablets. But as mobiles come to considerably outnumber desktops, we are in effect employing large and expensive hammers to bash round pegs into square holes.
So a mobile-centric approach makes a lot more sense, and that means focusing on the data rather than the device. That is especially true when these devices are increasingly playing the part of remote terminals, accessing data and apps located on a private or public cloud, whether as a modern cloud app or as a webified enterprise CRM or ERP application.
Even where the local app caches data, perhaps to provide offline functionality or in order to handle workflows, a local framework can add encryption. You can also look to develop-once, deploy-anywhere toolkits such as iFactr and Verivo Akula, which allow the same app code to run on any device. Modern smartphones are so powerful that the overhead of the necessary application virtualization layer is far outweighed by the benefits.
The key then becomes good application and data design that takes account of data value but asks and requires nothing of the end-point, apart from solid authentication and a reliably encrypted connection. In a world where mobile devices are so numerous, inconsistent, and, well… mobile, the battle for the integrity of the end-point is one that is no longer worth fighting — especially when there are better ways to win the war.
Sure, there will still be data located on the device itself — addresses and messages in the owner’s corporate email account, say — so the need for MDM will not completely go away. The key, though, is risk assessment: what is the risk of that email account being breached, or of keylogging spy software getting onto the device, and how much needs to be done to prevent that? For any user below CxO level, perhaps using a lightweight web MDM tool to mandate a secure password and device-level data encryption is enough.
The money spent on managing those other hundreds or thousands of devices could then instead be spent on training their owners to resist phishing emails and social engineering hacks, such as official-sounding phone calls “from the IT department”, asking for their passwords. Happy New Year!