- A TechNote on Information Security
- Larry Hettick
- Editorial Director and Senior Research Fellow
- Webtorials
Enterprise mobility has come a long way since I got my first Blackberry over a decade ago, with business BYOD support nearly as commonplace now as the office phone. But while mobility is often essential, too few IT organizations have implemented the tools they need to appropriately manage access to corporate information through employees' mobile devices.
Balancing Employee and Company Needs
Regardless of your organization's BYOD security solution, some employee needs remain constant. An employee's personal privacy is paramount, and employees don't want a corporate big brother looking over their shoulder at who they call or what apps they download on their personal mobile device. Consumers use their personal smartphones for everything from maintaining leisure calendars to paying for their prescriptions at a pharmacy, and they rightfully expect these transactions to remain private.
Likewise, companies have a legal obligation to protect corporate resources and information, so they need mobile security solutions that will protect against device loss, theft or even a rogue employee. For example, internal corporate e-mails may contain anything from financially material intelligence to a patient's health status. Some mobile devices, such as a tablet, may store proprietary company or confidential client information. Because of this obligation, most employers who allow BYOD reserve the right to erase (or wipe) any company data stored on the mobile device in case the device is lost or if the employee leaves the company.
Something that both employees and employers need in a mobile security solution is ease of use. Smartphone apps have spoiled many of us, and as consumers we have come to expect access to our phone and apps with the simplicity of entering a user name and password once apps have been loaded. Companies also insist on ease of deployment and adoption, with a range of solutions that is appropriate for their needs.
A Range of BYOD Solutions and Architectures
Fortunately, emerging mobile security options continue to evolve in ways that balance both employee needs (such as ease of use and personal privacy) with corporate requirements (such as information security and regulatory compliance.) A range of options is a good thing, because employee needs are different and business processes vary from company to company, while BYOD applications or the content accessed can range from the very simple to the very complex.
Both the kind of information made accessible to an employee's device and the kind of device also factor in when choosing between mobile security solutions. At a minimum, Android and Apple operating systems are supported, while support for Microsoft and Blackberry mobile operating systems is less common.
Some mobile device management (MDM) solutions use a "dual persona" or "containerization" approach to separate personal data and business data into two silos. So, for example the MDM app stores contact information, calendaring, e-mails, and content separately from the personal data stored on the device. With this solution, personal data is less likely to be destroyed when business IT organizations remotely wipe clean any business data stored on the device.
The dual persona approach may also include feature options that are designed to enforce complex business policies such as BYOD applications management, location-based access, or third-party authentication. In effect, the IT department assumes some operational management of the mobile device to enable these features. The downside of this solution is that is can be complex to manage, depending on the complexity of the supplier's solution and the number of mobile device aspects managed by the platform.
A second approach apart from dual persona silos avoids storing any company data on the personal device. For example, ZixOne offers a solution that includes an app on the employee's mobile device that enables Microsoft Exchange and Microsoft 365 corporate e-mail, attachments and calendars to be displayed but not stored on the device; the app also allows users to reply to mail and to schedule calendar events. The on-screen display is provided by a connection to Exchange Web Servers (EWS) through the user's login credentials and then protected by a PIN for every day access.
The ZixOne app offers Android users that same look and feel as Gmail, and the same presentation logic applies for Apple devices using native Apple iOS interfaces. The principal advantage of this approach is that because there is no corporate data stored on the mobile device, there is no need to wipe corporate data from the device, thus personal intrusions can be avoided. The downside of ZixOne approach is that it does not include some MDM features such as performance management. However, for users who don't need mobile access except for email and calendaring, this simpler approach is much easier to administer than a full-scale performance management system that stores information on the mobile device.
The Bottom Line
Some organizations may prefer the "dual persona" solution, some may prefer a solution like ZixOne that avoids storing company data on a personal device, and some companies may prefer a mix of the two alternatives. But the bottom line: if your organization supports BYOD, you must have tools in place that offer employees appropriate privacy on their personal devices-- and you must take steps to protect company data and applications accessible from mobile devices.
This TechNote is brought to you in part due to the generous support of:
Bravo to ZixOne!
I have long suggested that the key to secure access to information would be through specific applications that, in turn, would require authentication by each mobile user and encryption for transmission across a public network. This would make mobile devices more "dumb" than "smart" as far as any mobile application is concerned. The only "smarts" would be the basic multimodal access (input, output)and authentication part which would still require input from the authorized end user.
Inasmuch as "mobile first" is taking over both employee and consumer multimodal business communications, online apps, and notifications (CEBP), this kind of simplification will enable "cloud" based selective access to applications and related information to be easily and quickly implemented for the different types of end users (employees, business partners, customers/consumers).