Mitigating the risks of BYOD with mobile application management
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Bring-your-own-device is the latest technology trend nipping at the heels of nearly every CIO and CISO. But make no mistake, it is more than just a buzzword; it is a true movement.
The concept is simple: Allow employees to supply their own devices, thereby increasing employee satisfaction and hopefully reducing capital -- and perhaps even operational -- expenditures. Generally, and especially for the purposes of this article, the "device" in BYOD refers to mobile devices, particularly smartphones and tablets.
IN DEPTH: How BYOD has changed the IT landscape
For all its potential benefits, BYOD is without a doubt not the right mobile strategy for every employee in every organization. For that matter, BYOD might not be the right approach for some organizations altogether; the benefits might simply not exist in certain use cases. Also, BYOD does involve relinquishing at least some control over the devices connecting to corporate networks, resources and data. As always, there are concerns when relinquishing any such control.
That said, the concerns surrounding BYOD are much like those involved with driving a car. Are there potential hazards involved with both? Of course there are, but can those hazards be mitigated? Absolutely! In both cases, preparing for the various hazards by being properly equipped with appropriate protections and tools enables one to reap the benefits of these activities without getting banged up.
Proper training, good tires, headlights and seat belts are a few of the preparations needed to operate a vehicle safely. Similarly, there are specific strategies and technologies that can be employed to avoid the hazards frequently associated with BYOD. Of course, there is also always the option to implement BYOD without any accompanying tools and protections. However, like driving a vehicle off a cliff, the hazards will be hard to avoid.
In particular, mobile application management (MAM) presents an intriguing option for preparing for and avoiding the hazards of BYOD. Before analyzing how MAM can be an effective BYOD accident avoidance technology, it is important to acknowledge the three primary, high-level considerations that must be taken into account when it comes to enterprise BYOD implementations. These are:
* To manage or not to manage: When it comes to BYOD, the first question every enterprise must ask is: How much management of user-owned devices connecting to corporate resources does the company want to be involved in?
This question is critical because the degree to which an enterprise is involved in managing various aspects of user-owned mobile devices has consequences. For example, a key anticipated benefit of implementing BYOD is often no longer having to fully manage employees' mobile devices. In return, support costs are hopefully reduced. However, this aspiration is obviously negated by electing to completely manage user-owned devices.
Also, fully managing user-owned devices often results in intruding on the personal use of those devices that goes beyond the corporate data and resources on them. This might include enforcing device-level authentication and encryption policies and complete device remote locking or wiping, including users' personal content. When faced with these realities, users often become disgruntled, and this can result in additional headaches for IT as they deal with pressure from upper management and users circumventing IT to secretly connect to corporate resources.
* Delivering corporate resources: Next, how will business-related apps and email access be delivered to user-owned devices? After all, without providing BYOD users with adequate access to such apps and corporate resources, having a BYOD program loses its luster quickly. In fact, there is little purpose behind it at all.
Thus, a delivery mechanism for providing corporate apps and resources to BYOD users must be put in place. This issue might seem simple on the surface, but it is actually fairly complex. For example, considerations must be taken around where the apps and resources will be hosted and how the company will ensure only the resources appropriate for each user based on their specific needs and permissions are made accessible to them. These issues are made simpler if user-owned devices are fully managed by an enterprise. But what if they are not?
* Securing corporate resources once they are delivered: Finally, how will the corporate apps, including email access (and especially the potentially sensitive data tied to them), remain secured once they are on user-owned mobile devices and what will happen to them when employees leave the company? This is really the million-dollar question.
In reality, providing access to business-related apps and corporate resources to user-owned devices is only the first part of the equation, and is in fact not the most critical part when it comes down to steering around the hazards of BYOD. The real issue is maintaining the security of those resources and data while not hindering users' experience with their personal devices.
Again, this takes us back to the first consideration -- how involved a company wants to be in managing user-owned devices. If user-owned devices are fully managed by an enterprise, the apps and resources can be made secure, but all the issues associated with the complete management of user-owned devices are brought to the surface.
TECH DEBATE: Mobile security: In the device or in the network?
With these considerations in mind, it should be noted that the most common tool used to implement secure BYOD up to this point has been mobile device management, or MDM, technology. MDM certainly has its place in enterprise mobility. In fact, it is an essential part of a complete enterprise mobility strategy.
MDM is technically a viable method to both deliver applications to user-owned devices and secure the corporate apps and data on them. For example, many MDM solutions feature corporate app store functionality. They also provide the ability to push applications to managed devices. In addition, MDM solutions allow enterprises to enforce security controls on properly prepared corporate-connected user-owned devices. Thus, MDM does address considerations two and three above.
However, using MDM to address these BYOD considerations means enterprises are forced to fully manage user-owned devices because, simply put, that is what the technology does. Thus, all of the concerns and issues associated with complete enterprise management of user-owned devices are fully set in motion.
This is where MAM comes in. MAM, in contrast to MDM, enables enterprises to avoid device-level management and instead implement application-level management on user-owned devices. As a result, MAM completely negates the issues listed above that are associated with fully managing user-owned devices via MDM. At the same time it also addresses considerations two and three above just as well, if not better, than MDM.
It does this by allowing enterprises to "wrap" each of their corporate apps and the data tied to them in their own security and management layers. This gives enterprises complete control of their apps and data while leaving the rest of the user-owned devices they are on and also users' experiences with those devices untouched.
In other words, with MAM controls such as authentication, encryption and expiration -- apps and data can be manually expired or set to automatically remove themselves from devices based on perimeters established by administrators -- can all be applied to corporate apps and other resources on otherwise unmanaged, user-owned devices.
In addition, superior MAM solutions provide app portals that are tailored to each user to deliver the appropriate corporate apps to individual user-owned devices. In this way, the user experience of downloading necessary corporate resources is as simple and streamlined as visiting a public app store, but enterprises can ensure that users are only being given access to the resources they have permission to download.
Remember when air bags did not exist? Now it is hard to imagine driving a car without the safety and protection they offer. At the same time, the safety mechanisms of an airbag-equipped car are built in without ever impeding the productive use of the car itself, versus a car that has no airbags and is thus more risky to use. Likewise, implementing BYOD without the proper tools is also perilous. However, with the proper tools -- MAM being first and foremost -- the secure use of user-owned mobile devices in enterprises without hindering users' experiences with those devices can be a reality.
Read more about anti-malware in Network World's Anti-malware section.