Readying your enterprise for mobile, part 3: Mobile security alphabet soup

Parts 1 and 2 of this series focused on slightly broader aspects of enterprise mobility. Having a general sense of where the different components of mobile fall on the map is a great start, but now it's time to dive into the nitty-gritty.

Let's start with security, one of the most important aspects of mobility, and more specifically with deciphering the jumble of acronyms associated with securing mobile devices.

COPE or BYOD?

One of the big questions about enterprise mobility is, who is supplying the mobile devices? 

In the corporate-owned, personally enabled model (COPE), the enterprise purchases devices in bulk at wholesale prices, and then divvies them out to employees. This is not an unfamiliar model, and in many ways, it harkens back to the days of corporate BlackBerry phones. However, TechTarget contributor Robert Sheldon noted that COPE aims to "loosen the reins a little," which equates to being allowed to use the corporate device as a personal device. The main benefit of COPE is not necessarily greater control over smartphones and tablets, but rather, the ability of the enterprise to have a uniform device and operating system. This can eliminate potential interoperability issues, and make it easier to keep devices secure than it would be in an environment where everyone was using smartphones and tablets of their choosing. 

A model in which employees can work from any mobile device they want is referred to as bring your own device (BYOD). The immediate benefit of BYOD is that the enterprise does not have to pay for the hardware. It also means that employees can work on a device they feel comfortable with. Not to mention, with COPE, employees who may prefer a smartphone other than the one offered by the company would need to have a separate device for work and for home, which is somewhat cumbersome considering consolidation is such a key convenience of modern technology.

However, BYOD also means that IT must manage a rainbow of devices and applications, and somehow enforce compliance and best security practices – which is difficult if it means telling employees they can't do something on a device they purchased.

In theory, COPE may be a better option for sectors with stricter compliance codes, such as government and health care, since securing a single device model running a single OS is inherently easier than managing an array of platforms. For organizations that do a lot of field work, perhaps not-for-profits or research and consulting firms, it may make more sense to use BYOD, since personnel would be so widely scattered across geographies.

A third option is a hybrid model. Staff who work with high-level, sensitive information might be given corporate devices, while other departments are free to use their own devices. 

Device management and security

Once you decide on an enterprise mobility model that makes the most sense for your organization, the next step is to figure out how to secure devices and the data therein. Unfortunately, it's not as simple as handing out a bunch of smartphones and saying go.

This is where we really get into the meat of the acronym-rich world of mobile security: 

Enterprise mobility management (EMM): This is sort of a global term for all-encompassing mobile management. To an extent, EMM will differ depending on the needs of the organization, but TechTarget editor Margaret Jones notes that it should "touch on the areas of device, app and information management," within that organization. 

Mobile application management (MAM): MAM allows for the restriction, whitelisting and distribution of corporate applications in a mobile environment. This approach is ideal for BYOD because users maintain control of the phone. At the same time, an organization can remotely wipe enterprise data from a device if, for example, a smartphone is lost or stolen. 

Mobile device management (MDM): MDM is much stricter than MAM, and allows for comprehensive oversight and control of how a device is being used. It's generally more secure than MAM – an admin would be able to lock down the entire phone if it were lost. MDM and MAM can work in tandem in either BYOD or COPE environments.

Identity and access management (IAM): IAM helps admins manage access to certain corporate information, especially in compliance-driven industries. This is essential in cloud and mobile environments, where a single user may attempt to run enterprise applications on multiple devices, and from multiple locations on any given day. Options such as single sign-on (SSO) make this more convenient by requiring only one login portal for multiple apps.

Multi-factor authentication (MFA): To that end, MFA is how admins verify the digital identities requesting access. Rather than relying on a single, static password, MFA adds a second layer, perhaps a one-time password sent via text. This can present a bigger burden to users, though, so while data security is certainly important, finding the right balance with the user experience cannot be ignored.

There may be a fair share of mixing and matching, depending on whether it's a COPE or BYOD environment and on the level of security needed based on compliance and other factors. These all need to be considered and deliberated upon.

And to think, security is only one component of mobile readiness – a very important one – but still only one. 

www.neudesic.com 
