Mobile devices bring so many security risks into networks that governance must move beyond device management to encompass much broader enterprise issues.
It's time to stop talking about mobile device management. Instead, let's start talking about mobile enterprise management.
That may seem like a minor wording change, but refocusing an organization's approach to mobile management can have long-lasting effects on the way it deals with an increasingly mobile workforce.
When MDM first came into vogue, it included many of the standard features of PC management solutions (access control, user permissions and so forth) while adding functionality to address the unique needs of mobile devices such as smart phones and media tablets (bandwidth limits, screen real estate and device compatibility).
Soon, risk management associated with mobile computing became a chief security concern at government agencies. Each new device added to a government network introduces substantial risks. Smart phones essentially bring their own separate network with them into a facility, and data stored on a device can easily leave the facility.
Associated challenges for IT managers include deciding which mobile devices should have access to government internal networks, where device data should be stored and the requisite level of security for devices and connections. IT managers feel torn between protecting security by limiting mobile access and broadening access to meet employee demands and boost productivity.
To respond to these new issues, government IT planners have sought out best practices for mobile computing security, including developing a solid risk management framework for the use of mobile devices in government. To meet the needs of such managers, the mobile enterprise management software market has evolved quite rapidly. These solutions help balance the need for both corporate- and employee-owned mobile devices — and the end-users.
The convergence of enterprise mobile risk management and mobile enterprise management software has helped nudge agencies into the realm of full mobile enterprise management. Frameworks for mobile risk management can start with the following:
- Take a cue from the Defense Department and do a needs assessment to make sure that both wired and wireless transmission capability across the enterprise is sufficiently sized, reliable, available and flexible enough to support the agency's mission needs. In the case of DOD sites, that means doing an assessment of the Net-Centric Capability Portfolio for wired and wireless programs that comply with the DOD Information Environment Architecture (IEA) and net-centric architecture. Ensure that needed upgrades are on schedule.
- Leverage existing authentication and access control solutions. Most can be configured to enable secure connections from mobile devices. Find out what exists, what these systems are capable of and what sort of software or hardware upgrade may be needed to enable mobility.
- Assess the current state of other security solutions within the organization, including virus protection, firewalls, etc. Determine how current security solutions can best be extended to mobile devices. In some cases it may be cheaper to bypass current systems and start over with solutions that are specifically dedicated to mobile device security.
- Define the current security solutions that can't be extended to mobile devices, and determine what additional software or hardware will be needed to make up this gap.
- Ensure that networks can handle dynamic allocation of these resources, from IP addresses to allowed client connections.
- Assess the technical threats and risks that could impact the mobile devices used by workers and the way they interface with corporate networks and systems. Look at the identity and access management systems outlined above. Determine which risks are reduced by these systems and which risks remain.
Based on these findings, organizations can create or enhance policies, standards, guidelines and processes related to the management of mobile technologies. Such policies will need to address long-term enterprise needs. Thus, if there are gaps in current security solutions, polices should include dates when new functions will be available.
Meanwhile, establishing a framework for mobile application management helps set rules by which specific mobile devices can be administered, secured and distributed by IT organizations. Such solutions typically allow for enhanced policies to be applied to individual applications.
All of these issues together — device management, mobile application management and mobile risk management — are starting to merge into to a set of solutions best described as full mobile enterprise management.
Companies such as AirWatch, BoxTone and Fiberlink have stepped into this space, offering enterprise management solutions capable of addressing many of the issues raised above. Then there's Fixmo Inc. Its Sentinel and SafeZone products were developed as part of a Cooperative Research and Development Agreement with the National Security Agency and meet the government and defense agencies' strict security requirements, with a focus on mobile management, security and risk management.
Here's the bottom line. Mobility governance must move beyond device management to encompass much broader enterprise business issues. IT managers must develop a framework to evaluate the mobile security needs of their organizatio, and launch their own enterprisewide security framework focusing on risk management — all while deciding how mobile application management will be handled within their organization.
Any framework for mobility security must also address the risk management aspects of platform-independence, software compatibility (and application management), strategic planning for mobile applications and maintenance and lifecycle management.
Any approach that focuses on the device level is short sighted. Mobile solutions are part of the enterprise, and management of the devices must follow suit.
NEXT STORY: BYOD goes statewide in Virginia