Smart phones in the enterprise: Can't keep them out, so manage them

Unisys program looks to set template for managing the range of employees' personal devices

SAN FRANCISCO — Like it or not, personally owned mobile devices are moving into the enterprise, as employees use smart handhelds to access e-mail and other resources.

Unisys is embracing the inevitable with a pilot program to establish enterprise policies for managing an increasingly diverse range of network tools.

“It’s quite onerous,” Unisys Chief Information Security Officer Patricia Titus said of the management challenge. “Consumers are driving us in the enterprise to think outside the box,” and the CIO is being forced into a customer service role in providing services to workers.


Related coverage:

5 cyber threats to watch out for this year

The workplace will get a lot more mobile, social


The program, informally known as Bring Your Device to Work, has so far enabled limited access to company resources with proper device authentication. Titus said that Unisys has almost completed a critical acceptable use policy for employees, which should enable broader use.

Titus, former CISO for the Transportation Security Administration, described the program Monday in a presentation to the Executive Security Action Forum. ESAF is an association of senior information security executives from Global 1,000 companies and government agencies, which holds a closed meeting each year in conjunction with the RSA Security Conference, being held this week.

Titus told Government Computer News that the program began informally last spring, “when we really started to see the momentum with the iPhone.” The Unisys network lab began researching how to bring the devices securely into the network and what user guidelines were needed for use in the enterprise. Devices currently allowed onto the network must be able to authenticate using company-issued digital certificates so that the network knows not only who is accessing resources but also what platform is being used.

Information security relies on awareness that the platform is in use, Titus said.

“It’s changing the paradigm for how we protect data,” she said. Appropriate controls must be in place not only for who can access data but for what can be done with it depending on the type of device being used and the connection.

Just as important as the technology — and maybe more important — is an acceptable use agreement for anyone using personal mobile devices.

“An acceptable use policy is critical,” Titus said. “It’s like a driver’s license.”

The agreement establishes the rules for how devices can be used and ensures responsibility for compliance for the user. Personal devices often are used casually for accessing e-mail and other online resources, but in a managed environment rules must be applied regarding what can be accessed, how it is accessed, and how data must be protected once it has been accessed. Administrators need to know what tools are being used and must be notified when there is a loss of hardware or data.

“We are close to completion,” Titus said of the agreement. “That is the next step, to get this pushed out.”

Demand for this expanded functionality is high among employees, she said. “It’s not moving fast enough. The horse is out of the barn; they want it yesterday.”

So Unisys has made limited access available for employee-owned devices that can be authenticated, including e-mail and a lightweight app from the company’s travel services provider that formats the travel website for handheld devices. Once policies are in place, the company will expand the apps available to include some critical functions for workers in the field, such as time and attendance reporting. This is an important function for federal contractors, who have to keep a daily record of their work, Titus said.

 “This whole thing has taken on a life of its own,” she said. The more functionality that is made available for personal devices, the more employees are demanding.

 

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • A framework for secure software

Reader Comments

Wed, Feb 16, 2011

Haha. Yeah, but placing security at the feet of the user has never worked in the past, so... And when the user is fired, or takes a job elsewhere, are they going to hand over their personal equipment to Unisys?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group