How ad-hoc mobile security gaps turn into big problems
Over the last five years, mobile adoption has increased dramatically in the U.S. public sector. Some of this was driven by major initiatives, but much was the result of organic end-user demand to use iPhones and Android smartphones at work. This pressure forced IT organizations to respond quickly, many times without a structured security architecture.
That approach might have been manageable for 100 devices running email, but not when the deployments grew to thousands of devices running apps. Ad-hoc security measures cause countless issues downstream. Cracks in the pavement quickly turn into potholes, with major productivity and security implications.
Four cracks-in-the-pavement attitudes we have seen in public-sector mobile deployments include:
“It’s only email”
The problem: Some IT departments don’t take mobile security seriously until they start making business apps available to their users. But email is already a mother lode of confidential information. Agencies that have deployed mobile email without security measures have likely already lost data.
The solution: Don’t wait for an apps strategy to get serious about security. Enroll all devices with email access into a unified endpoint management service. In the UEM console, set controls to prevent business email from being shared with other applications on the device. Create an auto-quarantine policy that automatically deletes work email if the device is compromised or falls out of compliance. If the user unenrolls from the UEM service, automatically delete all work email on the device.
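The email policy described above, written out as a small compliance-evaluation model. This is an added example, not code from the article or from any UEM vendor's product; the device fields, minimum OS versions and action names are constructed assumptions standing in for whatever the agency's UEM console exposes.

```python
from dataclasses import dataclass

# Assumed per-platform minimum OS versions for this example; a real baseline comes from agency policy.
MIN_OS = {"ios": (15, 0), "android": (12, 0)}

@dataclass
class DevicePosture:
    device_id: str
    platform: str         # "ios" or "android"
    enrolled: bool        # still enrolled in the UEM service
    compromised: bool     # jailbreak / root detection result
    passcode_set: bool
    os_version: str       # e.g. "16.4"

def os_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))

def compliance_violations(p: DevicePosture) -> list:
    """Checks that push an enrolled device out of policy."""
    violations = []
    if p.compromised:
        violations.append("compromised")
    if not p.passcode_set:
        violations.append("no_passcode")
    if os_tuple(p.os_version) < MIN_OS[p.platform]:
        violations.append("os_below_minimum")
    return violations

def evaluate(p: DevicePosture) -> dict:
    """Map a device's posture to UEM actions plus the audit record for that decision."""
    # Unenrolled device: the UEM agent is gone, so all work email is removed immediately.
    if not p.enrolled:
        return {"device": p.device_id, "state": "unenrolled",
                "actions": ["delete_work_email"], "violations": []}
    violations = compliance_violations(p)
    actions = ["restrict_email_sharing"]  # always on: no sharing of work email into other apps
    state = "compliant"
    if violations:
        # Auto-quarantine: cut off mail sync and wipe the local copy of work email.
        state = "quarantined"
        actions += ["block_email_sync", "delete_work_email"]
    return {"device": p.device_id, "state": state, "actions": actions, "violations": violations}

def audit_fleet(devices: list) -> dict:
    """Per-device outcomes, keyed by device id, as the compliance data a breach review needs."""
    return {r["device"]: r for r in (evaluate(d) for d in devices)}

# Constructed sample fleet covering the four policy outcomes.
SAMPLE_FLEET = [
    DevicePosture("ios-001", "ios", True, False, True, "16.4"),
    DevicePosture("android-002", "android", True, True, True, "13"),
    DevicePosture("ios-003", "ios", False, False, True, "16.1"),
    DevicePosture("android-004", "android", True, False, False, "11"),
]
```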
“There’s not much data on a phone”
The problem: Phones contain quite a bit of local data, sometimes as much as a laptop. But they don't seem that way because the phone's file system is not visible to the user. All the data sits in the apps on the device, and most apps (especially email) download a large amount of data to the device so users can keep working even if the network connection is poor. In fact, the phone arguably hosts more data than a laptop because so much application usage on a laptop is done through the browser, while smartphones use device-side apps with stored data. Big data comes in small packages: Don’t underestimate the storage potential of a phone.
The solution: Use a UEM solution to deploy all apps as “managed apps.” This means Android and iOS apps are provisioned into a trusted digital workspace on the device and can be secured and deleted by IT.
“My users won’t install UEM because of privacy”
The problem: Many employees don’t trust their IT departments. They worry about IT spying on them and accessing or deleting their personal data. This concern is greater when it comes to phones because they contain a wealth of daily personal lifestyle information and photos. Some users may remove UEM protections from their devices because they worry about IT invading their privacy.
The solution: Many IT departments struggle with solving this issue, but the key is that transparency drives trust. There is no shortcut for communication. Make simple videos that show employees what actions IT can and can’t take on the device. Some UEM solutions have a mobile privacy screen that tells each user what permissions IT has. Ask the UEM vendor for resources that will help explain how the agency is using UEM to both secure data and protect employee privacy. Give users an incentive to enroll their device in UEM by making compelling work services available only if they do so.
“Lock it down!”
The problem: Lax security increases risk, but so does the reverse: IT takes such an extreme approach to security that it ironically creates the same risk. High-security organizations that need to move fast on mobile tend to lock down all their mobile devices. They turn off features and restrict the user, basically turning a powerful smartphone into a circa 2005 BlackBerry. Adoption drops, users get frustrated, and they start using unprotected personal devices with consumer apps to do their work. Shadow IT proliferates, and it is difficult for IT to re-establish relevance. IT managers forget that security must be an invisible enabler of the user experience.
The solution: Design the target user experience first. What applications do users need? In what circumstances will they use them? What devices do they already own? Allow users to install personal apps on a device that keeps business apps in a protected workspace secured by UEM. Enable single sign-on for all business apps on the device, eliminating passwords on trusted devices and creating a fantastic user experience that every user will love, including top executives who need quick access to information. Most importantly, maintain an open channel with the user community to understand what apps employees want so that those can be deployed as managed apps through the UEM solution.
Taking a structured approach to security by enrolling each device, managing each work app, communicating clearly to the user community, and making security invisible to the user allows each public-sector institution to minimize security incidents and provide the appropriate compliance and audit data if there ever is a breach. This is the baseline from which agencies can then build their mobile-first smart government strategies.
Ojas Rege is chief strategy officer at MobileIron.