IT executives walk a tightrope to balance the productivity gains afforded by mobile devices against quite real security risks. "Do I have the right to wipe a device clean if it's lost?" is a common conundrum, for example, but it's one that isn't as hard to resolve as some IT executives may think, according to experts in enterprise mobile security.
Because employees want to be able to use their iPads or Android devices to get their jobs done, they're usually very willing to adhere to mobile device protection measures, said John Pescatore, vice president and distinguished analyst at Stamford, Conn.-based consultancy Gartner Inc. That includes signing an acceptable-use agreement, a contract used to give IT the right to wipe their device clean.
"I've had CIOs and CISOs say, 'There is no way that I'll get employees to download a software agent on their mobile device or sign an agreement giving us the ability to wipe their device,' but that is untrue," Pescatore said. "If you give employees the opportunity to use their favorite toy, they are willing to compromise."
One heavy-handed approach is server-based. 'It's very secure and users hate it.'
VP and distinguished analyst, Gartner Inc.
Even the largest enterprises, including a $1 billion "low-tech" manufacturer, have had no problem getting thousands of employees to abide by such bring-your-own-device (BYOD) rules, he added.
Dave Trigo, vice president and corporate CIO at The Hanover Insurance Group, has also found that employees willingly comply with security measures, as long as IT makes it relatively easy to do so. Hanover Insurance Group's bring your own device (BYOD) program supports Blackberrys, iPads and iPhones for business use and has very straightforward rules of engagement for its program. Employees must download a mobile device management (MDM) agent on the device to access email and calendars. If they leave the company, corporate data is wiped clean from that device. "All they have to do is go to a website to request the [MDM agent] download, and security policies are pushed down to the device," said Trigo.
Pescatore said enterprises have four main mobile device protection approaches to consider:
- A heavy-handed approach that is server-based, in which to gain access to company information, the device user must use a Citrix Receiver on his or her device. "It's very secure and users hate it," he said.
- A little less Draconian approach is virtual desktop infrastructure (VDI), wherein users have to run VMware View on their iPads when connecting to work programs, for example. "They have to use a locked-down image that IT controls, but they can at least work offline," he said.
- Then, there is what Pescatore calls the "middle-of-the-road approach," where an MDM agent is loaded onto the device. "Enterprises take on some risk, and employees have to do something, but for the average enterprise, this is a workable approach," he said.
- The final approach is a bit of a free-for-all, where the thinking is, "OK, these devices are secure enough because the mobile device maker has made them secure enough." Pescatore doesn't expect that approach to gain much traction in the enterprise. "It didn't work with Microsoft and Windows," he said. "[Mobile device makers] are driven by consumer -- not business -- demands, so they aren't focusing on security."
His bottom-line advice? The best approach, Pescatore said, is a mix of an MDM agent for access to less-sensitive data and a Citrix Receiver for access to more-sensitive data.
This was first published in November 2012