Once the client has been installed, it can be viewed as a smartphone device agent that can then be appropriately leveraged to enforce the enterprise smartphone policy. The client provides a foothold into every smartphone attaching to the enterprise network, regardless of whether the assets are owned by the enterprise or your end user. The end user is not terribly inconvenienced because the post-authentication download is a fairly transparent process that happens automatically following successful authentication.
A device agent also allows you to actualize the impact of the constantly evolving device and application landscape and translate that into appropriate updates to this network-initiated client download so that you can stay abreast of the security hazards of this rapidly evolving market.
Figure 2-12: An example of how a smartphone device agent works.
Chapter 3
Planning for Mobile Devices in the Enterprise
In This Chapter
Protecting mobile devices from malware
Remotely managing mobile device policies
Enabling application access to mobile users
Adapting your corporate policy for mobile devices
Most corporate mobility policies allow for employee usage of one, or maybe two, approved devices for corporate use. Recent increases in the choices of mobile devices, and their increasing popularity, present challenges with today’s mobility policies.
Enterprises that are used to issuing corporate-approved assets like laptop PCs are tempted to account for smartphones in the same manner, by issuing corporate-approved tablet computers and smartphones. The challenge therein is to qualify and approve these kinds of devices as quickly as they appear in the market.
Other enterprises look to migrate to a “bring-your-own-device” model, where they allow employees to bring their own devices to work, as long as the enterprise policies can be reliably deployed and enforced on these devices.
Such challenges require revisiting your existing corporate mobility policies to account for smartphones and other new mobile devices. It seems obvious that the latest generation will revamp mobility in the enterprise as we knew it. Gone are the days when employees relied solely on their corporate-standard BlackBerry device to check corporate e-mail. Today, employees have more choices for devices, many of which are not approved or, worse, evaluated by their IT departments. It therefore has become important to devise security policies for not just the corporate-approved mobile devices, but also the devices that are owned by employees and bound to be used for corporate access. These devices may include the latest gadgets available in the market.
Some devices in the market are as computationally powerful as laptop computers used to be just a few years ago. The developer platforms available for leading platforms like the iPhone and Android also facilitate a thriving ecosystem of apps, including ones that can be used for corporate access. These apps allow users to not only check e-mail but also use other applications, like client-server applications such as SAP or Oracle. This necessitates creating policies to allow users to access only those applications that they are authorized for.
The latest mobile devices are also vulnerable to viruses, malware, and other types of threats that typically are known to affect Windows PCs. This makes the security of mobile devices just as important as securing regular desktop or laptop computers. Be sure to check out Chapter 6, where we discuss the protection of mobile devices from various threats like malware, viruses and spam.
Managing the New Wave of Mobile Devices
The success of the Apple iPhone set off a trend of similar smartphones from other vendors, including Motorola, Google, LG, Samsung, Nokia, and others. Of course, the erstwhile king of the corporate phone market — the BlackBerry — still remains widely used in workplaces worldwide. So many of these phones are available in the market that competition is forcing rapid innovation from several vendors; therefore, these devices and the platforms they run on are evolving rapidly.
Just when you thought smartphones were the only hot things in the market, Apple unleashed what appears to be another game-changer: the iPad. And following suit, several other vendors either released their own tablets or announced their intentions to release tablets.
Many enterprises find that employees are abandoning their corporate-standard devices in favor of the latest and greatest new gadgets available in the market. As you can imagine, this wrecks your company’s carefully laid out mobility management and security policies.
Keep in mind these two key ideas regarding the impact of today’s increasing usage of smartphones:
Not all devices are created equal. Smartphones are available from various device manufacturers, including Apple, Google, Nokia, Motorola, RIM, and Samsung. However, these devices are not similar in many respects. They run different operating systems, have vastly different capabilities and features, and present their own unique challenges to being managed or secured for enterprise usage.
Smartphones are very different from regular Windows and Mac computers. Smartphones and tablets are very different from regular computers running Windows, Mac, or Linux operating systems. Mobile operating systems like Apple iOS, Google Android, Nokia Symbian, BlackBerry and Windows Mobile are designed specifically for these smaller and more portable devices. So you’ll need to give them a closer look, because your traditional enterprise policies for managing Windows and Mac systems will most likely not apply to these mobile devices.
Support the cutting-edge devices
Lots of people today are mobile enough that they don’t make a distinction between work and home. Such people are technically savvy and use the newest gadgets for work as well as for personal use. These are the expert users who don’t constrain themselves to using the corporate-assigned BlackBerry devices to check e-mail, but instead bring the latest available tablet or smartphone to work.
Such expert users abound in today’s enterprise environment, representing the employees who buy their own mobile devices, download business apps from the market place or application store, and productively work on these devices. They like to be on the cutting edge of technology, leveraging the latest and best the industry has to offer. IT departments scramble to keep up with these users and their devices because many are simply not equipped to constantly evaluate all the latest mobile devices in the market.
Interestingly, it is difficult to ignore this kind of usage or deem the latest devices as being unsupported. Often these expert users are executives who shop for the latest gadgets and find ways to use them for corporate access. As the mobile market heats up with multiple vendors, prices become competitive, and many of these devices become affordable to mass consumers.
The bottom line is that mobile-savvy users are here to stay, and they are rapidly growing in number. Your enterprise needs to revisit your policies of handing corporate devices to employees, and analyze how you will adapt to this new trend of using personal devices for work. Here are some questions to consider:
How do existing mobile security policies evolve?
Would you allow employees’ personal devices into the network? How would you handle the employees who bring the latest consumer gadgets into the workplace?
How do you manage these personal devices?
Would you continue assigning corporate-approved devices with custom applications and “locked-down” policies? Doing so would require you to stay at the cutting edge of the smartphone market by evaluating the coolest and newest devices available. This requires a lot of time and investment in both devices and personnel.
How can enterprises protect themselves from losing corporate data, such as e-mail, when these devices are lost or stolen?
What type of security software would you consider deploying on these devices to protect them from viruses, malware, and other threats? There are mobile security solutions available in the market today that you need to evaluate and shortlist for deployment.
More than just e-mail
For each of the leading smartphone platforms available — such as the iOS, Android, Windows Mobile, BlackBerry, and Symbian — there are application stores supporting a variety of business apps.
Smartphone users can now easily access corporate e-mail, with sophisticated integration with Microsoft Exchange servers. They can also access web pages on the intranet using mobile browsers that support SSL encryption. Many business apps found in application stores provide functions such as Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC). Several application vendors have also released client applications that enable users to access server applications in the enterprise data center.
So employees are using these devices not just to check e-mail but also to check the latest company news on the intranet, watch company videos, update blogs on the intranet, and also access server applications like SAP and Oracle. It is therefore not just corporate e-mail that ends up on modern mobile devices, but a lot more content. Mobile devices can establish VPN (virtual private network) tunnels (connections) to your corporate VPN gateway, thereby getting on to the network.
As devices grow more sophisticated in screen resolution and processing, this trend will only grow because application access will become ubiquitous. Although RDP on the small screen of the iPhone is cumbersome to use, it is now an order of magnitude better and more usable on the larger iPad. And if a couple of application vendors have client apps in the App Store, you can rest assured that their competitors will quickly follow them with their own apps.
Most employee mobile usage can broadly be classified into the following types of application access:
E-mail
Web-based applications on the mobile browser
Full network access, including using client-server apps such as Oracle or SAP
When you think of enabling remote access for mobile devices, think of which types of applications you want to enable for access from mobile devices. In many cases, depending upon the user’s role in the company (such as “employee,” or “finance,” or “IT contractor,” or “executive”), a single application type or maybe two might be sufficient.
And so, it goes on. Business applications are growing rapidly in the app stores, and devices are growing more sophisticated for users to do real work on them. If everything seems to collide, take a look at Figure 3-1, which will help you visualize the challenges in the following distinct arenas:
Mobile device choices: What types of devices should be allowed into the workplace and which ones should not?
IT enablement of new applications: How would new applications being developed by IT be enabled access from mobile devices?
Mobile security: What type of security needs to be enforced on the mobile devices, and what types of threats should they be protected from?
Granular access control: What type of VPN access should be enforced on the mobile devices?
Figure 3-1: Mobility challenges in the enterprise.
The BlackBerry also supports an application store, App World, which offers a number of business apps. The BlackBerry Enterprise Server, widely deployed in enterprises, manages the deployment policies of applications on corporate BlackBerry devices. This kind of tightly controlled management model does not exist for many other popular smartphone platforms. As you begin thinking about supporting a heterogeneous mobile environment (an environment that contains devices from different manufacturers), you need to strategize about how you want to restrict or control applications installed on these devices.
Who moved my application?
Along with rapid mobile device innovation, there are changes happening on the application side as well. With an increasing number of applications being developed or used within the corporate workplace, the economics of cloud computing are beginning to resonate with enterprises. It has become cost-effective for many enterprises to move certain applications to the cloud, from earlier deployments on physical servers in their data centers.
It is now common to hear examples of enterprises deploying their applications in private cloud or public cloud infrastructures:
Private cloud: An environment hosted within enterprise premises, but managed and operated by a different vendor, such as a service provider.
Public cloud: An environment that is hosted, managed, and operated in a data center accessible to the general public. Applications such as Gmail, Google Apps, and Amazon S3 are examples of public clouds.
As applications move to the cloud, access to them is often facilitated by simple web browsers. This makes access from smartphones easier, but more challenging for the enterprise. No matter where the application is hosted, you need to secure access to it and allow access to only those users whose roles permit it. Managing access policies when you own the application and the server it runs on is relatively simple. But managing access to publicly hosted applications on employees’ personal mobile devices is a different proposition.
Enforcing access control to applications has to depend upon the user’s privileges and possibly change depending upon what device or location the user is connecting from. You may want to consider limiting the users’ privileges to just e-mail access when they are using that latest new gadget in the market, but grant them full network access — including application access — while connecting from their corporate laptop computers.
Whenever you decide to move a certain application (such as e-mail or maybe an HR application) to the cloud, be sure to think about how this will affect access from mobile devices. For example, consider how mobile users will access the application from their smartphones or tablet devices. And think about whether you will assign different access permissions to the user, depending upon whether they are using their Windows PC to access to the application, versus their shiny new Android tablet.
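The role-and-device decision described above (and the three access types listed earlier: e-mail, web-based applications, full network access) can be written down as a small policy evaluator. The following is an added worked example, not code from the book or from any product it mentions: it takes the user's role and the connecting device's posture (corporate-owned or personal, device agent installed or not, anti-malware signatures current or not, malware detected or not) and grants the lower of the role's ceiling and the device's ceiling, so a user on an unmanaged personal gadget gets e-mail only while the same user on a managed corporate laptop gets full access. The role names, tiers, posture fields, and thresholds are assumptions chosen for illustration.

```python
"""Access-tier decision for a mobile device connecting to the enterprise.

Constructed example (not from the book): the access a user receives depends
on the user's role AND on the device they connect from. The device can only
lower the tier, never raise it above what the role allows.
"""
from dataclasses import dataclass
from enum import IntEnum


class AccessTier(IntEnum):
    """Ordered so that min() picks the least-privileged tier."""
    NONE = 0          # blocked from the network
    EMAIL = 1         # corporate e-mail only
    WEB_APPS = 2      # e-mail plus browser-based intranet/cloud apps
    FULL_NETWORK = 3  # VPN, client-server apps such as SAP or Oracle


@dataclass(frozen=True)
class DevicePosture:
    """Facts the device agent / MDM reports about the endpoint (assumed fields)."""
    platform: str                # e.g. "ios", "android", "blackberry", "windows"
    corporate_owned: bool
    agent_installed: bool        # network-initiated device agent present
    av_signatures_current: bool  # endpoint security updated recently
    malware_detected: bool


# Highest tier each role may ever receive (assumed role names).
ROLE_CEILING = {
    "employee": AccessTier.WEB_APPS,
    "finance": AccessTier.FULL_NETWORK,
    "it_contractor": AccessTier.EMAIL,
    "executive": AccessTier.FULL_NETWORK,
}


def device_ceiling(posture):
    """Highest tier the device itself qualifies for, with the reason for audit."""
    if posture.malware_detected:
        return AccessTier.NONE, "malware detected on device"
    if not posture.agent_installed:
        return AccessTier.EMAIL, "unmanaged device (no agent)"
    if not posture.av_signatures_current:
        return AccessTier.EMAIL, "anti-malware signatures out of date"
    if not posture.corporate_owned:
        return AccessTier.WEB_APPS, "managed personal device: no VPN"
    return AccessTier.FULL_NETWORK, "managed corporate device"


def decide_access(role, posture):
    """Least privilege: the lower of the role ceiling and the device ceiling."""
    role_max = ROLE_CEILING.get(role, AccessTier.NONE)
    dev_max, reason = device_ceiling(posture)
    tier = min(role_max, dev_max)
    if tier == role_max and tier < dev_max:
        reason = f"role '{role}' ceiling"
    if role not in ROLE_CEILING:
        reason = f"unknown role '{role}'"
    return tier, reason


# Constructed sample devices for a quick run.
CORP_LAPTOP = DevicePosture("windows", True, True, True, False)
PERSONAL_TABLET = DevicePosture("android", False, False, False, False)
MANAGED_BYOD_PHONE = DevicePosture("ios", False, True, True, False)
INFECTED_PHONE = DevicePosture("android", True, True, True, True)

if __name__ == "__main__":
    for role, dev in [("executive", PERSONAL_TABLET), ("executive", CORP_LAPTOP),
                      ("employee", CORP_LAPTOP), ("finance", INFECTED_PHONE)]:
        tier, why = decide_access(role, dev)
        print(f"{role:13s} on {dev.platform:8s} -> {tier.name:13s} ({why})")
```

Each decision is returned together with the rule that bounded it, so the same function can drive the VPN gateway's access policy and write an audit entry explaining why a user on a new gadget was limited to e-mail.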
Updating your mobility policies
To keep up with today’s environment, you need to update your mobility policies as well as think about supporting more than one device platform. Here are some of the areas in which to consider modifying your current mobility policy and ways that you can do it:
Current policy: You have a single-device policy; only one device is corporate-approved.
Solution: Evolve to a multiplatform and multivendor policy, allowing devices of various platforms to access your corporate data. Allow more employee choice, while at the same time protecting your network. Explore mobile device management (MDM) solutions that support multiple mobile platforms, including Apple iOS, Google Android, Windows Mobile, Nokia Symbian, and BlackBerry.
Current policy: Your IT department manually downloads software to each mobile device, thereby increasing the deployment costs of pushing software to mobile devices.
Solution: Explore solutions that allow the user to download software, such as the VPN application, from an app store without needing IT to intervene.
Current policy: You deploy endpoint security only for Windows.
Solution: This is no longer a sufficient security solution. Look for solutions that can protect mobile devices from malware, viruses, and other threats. For more information, be sure to read Chapter 6, which describes the types of threats from which you should protect these devices, and the solutions that offer the appropriate form of protection.
Current policy: You have application policies in place only for Windows.
Solution: Most enterprises have systems in place that can deploy applications to Windows PCs. You need to scale (adapt) this ability to mobile devices as well, to manage and control the apps that are installed on them. Explore solutions that give the ability to restrict apps on mobile devices to a list that you can manage.
Current policy: You have no loss and theft-prevention policy for mobile devices.
Solution: Mobile users are vulnerable to losing valuable data on mobile devices when those devices are lost or stolen. Many enterprises lack the policies to mitigate the risk of losing sensitive data on such devices. Look for solutions that allow you to take immediate preventive action on lost or stolen devices. Actions include remotely locating a device via GPS, remotely setting off an alarm, or remotely wiping selective device contents, such as personal data or corporate data, or both.
Adapting to the New Challenges of Mobile Devices
Most enterprises today have designed mobility policies centered around the usage of just one type of corporate device, which in many cases happens to be the BlackBerry. Some have recently adapted to include popular Apple devices in their corporate policy as well. As you ponder migrating from this model to a more flexible one, supporting many of the latest devices, here are the aspects of mobility policies you should revisit:
Protecting mobile devices from malware and viruses: This should be the most fundamental requirement for allowing any device to access e-mails, applications, and data on your corporate network. No device running any kind of malware should be allowed onto your corporate network. Protecting the devices is paramount to protecting your own network from attacks originating from such devices.
Part of preparing your network for mobile devices is having the means to protect all the mobile devices on your network from malware, viruses, and other threats. Key items here include installing endpoint security software (software to protect the network when accessed remotely), ensuring that the software remains updated with the latest virus signatures, and ensuring that you can deploy this on the latest devices hitting the market.
Mobile Device Security For Dummies Page 8