Employees increasingly want to use their personal devices for work, so what’s stopping IT from making it happen? In a recent study by IDC, 83 percent of IT professionals reported that security concerns are among their greatest barriers to enabling employee-owned devices. Without a way to provide secure access to data, applications and other network resources, IT departments are often hesitant to allow “bring your own device” (BYOD) programs to get off the launch pad.
Just because your company doesn’t formally support employee-owned devices doesn’t mean they aren’t already accessing your network. Ron Gula, CEO of Tenable Network Security in Columbia, Maryland, says it’s a significant issue that a lot of companies don’t have a platform in place to control access and security. “They still have mobile devices accessing the network,” he says.
There are a host of routes open to IT when it comes to managing mobile devices. Here we look at two options for implementing security around personal devices: mobile device management (MDM) and virtualization.
Mobile Device Management
MDM platforms offer a range of features and security levels. These programs are designed to authenticate devices onto the network and control access into various data sets and applications on a per-user and/or per-device basis. Additional layers of security, such as allow/block/quarantine (ABQ) may also be available. “When you have ABQ in place, you can set up the filtering so that only devices that meet certain criteria filters are allowed in,” says Troy Fulton, director of Product Marketing at MDM provider Tangoe Inc., in Orange, Connecticut. That also means that rooted or jailbroken devices, which are increasingly targeted by malware, can be blocked from accessing and potentially compromising the network.
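To make the allow/block/quarantine idea concrete, here is an added illustration (not Tangoe’s code or any vendor’s product) of how an MDM gateway might evaluate a device’s reported posture against a compliance policy. The attributes, thresholds and the three constructed sample devices are assumptions for the example; the point is the three-way outcome: untrusted integrity (rooted or jailbroken) is blocked outright, fixable shortfalls such as a missing passcode land the device in a limited quarantine network, and only a fully compliant device is allowed in.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    QUARANTINE = "quarantine"


@dataclass
class DevicePosture:
    """Posture facts an MDM agent reports at check-in (constructed schema)."""
    device_id: str
    os_version: Tuple[int, int]   # (major, minor)
    jailbroken_or_rooted: bool
    passcode_set: bool
    enrolled: bool
    encryption_enabled: bool


# Policy thresholds are hypothetical values for the example.
MIN_OS_VERSION = (7, 0)


def evaluate(device: DevicePosture) -> Tuple[Decision, List[str]]:
    """Return the ABQ decision for one device plus the reasons behind it."""
    # Integrity failures cannot be remediated by the user on the spot, and a
    # rooted/jailbroken device may be running malware with elevated rights, so
    # it is blocked regardless of any other attribute.
    if device.jailbroken_or_rooted:
        return Decision.BLOCK, ["device is rooted or jailbroken"]

    # Remediable gaps: the device is placed in a quarantine segment that only
    # reaches the enrollment/self-service portal until the user fixes them.
    reasons: List[str] = []
    if not device.enrolled:
        reasons.append("device is not enrolled in MDM")
    if not device.passcode_set:
        reasons.append("no device passcode configured")
    if device.os_version < MIN_OS_VERSION:
        reasons.append(
            "OS %d.%d is below the minimum %d.%d"
            % (*device.os_version, *MIN_OS_VERSION)
        )
    if not device.encryption_enabled:
        reasons.append("device storage is not encrypted")

    if reasons:
        return Decision.QUARANTINE, reasons
    return Decision.ALLOW, []


def triage(devices: List[DevicePosture]) -> Dict[str, Decision]:
    """Evaluate a batch of check-ins, keyed by device id."""
    return {d.device_id: evaluate(d)[0] for d in devices}


# Constructed sample check-ins, one per expected outcome.
SAMPLE_DEVICES = [
    DevicePosture("phone-compliant", (8, 1), False, True, True, True),
    DevicePosture("phone-no-passcode", (8, 1), False, False, True, True),
    DevicePosture("phone-jailbroken", (8, 1), True, True, True, True),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        decision, why = evaluate(dev)
        print(f"{dev.device_id}: {decision.value}", "; ".join(why))
```

The ordering matters: the integrity check runs before the remediable checks so that a jailbroken device with a passcode is still blocked rather than merely quarantined, and the reasons list gives the self-service portal something specific to show the user.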
The level of device oversight varies, but MDM platforms, such as those available from Tangoe, allow IT to control which applications users can download onto their devices, to require that the device be password protected, and even to track voice, data and SMS usage of the devices in real time. This becomes especially important as mobile carriers ramp up the price of data packages. “Data usage is increasing because these mobile platforms are designed to input and output data in real time and collaboratively,” Fulton explains. Self-service portals are also available in some solutions, a functionality that shifts many of the tasks associated with onboarding and managing device upgrades from IT and puts them in the hands of individual users.
For Philadelphia-based Resources for Human Development, HIPAA compliance requirements factored heavily into the decision to implement an MDM solution. “We knew we had a large number of mobile devices out there, and we didn’t have the room to wait,” says Endre Walls, the company’s CTO. Some of the platforms his team evaluated were “infrastructure heavy,” which often meant additional time would be needed to get everything set up. They eventually selected Fiberlink’s MaaS360 solution, a program that met their requirements and was also within their capabilities to launch. “It gave us the flexibility that we were looking for, and we didn’t have to have a bunch of resources in order to make it happen,” Walls says. He reports that authenticating and de-authenticating devices is simple and straightforward, and says his team has made use of the platform’s remote wipe feature when a device has been stolen or lost. “The process has been as smooth as we expected it to be,” Walls confirms.
Gula says the quality of mobile device users’ experience may be better when using MDM over virtualization if mobile-specific applications are available. This is because purpose-built applications are often easier to use on the relatively small real estate of a smartphone screen than on larger laptops. And when it comes to MDM solutions, Gula says he typically prefers those platforms that force the use of a virtual private network (VPN) back to the company. “Then the IT organization has a chance to leverage other technologies, like firewalls and intrusion detection, to protect the devices,” he says.
Virtualization
In a virtualized environment, mobile devices are granted access to network resources — data, applications, other corporate services — but those assets never truly reside on the device. Instead, the device becomes an endpoint that connects to assets within a secure environment, such as a data center. “Virtualization technology enables those mobile devices to connect to a hosted desktop or hosted application,” says Natalie Lambert, director of Product Marketing at virtualization technology provider Citrix in Santa Clara, Calif. With a virtualization solution, a portal application is downloaded onto a mobile device. The user then enters their login credentials into that portal, thus gaining access to centrally located corporate data and resources based on their credentials.
Various virtualization solutions are available to meet a wide range of needs. Some, like CloudGateway from Citrix, allow for access to more than the conventional desktop application. They also support secure delivery of mobile-specific applications that can then run natively on the device. “We put a small container on the endpoint device, and that is what Citrix controls,” Lambert explains. Instead of trying to manage the entire device, which might be the employee’s personal unit, IT simply controls access through that container. The user can continue to run their personal applications and data outside of the container at their discretion. Lambert says it’s a good solution for companies that want to allow employees to use their personally owned mobile devices, but don’t want to get into the potential problem of removing corporate (non-personal) information from the device when the employee leaves the company.
With 80 employees and users spread out over 18 or so different sites, brokerage firm E.K. Riley Investments LLC needed a secure way to allow remote access to highly sensitive financial data. The XenDesktop platform from Citrix offered the group this kind of anytime, anywhere access while still ensuring their information remained inside the safety of the data center. “A few years ago, we decided that virtualization — bringing first applications and later the desktop — into the data center was a better way to protect our information, and also make support a lot easier,” says Christian Moses, CTO of the Seattle-based firm. His team can now be sure that everyone in the environment is using the same software, plus it’s a less expensive way to manage the secure data feeds the company maintains back to its clearing firm. “We were able to consolidate those points to just a couple of secure facilities, and get out of the router-to-router VPNs and other issues like that,” Moses says.
Industries where data is highly sensitive and also highly regulated have been frequent adopters of virtualization. “Where you want to leverage a common desktop environment for things like the banking industry or the insurance industry, where you know you have a high degree of replication, there is a tremendous benefit to that,” Gula says. Other instances where virtualization is popular include those where no mobile application exists, or where the mobile platform doesn’t have adequate resources (Gula points to the use of ActiveX) to be effective.
And remember: the right solution for an enterprise today could require rethinking tomorrow. “Every year these mobile devices get more and more like a laptop, and the laptops get more and more like a mobile device,” Gula says. Application availability, bandwidth requirements and device size are just some of the factors that could push IT departments toward new solutions in the future.