Blog

LiveCirrus Enterprise Mobility Strategies Whitepaper Available for Download

Native Development, HMTL5, and Virtualization: An Overview of Enterprise Mobility Strategies is now available. Please submit your company info here to access a free copy.

“Without question, mobile tablets and smartphones have evolved dramatically in recent years from nice-to-have novelty toys to vital, productivity enhancing business tools. As your company scrambles to integrate mobility into their IT ecosystems, those leading the effort will quickly realize that sophisticated desktop applications often don’t work on the latest smartphones and tablets. Your company’s legacy software may be incompatible with the mobile operating system, or the device simply doesn’t have the computing horsepower to deliver the performance levels your workforce needs. Simple workflows that are hardcoded into the desktop software, such as timesheet inputs or financial data displays, don’t translate or are inaccessible on the mobile device.

But these simple workflows are vital to our corporate mobility strategy!

Your company has already committed to going mobile. All or part of your workforce will be armed with the latest mobile devices by the end of the fiscal year, and they may even be bringing their own devices to work today. Your IT leaders are scrambling to present a cohesive approach that makes sense from a time and cost perspective, but everyone agrees that the solution is more complicated than it may have seemed.

Maybe it’s your customers, not your employees that are eager to realize usability benefits from deploying your software onto their mobile devices. Lots of customer loyalty and revenue are at stake, but what approach to mobility makes the most practical sense?

This whitepaper explores the basics of mobile development alongside the key features and benefits of virtualization."

CIO Challenge : Mobile Device Management (MDM)

For an MDM primer, see Gartner’s Critical Capabilities for Mobile Device Management, including top providers, use cases, and analysis across 10 critical capabilities:

Key Findings

-Not all MDM platforms provide device encryption if it is not supported natively on the device.

-Although containerized approaches offer some of the highest security, restrictions to the user’s experience with mobile email may limit the user’s acceptability and viability on personal devices.

-AirWatch, BoxTone, Fiberlink, MobileIron, Sybase and Zenprise use native Apple iOS 4 management APIs to implement functions such as over-the-air (OTA) software upgrades and certificate-based authentication.

-Good for Enterprise is a mobility suite centered on wireless email; many management and security capabilities are available within their email client only.

Recommendations

-Choose MDM offerings that support a lightweight management approach, with mobile agents and server-side platforms, when your security and management requirements are limited and deep control is not accepted by employees using personal devices. Examples include Zenprise, MobileIron, BoxTone, Fiberlink and AirWatch.

-Choose MDM offerings that support a heavyweight approach to deliver secure and manageable corporate email to consumer and personal devices when strict security and compliance requirements apply. Containers can enforce stronger separation among personal and corporate content. Examples include Good Technology, Excitor and Sybase.

-The iPhone 3GS and later hardware platforms ship with always-on hardware encryption. When iOS 4.2 was introduced, it added a new data protection class that allows third-party applications to manage their own encryption keys, reducing the risk of data leakage on a jailbroken device. The new data protection classes are activated upon the full installation of iOS 4 or later.

CIO Challenge : BYOD + Security

A big thank you to Russell Schmidt, the CEO of Extenda Communications, for his answer to our question on Quora:

What are the most effective security solutions for corporate IT departments managing a BYOD (Bring Your Own Device) mobile tech ecosystem?

“The answer depends on your risk tolerance, budget and size. My answers here are geared towards a small to medium sized business with limited budgets.

To start with, are tablets and smartphones tougher to deal with than securing laptops? Yes, and by a lot. It is easier to lose a phone or tablet, and many apps don’t authenticate. The adoption of cloud storage and SaaS delivered as native apps means that some goober could potentially get into your hosted CRM database by picking up a phone left at a Starbucks.

The major threat vectors I see in the field for a small business are the typical wireless-access-to-your-network issues, plus concerns with data integrity and versioning from devices that are not communicating in real time but are essentially doing batch transfers, and the ‘skeleton key’ issue, where some users have a lot of network access riding around in their pocket. I will lump in app access to cloud infrastructure with this last issue.

If you have higher tolerance for risk, which is to say you value convenience and mobility more than the perceived risk, I would recommend a few steps to mitigate disaster. First, rethink your folder permissions on cloud storage apps. Many of my customers just share everything, or share parent folders so permissions are inherited down the chain. File access to say dropbox from a found phone is a fingertip away. Only share what you are willing to lose, give permissions on a need-to-know, folder-by-folder basis, and give IT control over who has access to what and ideally track the permissions, even if its on a spreadsheet, so when Joe says he lost his phone, you can delete the user account in dropbox and then help management assess what is at risk. Second, enforce a passcode policy for byod-ers and make sure that at least Apple users have the ‘Find My iPhone’ app so you can wipe the devices if they are lost. Third, while wireless network security is a world unto itself, you should be regularly changing strong wifi passwords. IT can dangle the carrot of the new wifi password in exchange for a passcode check on the device if you don’t have Exchange deployed enforcing ActiveSync policies and passcodes under IT control.

Note that if you are sharing Google docs, that presents a different problem as there are a lot of apps that are resident on a phone or tablet that give one touch access to these documents without user authentication. Enforce two step authentication if your company is using Google docs. I would even consider using password authentication on MS Office docs & PDFs you really care about that are in cloud storage.

If your attitude is “trust but verify” like Reagan with the Soviets, the biggest change to make is not deploying cloud file sharing apps that do not have user authentication every time. Also, time out these user authentications. The idea is that in this scenario you are shutting off the ‘always on’ connections into your network or file sharing, but not depriving tablet or smartphone users from the option to access things they would normally be able to. Also consider encrypting your tablets.

If your attitude is, “Get that junk off my network!,” you are a network admin or work in a regulated industry. The steps I would recommend in that case are to use MAC authentication for wireless access at a minimum so IT controls exactly who is on the network. This is absolutely terrible to administer in large networks which is why a lot of large networks will instead segregate the wireless network and stick it in a DMZ so that it is outside the firewall and tablets etc can’t open a port in. Basically, in this scenario, your wireless device is using the internet connection but it is as if you are not on the network. So for devices to get network access, tablets and smartphones would have to use an encrypted VPN app to tunnel back in, and of course they should be required to authenticate every time without an option to auto-populate the password on their device and a short time-out.

An interesting solution is using virtualized desktop apps to give network access. This way, user authentication is enforced, as are timeouts, and the user inherits the same permissions they’d have anyway, as they are just looking at their desktop.

There is a ton I didn’t cover, such as email security and switching firewall security from Stateful Packet Inspection to Deep Packet Inspection (if you have the staff to manage it) but I think taking some basic precautions goes a long way."

©2010-2014 LiveCirrus Inc.