TRANSCRIPT
Embracing the Mobile Imperative
September 27, 2012
Philadelphia
Joanie Wexler Technology Analyst/Editor
Joanie M. Wexler & Associates [email protected]
The Consumerization of IT: Mobile Devices & Apps
…and its impact on the enterprise
State of the Mobile Union
Employees Increasingly Use Personal Devices at Work
Percentage currently using their own device (chart values): laptop 35%; tablet 53%; one further category at 7% whose label was lost in extraction.
Enterprise Mobile Awareness Levels
Survey says…
• 61% allow staff to bring their own devices
• While just 17% have BYOD security and usage policies
• And just 9% of IT professionals feel they are “fully aware” of all the mobile devices running on their networks
Source: The SANS Institute Annual Mobility/BYOD Security Study, March 2012; N=500
State of the Mobile Union
Enterprise IT Professionals: Have you implemented a third-party mobile device management (MDM) system?
• 28% Yes, using a single solution supplier
• 28% Yes, using 2 or 3 solution suppliers
• 11% Yes, using 4 or more solution suppliers
• 33% No
Source: CCMI, July 2012
State of the Mobile Union
Worldwide Mobile OS Market Share (Q2 2012)
• Android 59%
• iOS 23%
• BlackBerry 6.4%
• Microsoft 2.2%
• Symbian 6.8%
• Other 2.6%
Source: IDC, May 2012. Note: Android market share not necessarily indicative of enterprise penetration – yet.
BYOD Challenges
1) Securing corporate data – at the user, device, network and app levels
2) Provisioning and managing mobile apps – both public and enterprise on a single device
3) Managing network performance / user experiences
4) Who pays for what? (ownership models)
Basic Mobility Lexicon: Ownership Models
• Corporate-Liable (CL). The enterprise procures, manages and secures all end-user devices and is responsible for paying all monthly network service plan fees.
• Employee-Liable (EL), a.k.a. Bring Your Own Device (BYOD). Employees purchase personal devices, use them at work and are responsible for paying the monthly network service plan fees. The enterprise might reimburse business-related network service costs via a flat monthly stipend in the user’s paycheck or via expense report.
• Hybrid. A mix of CL and EL/BYOD, likely to be the most common model in all but the most security-conscious organizations. Enterprises need automated tools for top-down control regardless of who buys the device.
Spectrum of Device Ownership Models (from Locked Down to Open):
• Fully Corporate Liable (CL)
• Corporate Owned, Personally Enabled (COPE)
• BYOD, managed (agent software on client)
• BYOD, unmanaged
Hybrid BYOD and Corporate-Liable (CL)
Decide what kind of “liable” your organization is, then create policies to match
Why the Fuss over BYOD?
Employee Rationale
• Convenience; carry one device
• Blending of personal and work life natural to 20- and 30-somethings; some feeling of entitlement to use the tools they know and love
Corporate IT Rationale
• Compete with other employers sanctioning BYOD
• Create friendly corporate culture
• Offload capex/device purchase costs to employees (effective?)
• Make IT look heroic instead of being perceived as a roadblock
• If you can’t beat ‘em, join ‘em (how do you keep BYODs out?)
The BYOD and mobile imperatives must be embraced − whether as a necessary evil or as a strategic competitive move
Does BYOD Deliver Savings?
Not all companies are saving $$$ by offloading mobile capex to employees. Respondents gave very similar responses when asked about monthly service fee changes.
Source: CCMI and Dimension Data/Xigo, “Mobility Temperature Check: Just How Hot Is BYOD?,” July 2012; N=116
What Needs Doing?
① Survey users about wants, concerns – a general best practice
② Make ownership model decisions
③ Set policies (usage and security) at device, application and network levels; get employees to sign off
④ Evaluate tools to automate the enforcement of those policies
⑤ Decide tools form factor: on-prem hardware, virtualized software servers or cloud services (or a mix)
⑥ Try for as much user database, interface and feature integration as possible
⑦ Pay attention to vendor mergers and partnerships (MDM, Wi-Fi, TEM, endpoint security, networking companies…)
Enterprise Mobility Management
Policy Decisions
• Is every mobile OS and hardware platform allowed onto your network? Does IT have to support them all?
• Is a client agent required to access corporate resources? If BYOD, user pushback?
• Who pays the monthly bill? How much of the bill? Stipend? Expense report?
• Can corporate data reside on the device?
• Who owns the handset phone number?
• What is your legal liability if you wipe personal data?
The answers will depend on what kind of ‘liable’ you are
Enterprise Mobility Management (MDM, MAM, Mobile DLP…)
Device and Network Security
• Network Access Control/Posture Check, including ActiveSync Filtering
• URL and App Filtering
• On-Device Encryption
• OTA Encryption/VPN
• Intrusion Prevention/Malware Scans
• Remote Wipe – Partial or Full
Mobile Application Management (MAM) & Security
• Enterprise App Store/Catalog (App Delivery)
• Volume Discounts and Licensing of Public Apps
• App Whitelist/Blacklist
• App Sandboxing, Containerization, Wrapping, Dual Persona, Virtualization, Per-App VPNs
• Dev Tools for Baked-In Per-App Policies
Performance Management / Troubleshooting
• Remote Diagnostics
• Network Coverage Check
• Troubleshoot Bad Radio/Antenna
• Deep Packet Inspection and Traffic Management
Device Provisioning, Visibility, Management
• Know What’s on the Network
• Track Assets and User Access
• Basic Usage Policy Setting, Enforcement
• Expense (Usage) Management
All four areas feed a “Single Pane of Glass” Administrative Portal
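Of the Device and Network Security items listed above, the Network Access Control/Posture Check is the one that reduces to a decision an engineer can write down: which device attributes block access outright, which merely quarantine the device until IT or the user fixes them, and which let it through. The following is an added example, not code from the presentation or from any MDM/NAC product. The policy thresholds, the fields of a device check-in record, and the sample devices are all constructed assumptions chosen to exercise each branch.

```python
"""Mobile device posture check, modelled on the NAC / ActiveSync-filtering
control listed above.

Added example, not taken from the presentation or any MDM product.
Policy thresholds, record fields and the device records below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical corporate policy (assumed values, not recommendations from
# the talk): minimum OS version per platform that IT agrees to support.
POLICY = {
    "min_os": {"ios": (5, 1, 1), "android": (4, 0, 0)},
    "require_encryption": True,   # on-device encryption must be on
    "require_agent": True,        # managed BYOD: client agent must be enrolled
    "block_jailbroken": True,     # rooted/jailbroken devices never get in
}


@dataclass
class Device:
    device_id: str              # e.g. the ActiveSync DeviceId
    platform: str
    os_version: str
    encrypted: bool
    agent_enrolled: bool
    jailbroken: bool
    owner: Optional[str]        # directory user, or None if unmapped


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.0.4' or '5.1.1 (9B206)' into a comparable 3-tuple."""
    parts: List[int] = []
    for piece in text.split()[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def evaluate(device: Device, policy=POLICY) -> Tuple[str, List[str]]:
    """Return ('ALLOW' | 'QUARANTINE' | 'BLOCK', reasons).

    Hard failures (jailbroken, unsupported platform) block outright.
    Fixable failures (old OS, encryption off, agent missing, unknown
    owner) quarantine the device so IT or the user can remediate, which
    is the default-access model ActiveSync filtering uses.
    """
    platform = device.platform.lower()
    if policy["block_jailbroken"] and device.jailbroken:
        return "BLOCK", ["device is jailbroken/rooted"]
    if platform not in policy["min_os"]:
        return "BLOCK", [f"platform {device.platform!r} not supported"]

    reasons: List[str] = []
    if device.owner is None:
        reasons.append("device not mapped to a directory user")
    if parse_version(device.os_version) < policy["min_os"][platform]:
        wanted = ".".join(map(str, policy["min_os"][platform]))
        reasons.append(f"OS {device.os_version} below minimum {wanted}")
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("on-device encryption is off")
    if policy["require_agent"] and not device.agent_enrolled:
        reasons.append("management agent not enrolled")
    return ("QUARANTINE", reasons) if reasons else ("ALLOW", [])


def check_fleet(devices: List[Device]) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every check-in record and key the verdicts by device id."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed check-in records, not real data.
SAMPLE_DEVICES = [
    Device("ios-a1", "iOS", "5.1.1 (9B206)", True, True, False, "jdoe"),
    Device("and-b2", "Android", "2.3.6", True, True, False, "asmith"),
    Device("and-c3", "Android", "4.0.4", True, False, True, "asmith"),
    Device("ios-d4", "iOS", "6.0", False, True, False, None),
    Device("sym-e5", "Symbian", "9.4", True, False, False, "bwong"),
]

if __name__ == "__main__":
    for dev_id, (verdict, why) in check_fleet(SAMPLE_DEVICES).items():
        print(f"{dev_id:8} {verdict:10} {'; '.join(why)}")
```

The three-way verdict matters more than the specific rules: an unknown or out-of-policy device that is quarantined rather than silently blocked gives IT the visibility the SANS figures above say 91% of respondents lack. In an Exchange environment the same shape exists natively (the ActiveSync organization settings can default unknown devices to quarantine, and device access rules express the per-platform allow/block part); the code here is only the decision logic, not an integration with any product.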
Usage Scenarios: MDM and MAM with Mobile DLP
• Corporate-liable (CL) devices: MDM very viable for users who work for you and are in the enterprise LDAP or Active Directory user profile database. Might be all that’s needed for complete lifecycle management and security.
• Employee-liable (EL) devices (BYOD): If you encounter user resistance to installing corporate client software on BYODs, or want to make some apps available to partners (not in your user DB), consider MAM with app-level DLP. It touches enterprise apps only and leaves user device settings, files, and email intact. Privacy laws differ from country to country, which could affect strategy.
Mobile Application Management (MAM)
MAM (shown nested inside MDM) is application-layer management and security.
• Management: developing/mobilizing, deploying, updating, and patching apps
• Security: mobile DLP; partitioning application data
• Many MDM vendors include MAM
Enterprise Application Store (EAS)
An EAS (shown nested inside MAM) delivers enterprise & consumer apps.
• Available from MDM, standalone MAM, ‘storefront’ vendors
• Apple Volume Purchase Program
• Run it on prem or in cloud
• Requires zero end-user training
If you need app control, implement an EAS
Deploying, Updating & Managing Apps
App Security Policies and Issues to Consider (MAM / DLP / Security)
• Access to app (PIN or password)
• Geo-fencing
• Blocking offline use
• Wiping data/app
• Encrypting data (including email attachments)
• Copy/paste OK or not
• Sharing data on social networks
Emerging App Security Options
• Sandbox
• Containerization
• App Wrapping
• Dual-Persona
• Virtualization: ‘Personal’ and ‘Work’ images & accounts on one device
• Per-App / Inter-App VPN
App Security Options: Sandbox (One Big Enterprise Apps Container)
[Diagram: a single sandbox on the mobile device holding the browser, PIM and other enterprise apps]
• Puts apps inside protected space
• Access by password or PIN
• Encrypts all corporate app data
• Email, PIM… apps supplied by vendor; doesn’t use native apps (uses third-party user interface)
• Custom apps need to use vendor’s SDK
• Whitelist allowed apps/blacklist disallowed apps
App Security Options: Containers and Wrappers
[Diagram: on one mobile device, a public app container, an email account container and an enterprise app container, each isolated from the others]
• Isolate each app
• Access by password or PIN
• Encrypt each app’s data or apply other per-app policies
• Solutions are built for individual OSs
• Can be applied to native apps and individual email accounts
• (Most) require no customization; (some might) require app built with SDK
• Usually no sharing between containers, unless using an encrypted ‘inter-app’ tunnel
App Security Options: Virtualization of Device
[Diagram: a hypervisor on the mobile device running two images, an image of the employee’s personal device (personal apps) and an image of the employee’s work device (enterprise apps)]
• Works like server virtualization (multiple software images on one hardware device)
• Software and hardware in device; unclear effect on power usage
• Two ‘device’ images kept separate; encrypts data in enterprise’s image; no sharing between them
• Different data plans for each image (2 accounts); carriers are very interested in this as a service; allows data pooling between devices – get your volume discounts!
• Uses native apps
App Security Options: Dual-Persona
[Diagram: the personal version of an app (public/native) alongside the enterprise version of the same app inside a container, both on one mobile device]
• Split apps into two versions: one for corporate use, one for personal use
• Enterprise side is in a container
• Two images are kept separate; encrypts data in enterprise’s image; no sharing between them
• Policies on when to use which one – tricky?
Closing Comments
• Mobility creates the biggest network challenges to date
• The mobile environment needs embracing regardless of whether ownership is CL, BYOD or hybrid, and whether motives are strategic or defensive
• Let corporate goals, not peer pressure, drive strategy
Questions & Answers