Embracing the Mobile Imperative September 27, 2012 Philadelphia Joanie Wexler Technology Analyst/Editor Joanie M. Wexler & Associates [email protected]



The Consumerization of IT
Mobile Devices & Apps
…and its impact on the enterprise


State of the Mobile Union

Employees Increasingly Use Personal Devices at Work

Percentage currently using their own:
[Chart: recovered values 35%, 7%, 53%; recovered device labels LAPTOP, TABLET]


Enterprise Mobile Awareness Levels

Survey Says…
• 61% allow staff to bring their own devices
• While just 17% have BYOD security and usage policies
• And just 9% of IT professionals feel they are “fully aware” of all the mobile devices running on their networks

Source: The SANS Institute Annual Mobility/BYOD Security Study, March 2012; N=500


Enterprise IT Professionals: Have you implemented a third-party mobile device management (MDM) system?
• 28% Yes, using a single solution supplier
• 28% Yes, using 2 or 3 solution suppliers
• 11% Yes, using 4 or more solution suppliers
• 33% No

Source: CCMI, July 2012


Worldwide Mobile OS Market Share (Q2 2012)
• Android 59%
• iOS 23%
• Symbian 6.8%
• BlackBerry 6.4%
• Other 2.6%
• Microsoft 2.2%

Source: IDC, May 2012
Note: Android market share not necessarily indicative of enterprise penetration – yet.


BYOD Challenges

1) Securing corporate data – at the user, device, network and app levels

2) Provisioning and managing mobile apps – both public and enterprise on a single device

3) Managing network performance / user experiences

4) Who pays for what? (ownership models)


Basic Mobility Lexicon: Ownership Models

• Corporate-Liable (CL). The enterprise procures, manages and secures all end-user devices and is responsible for paying all monthly network service plan fees.

• Employee-Liable (EL), a.k.a. Bring Your Own Device (BYOD). Employees purchase personal devices, use them at work and are responsible for paying the monthly network service plan fees. The enterprise might reimburse for business-related network service costs via a flat monthly stipend in the user’s paycheck or via expense report.

• Hybrid. A mix of CL and EL/BYOD, likely to be the most common model in all but the most security-conscious organizations. Enterprises need automated tools for top-down control regardless of who buys the device.


Spectrum of Device Ownership Models

Hybrid BYOD and Corporate-Liable (CL), on a spectrum from Locked Down to Open:
• Fully Corporate Liable (CL)
• Corporate Owned, Personally Enabled (COPE)
• BYOD, managed (agent software on client)
• BYOD, unmanaged

Decide what kind of “liable” your organization is, then create policies to match


Why the Fuss over BYOD?

Employee Rationale
• Convenience; carry one device
• Blending of personal and work life natural to 20- and 30-somethings; some feeling of entitlement to use the tools they know and love

Corporate IT Rationale
• Compete with other employers sanctioning BYOD
• Create friendly corporate culture
• Offload capex/device purchase costs to employees (effective?)
• Make IT look heroic instead of being perceived as a roadblock
• If you can’t beat ‘em, join ‘em (how do you keep BYODs out?)

The BYOD and mobile imperatives must be embraced − whether as a necessary evil or as a strategic competitive move


Does BYOD Deliver Savings?

Not all companies are saving $$$ by offloading mobile capex to employees. Respondents gave very similar responses when asked about monthly service fee changes.

Source: CCMI and Dimension Data/Xigo, “Mobility Temperature Check: Just How Hot Is BYOD?,” July 2012; N=116


Enterprise Mobility Management: What Needs Doing?

① Survey users about wants, concerns – a general best practice
② Make ownership model decisions
③ Set policies (usage and security) at device, application and network levels; get employees to sign off
④ Evaluate tools to automate the enforcement of those policies
⑤ Decide tools form factor: on-prem hardware, virtualized software servers or cloud services (or a mix)
⑥ Try for as much user database, interface and feature integration as possible
⑦ Pay attention to vendor mergers and partnerships (MDM, Wi-Fi, TEM, endpoint security, networking companies…)


Policy Decisions

• Is every mobile OS and hardware platform allowed onto your network?
• Does IT have to support them all?
• Is a client agent required to access corporate resources? If BYOD, user pushback?
• Who pays the monthly bill? How much of the bill? Stipend? Expense report?
• Can corporate data reside on the device?
• Who owns the handset phone number?
• What is your legal liability if you wipe personal data?

Will depend on what kind of ‘liable’ you are


Enterprise Mobility Management (MDM, MAM, Mobile DLP…)

Device Provisioning, Visibility, Management
• Know What’s on the Network
• Track Assets and User Access
• Basic Usage Policy Setting, Enforcement
• Expense (Usage) Management

Device and Network Security
• Network Access Control/Posture Check, including ActiveSync Filtering
• URL and App Filtering
• On-Device Encryption
• OTA Encryption/VPN
• Intrusion Prevention/Malware Scans
• Remote Wipe – Partial or Full

Mobile Application Management (MAM) & Security
• Enterprise App Store/Catalog (App Delivery)
• Volume Discounts and Licensing of Public Apps
• App Whitelist/Blacklist
• App Sandboxing, Containerization, Wrapping, Dual Persona, Virtualization, Per-App VPNs
• Dev Tools for Baked-In Per-App Policies

Performance Management / Troubleshooting
• Remote Diagnostics
• Network Coverage Check
• Troubleshoot Bad Radio/Antenna
• Deep Packet Inspection and Traffic Management

“Single Pane of Glass” Administrative Portal

Timeline: 2009 … 2010 … 2011 … 2012 … 2013 …


Usage Scenarios: MDM and MAM with Mobile DLP

• Corporate-liable (CL) devices: MDM very viable for users who work for you and are in the enterprise LDAP or Active Directory user profile database. Might be all that’s needed for complete lifecycle management and security.

• Employee-liable (EL) devices (BYOD): If you encounter user resistance to installing corporate client software on BYODs and want to make some apps available to partners (not in your user DB), consider MAM with app-level DLP. Touches enterprise apps only and leaves user device settings, files, and email intact. Privacy laws differ from country to country, which could affect strategy.


Mobile Application Management (MAM)

[Diagram labels: MDM, MAM]

Application-layer management and security
• Management: Developing/mobilizing, deploying, updating, and patching apps
• Security: Mobile DLP; partitioning application data

Many MDM vendors include MAM


Deploying, Updating & Managing Apps: Enterprise Application Store (EAS)

[Diagram labels: MAM, EAS]

Enterprise & consumer apps
• Available from MDM, standalone MAM, ‘storefront’ vendors
• Apple Volume Purchase Program
• Run it on prem or in cloud
• Requires zero end-user training

If you need app control, implement an EAS


App Security Policies and Issues to Consider

[Diagram labels: MAM, DLP / Security]

• Access to app (PIN or password)
• Geo-fencing
• Blocking offline use
• Wiping data/app
• Encrypting data (including email attachments)
• Copy / paste OK or not
• Sharing data on social networks


Emerging App Security Options

• Sandbox
• Containerization
• App Wrapping
• Dual-Persona
• Virtualization: ‘Personal’ and ‘Work’ Images & Accounts on One Device
• Per-App / Inter-App VPN


App Security Options: Sandbox (One Big Enterprise Apps Container)

[Diagram: Mobile Device containing a Sandbox that holds Email, PIM, Browser and Other apps]

• Puts apps inside protected space
• Access by password or PIN
• Encrypts all corporate app data
• Email, PIM… apps supplied by vendor
  • Doesn’t use native apps (uses third-party user interface)
• Custom apps need to use vendor’s SDK
• Whitelist allowed apps/blacklist disallowed apps


App Security Options: Containers and Wrappers

[Diagram: Mobile Device with a Public App Container, an Email Account Container and an Enterprise App Container]

• Isolate each app
• Access by password or PIN
• Encrypt each app’s data or apply other per-app policies
• Solutions are built for individual OSs
• Can be applied to native apps and individual email accounts
• (Most) require no customization
  • (Might) require app built with SDK
• Usually no sharing between containers, unless use encrypted ‘inter-app’ tunnel


App Security Options: Virtualization of Device

[Diagram: Mobile Device with a Hypervisor running two images. Image of Employee’s Personal Device: Personal App, Personal email. Image of Employee’s Work Device: Enterprise App, Enterprise email]

• Works like server virtualization (multiple sw images on one hw device)
• Software and hardware in device
  • Unclear effect on power usage
• Two ‘device’ images kept separate
  • Encrypts data in enterprise’s image
  • No sharing between
• Different data plans for each image (2 accounts)
  • Carriers are very interested as service
  • Allows data pooling between devices – get your volume discounts!
• Uses native apps


App Security Options: Dual-Persona

[Diagram: Mobile Device with a (Public / Native) App split into a Personal Version App and an Enterprise Version App inside a Container]

• Split apps into two versions
  • One is for corporate use
  • One is for personal use
• Enterprise side is in a container
• Two images are kept separate
  • Encrypts data in enterprise’s image
  • No sharing between
• Policies on when to use which one - tricky?


Closing Comments

• Mobility creates the biggest network challenges to date
• The mobile environment needs embracing regardless of whether:
  • CL or BYOD or hybrid ownership
  • Motives are strategic or defensive
• Let corporate goals, not peer pressure, drive strategy


Questions & Answers