Mobile Lifecycle Management - NetMotion Software (discover.netmotionwireless.com/rs/netmotion...)

MOBILE LIFECYCLE MANAGEMENT: SECURITY, MDM AND MOBILE PEACE OF MIND
PRESENTED BY SPONSORED BY


Post on 05-Jul-2020


Mobile Enterprise / AT&T • Mobile Lifecycle Management

Today’s business environment is filled with huge numbers of smart mobile devices. Whether all of this mobile hardware finds its way into the enterprise from the workforce side, as is the case with “Bring Your Own Device” policies, or from the corporate side through carefully controlled deployments, the truth for corporate IT departments is that these mobile devices are now being fully utilized as part of everyday enterprise business life.

Ranging from traditional laptops to emerging Ultrabooks to tablets and smartphones, these powerful mobile devices now access highly sensitive corporate data every minute of the business day. Literally anywhere and at any time. The tradeoff for corporate IT in creating a highly productive mobile workforce is a potentially dangerous gap in corporate data security, access with state-of-the-art security features back to the corporate network, privacy issues and mobile device management (MDM).

Highly reliable security options for closing the mobile security gap are available to enterprises, ranging from MDM solutions to Mobile VPNs to IPsec and SSL VPNs. Each of these options tackles different mobile security issues and they can become overwhelming to deploy and manage, especially when IT resources are limited. This whitepaper provides a detailed perspective on developing the right mobile security lifecycle management strategy for your company, delivers an overview of which mobile security options fit what security needs, and offers real world perspectives from key businesses operating on the cutting edge of mobile deployments.

Table of Contents

The Complete Enterprise Mobility World

Real World Mobile Security Scenarios
• San Diego County Deploys a Mobile VPN
• Kimberly-Clark Puts MDM to Proactive Use

The Right Mobile Security Technology for the Job
• IPsec and SSL VPNs - The Ultimate Mobile Security Choice
• Mobile VPNs - Mobile Security Virtually Anytime, Anywhere
• Mobile Device Management (MDM) - IT Peace of Mind

A Full Lifecycle Security and Mobile Management Strategy
• Define Your Mobile Management Needs First

Match Your Mobile Management Needs to the Right Hosted Service
• Mobile Advisory Services
• AT&T Mobile Security Service
• AT&T Network-based IP VPN Remote Access (ANIRA)
• Mobile VPN Services
• Mobile Device Management Services

Conclusions

The Complete Enterprise Mobility World

Today’s mobile enterprise world is growing ever more complex, with ever more sophisticated smart mobile devices and mobile software now finding its way into every part of a business, whether that mobile deployment is employee-facing or consumer-facing. All businesses, whether large Fortune 1,000 companies or SMBs, must deal with rapidly escalating numbers of employees bringing their own devices - from smartphones to tablets - into the workplace and demanding that companies allow them to use the devices. These new mobile devices add security complexity to already existing laptop-based remote access solutions, and with the nuance of each mobile operating system, the challenge for IT becomes more complex every day.

Office and information workers are the largest groups of users driving this mobile environment, now referred to as BYOD - Bring Your Own Device. BYOD in and of itself is not new – it can be traced back to 2006, when Research in Motion introduced its first consumer-centric BlackBerry devices, the 8800 and the Curve, which were subsequently followed by the Bold. These devices became readily available through AT&T and led to the emergence of the notion of corporate-liable and user-liable smartphones (AT&T refers to these as Corporate Responsibility Users or CRUs, and Individual Responsibility Users, or IRUs).

Corporate-liable devices are those a company pays for and essentially owns and fully controls. User-liable devices are typically smartphones (and now tablets as well) that are paid for and owned by individuals and brought into the workplace and used for both personal and corporate purposes. As the iPhone and Android devices became enormously popular following the iPhone’s launch in 2007, the influx of user-liable/IRU devices escalated at a rapid pace, to the point that in 2011 the term BYOD was coined as a catch-all phrase for them.

BYOD presents several key issues. First, in allowing users to own their devices many companies are able to reduce, to some degree, their smart mobile device hardware and data plan costs. Second, on the flip side of the coin, BYOD opens up a number of significant enterprise data security and device management concerns. Users that are allowed to access corporate data and company email on their personal devices create numerous security holes that must be carefully managed in order to make BYOD environments fully feasible.

Smartphones, today’s tablets and BYOD get most of the attention and headlines in today’s business world. However, most companies, again whether SMBs or Fortune 1,000 level enterprises, face additional mobile concerns that require careful security considerations. Primarily these additional concerns involve laptops that are used in either campus settings or on the road - or both, and they typically involve either wireless data connections through services such as AT&T Wireless, or through WiFi hotspots and other WiFi access points.

There are millions of such enterprise laptops in use, and they are not limited to office road warriors and traveling knowledge workers. A major segment of the workforce that requires mobile laptop use is the enterprise field service workforce. These groups represent different security issues and different mobile connectivity needs from pure BYOD users, and require different enterprise services to meet those needs.

What are the key services/scenarios that any SMB or larger enterprise needs to concern itself with? They are:

• IPsec/SSL VPN services for road warriors and other traveling knowledge workers when operating from typically fixed remote locations such as hotel rooms or airport locations, or when the highest level of remote and mobile security is required
• Mobile VPN services for employees using laptops (or older Windows-based tablets) that are constantly on the move in the field, such as field service forces
• MDM for BYOD and CRU environments


Real World Mobile Security Scenarios

Mobile VPNs and MDM are critical to the well-being and peace of mind of any enterprise, especially those with sizable field workforce deployments, and companies with a rapidly increasing level of CRU and BYOD deployments. Two excellent examples of how Mobile VPNs and MDM are being “proactively” used in the field today are demonstrated by the County of San Diego, CA - which is utilizing Mobile VPN technology to both enhance mobile security and significantly increase field worker productivity, TCO and ROI, and by Kimberly-Clark - a major Fortune 500 company that has opened the doors to CRU mobile devices for its workforce.

San Diego County - Mobile VPNs Lead to Great ROI

Harold Tuck, San Diego County’s CIO, notes, “We recently installed a large scale Mobile VPN deployment. What is very interesting to me is how this project came about. AT&T sits on, and is an active member of, a council I assembled some time ago that reviews our technology initiatives, our IT strategies going forward and essentially helps me to set my agenda and priorities.”

Tuck notes that one day during one of these council sessions one of his IT directors mentioned that he had a problem in that his field service workers were lugging laptops out on the road and having all sorts of productivity problems in that they could not reliably establish VPN connections and that the constant need to reconnect was eating up substantial field service time.

As Tuck notes, “We have an extensive field service team that is constantly on the road, often out in the countryside where wireless cellular access is spotty and unreliable. It makes network access difficult at best. Initially we didn’t view this as a problem we would be able to quickly solve, nor was it my explicit intention to seek a solution. However, once my team member brought the issue up, AT&T jumped into the fray, so to speak, and took a highly active role in focusing our attention on the fact that there was a solution to be had.”

AT&T rightly sized up the issue as one that required a Mobile VPN to solve, rather than using an SSL VPN solution, as the county had been doing. Keeping in mind the earlier discussion on the types of situations where a Mobile VPN is the right solution to deploy, AT&T brought in a trusted Mobile VPN vendor, in this case NetMotion Wireless, to work with Tuck, his team and the county field workers to pull together a mobile solution that would significantly improve field worker productivity.

Tuck says that “The decision to deploy a Mobile VPN was right on the money. It has made our field service team extremely happy - they now log in to the corporate network once and then no longer need to worry about remaining connected - even when they may be out of coverage they simply don’t know or care. The Mobile VPN takes over, monitors all communications and handles reconnecting transparently. Field productivity has increased so much that the solution has essentially already paid for itself. In fact, it was clear during the pilot stage of the project that this would be the case. We were eager to get it fully deployed - and we are now eager to get it deployed across other groups that were not originally scoped out to be a part of the deployment.”

Tuck notes that AT&T not only took a proactive role in pushing the solution to a mobile problem that was not initially on Tuck’s front burners but was also proactive in managing the entire process. In fact Tuck says, “AT&T not only deployed the solution for us, they now manage the entire operation. We’ve completely outsourced it to them, and just as our field workers no longer need to worry about being connected, I and my team no longer need to worry about whether or not the field force is operating at peak productivity levels - at least as far as my IT concerns go. Outsourcing the project to AT&T gave me a lot of flexibility and peace of mind.”


Kimberly-Clark - Proactive MDM Deployment Keeps IT Teams in Charge

San Diego County’s experiences demonstrate the value of having a mobile management partner in hand. In Tuck’s case the mobile solution was not one that drives today’s BYOD headlines. Rather, it demonstrates that different mobility solutions are required to meet business mobility needs. There is no one size fits all scenario. That said, BYOD and the need to manage both the BYOD and corporate-driven proliferation of mobile devices is a central mobile issue in today’s enterprise world.

A good example of this relative to mobile devices on the corporate liable side is Kimberly-Clark Corporation, a major Fortune 500 business. The company found itself in need of transitioning away from what had been Windows Mobile-based devices. Don King, the Lead Mobility Engineer at Kimberly-Clark, says that “Kimberly-Clark made the decision to offer our employees a choice of Apple iPhones and BlackBerry devices. Interestingly, about 15 percent of our users selected BlackBerry hardware, while the rest had no hesitation in choosing to go with the iPhone. As corporate-liable mobile devices (CRUs in AT&T terms) began to find their way into the larger overall Kimberly-Clark workforce it became very clear to us that we needed to find a way to proactively manage this hardware and to ensure that we would be able to do so in a highly secure manner.”

King says that his first move was to put in place an RFP process to determine the best vendor fit for the company’s MDM needs. As part of the process AT&T was invited to participate. AT&T reviewed King’s needs and requirements and advised him to get MDM vendor MobileIron on board. Ultimately the RFP process led to Kimberly-Clark selecting MobileIron, and setting up an MDM deployment that would satisfy the needs of King’s IT team to easily deploy the MDM solution and King’s need to remain confident that his users would not find the solution intrusive or otherwise too onerous.

Unlike Tuck, who handed off his entire operation to AT&T, King notes, “We keep everything in-house. We have adequate IT resources to install, deploy and maintain our solutions within the business. We don’t have a need - at least not yet - to outsource these things. What we do have a major need for is an independent set of eyes and ears to keep us well ahead of the technology curve so that we can deploy technology proactively, and not reactively.”

King continues, “MDM is a good example of this - we didn’t put ourselves in a position to have to quickly and reactively get MDM in place because we were behind the mobile device curve. In our case, we made a conscious decision to open the smart mobile device doors but to open them to a well-planned and controlled mobile device environment. What we needed was knowledgeable advice to get us quickly and proactively operational without prolonged RFPs and vendor evaluations. AT&T had already done the homework for us - they know the MDM field, they understood our business and technology requirements, and they steered us to the right MDM vendor. We’re pleased with the choice and extremely happy with the advice and end results.”

King says that he looks to AT&T to keep him ahead of the curve on both technology and hardware. “Who is better positioned than AT&T,” he notes, “to advise me on what the right devices are to put out there for our employees?” It is a rhetorical question. King echoes Tuck in noting that “although we don’t rely on AT&T for outsourcing our IT, their carefully considered advice is information we can trust - we can relax and take it easy knowing that AT&T is doing the mobile research and forging partnerships with the vendors we’ll need down the road as we expand our mobile operations.”


The Right Mobile Security Technology for the Job

Mobile security isn’t only about ensuring that corporate data and email is better secured. It is also critical to ensuring that outsiders - hackers, corporate spies (yes, they do exist), and other parties that may have an interest in finding their way into a corporate network - cannot get to the corporate networks. VPNs and MDM both work to help keep corporate data from “leaking out” of the enterprise, and to help ensure that outsiders cannot get into the enterprise.

Depending on the type of mobile device and the use the devices are being put to, different mobile security and mobile management technologies fit the bill. Below are important details on the three primary mobile security technologies available for deployment.

IPsec and SSL VPNs - The Ultimate Mobile Security Choice

IPsec VPN (Internet Protocol Security Virtual Private Network) and SSL VPN (Secure Sockets Layer Virtual Private Network) technologies have been around for a long time and primarily came of age during the heyday of massive Internet and Web growth, a period ranging from the later 1990s through the middle of the 2000s. As Internet and Web use became critical to the daily functioning of all businesses, the ability to connect back to company intranets or to the Internet/Web itself in a highly secure manner when traveling or otherwise working outside of the secure office environment became just as critical.

IPsec/SSL VPN technologies allow a remote worker - whether connecting from a hotel room, a remote office, a home office and so on - to establish a highly secure connection back to the corporate network/intranet. Once users establish such a secure connection they gain all of the functionality and access to corporate applications and data they would have when back in the office.

These VPNs are ideal for full scale laptop use, especially when a user needs the available functionality a laptop provides. IPsec and SSL VPNs also offer the most secure option for connecting mobile devices. As security requirements increase, IPsec and SSL VPNs will provide the highest level of security. Additionally, SSL VPNs allow non-corporate controlled devices to have connections with state-of-the-art security features offering granular access controls to specific applications. Often, companies will use SSL VPN for extranets for the use of business partners, retiree populations... and BYOD.

IPsec and SSL VPNs work best from fixed remote locations and are not optimized or engineered for constant movement. However, even for people who are constantly on the move, IPsec and SSL VPNs offer a high level of security. By utilizing IPsec and SSL VPNs to connect back to the corporate network, additional security measures also become available at the network level that are otherwise not available through other mobile access methods.

Mid to large size companies don’t want always-open VPN connections from mobile devices or laptops being used on the road because the IT/Security team needs to maintain a very tight lock on timing sessions out. For employees that are likely to have access to critical data in the network, the additional levels of security that SSL and IPsec VPNs deliver will be invaluable for both IT security and overall corporate peace of mind.

IPsec and SSL VPNs require additional effort to re-connect back to the network should a connection be lost or dropped. In many cases the security that comes with needing to do so - and the requirement a company may have in terms of security levels that may require it - make IPsec and SSL VPNs the most secure mobile and remote access methods available. Companies need to determine the level of security they require - typically security issues will be significantly more rigorous for higher level executives than for field workers who have limited data security needs but require easy mobile reconnection and access.

Mobile VPNs - Mobile Security Virtually Anytime, Anywhere

Beginning roughly around 2002-2003, a new class of VPN emerged that was dubbed the Mobile VPN. Mobile VPNs take advantage of newer security protocols that provide greater flexibility for true mobile workers while maintaining highly secure communications channels. We define a true mobile worker here as a field force worker who is constantly on the move, traveling from location to location regularly, and requiring laptop or Windows-based tablet connectivity back to the network not from fixed environments (e.g. hotel rooms) but from the field itself. Typically this means connectivity through wireless data networks that range from slow 2.5G to faster 3 and 3.5G wireless data network environments (as well as high speed 4G LTE that is now starting to come online as well).

The ability to connect to these networks from virtually any location is a major plus for field workers, but in order to deliver significant productivity improvements over IPsec and SSL VPNs, Mobile VPNs add additional functionality. Primarily, Mobile VPNs deliver the critical ability to automatically reconnect to a wireless network while maintaining the user’s login state. What this means is that a user may become disconnected from a wireless network but never needs to worry about it or about reconnecting.

When a user becomes disconnected from a wireless data network (this can also be the case for higher speed WiFi connections) the field worker simply keeps working as if the laptop or tablet still had its connection in place. The Mobile VPN monitors the availability of the network and when the wireless network is once again available it reconnects the user without the user needing to go through any re-login/reconnection procedures.

The Mobile VPN keeps track of the user’s login credentials and status of all data transfers and automatically reinitiates bi-directional data transfers. Mobile VPNs are also able to keep track of available wireless data bandwidth and can manage data transfers depending on what bandwidth is available. For example, a Mobile VPN can detect when a high speed WiFi network becomes available, can be set up to disconnect from a much slower 3G network and reconnect to the WiFi network, and can handle such things as automatically initiating larger scale data transfers - for example, field-captured photos or video clips - all of it without the mobile field user needing to take any specific actions.

Both IPsec/SSL VPNs and Mobile VPNs can work in conjunction with additional security software, such as third party two and three factor user authentication services. The former requires a login and password, while the latter requires a third means to authenticate, possibly through a biometric sensor (such as a thumbprint scanner). Laptops and Windows-based tablets also make it fairly simple to install data encryption capabilities.

Mobile Device Management (MDM) - IT Peace of Mind

Today’s smart mobile devices come loaded with numerous features, not the least of which are GPS and location based services (LBS) capabilities. It is fairly easy to track smartphones and today’s new crop of tablets. Smartphones and tablets also come equipped with a significant amount of on-board memory, which means that they are able to store a good amount of corporate data on the devices, which allows a user to be able to perform a fairly substantial amount of work. Smartphones and tablets are already optimized to work with both wireless data networks and WiFi, and are able to maintain connections automatically.

There is very little for an IT department to do in order to allow users the ability to operate in a truly mobile fashion - in fact, it is nothing more than a question of deciding to grant users mobile access. It is this frictionless ease that has allowed BYOD to take root and blossom into an enterprise-wide phenomenon over the last several years.

Wireless connectivity through smart mobile devices is in fact a significantly secure communications channel. Compression and encryption schemes make it very difficult if not mostly impossible to grab data as it is transmitted over the wireless networks. The security threats for BYOD aren’t found here. Instead, the true security issue with BYOD is the corporate data and email that ends up residing on the device itself. Even GPS data that a smart device might gather can be pulled out of a device by intrepid hacking, and can allow someone to piece together a user’s travel patterns.

The real threat posed by BYOD, then, is one of numerous devices, many or most of which will have sensitive data on them. Both smartphones and tablets can easily be lost or stolen, and as a recent Wall Street Journal article has pointed out, can simply be left behind in the back of airline seats - apparently a quickly growing problem.

With BYOD smart mobile devices the burden of corporate security falls not on managing the security of the connection, as is the case with VPNs, but in managing the devices themselves. Mobile device management - MDM - becomes the key point of defense, and the entire foundation of MDM security hinges on the ability of an MDM platform to easily track devices, monitor what users are doing with their devices, easily allow IT to control what applications a user has access to, and to lock down devices and wipe all data from a device.

The shortest and most direct path to BYOD security is to be able to quickly bring a device to a “factory-fresh” state. This means that all corporate information has been reliably removed from a lost or stolen device.

Given the disparate nature of this wide range of corporate mobility issues, what is the best strategy for aligning these three mobile roads? In the good old days of the previous two decades both SMBs and large enterprises simply turned to their IT departments.

But in the current decade, especially following the fairly devastating impact of the 2008 recession, IT departments are now hard pressed to muster the resources they once did. Further, with IT departments having to deal not only with mobility but an entire range of new IT issues, such as large scale virtualization, in-memory database management, and meeting enormous scaling requirements for storage, they are simply stretched thin.

BYOD, of course, complicates things in that it touches almost everyone in any given company - BYOD requires IT management on a large scale. What’s an enterprise to do?


Define your Mobile ManageMent neeDS firSt

Whereas VPN needs are well understood, find-ing the right mobile management solution for BYOD will be an exercise in futility if the require-ments specific to any particular company are not first fully developed. Different companies will have different core requirements.

Any BYOD MDM solution will - or should - have the following core capabilities (among others):

• Device lockdown• Application control/screen lockdown• Selective data wipe

• Complete data wipe and factory-fresh reboot

• GPS and location tracking• User services monitoring (what is your

user actually doing or trying to do?)• Ability to manage multiple mobile oper-

ating systems and their different versions• Ability to define corporate mobile man-

agement policies and to enforce those policies at different corporate group lev-els (e.g. executive management, VP, Di-rector, field worker, office worker, etc.)Examples of MDM capabilities and

requirements that may not be easily sup-ported across all MDM platforms include:

A Full Lifecycle Mobile Management Strategy

Finding the right mobile security management solution will be an exercise in futility if the requirements specific to any particular company are not first fully developed. The first step is to view mobile security management not as a set of individual solutions to solve each mobile need individually - as is often done - but instead as a detailed top to bottom mobile management strategy that encompasses all mobile needs.

Virtualization, in-memory database management, and massive storage development are all thorny IT issues. Even where most of that technology is moved to a cloud environment, IT departments will continue to have their hands full. The good news on the mobile management end of things is that there are third party mobile management solutions available to businesses of all sizes that encompass all three mobile technologies - IPsec/SSL VPNs, Mobile VPNs and MDM.

The first step towards a third party solution for all mobile management needs is to view mobile management not as a set of individual solutions to solve each mobile need individually - as is often done - but instead as a detailed top to bottom mobile management strategy that encompasses all mobile needs.

In the case of both IPsec/SSL VPNs and Mobile VPNs, the mobile management needs are already fairly well understood. However, numerous products within each category require vetting for both technical capabilities and for cost-performance benefits. Down the road VPNs are likely to take on more mobile responsibility as Windows 8-based tablets emerge in Q4 2012 and beyond. These tablets are destined to replace enterprise laptops, and VPNs are likely to be integral to their mobile security profiles, much as they now are for laptops.

On the BYOD side, the mobile management needs are not yet necessarily well understood. There are numerous enterprise policy-related issues that must be addressed, and there are typically a large number of different mobile device types to manage. These can include mobile devices that run on different versions of the same mobile operating systems, which in turn bring different levels of security and management capabilities to the table.

Finally, BYOD-IRU is essentially still a new scenario, and there is a fairly large collection of MDM vendors for businesses to choose from. While the large number of vendors in today’s market may ensure that mobile management technology develops into a very robust and trusted platform overall, enterprises must invest significant resources to determine the right fit for specific company needs.


• Built-in compliance with specific security certifications (e.g. FIPS-140) or federal and state mandated regulations (e.g. HIPAA); certain verticals, such as healthcare, have numerous data security and privacy restrictions that must be met
• The ability to create an enterprise mobile application storefront
• The ability to create a storefront with numerous levels of control for both public and privately available mobile apps
• OTA and on the fly device management upgrades
• Easy mobile operating system upgrades
• Single admin/management console
• Ability to integrate admin/management console with other platforms (e.g. Microsoft’s System Center and System Center Configuration Manager)
• Integrated malware and anti-virus protection

The task of defining these MDM requirements for any specific business within any specific industry is not necessarily straightforward. Companies that are only now beginning to investigate moving to a fully BYOD environment are most at risk of not fully establishing the necessary MDM requirements and corporate policy requirements/definitions needed to ensure a highly secure mobile environment. Other considerations include less tangible issues, such as determining how much mobile security is enough security.

A set of security policies that overburden mobile users will typically prove detrimental because users may seek to thwart the security measures. Overburdening users with security and device management requirements works against effective MDM use.

There is one simple rule that every company putting BYOD in place should follow: ensure that your company has a well-defined and explicit general BYOD policy that users clearly understand, and require users to read, accept and sign the general BYOD policy. This is critical in the case where, for example, an enterprise wants to retain the specific right to completely wipe a device clean if it is suspected of being a compromised device. Wiping a device clean (to factory refresh status) specifically means that users will lose all of their personal data. BYOD inherently means that users will have personal data and applications on their “personal” devices that will cause a great deal of friction unless the policy is well-defined up front.

Companies cannot afford to become mired in the nuts and bolts of mobile security deployment from a tactical perspective. To effectively do so, a smarter means of approaching the mobile security lifecycle management issue is to consider a third party service that can bring experience- and knowledge-informed strategic thinking and tactical deployment capabilities to the table.

How can a company ensure that all of its mobile lifecycle management and security requirements - from VPN use today, to VPN use with Windows 8-based tablets tomorrow, to creating a comprehensive yet not overburdening set of MDM and security policy requirements, to selecting the right MDM platform - will be met?

The typical enterprise reaction is likely to be to do it in-house. If a business has the available IT resources to dedicate to the tasks associated with doing so, and is willing to take 6 to 8 months or longer to draft a plan of attack and a set of policy requirements, send out RFPs, develop bake-offs, eventually select a vendor, and then ensure that the company is able to stay ahead of the rapid development curve mobility represents, doing it in-house may make sense.

For most companies however, mobility now represents a key strategic initiative - and both technical and business resources must come together to develop a company-wide mobile strategy, for which mobile management is only one piece of the overall strategy. Companies cannot afford to become mired in the nuts and bolts of mobile deployment from a tactical perspective - they need to remain intensely focused on meeting business challenges.

To effectively do so, a smarter means of approaching the mobile lifecycle management issue is to consider a third party service that can bring experience- and knowledge-informed strategic thinking and tactical deployment capabilities to the table.

A set of security policies that overburden mobile users will typically prove detrimental as users are likely to seek ways to thwart the security measures a company may be trying to implement. Overburdening users with security and device management requirements works against effective MDM use.


Mobile Advisory Services

A key aspect of AT&T Mobility is its ability to extend in-house mobile expertise to its customer base. AT&T can provide passive advisory services as well as active participation in the brainstorming, planning and vendor selection process of any mobile deployment. Post-deployment, AT&T can take a similar ongoing advisory role, or can take over complete management of a mobile deployment - allowing a business to fully outsource its mobile management deployment.

AT&T maintains extensive relationships with the key mobility vendors. By doing so it is able to offer its enterprise customers unique insights into vendor products. AT&T can quickly narrow down and match vendor partners to business customer needs and requirements, substantially speeding up the vendor selection process that is a core and typically time-consuming component of any mobile deployment.

Match Your Mobile Management Needs to the Right Hosted Service

A number of vendors are now emerging to operate within the managed mobile services marketplace. Selecting one of these new vendors as a corporate mobility partner can prove almost as difficult as putting a mobile management game plan in place. The deciding factor here should be long term mobile experience across the key platforms that are likely to become integral to a holistic mobile management plan - VPNs, Mobile VPNs and MDM.

A key long term vendor in this space and one well worth considering is AT&T and its extended range of mobile management services that are offered through AT&T Mobility. It is outside the scope of this white paper to cover the entire broad range of services that AT&T Mobility is able to make available to both large enterprises and the SMB business segment, but it is worth a brief review here.

In particular, among this large collection of mobile services, the following are capabilities that address the issues specifically raised in this white paper:

• Mobile Advisory Services
• AT&T Mobile Security Service
• AT&T Network-based IP VPN Remote Access (ANIRA)
• Mobile VPN Services
• Mobile Device Management Services

Many - if not most - businesses today manage their remote access solutions separately from their core VPN services. Separate from that they have an MDM infrastructure that originated in the cellular world but now is evolving to handle the complex needs of device security. AT&T is evolving its portfolio of services to integrate all of these needs to a single modular service structure to simplify the environment for the end user and the IT staff.

The key requirement to look for in a third party security lifecycle management provider is long term mobile experience across the key platforms that are likely to become integral to a holistic mobile management plan - VPNs, Mobile VPNs and MDM. Look for a vendor that can integrate all of these needs in a single modular service structure that simplifies the environment for the end user and the IT staff.


The ability to execute at these opposite ends of the spectrum - from passive to active mobile participant - provides business customers with a great deal of IT execution flexibility. Enterprises, for example, may want to retain tighter control over certain aspects of a mobile deployment - where they may already have in-house expertise, while outsourcing pieces of a deployment - such as MDM for example, where in-house expertise may be lacking or where resources are simply unavailable.

AT&T Mobile Security Service

This mobile service is an application that is installed on end-user smart mobile devices. The application enables device-level security features and provides a connection to AT&T’s virtual private gateway, where additional levels of network-based security are applied. AT&T Mobile Security service also provides a Web-based administrative console that allows businesses to manage and control security policies across both wire-line and wireless devices. The service also allows you to connect to the AT&T Secure Network Gateway platform as well as other AT&T services, including remote access and AT&T VPN.

ANIRA (AT&T Network-Based IP VPN Remote Access)

ANIRA is AT&T’s own VPN suite of services. ANIRA is the foundation for providing mobile access to workers who need full and complete access to the corporate network while on the road. ANIRA makes use of the Internet and AT&T’s global network access through numerous gateways that are deployed on an international scale in order to allow remote users to seamlessly integrate with their corporate networks and core business applications regardless of location or means of access to the Internet. ANIRA also allows enterprises to easily and seamlessly connect remote offices, branch offices and business entities such as retail stores.

A substantial range of remote access capabilities become available through ANIRA. The most important thing to note however is that AT&T delivers classic VPN remote and mobile access capability as a core component of its suite of mobile services capabilities. ANIRA offers the highest levels of security possible for any mobile user, whether that user is a traveling high level executive, a road warrior, or a field worker out in the field. If the data and corporate network access requires stringent security control, ANIRA is the mobile security option to consider first.

Mobile VPNs

As noted above, a key aspect of AT&T Mobility is the fundamental role the company plays in selecting best of breed mobile products that are offered by third party vendors. An excellent example of this - as well as an excellent example of AT&T playing an active role in the planning and outsourced management of a mobile deployment - is highlighted by the deployment noted earlier by San Diego County, CA, where AT&T has played and continues to play such a diverse set of roles.

The key for Mobile VPN deployment is to ensure that the right Mobile VPN technology is matched to the needs of any given deployment. AT&T works closely with key vendors in the Mobile VPN space and is in a position to both advise on technology as well as to fully manage any deployment from the ground up.

A security lifecycle management partner needs to provide both passive advisory services as well as active participation in the brainstorming, planning and vendor selection process of any mobile deployment. The right partner will provide both ongoing advisory capabilities, or can take over complete active management of a mobile deployment.


Mobile Device Management Services

The best mobile device management technology will deliver two things: ease of deployment from an IT standpoint, and an almost invisible nature from the perspective of the mobile end user. It is a well-known fact that if MDM gets in the way of ease of use for mobile users they will seek to circumvent MDM-based security capabilities, in the process creating a self-defeating scenario.

AT&T has conducted a significant amount of research into what the various MDM vendors offer, in terms of deployment capabilities and end user ease of use. AT&T is in a strong position to aid enterprises in determining what MDM solution is the best fit for a company’s needs - as the Kimberly-Clark deployment noted earlier demonstrates.

Executing at opposite ends of the management spectrum - from passive to active mobile participant - provides business customers with a great deal of IT execution flexibility. Enterprises may want to retain tighter control over certain aspects of a mobile deployment - where they may already have in-house expertise, while outsourcing pieces of a deployment where in-house expertise may be lacking or where resources are simply unavailable.


The ability of a third party partner to manage a wide range of VPN connectivity options and to be able to deliver the right MDM solutions for any mobile deployment is the right foundation and starting point for moving forward in establishing a third party partnership. Aligning with the right mobility partner is critical for gaining - as San Diego County CIO Harold Tuck puts it, “peace of mind.”

Conclusions

Mobility today is not a one size fits all solution set. It is a large scale mix of differing requirements amongst many different types of businesses and organizations, and ranging from smaller SMBs to the massive mobile deployments of the Fortune 10 world. In seeking to work together with an external mobility management partner, enterprises need to look for a wide range of mobile expertise that can be applied to a wide range of customers.

This paper has focused on SSL and IPsec VPNs, Mobile VPNs, and mobile device management. Enterprise mobility however extends significantly beyond these three core mobile issues. For example, mobile application development is a topic that falls outside of mobile management of devices and the different ways mobile devices can tie back into corporate networks. An emerging area is that of specifically managing the applications that run on devices and carefully controlling what the applications themselves - as opposed to the mobile users - are actually doing.

Mobility is a rapidly expanding field. In order to stay ahead of the curve vendors, as Don King at Kimberly-Clark points out, “Must be in a position to proactively rather than reactively tackle mobile projects, and this requires partnering with vendors that are already ahead of the curve.” The ability to manage a wide range of VPN connectivity options and to be able to deliver the right MDM solutions for any mobile deployment is the right foundation and starting point for moving forward towards this goal. Aligning with the right mobility partner to do so is critical as well for gaining - as Harold Tuck puts it, “peace of mind.”


AT&T is the communications provider of choice among large, medium and small businesses. We serve thousands of customers on six continents, including all of the Fortune 1000. AT&T delivers one of the most comprehensive and globally consistent portfolios of business services to large businesses. This portfolio includes advanced network management and network-based security tools, enterprise mobility solutions and applications, content management and delivery services, together with web hosting and application services.