Five Best Practices for Secure Enterprise Content Mobility
An Accellion Whitepaper

Executive Summary

The proliferation of mobile devices and IT management's increasing acceptance of Bring Your Own Device (BYOD) are creating new security challenges for enterprises. Employees are using personal devices such as iPads and Android phones to access and store business data. To share this data, they're relying on and consumer-class file sharing services. Never before have so many different devices had access to so many enterprise IT resources and so much data, with so few IT and security controls.

In addition to the risk posed by insufficient data security for file sharing services, enterprises are also facing the risk of new, difficult-to-detect security attacks against mobile devices. Attacks on mobile devices are expected to grow in frequency and sophistication now that these devices are storing valuable data such as business files, contacts, and login credentials.

Enterprises need a data security solution that encompasses employees' personal mobile devices. While Mobile Device Management (MDM) provides a useful framework for provisioning mobile devices and Mobile Application Management (MAM) provides a useful framework for provisioning and managing apps, neither MDM nor MAM addresses the file sharing and collaboration needs of mobile users. Such a solution, Mobile Content Management (MCM), protects content itself, regardless of which devices are being used, enabling users to share that content securely across mobile devices and with other authorized users. By making file sharing safe and convenient, MCM enables mobile workers to be as productive as possible on any device, anywhere, anytime.

Mobile security should be granular enough to let IT managers define and enforce policies that vary by position, department, geography, and security level, but flexible enough to enable mobile workers to use enterprise content in the way that best suits their position and work style.
Collectively, MDM, MAM and MCM solutions, supported by solid policies and enforced by proactive IT departments, represent the key components of an effective, secure enterprise content mobility solution.

The Tidal Wave of Mobile Computing Is Upon Us

The proliferation of mobile devices and the increasing acceptance of BYOD at the corporate level are creating new security challenges for enterprises. Employees are buying their own mobile devices, bringing them to work, and using them to access both personal data and business data. Through these devices, employees are accessing business applications, which are now expected to work just as well over wireless networks as they do on the web or through desktop clients that have a wired connection. To ensure that they have access to the information they need, irrespective of device, employees are copying files and using cloud-based services to sync them across devices. As a result, business data has never been easier to access and more difficult to secure.

The challenge of securing this data is only going to increase. The consumerization of IT has wrought profound changes on how and where employees work. To appreciate the magnitude of the transformation that is under way, consider these statistics:

- 3 out of 5 workers say they no longer need to be in the office to be productive. 1
- The average mobile worker is now carrying 3.5 devices, up from 2.7 devices in
- % of mobile users use a tablet for work, as of March Based on purchasing predictions from users, that number likely reached 80% by October
- Apple iPhones and iPads and Google Android devices, all of them consumer devices, now make up more than 70% of the mobile devices used by mobile workers. 3
- Mobile workers are using smartphones for , web conferencing, social media for work, accessing and editing Office documents, and note-taking. In 2010, web-based usage declined 6%, while mobile access rose 36%. 4
- By now, nearly 72% of U.S. enterprises have adopted BYOD policies, recognizing the benefits of allowing users to pick their own mobile devices, or use more than one device when accessing corporate systems or data. 5

IT departments have little choice but to conform IT infrastructure to accommodate the various personal mobile devices users are bringing to work. Mobile security was challenging enough before. Even supporting hundreds or thousands of mobile workers on a single platform such as BlackBerry was time-consuming and error-prone. Now IT departments are facing even greater difficulties as they scramble to implement data security and compliance controls for a growing number of devices and mobile Operating Systems (OSs).

Meanwhile, security threats and industry regulations aren't going away. Security attacks against consumer mobile devices are expected to increase, now that these devices are storing and transmitting valuable business data. Researchers have discovered new forms of malware (such as the android.bmaster rootkit) specifically designed to target mobile devices. 6 Meanwhile, 73% of CIOs believe their mobile IT infrastructures are not yet secure enough to pass an audit, presenting a separate challenge for regulated and publicly traded companies.

How should IT and security executives make sense of these changes and challenges? Let's examine the mobile security landscape, feature by feature, and then conclude with some best practices for deploying mobile security solutions to keep mobile users protected and productive.

ChangeWave Research, a division of 451 Research, quoted in The battle for third place in the mobile enterprise, Chris Hazelton, 451 Research, November

Managing Mobile Policies: Details Matter

What mobile workers have in common is their mobility. What they don't have in common is everything else: their roles, responsibilities, geographies, security clearances, and device usage patterns. Mobile security solutions need to be detailed and flexible enough to let IT managers define and enforce policies that vary by position, department, geography, and security level. Policies should be able to restrict access to apps, files, and workspaces according to an employee's role in the organization.

Enterprises need mobile security policies that are as specific as the policies governing employees working on desktop computers and other in-house systems, but also take into account the variables of mobile content access. For example, is the employee on the corporate network, a trusted home network, or a public network at a coffee shop? Mobile policies may restrict the employee from downloading files when on a public network, for example.

Mobile Device Management: Important but Not Sufficient

To help IT departments provision, manage, and secure their mobile devices, an estimated one third of enterprises have deployed MDM solutions. 7 MDM enables IT organizations to provide over-the-air (OTA) updates of applications, configuration settings, and data to mobile devices, including smartphones and tablets. IT managers can use MDM systems to control which mobile devices are granted access to internal resources. Should a mobile device be lost or stolen, IT managers can use MDM to remotely wipe the device the next time it connects to the Internet. MDM solutions are available from an increasing number of vendors.

MDM solutions provide a useful framework of provisioning mobile devices and mobile apps and for enforcing fundamental device-security controls, but they do not address the file sharing and collaboration needs of mobile users.
Mobile workers need to be able to extend the secure file access they enjoy in the office to all their mobile devices. They need support for secure cross-boundary communication: the ability to share files securely with users both inside and outside the organization. And they need the ability to access files in context, so they can have a broader understanding of the data they're working with. A spreadsheet titled "Transportation YTD" is much more meaningful when seen within the folder labeled "2013 Q2 Expenses," for example. Other examples of context include the comments and threaded discussions that may exist in the same environment as the files being worked on. Automatic notifications of changes also keep mobile users up to date about the status of important files. Unfortunately, MDM solutions alone do not provide the rich set of dynamic features that workers need in order to be as productive as possible.

Another consideration is that MDM client software can be costly to deploy, especially for those mobile workers carrying multiple devices. Every time an employee buys a new phone or upgrades to a different tablet, the MDM app must be installed and configured. With so many devices accessing content in large enterprises, it is impossible to be certain that MDM policies are universally enforced, which undermines the use of MDM as a means to ensure corporate compliance.

Mobile Application Management: Security for Mobile Apps

One of the great things about mobile platforms such as Apple iOS and Google Android is the vast number of custom applications or "apps" developed by third parties. For just about every business and leisure activity, from filing expense reports to playing Texas Hold 'Em, you can say, "There's an app for that."
But one of the biggest threats to enterprise data security is, yes, all those apps. There are literally hundreds of thousands of mobile apps, many from small software companies whose reputations are unknown. Many apps are excellent, but many are mediocre and some are risky. In April 2011, Google had to remove 58 applications from the Google Android Marketplace after it was discovered that the apps contained rootkit malware. By then, the apps had been installed on more than 260,000 devices. To ensure that the devices were safe, Google had to remotely wipe the devices clean, deleting all their data.

Since then, Google has tried to monitor the Android marketplace more carefully. Apple has been diligent about the way they screen apps from the beginning. Nonetheless, the threat of malicious apps remains. Users must be careful about what they download. Malware can infect a mobile device, leak data from the device to hackers, infect systems on internal networks, and become a vector for a major security attack or data breach.

Apps are too valuable to be avoided altogether. But any effective mobile security strategy must include tools for limiting access to certain apps and ensuring that installed apps behave properly and pose no threat.

Mobile Content Management

Increasingly, organizations are recognizing that the most important asset to secure is not the device or the apps: it is the content itself. Content is what is most important to mobile users. To a large degree, mobile devices are simply a convenient way of getting at content anywhere, any time. By focusing on securing content, IT departments can avoid the arduous task of endlessly securing an ever-changing collection of devices (an average of 3.5 per mobile worker at any time) that are being used to access internal content.

An MCM solution protects mobile content, enforcing access rights on specific files across locations and devices.
MCM solutions often include their own secure app environments (known as "sandboxes"), integrating mobile app management with content security, and making it easy for users to avoid the temptation to use unmanaged consumer cloud-based apps for accessing confidential content. IT managers can deploy MCM platforms to ensure that confidential data is always secure and under IT's watchful eye, even if users frequently change devices, or management does not want to roll personal devices into the corporate MDM plan.

To be comprehensive, an MCM solution should provide secure mobile access to all the content an organization already has. That includes not only files stored on a user's desktop or on a file server, but also files stored in Enterprise Content Management (ECM) systems such as Microsoft SharePoint, iManage, and Documentum, as well as files stored on networked file shares such as CIFS or NFS. In many organizations, users can only access ECM content remotely through a VPN, making the experience very cumbersome on most mobile devices. It's so cumbersome, in fact, that it has become yet another factor driving users to seek an easier way to share files on mobile devices. By providing convenient, easy-to-use, secure access to ECM content, an MCM solution obviates the need for risky alternatives such as Dropbox and other public cloud services that lack rigorous security features.

Putting IT All Together: Secure Enterprise Content Mobility

Security for mobile apps, role- and department-specific security policies, file sharing through secure workspaces, collaboration features that complement and extend the security features of MDM, MAM, and MCM: put all this together and you have secure enterprise content mobility. Secure enterprise content mobility brings the granular access controls, data encryption, event logging and reporting of enterprise content management solutions to mobile devices.
It gives authorized users access to the business data they need, anywhere, any time, and on any device, including personal devices.

When MAM, MDM and MCM are applied selectively and combined with old-fashioned common sense, enterprise content mobility provides a robust structure of security and control for the enterprise, while allowing mobile users the flexibility, access, and autonomy they need to be productive. Conversely, when poorly executed, the security and enforcement systems can burden IT with extra work, drive users off the network, and exacerbate the challenges for employees and the organization as a whole.

5 Best Practices for Secure Enterprise Content Mobility

To support secure enterprise content mobility, enterprises should develop a strategy based around technology - devices, content, and apps - and supporting policy guidelines, training, audit and enforcement. Here are some best practices for supporting secure enterprise content mobility:

1. Support A Wide Range of Devices

A secure enterprise content mobility solution should support all mobile devices users are carrying. In organizations that have adopted BYOD policies, Apple iPhones and Android phones are replacing BlackBerrys, but all three platforms remain popular. And Microsoft's Windows Mobile 8 is also gaining ground. In the course of a typical day, many employees use multiple devices running different operating systems, so supporting a single user might involve supporting both BlackBerry and iOS.

2. Support Better Content

When you're on the road, getting a file is good, but getting a file and immediately understanding why it was revised and what sensitive issues it contains is better. Secure workspaces don't just provide access to files; they also provide context for files, making it easy for mobile users to track revisions, follow discussions, and better understand the purpose and structure of content. Especially important when collaborating with others outside the organization or at remote locations, information in context eliminates the need for back-and-forth communications, such as long threads about document revisions.
When employees can quickly find and understand the data they need, they become more productive.

Employees are working with files that are larger than ever before: media files, graphics, medical images, etc. Users need to be able to share and discuss multi-gigabyte files, even if they're not downloading these files to every mobile device.

For organizations using ECM systems such as Microsoft SharePoint or iManage, it only makes sense to integrate them with file sharing applications for mobile users. As mentioned earlier, in many organizations, mobile users can access ECM content only through a VPN, which is difficult on many mobile devices. Beyond providing basic access to ECM content, an ideal MCM solution should:

- Provide direct access to ECM content, to the document of record, so files are not copied every time they are accessed or shared.
- Enforce file- and role-based access controls established by the ECM.
- Provide access to ECM content without requiring additional licenses such as Microsoft SharePoint Client Access Licenses (CALs).

An MCM solution should give mobile workers secure, convenient access to ECM content without creating new costs or complexity for managing ECM systems themselves.

3. Take Control of Mobile Apps

Deploy a secure enterprise content mobility solution that provides the app-selection features of MAM platforms, giving the IT department control over which apps users can download and minimizing the risk of malicious apps compromising devices and business data. Especially on devices that also store personal data, it's important for business data to be kept in a secure sandbox: a separate area of memory and storage that is inaccessible to unauthorized apps. Users should be able to access and edit content within those secure apps, so that content does not become vulnerable to attack through an unapproved and possibly malware-infected app.

4. Extend Mobile Security

Deploy a secure enterprise content mobility solution with dashboards and logging features that give administrators complete visibility and control over file sharing activities and mobile access policies. Administrators should be able to enforce detailed access controls for individual files and for shared workspaces, going beyond the typical app and data security controls of MAM or MDM solutions. Files should be encrypted both at rest and in transit. File owners and administrators should be able to set expiration dates for files, so sensitive data isn't left exposed on servers. Administrators should be able to restrict access to certain files to view-only. If a device is lost or stolen, administrators should be able to remotely scrub the device of all its business apps and content. Even if mobile devices fall into the wrong hands, mobile access should never jeopardize data security or regulatory compliance.

Rigorous security should never imperil worker productivity. Just like their peers in the office, mobile workers also need to be flexible and dynamic when communicating and collaborating with internal and external users.
External users include partners, consultants, and even customers: users who are not likely to have accounts on an internal LDAP server or otherwise have access to information stored behind the corporate firewall. An enterprise content mobility solution should support legitimate cross-boundary communication with external users without turning mobile communications into a free-for-all.

Finally, the solution should include security and audit controls that support compliance with industry regulations such as GLBA, HIPAA, and SOX. Ease-of-use and employee productivity should never come at the expense of compliance with industry regulations and federal and state laws. Enterprises need to stay compliant while making life easier for their mobile employees.

5. Avoid Risky Public Clouds

It's well recognized that, for specific business applications, cloud-computing services deliver high performance, elastic infrastructure services in a cost-effective manner. But trusting confidential data to public cloud services is risky. Public cloud services lack the precision and control of in-house data services. Enterprise IT departments are often understandably leery of trusting the organization's daily exchange and storage of data to a third party service that pools resources for many different organizations. In addition, the terms of service of many of these public cloud vendors skew heavily toward protecting the host, not the customer.

To take advantage of the cost and performance benefits of cloud computing without exposing the enterprise to the risks inherent in public cloud services, the IT department should select a secure enterprise content mobility solution that runs in a private environment. Private cloud solutions offer enterprises the best of both worlds: the flexibility and cost-effectiveness of highly scalable virtual environments, along with the control and oversight of traditional in-house data centers.

Conclusion

By following these best practices for secure enterprise content mobility, you'll give your mobile workers access to the critical business data they need, anywhere, any time, and on any authorized device, including tablets and smartphones. Enterprise content mobility provides an essential layer of security and control for mobile computing, ensuring that greater convenience and productivity never comes at the expense of security.

For information about how kiteworks delivers a secure enterprise content mobility solution, please visit

Related Resources

Case Study: London Borough of Camden
GigaOm Pro: The Rewards and Risks of Enterprise Mobility
Gartner MarketScope Report

About Accellion

Accellion, Inc. is an award-winning private company that provides mobile solutions to enterprise organizations to enable increased business productivity while ensuring security and compliance. As the leading provider of private cloud solutions for secure file sharing, Accellion offers enterprise organizations the scalability, flexibility, control and security to enable a mobile workforce with the tools they need to create, access and share information securely, wherever work takes them. More than 12 million users and 2,000 of the world's leading corporations and government agencies, including Procter & Gamble; Indiana University Health; Kaiser Permanente; Lovells; Bridgestone; Ogilvy & Mather; Harvard University; Guinness World Records; US Securities and Exchange Commission; and NASA, use Accellion solutions to increase business productivity, protect intellectual property, ensure compliance and reduce IT costs.

Accellion, Inc. Embarcadero Road Palo Alto, CA
ACC-WP-1113-SECM Accellion Inc. All rights reserved