A Guide to MAM and Planning for BYOD Security in the Enterprise

Transcription

1 A Guide to MAM and Planning for BYOD

2 Bring your own device (BYOD) can pose a couple different challenges, not only the issue of dealing with security threats, but also how to handle mobile applications. Fortunately, there are a number of ways to manage and secure mobile applications. This expert E-guide deep dives into the strategies and tools for managing BYOD applications and security. Management Guide One of the most common issues for admins in the BYOD era is how to handle mobile applications. Users love their apps, but consumer apps don't usually have the enterprise in mind, and enterprise mobile app offerings aren't users' first choice. Luckily for IT, there are ways to manage and secure mobile applications, such as with enterprise mobile application stores and other delivery methods. With acceptable use policies, mobile application management (MAM) and mobile device management (MDM), admins can regain some control and take advantage of mobile apps' popularity. Table of contents: Enterprise mobile application: Consumer devices go corporate Personal mobile devices today can act as a phone, a GPS, a camera and a garage-door opener all at once. Users who take their smartphones and tablets to work expect their devices to multitask at the office, too. With enterprise apps for remote access, collaboration, security, social networking and more, employees' devices can work overtime. Mobile app delivery options for IT's consideration When IT has a good mobile app delivery strategy, it helps lessen management burdens and helps users do their jobs better. To beef up your Page 2 of 8

3 delivery approach, consider enterprise mobile application stores, application and desktop virtualization, and Web and cloud apps. App stores control consumerization to a point An enterprise app store is a great way to help deal with consumerization, but it comes with some caveats. Building an app store isn't easy, and the store itself needs to be secure. At the same time, it needs to be user-friendly, otherwise employees won't use it. Android mobile application management isn't a cure-all for security problems With Android mobile application management, admins can combat some app security risks, but IT's options are fairly limited. Admins can offer an alternative to Google Play or use a MAM product to control app distribution, tracking, and application lifecycles. The best way to combat Android security risks, however, is to regulate device access. How an acceptable use policy and app control can improve BYOD success In a bring your own device (BYOD) environment, an acceptable use policy gives admins the upper hand when it comes to app security and control. Using application blacklisting and whitelisting, plus MDM, can help you enforce acceptable use policies. And MAM will help with enterprise mobile application installation and delivery. Managing mobile application security in the BYOD era What's a mobile device without the apps? Definitely not something employees want to use. What they may not realize is how much data their apps have access to. In the BYOD era, this is just as much a problem for admins -- who are trying to protect corporate data on personal devices -- as it is for users. Improve mobile app security with MDM, MAM and enterprise mobile application stores. Page 3 of 8

4 By: Dan Sullivan, Contributor Securing an IT environment is hard enough when administrators have full control over the hardware on a network, but a BYOD program can exacerbate that challenge. Organizations must devise BYOD security strategies and use the right tools when they allow employees to use their own devices to access critical data and applications. Bring your own device (BYOD) and bring your own PC (BYOPC) policies can open enterprises to a host of security threats. Personal devices may convey malware to corporate networks. Confidential company information can be downloaded to smartphones that end up lost or stolen. A strategic plan or customer data could be streamed from a server to an executive's tablet over an unsecured connection at some coffee shop. To realize the benefits of BYOD, such as flexibility and cost savings, you'll have to secure data at rest on employee-owned tablets and smartphones. You'll also have to protect data in transit to and from those devices. But first, you need to clearly define and enforce minimum BYOD security requirements for personal devices used for business activities. Here are some strategies and tools for managing data security and maintaining regulatory compliance within a BYOD or BYOPC workplace. Protecting confidentiality, integrity and availability Data security encompasses three broad types of protection: confidentiality, integrity and availability. When company data is copied to personal devices, it should not sacrifice any of these. Protecting confidentiality is about preventing data leaks. A BYOD policy should include a data classification scheme that identifies the categories of data that cannot be copied to a personal device or may be copied in limited cases. For example, new product designs or emerging intellectual property Page 4 of 8

5 might be considered too valuable to risk on any device other than companycontrolled hardware. Similarly, while it may be acceptable to have small amounts of customer, client or patient data on an employee-owned tablet, be sure there is a plausible business justification for copying large numbers of customer records to a personal device. Users can easily download large amounts of data to personal laptops or desktops with hundreds of gigabytes of storage. In a BYOPC environment, consider using data loss prevention applications to block the transfer of large amounts of confidential information. Keeping smaller amounts of storage on tablets and phones reduces mobile device security risks but does not eliminate those risks. Roles and responsibilities should drive the limits on data. A salesperson has a reasonable need for information about clients in his territory. A marketing analyst will likely need data from numerous customers, but does not need indepth data about every customer. BYOD security practices should also address physical security. Personal devices storing company data should be secured to prevent theft when not in use. Data devices, such as USB thumb drives, that contain company information should not be used for nonbusiness purposes or shared with others. Lost or stolen devices are a top concern. Require that screens be locked with passwords or another authentication mechanism. Use mobile device management systems that support remote wiping of lost or stolen devices. Personal laptops and mobile devices should use encryption to mitigate the risk of a data leak if they are lost or stolen. Protect data integrity by reducing the chance of tampering. Screen locking is just the first step in this effort. Smartphones and laptops should be password protected. Employees should not store passwords to business applications in Page 5 of 8

6 browsers on personal devices, especially if the devices could be shared with someone else. When a laptop or desktop is shared among multiple users, each user should have his own account. Access controls should protect business data stored on the file system from being copied, altered or deleted by a user other than the employee. Tampering isn't always malicious. Just think of the last time you saw a frustrated parent pass a tablet to a child to get the youngster to pass some time quietly by reading or playing a game. What if that tablet was still logged into the parent's business ? Include controls such as inactivity timeouts in your policies to mitigate the risk of unintentional tampering. IT must also prevent malicious software on personal devices from interfering with business applications, data or networks. PCs and personal devices might not be affected in the same way by malicious content, but attackers could use BYOD as a vector for introducing malicious content to networks. When a personal laptop or desktop connects to a virtual private network, it should be scanned to ensure that the operating system is a supported version and sufficiently updated. Scans should also determine if antimalware apps and personal firewalls are installed. Perform vulnerability scans as well. Mobile devices with potentially compromising apps should be blocked from the network; use application blacklisting to enforce your BYOD and BYOPC policies. Make sure content that is uploaded from personal devices is scanned for malware. Malware developers have become adept at hiding their payloads from signature-based detection. IT should also use behavior-based detection methods, which analyze what a program does. About the Author: Dan Sullivan, holds a master's degree in computer science, and is an author, systems architect and consultant with more than 20 years of IT experience. Page 6 of 8

7 He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. Page 7 of 8

8 Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 8 of 8