Watch Out

This article first appeared in InformationWeek (May 3, 2010), and is reprinted here with the permission of the publisher.

They want new gadgets. Economic recovery will unleash pent-up employee demand for new and different smartphones, making mobile device management strategy more critical than ever.

Remember the good old days, when only star salespeople and top execs had smartphones, and they could choose between a BlackBerry and a BlackBerry? Now, platform choice is the name of the game for end users.

If you haven’t seen demand for smartphones explode yet, you will. That’s the top-level finding of our InformationWeek Analytics 2010 Mobile Device Management and Security Survey. Surprisingly, employee smartphone use hasn’t moved much since our last survey on the topic, in 2008: today, 21 percent of companies have more than half their employees using smartphones, little changed from the 17 percent in February 2008.

However, fully 87 percent of the 307 respondents say smartphones will become more predominant in their environments, and just 6 percent say the fixed/mobile mix will stay
the same. And the surge of smartphones won’t be all BlackBerry—seven mobile device vendors registered double-digit adoption levels in our poll.

IT is getting ready for the boom: Security is by far the top reason for deploying or planning to deploy software for mobile device management (MDM)—cited by 73 percent in March versus 52 percent in 2008. There’s good reason to worry. The mix of peripatetic hardware IT must now lock down extends beyond smartphones to netbooks, tablets, and multigigabyte USB devices the size of pop-tops. We’re surprised to see flash drives take the No. 1 spot among eight data disclosure risks. But if the economy grows and business spending increases, smartphones are most likely to surge and create new problems for IT.

“As mobile devices grow smarter, this is the biggest area of data leakage concern, besides cloud computing,” says a principal security architect with a large IT vendor. Good luck reining in either of them. Employees want to work and share information wherever they happen to be. Mobile utopia is the theme of lavish ad campaigns from carriers and smartphone makers. Your users see rich ecosystems replete with slick hardware, clever applications, and ubiquitous network connectivity, and think, “Hey, that could be me!”

Reconciling the “I want my e-mail on an iPhone, and I want it now” sentiment with the practicalities of managing multiple platforms and securing the data passing through or stored on devices, without breaking the bank, is made more difficult by stagnant technology spending of late. But IT teams need to figure it out, and fast. A unified response includes security policies, education, and management, either via one or more homogeneous platform manager, or a single heterogeneous tool that can administer multiple phone platforms.

In terms of mobile devices, if there’s one silver lining to the recession that hit on the heels of our 2008 poll, it’s that IT got some breathing room to get policies and security technologies in place to handle the demand for devices other than BlackBerrys. You have been working on that, right? We hope so, because as budgets loosen, the sky’s the limit for mobility projects.

And don’t discount having to support work apps on personal phones. In our October 2009 End-User Device Management Survey, nearly 40 percent of 558 respondents said their companies let end users connect their own equipment to the enterprise data network. If an employee will pay for a smartphone and use it to check work e-mail, what manager would object? Then it’s up to IT to make sure that can happen securely.

Even if employees can’t use their personal phones, the BlackBerry company standard goes out the window the moment the CEO walks in the door with her new Droid device and says, “Support it.” The only hope is heterogeneous MDM software.

The MDM Landscape

Even if you’ve so far been able to maintain standardization of devices, it likely won’t last. This puts IT into a tough spot, though, since bowing to pressure on the phone front means an infrastructure component upgrade—and often a philosophical security posture change as well. More on that later.

Even with these hurdles, over the next 24 months we expect many enterprises to at least lay the groundwork for managing multiple device types, if not move wholesale toward new systems that can manage disparate phone types under one umbrella.

Functional as RIM’s or Microsoft’s management software is, your ability to support the Droid, iPhone, or other devices is too limited with them. Third-party systems are your best bet for multiplatform depth—though with some, you’ll still need BlackBerry Enterprise Server. Good Technology’s Mobile Control and Trust Digital’s Enterprise Mobility Platform, for example, support Droid, iPhone, Palm WebOS, Symbian, and Windows Mobile, but not BlackBerry. MobileIron, Sybase, Zenprise, and others also compete here.

Just don’t count on one perfect software system to build your management strategy around. “It seems like a lot of vendors out there offering MDM only have pieces of the puzzle,” says one respondent, nailing the problem. “There isn’t a clear front-runner that offers all the flexibility and features a large enterprise looks for, such as multiple device support—iPhone, Droid, and Symbol for example—with robust features. We are left using different vendors for different tasks.”

Keep some general rules in mind when developing a short list for MDM software.

First, if you want to impose certain settings across an entire class of mobile devices—smartphones, in this case—ensure you can craft a policy and push it to devices that are enrolled as participants in the MDM system. Before phones are allowed to access company data, the devices must be enrolled. Your policy should mandate key device settings, capabilities, and operational modes, including:

• Remote wipe/remote reset; 
• Hardware control: Include camera on/off, Bluetooth on/off, Wi-Fi associations to certain SSIDs only, and access to internal or external storage; 
• Mandatory authentication methods for gaining user interface access; 
• At-rest encryption: Whole disk or file-by-file; 
• Firewalls: Protection from unwanted inbound IP connections to the device via the Wi-Fi or 3G/4G radios; and 
• Anti-malware: Protection from malicious software code for operating system components or files that make their way onto the device, such as via e-mail.

Among MDM features, remote wipe is the one most often cited as interesting, by 72 percent. Perhaps that’s because of its appealing finality: If a device is lost, you have a sledgehammer that can be brought down quickly and decisively. Compliance and policy settings drive whether and how a device’s functions should be enabled. Think authentication here.

More than 60 percent cite support for multiple devices as important in MDM. We understand the interest companies have in providing choice to employees and not locking them into one corporate standard. But be sure that the potential operational cost of supporting a heterogeneous smartphone environment, even beyond an MDM system, is well understood. Different platforms mean new skills may be needed at the help desk, and you may need to compromise on protection capabilities—a nonstarter for heavily regulated industries. And that doesn’t even begin to address possible application interoperability issues.

Choice is good, but it comes with a cost. Acknowledge it.

The most familiar enterprise-class MDM product is the BlackBerry Enterprise Server. Microsoft’s version for Windows Mobile is the mouthful known as Microsoft System Center Mobile Device Manager. These two represent the bulk of the MDM market, with Microsoft’s share growing but BES holding a commanding lead. These are both homogeneous MDM systems.

The upside for IT that comes with a huge (and growing) demand for better, smarter, cooler mobile devices is that there is no longer any one monolithic player in the enterprise MDM arena. To meet demand, software vendors, including Microsoft, are catering to new hardware and disparate phone environments. No one provider is likely to guarantee support for every phone anytime soon, but that concept is no longer as far-fetched as even a year ago.

Waiting to buy may not be a bad thing—and many of our respondents have to, since MDM isn’t a high-budget priority. Barely half of respondents deploying or planning to deploy MDM will be increasing their investment in the technology—52 percent, down from 56 percent in 2008. Those without deployment plans most often cite lack of personnel to run MDM systems, or say they don’t have the volume of devices to warrant the investment.

Our survey includes data for a wide range for organizations: 8 percent have fewer than 100 employees, and we can understand how economies of scale might not kick in here. However, 36 percent of respondents have between 1,000 and 9,999 workers, and 29 percent have 10,000 or more. For these shops, MDM is a smart move given the level of assurance it can provide when done right.

Smaller companies should also keep in mind that software vendors are moving toward holistic security packages that can protect many device types, from desktops to USB. So you may be able to leverage your current centralized antimalware product, for example, and extend it to also manage smartphones for just a small license fee.

More Mobile Apps Ahead

Little has changed since our previous survey with respect to the most critical mobile device applications. E-mail access is king, followed by contacts and calendar, then voicemail. Before adding a smartphone to your supported list, ensure it handles these basic features in tandem with your environment. Period.

Less critical—for now—are general office productivity applications, which are deployed on about one in three devices and saw about 30 percent growth over the 24 months between polls. Not as dramatic an uptick as one might expect, given the “there’s an app for that” marketing blitz, but still a notable gain considering that mobile device form factors haven’t changed much. Microsoft’s Office 2010 is an example, though, of how vendors will ramp up the pressure to get apps on phones. The new Office suite has features built expressly for smartphone use, such as a take-a-picture button to include a photo in the OneNote app. As more vendors craft smartphone-friendly versions of enterprise apps, look for employee demand to shoot up.

The bottom line is that any MDM strategy needs to plan for diverse applications on smartphones, not just diverse devices. Forty-two percent of companies are already deploying mobile applications on smartphones, found our November 2009 InformationWeek Analytics Application Mobilization Survey, with an additional 11 percent saying they’ll do so within twelve months and another 6 percent in twelve to twenty-four months. Only 21 percent of these, however, indicate widespread adoption throughout the company, with 42 percent pointing to department-specific deployments.

In many cases, as in our survey on MDM, security concerns hold back app expansion. Another inhibitor is the crazy quilt of smartphone development platforms: In our App Mobilization Survey, when asked their primary mobile/wireless application architecture, 40 percent said a native mobile platform client, 28 percent a mobile browser, 15 percent a Java client, 8 percent a hybrid browser/native client combination, and 5 percent a mobile middleware approach. Phew.

However, we predict that as the choices for mobile devices expand—think iPads and slates and Google Chrome netbooks—and development environments mature, we’ll see much more use of apps outside of e-mail, so get ready.

Something to watch: As applications continue to multiply on new and exotic hardware and operating systems, properly vetting and securing everything is going to be a daunting task. Keep an eye on security products, in particular endpoint protection systems, to see how—or even if—vendors pull hybrid mobile devices such as iPads into the enterprise protection fold.

Of primary importance for IT is supplying remote-access capabilities. People living the mobile life want entrée to the internal network from client sites, the coffee shop, the airport—wherever they happen to be. This reinforces the need to first authenticate the user to the device, and then the user to the corporate network. If the device is lost or stolen, we don’t want an interloper perusing internal data stores. Of course, to get remote access in the first place, wireless service in the form of Wi-Fi or 3G/4G is a must. IT will need a plan to troubleshoot smartphone connectivity issues for core applications, such as e-mail. Our point: Start planning—and budgeting—for the software besides MDM that you’ll need to maximize productivity.

State of Uncertainty

The risk landscape is constantly changing, and mobile systems are particularly disconcerting because we are letting our most critical business assets travel to or be accessed from literally anywhere in the world.

It’s tempting to lock down all mobile devices to levels commensurate with information stored in our network core. But is that even possible? Probably not. So as with all security- or risk-based decisions, we must find the sweet spot. Here’s our road map:

• Create and enforce a flexible security program that fully integrates mobile data security. Include policies specifically for mobile devices and operating procedures. Don’t just think smartphones—include laptops, USB drives, and other portable units. 
• Decide on a strategic direction for platform adoption, and define your requirements. It makes no sense to evaluate products or purchase gear if you don’t even know what problem you’re trying to solve. 
• Evaluate what you already own. What used to be a simple antivirus server could morph into a full endpoint management suite, so talk to your security vendors. If you need new tools, we recommend heterogeneous management products over single-platform systems. But newer is not always better, so always do a proof of concept before buying. Most vendors will let you try out their products in your environment. Take advantage of this, and test all the devices on your approved list. 
• Don’t ignore your colleague’s business needs, but don’t cave in to trendiness. You’re in charge of protecting the company’s assets, so if a heterogeneous smartphone environment is too risky right now, say so, and explain why. 
• Take the time to understand the types of data flowing through mobile devices. Classification is critical. 
• Educate all employees, from the CEO on down, about sensitive data handling. Explain why controls are in place and why certain tools haven’t been adopted by the organization. If the CEO is the only one allowed to have an iPhone, what does that say to staff about consistency and security? 
• Be vigilant. Changes come in the blink of an eye, and previously secure systems can be exposed literally overnight.

"The implications of mobile device security breaches are often being ignored for the sake of functionality and simplicity,” says one tech pro in our survey. “This is a ticking time bomb.” We would counter that at least when you hear that tick, tick, tick, you have fair warning to get a plan together before the explosion hits. Don’t say you weren’t warned.

Richard Dreger and Grant Moerschel are cofounders of WaveGard, a vendor-neutral consulting firm specializing in information assurance strategies and security assessments.