The threat of data loss at organizations is significant today, be it at small and medium-sized enterprises or large companies. Such data loss most commonly occurs via unsecured data connections, device thefts, and data copying that is unauthorized. They typically happen because of loopholes in the enforcement of the organization’s IT policy.
Any enterprise that supports mobile IT systems and tools is susceptible to hacker attacks and data breaches unless it has in place a comprehensive security policy backed up by powerful tools to enforce it.
All you really need is one comprehensive solution, but your organization may instead be using a patchwork of many disparate tools. Either way, some security-related capabilities are both critical and essential. Such a solution to manage mobile applications, devices, and content across the enterprise is known as an enterprise mobility management solution. (Just like “Jurassic World” was known as a massive disappointment, but don’t get me started!)
The primary facets of an enterprise mobility management solution are mobile device management, mobile application management, mobile content management, and BYOD policies. Here are some of the most critical security-related capabilities of an enterprise mobility management solution:
Secure remote access
Secure remote access solutions allow you to set up an encrypted, private connection between the corporate network and your mobile devices, thus ensuring that the information transferred through the connection is virtually beyond interpretation by hackers and people looking to steal data.
Such solutions must be able to provide secure channels under various circumstances ranging from in-office access to home network-based access and access from publicly accessible WiFi hotspots. They must be able to support:
- The ability to set granular level access at both device and user levels.
- Remote access provisioning that is both flexible and secure.
- Preferably, access via the web without requiring desktop software installations.
- VPN access that is protected against threats such as worms (no, this has nothing to do with your next fishing trip!), spyware, and viruses by using advanced endpoint and network security integration.
- Multiple VPN access from one platform.
Data encryption and security
There are several key elements related to data encryption and security for an enterprise mobility management solution. Here are a few:
- As far as data at rest goes, always keep it stored in encrypted form using dynamic encryption keys.
- Any data-sharing applications and other related utilities such as messenger programs, personal email, Bluetooth, and camera should be disabled on the device.
- Deletion of confidential documents on the device based upon time to live.
- Data-security provisioning in the transport layer using encrypted data communication built on top of the SSL protocol.
- Transport layer security provisioning using asymmetric encryption key algorithms.
The solution will need to have various types of data wipe-related capability. We mention some of them below:
- Implementing a selective data wipe when multiple users are accessing the same device in a shared device scenario.
- Implementing a complete data wipe when a device is to be disabled or a user has to be dropped from the system due to specific reasons such as move out or lowering of privileges.
- Advanced capabilities related to remote data wipe are required to handle situations where a device gets stolen or lost, or when it is to be wiped clean before reuse. The solution should also have the ability to support data wipe capabilities in an offline mode.
- A factory reset uninstalls all downloaded apps, resets all personal settings, removes any personal data, and undoes all changes made by a user to the device after starting usage. Basically, a factory reset resets a device to the state of a new handset.
- An enterprise device wipe erases all enterprise profiles and account data, corporate contacts, messages, and associated policy configuration settings. This option does not modify any personal data like public apps, media files, personal email messages, or other data downloaded in a personal role association.
- A container wipe removes all enterprise apps within secure data containers along with the associated data. This may be implemented as a full or partial data wipe based upon the specific need, with a partial wipe being offered at the level of device data partitioning or at the user profile level.
- A selective application wipe (no, you do not need Windex with this type of wipe!) uninstalls only a specific application from the device along with the associated configurations, data, and settings.
Dashboards, statistics, and reports
Dashboards and reporting-related capabilities make up probably the most significant element of an enterprise mobility management solution. These are some of the most critical aspects that are required:
- Real-time reporting for critical variations, aspects, and trends such as application usage on various device platforms, applications on various device OEMs, application usage per platform version and application usage based on location.
- Dashboard permitting dynamic configuration of policies at both application and enterprise levels.
- Generation of statistics and reports should be built into dashboards in a simple yet powerful manner.
- Key capabilities such as data wipe, deregister, block/unblock, and version update should be made available at the user, device, and app levels from the web dashboards.
This element of the enterprise mobility management solution is fairly generic and is similar to what one would expect in most applications on the IT systems administration side.
The solution should provide a sophisticated implementation for system policies related to mobile devices and applications. Policies can be both dynamic and static, and can be rules that are applied at a global level or at device, application and user level, based on the scenario in question. Here are a few critical capabilities that are required:
- A common scenario that needs to be supported is to execute application provisioning only to certified OEM devices. This is a critical need for just about all organizations to ensure that licensed applications are provisioned only to certified devices and not to other possibly personal devices.
- To disable device access in case of lost or stolen device, or if device has been operating in an offline mode for a certain number of days.
- To blacklist the installation of designated malware apps on any device.
- To disallow jailbreaking of enterprise-issued devices is another critical capability needed to maintain device integrity at both software and hardware levels.
- To allow access to enterprise apps during working hours only.
- Block specific app versions based on reporting of critical bugs or flaws.
Photo credit: Pixabay