Five Components of Enterprise Mobility Strategy
Are you the type that starts a workday long before stepping into the office and firing up your computer? Most of us get business emails on our phones and start messaging coworkers as we commute. Back in 2012, Forrester found that 67 percent of employees with smartphones chose them personally without any corporate guidance. And a year later, a McAfee survey suggested that 80 percent of employees regularly use unapproved SaaS apps at work.
So, BYOD (bring your own device) is no longer a trend. It’s reality. The boundary between workstation and mobile is so fuzzy, the question isn’t if we embrace enterprise mobility, but rather how we do it.
Enterprise Mobility is Highly Efficient, Unless It’s Extremely Harmful
Having instant mobile access to operational levers is great for the employee and the organization in general–and in theory. If you run many distributed locations where employees need to operate unified management software, opting for mobile can be very rewarding.
For instance, The Walsh Group, a construction firm, embraced the BYOD demand to let their project managers share critical project information straight from the construction sites instead of going back to an office and configuring blueprints from there. This increased their cost estimation speed by 20 percent and put the company ahead of the competition. For one of our clients, AltexSoft developed a customizable app for production workers to complete digital checklists when on-site, track machinery performance, take photos of malfunctioning hardware, etc. This allowed for rapid reaction and on-time employee tracking.
On the other hand, if you handle those devices or let employees use their own, you should acknowledge that humans are the weakest link in any data security structure. People lose smartphones, they install harmful software, copy information and irresponsibly paste it, or just let others access it.
That’s the problem worth considering.
How do you control access to sensitive corporate data? How do you ensure that employees won’t irresponsibly share this data? And, more importantly, how do you manage the use of mobile devices without invading employee privacy?
- Balance user accessibility. The easiest way to have your enterprise mobility strategy fail is to overregulate access to corporate resources. If your employees have to take multiple, convoluted steps just to log in, it’s likely that they will use an app only in the case of urgency. Or, they will most likely download some third-party app with the same features and better accessibility. Why should they use a laggy, overprotected corporate messenger if there’s Slack? So, consider ease of use, look and feel of software, and its performance, all of which will foster adoption.
- Choose wisely between BYOD and corporate devices. BYOD is great in terms of reducing investments in corporate hardware. On the other hand, the diversity of smartphones, tablets, laptops, and their operating systems that update differently challenges an IT department’s ability to keep current with software adjustments across myriad end-points.
- Tailor data protection measures to operational needs. Access to data differs and corresponds with how your employees engage the application. If mobility aims at tracking activities or inputting data to be further processed (as in the restaurants), access to records can be either completely or partially closed. If some data access is required, consider multilevel protection. For example, setting multiple user roles will allow you to segregate valuable data based on user type at every level.
The software you’re looking for is usually referred to as identity management, mobile device management, and mobile app management (MDM / MAM) solutions.
Identity management is focused on providing employees with simplified access to all work-related apps. The concepts of MDM and MAM imply tracking and managing employee mobile devices (MDM), either personal or corporate ones, or managing work-related applications (MAM). Correspondingly, building an MDM / MAM infrastructure aims at protecting sensitive data and keeping mobile devices healthy.
Let’s have a look at what product types are available to support an enterprise mobility initiative.
Identity management solutions address the problem of employees using popular SaaS applications. Instead of requiring workers to use different names and passwords to access multiple applications, identity management enables employees to have a single name and password to use multiple apps.
Major functionality to consider:
- Single sign-in for all applications
- Support for apps used by your organization
- Group access management, which allows managers to assign access to employee groups without enumerating any users in particular (those who can log into apps). This also implies setting specific access rules, like all users from sales departments in the US and Canada can access this app.
- Multi-factor authentication that supports additional levels of verification besides single sign-in
- Some services provide advanced reports that employ machine learning techniques to identify anomalous sign-ins (unknown sources, irregular sign-ins, suspicious IPs, etc.), usage reports, error reports, activity logs, and others.
- Remote access to on-premise software
How to integrate identity management solutions. Usually, leading vendors like VMware or Microsoft have a list of supported public apps that can be integrated with identity management software. However, when using custom apps or other unsupported software, you will need additional engineering to enable successful integration.
Obviously, each vendor integration scenario may differ, but generally, the following steps are advised:
- Research the authentication requirements that your enterprise mobility vendor has.
- Check whether your app authentication matches them. If it does, most likely app integration will take only administrator-level effort.
- If they don’t match, you’ll need additional app customization to meet these requirements.
For instance, here are some possible scenarios for Microsoft Active Directory custom app integration:
- Consider integration at the developmental stage. If you just plan to build a custom app and consider Microsoft Identity Management, you can approach the development with further integration in mind. Microsoft elaborately lists authentication scenarios for developers to make apps compatible with Microsoft AD.
- Enable support of SAML 2.0 or have an HTML-based sign-on page. You can update an existing app following the requirements. Once you have it enabled, an administrator can use a dedicated tool for integration.
- For Xamarin apps, use Xamarin.Auth. We’ve already discussed Xamarin pros and cons in detail. To sum up the conclusions, Xamarin technology is great for enterprise apps if you opt for cross-platform development and BYOD. For Xamarin-based apps, there’s a convenient way to integrate them in two simple steps.
Mobile Application and Device Management
MAM / MDM solutions are built around the idea of both device and application management for corporate users. Basically, they provide dashboards and management environments to track and remotely control devices and apps across all major platforms (Android, iOS, and Windows). Usually, the functionality of these products can be divided into two general task groups: device management and application management.
Application management. The MAM features are designed to meet the BYOD scenarios, when your employees actively use their own devices for work but aren’t thrilled about letting an organization intrude on their private lives. Employee use of a single device where private and work-related usage mix may raise a number of security concerns. MAM allows for decoupling personal and job use by managing applications without sacrificing users’ privacy. This means that you can impose rules on work-related apps while allowing free use of the others.
Some things to consider:
- Block copy and paste
- Block “save as” and backup to a personal cloud
- Impose PIN-access to apps
- Update apps remotely
- Erase sensitive data from device memory
- Require all work-related links to be opened within a dedicated, managed browser, etc.
Device management. If you hand corporate-owned devices to employees, you can manage the devices to avoid any corporate security breaches. Devices enrolled in your system and their resident apps can be managed. As with MAM, you can impose policies on enrolled devices with rules that:
- Define available apps that users can install or those that are automatically installed as a result of enrollment
- Define compliance rules that evaluate which devices can be enrolled
- Manage security settings on devices
- Set conditions under which apps and resources (e.g. corporate emails) can be accessed
- Assign certificates and VPN/Wi-Fi profiles to users of an enterprise infrastructure
- Remotely erase data from managed devices, etc.
Additionally, you have a dashboard that updates you on device health, policy settings, managed apps, and alerts about suspicious stuff. Convenient!
Most EMM systems–like industry leader AirWatch–have geofencing support. This allows for defining geographic zones connected with specific policies. For example, many hospitals provide their staff with tablets having clinic management software to record patients’ symptoms and instantly retrieve patient-related information. To ensure that sensitive patient data is safe, geofencing can lock this tablet if it were to leave the hospital’s defined perimeter. Basically, you can tether any policy to a device’s geographic zone.
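The compliance and geofence rules above, combined into one conditional-access decision, as an added example that is not part of the original article or any EMM vendor's product. The device fields, policy thresholds and the hospital coordinates are constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Device:                        # state as reported by the MDM agent (constructed fields)
    device_id: str
    enrolled: bool
    os_version: Tuple[int, int]
    passcode_set: bool
    storage_encrypted: bool
    jailbroken: bool
    location: Tuple[float, float]    # last known (lat, lon)

@dataclass
class Policy:
    min_os_version: Tuple[int, int]
    require_passcode: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True
    geofence_center: Optional[Tuple[float, float]] = None
    geofence_radius_m: float = 0.0

def distance_m(a, b):
    """Haversine great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(h))

def evaluate(device: Device, policy: Policy):
    """Decide 'allow', 'deny' or 'lock' for a resource request, with the reasons."""
    if not device.enrolled:
        return "deny", ["device not enrolled"]
    reasons: List[str] = []
    if device.os_version < policy.min_os_version:
        reasons.append("OS below minimum version")
    if policy.require_passcode and not device.passcode_set:
        reasons.append("no device passcode")
    if policy.require_encryption and not device.storage_encrypted:
        reasons.append("storage not encrypted")
    if policy.block_jailbroken and device.jailbroken:
        reasons.append("jailbroken or rooted")
    if reasons:
        return "deny", reasons
    # Compliance passed; the geofence policy locks a device that leaves the perimeter.
    if policy.geofence_center and distance_m(device.location, policy.geofence_center) > policy.geofence_radius_m:
        return "lock", ["outside geofence"]
    return "allow", []

# Constructed example: a 500 m hospital perimeter around an arbitrary point.
HOSPITAL = Policy(min_os_version=(14, 0), geofence_center=(51.5007, -0.1246), geofence_radius_m=500)
```

A real MDM agent would report location and compliance state periodically; the point here is that geofence enforcement runs only after the device has already passed the compliance checks.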
How to integrate apps with application management solutions. Like identity management, popular EMM vendors support integration with certain apps available in the App Store or in Google Store. If your app isn’t on the list of supported ones, you’ll need programming to enable this integration. Usually, there are two paths you can take:
- Use app wrapping tools. Integration may be relatively straightforward if you have a simple app. Wrapping allows you to manage applications without directly tweaking their source code. In fact, wrapping is a technique that implies that the app code will be automatically decompiled and specific functionality will be replaced for application management. Obviously, this method has a lot of limitations and is recommended for tactical use. Generally, wrapping will allow for relatively basic management like data transfer limitations, blocking copy and paste, blocking screen capture, etc. To provide a profound MAM, you’ll need SDKs.
- Use vendor-provided software development kits (SDKs). An SDK is a set of libraries and tools for software engineers to implement the functionality compatible with a given software. In terms of MAM, using an SDK entails tweaking the source code of an app or developing it with further application management in mind. For instance, using the AirWatch SDK you’ll be able to manage password policies, data encryption, integrated authentication, etc.
While MAM, MDM, and identity management systems cover applications, access, and devices themselves, some scenarios remain when data security can be compromised. What if somebody who is only authorized to access your financial report forwards it to an outsider? To prevent this type of breach, you can secure the data itself.
File Security and Information Rights Management
The file-security concept focuses on data files instead of devices and apps. How does that work? Basically, as with previously discussed types of software, you can impose specific policies on files and define who is allowed to see stored information. Usually, these services provide three types of policies: encryption, identity, and authorization. You can also configure such things as rights to read, edit, and print documents. Another good feature is usage monitoring. Even if a file leaves the boundaries of your organization (e.g. is sent to subcontractors), you’ll be able to track when and whether specified people opened the document, as well as whether unspecified people attempted to open this document. Or… succeeded in opening it.
Yet, as always, there are some limitations. For instance, if you are a Microsoft fan and its products are ubiquitous in your organization, it’s likely that you store information in Office files. Well, it’s better to use Azure Rights Management if you do, because Microsoft frequently supports advanced protection for their formats.
Basically, there are two types of protection available:
Native protection. Not all files are born equal. Vendors have lists of formats that allow for a deeper level of protection than others. With natively protected files, you can restrict usage to read-only and assign permissions for editing, copying, and printing. For example, Azure Rights Management supports native protection for Office files, PDFs, TXTs, common image formats like JPG, JPEG, PNG, BMP, and some others (here’s the full list).
Generic protection. This type of protection works for unsupported formats. Unauthorized agents can’t open a file. But if an authorized person opens the file, you can’t control such things as copying and printing. Accordingly, authorized agents can then send information outside your zone of security comfort, and a service will only be able to remind users of the protection recommendations.
There are also other powerful players in this market like Vera Security. While focusing on Office files, Vera Security also provides an additional level of protection for file sharing in Dropbox and can lock email attachments. It is currently planning to roll out email encryption.
Machine Learning-based Protection
Another effective way to enable mobility security is to employ machine learning techniques to detect abnormal and potentially hostile activities. Some software packages have machine learning-based solutions out of the box, which can greatly simplify the implementation of this layer of protection. For example, Advanced Threat Analytics is included in Microsoft’s EMM Suite. If your vendor software doesn’t support such advanced analytics, consider engaging a consultant to assess your EMM infrastructure.
Having a long record of both device and application usage, you can leverage interaction history to build machine learning models able to detect outlying use events. Basically, by adopting this type of threat analytics, you can substantially reduce the risk of data leaks. We have discussed machine learning adoption in our 7-step strategy guide. Have a look there to understand what you can do now to embark on this initiative. Machine learning algorithms can be applied to a wide array of possibly menacing actions:
- reconnaissance activities
- finding compromised credentials (e.g. account credentials are sent in plain text or some account shows abnormal working hours)
- lateral movement (detected through abnormal resource access), etc.
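A minimal version of the anomalous sign-in detection described above (unknown source country, abnormal working hours, and a success following repeated failures), as an added example that is not part of the original article or any vendor's analytics product. The sign-in events are constructed sample data, and the per-user hour baseline uses a simple mean/standard-deviation model rather than a trained classifier.

```python
import statistics
from collections import defaultdict

# Constructed sign-in events (not real data): (timestamp, user, source IP, country, outcome).
BASELINE = [
    ("2024-03-04T09:05:00", "alice", "203.0.113.5", "US", "success"),
    ("2024-03-04T10:12:00", "alice", "203.0.113.5", "US", "success"),
    ("2024-03-05T08:55:00", "alice", "203.0.113.7", "US", "success"),
    ("2024-03-05T09:40:00", "alice", "203.0.113.5", "US", "success"),
    ("2024-03-06T09:20:00", "alice", "203.0.113.5", "US", "success"),
    ("2024-03-06T10:02:00", "alice", "203.0.113.5", "US", "success"),
]
NEW_EVENTS = [
    ("2024-03-07T09:15:00", "alice", "203.0.113.5", "US", "success"),
    ("2024-03-07T03:10:00", "alice", "198.51.100.9", "RO", "failure"),
    ("2024-03-07T03:11:00", "alice", "198.51.100.9", "RO", "failure"),
    ("2024-03-07T03:12:00", "alice", "198.51.100.9", "RO", "success"),
]

def hour_of(ts):
    return int(ts[11:13])

def build_baseline(events):
    """Per user: mean/stdev of successful sign-in hours and the set of countries seen."""
    hours, countries = defaultdict(list), defaultdict(set)
    for ts, user, _ip, country, outcome in events:
        if outcome == "success":
            hours[user].append(hour_of(ts))
            countries[user].add(country)
    profile = {}
    for user, hs in hours.items():
        sd = statistics.stdev(hs) if len(hs) > 1 else 0.0
        profile[user] = (statistics.mean(hs), max(sd, 1.0), countries[user])  # floor sd at 1 hour
    return profile

def detect(events, profile, z_limit=2.0, fail_limit=2):
    """Return [(timestamp, user, [reasons])] for events that look anomalous."""
    alerts, failures = [], defaultdict(int)
    for ts, user, ip, country, outcome in events:
        reasons = []
        mean, sd, seen = profile.get(user, (12.0, 1.0, set()))  # unknown users get a loose default
        if country not in seen:
            reasons.append("unknown_country")
        if abs(hour_of(ts) - mean) / sd > z_limit:
            reasons.append("off_hours")
        if outcome == "failure":
            failures[(user, ip)] += 1
        else:
            if failures[(user, ip)] >= fail_limit:
                reasons.append("success_after_%d_failures" % failures[(user, ip)])
            failures[(user, ip)] = 0
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts
```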
Consider Enterprise Mobility and Security Early
Employee mobility and BYOD are disruptive trends in terms of enterprise security. As corporate information becomes increasingly accessible, we should address this threat early in a smart and balanced way.
The enterprise mobility market is expected to grow to over $4.5 billion by 2020 with a 27 percent annual growth rate. The software is already accessible for businesses as it has an established pool of vendors, and in many aspects, is a fungible commodity. In fact, buyers usually base their choice of EMM solution on pricing, customer support, or UX/UI qualities rather than feature-set. None of the main EMM layers – 1) single sign-on and identity management, 2) mobile application management (MAM), and 3) mobile device management (MDM) – require much engineering effort to integrate.
So, the general recommendation is to start small and consider mobility management software before you hand devices to employees or upload apps to their smartphones. Then you can gradually scale to additional levels of protection like file security and advanced threat analytics.