Originally published by Rob Patey on IBM Securityintelligence.
As I was celebrating the birth of America’s freedom this July Fourth, I sparked a firecracker for the fact that I was able to use my tablet to take a meeting in a place where the Fourth of July is just another day of the week.
I was offered a stay of execution from the team, but an hour of my time was a small sacrifice, especially since the entire event took place on my iPad and mobile phone from my back porch.
About one-and-a-half scores ago, I remember waving a sparkler at Newark Liberty International Airport as my father headed off to Sweden for a meeting on July 5. The tablet, smartphone and the manifest destiny of last-mile broadband reaching fruition allowed me to turn off Harry Chapin’s “Cat’s in the Cradle” and spend time with my family watching fireworks once the meeting was finished.
This affordability — having the right device for the job at a time when I need to use it and from wherever I please — wasn’t a freedom simply handed to me. Like any great leap forward in liberation, battles were fought and accords of acceptable use had to be established between employee and employer.
As I recount some of this ancient mobile history and the hallmarks of security, productivity and mobility that resulted from them, I know some of you are going through these trials and tribulations right now. May you avoid the missteps of the past and join all of us forefathers (and mothers) for the next data deluge on the shores of the Internet of Things (IoT).
Freedom Is Never Free, Especially in Mobility
Before anyone can truly declare independence, mobile or otherwise, an upheaval from the status quo is required. An assist from France bolstered America’s liberation, and a few years later, the Bastille was taken by bayonets — not baguettes.
Since the first smartphone could sync with Active Directory, the already beleaguered IT group from the BlackBerry bonanza of the early 21st century showed rightful resistance to employee presumptions on data access. Just because you can, doesn’t mean you should. The email policy was born, and business leaders furiously rubbed rabbit feet for luck in hopes this would be enough to keep employees secure and satisfied.
It didn’t work. And today it really doesn’t work, but we’ll get there in a minute.
Mobile device management (MDM) offered the treatise of device choice balanced with one-window control. MDM became especially vital in the famous battle of bring-your-own-device (BYOD). Without the device and OS agnosticism of MDM and mobile app management (MAM), we might all still be in a state of technological dissemination without user representation.
Freedom from the confines of the office was finally won with the understanding that privacy can be maintained without completely obfuscating the view of IT. Now, policy can be crafted with a preamble of independence for both sides of technology enablement:
When in the course of business events, it becomes necessary for the enterprise to act as one people to dissolve inefficiencies that have disconnected them from each other and corporate data, and respect the freedom of choice to work on the equipment deemed best by the workers actually producing the work.
We hold these truths of mobile productivity to be self-evident, that all devices are created equal, that they are to be enabled by IT with rights to the same data as laptops and desktops and, finally, that usability is held in equal balance with security.
Mobile Independence Is a Privilege Governed by Data Rights
As devices grew more powerful, more expensive and more diversified with tablets and wearables, the concept of BYOD became more palatable to IT. However, these new abilities required more granular ways to control the data flowing in. Transient workers requiring two mailboxes on one device turned to containers. File shares could also live separated from device-level controls along with secure Web browsers and a host of other features that fulfilled a manifest destiny of productivity even when in transit. Enterprise mobility management (EMM) is the current term to define this broadening of devices, data, apps and access to devices.
One mobility program of enabling and securing endpoints, under one management pane of glass, giving mobile liberty to all.
Like the expansion of the United States, now that the mobile device has open freedom across this broad landscape of enterprise data, the CSO (or any level of security really) is a quintessential player in ensuring an uninterrupted flow of information. Mobile threat management (MTM) is how security can reach this new land. With MTM as part of a larger EMM solution, securing in-house and third-party apps from malware, advancing jailbreaking or rooting rules and opening the way for seamless single sign-on access to all facets of the device become a reality.
The Mobile Bill of Rights
Historically, the Fourth of July isn’t about the Bill of Rights, but I beg a bit of patriotic poetic liberty to hopefully offer the foundation for your mobile liberation:
- Free speech, text, mail, files and access on any mobile device or endpoint, if and only if employees respect corporate data on those devices being managed through some form of endpoint and mobile security.
- The right to bear BYOD, without abstention from IT: When a personal device is compromised, IT will still act to triage the security of data on that device. Likewise, when apps or access to internal networks are needed, IT shall enable those services to ensure expedience in delivery and integrity of data delivery.
- No employee shall willingly quarter malicious material on devices. If workers want to root or jailbreak to experiment with a cool new app or some OS-level optimization, the device is unable to accept corporate data until it is back in compliance.
- Device privacy shall be respected by IT. Yes, MDM and security tools give IT a look at device activity, but IT is not reading emails, texts or other personal material. I always balk at this EMM because if IT wanted, they could have been reading our emails for years now — but they don’t. With MDM, they can’t, and still this wild conspiracy permeates the cube farm.
- Mobile security is not a witch-hunt or an indictment on how employees spend their free time in the wide world of apps. Personal information remains off the table in mobile freedom.
- In light of a breach, theft or toddler who will only be calmed down by tapping away on your tablet, employees should expect a speedy lock, block, selective wipe or reset of the device to keep data safe.
- There is one set of rules governing acceptable mobile use and data delivery. A recent study titled “Why Is App Security Escaping Development?” showed 40 percent of in-house-developed apps are leaving the enterprise without the most basic security. This is an effort to stay competitive and meet the harsh deadlines necessitated by our new global economy. It will also prove foolhardy as black hats become more aware of these sieves in the corporate data structure.
- Excessive bailing on enrollment in mobile security programs shall not be coddled by IT. Yes, mobile security apps take up space on a phone or tablet. But not only is it worth it for the enterprise, it’s vital.
- IT enablement is just beginning and shows no signs of ending. If anything, it’s growing larger. Employees have simply gained new freedoms with device selection; the true business enablement of this world is squarely on the shoulders of IT and security teams.
- Mobile device and data access requires us all to think a little more wisely. Departments, work groups and individual workers should not seek out IT for every little issue with a phone glitch or tablet phantom turn-off. At a certain point, we all need to understand what is business and what is personal on our home screens. IT should not be charged with helping employees access their July Fourth barbecue pictures, just as an employee should never be given a Wi-Fi password on a sticky note and told, “Good luck.”