Securing your data in a BYOD world

With people handing in their company-supplied smartphone for their own consumer device such as an iPhone, it has become harder for IT managers to keep control of who is accessing their network and what information users have on their phone.

This has led to the rise of an ecosystem of mobile device management (MDM) offerings. MDM has proven popular with both enterprise and government organisations because of the ability to monitor devices and separate business data from personal information on consumer-targeted smartphones and tablets, such as the iPhone and Android handsets.

Concerns about protecting corporate data on personal devices led Slater & Gordon Lawyers to introduce a Good Technology MDM suite in 2011.

Slater & Gordon Lawyers infrastructure manager Eric Yew told Computerworld Australia that the main benefit for IT staff has been easier management of smartphones and tablets.

“Staff can bring in personal devices and we don’t need to worry about managing that user’s device,” he said. Ninety-five per cent of the devices are iOS-based, with the remaining 5 per cent running Android.

An IDC survey of 434 IT executives in Australia, the results of which were released last month, found that 82.3 per cent used their personal phone at work while 32.7 per cent used their own tablet in the work environment.

Just over 18 per cent of those participating in the survey indicated their company had a mobile device policy for corporate devices; 41.1 per cent indicated their company had had a policy for both personal and corporate devices

• The rise of security-as-a-service in Australia
• Network security in the BYOD world
• How to create a mobile device policy in the BYOD world

IDC Australia senior market analyst Vern Hue said that MDM and mobile application management (MAM) are merging into what the analyst describes as 'mobile enterprise management' (MEM).

The term describes a solution that can deal with how applications can be managed, secured and distributed and allows for more granular security and policy controls to be applied to the distribution of the application and content.

“IDC is increasingly seeing MEM driving identity services from both a device and application perspective. It provides single sign-on capabilities — both as a means of security and policy procedure, and to help simply the end-user experience,” he said.

He added that MDM has been one of the most tried and tested means for IT managers to keep track of their employees' devices. However, with the increased use of devices for both personal and business purposes, managing the data and applications that reside on the devices becomes “even more imperative” to the business.

“It’s more vital for IT to be able to have more granular control over how the device, data and applications are managed. Focusing solely on the device is simply not enough, and that’s a trend we’re seeing with many of the organisations we work with,” Hue said.

According to Hue, IT's job is getting tougher because of the rise of bring-your-own-device (BYOD) schemes.

“In order to more successfully secure employee-owned devices, IT and security managers need to look at their system and take into consideration infrastructure and applications — how the data is being assessed and how it is being consumed.

“Consequently, this would require them to look at further fields such as the databases and application services they connect to. The new paradigm sees mobile security from the view that the data and application are critically more important to secure than the device itself.”

IBRS advisor James Turner said that if the mobile devices are issued by the organisation, then securing them should not be a major problem for IT managers.

“Effectively, it’s an extension of asset management. If the device is employee-owned, then it’s a more interesting question.”

This is because tracking the device is tantamount to tracking the individual, which can raise workplace surveillance issues — such as tracking the user when they go to the bathroom.

“Most of these issues are best dealt with through a clearly articulated [BYOD] policy that the employee understands and has signed their agreement with,” Turner said

Giving away MDM for free

Turner said the MDM market could be due for a shakeup following the recent announcement by Citrix that it is offering free XenMobille MDM licences to new or existing XenApp and XenDesktop Platinum customers during 2014.

“The importance of this announcement by Citrix is that they are the first vendor to align with the market. MDM should be viewed as a feature, not a product and this will drive the price down superfast,” he said.

Consequently, any security vendor that has pinned their hopes on long term revenue from the MDM market is “destined for disappointment.”

“VMware’s acquisition of Airwatch was a strong strategic move in this direction because VMware recognised that its strategy was not right. [VMware] had been trying to make a new virtual device on the original device, but this is trying to replicate their desktop and server strategy,” he said.

“Citrix have been on target for a few years now because they understand that it’s not about the device. It’s the ongoing dilemma of commoditisation: How can an enterprise justify buying Netscape when Internet Explorer comes free with Windows?”

According to Turner, this raises interesting questions for MDM software vendors such as MobileIron and Good Technology. However, he added that no large vendor should be buying MDM vendors for the long-term revenue.

“If they are bought, it will be for the capability, and that’s a bitter pill for a software vendor to swallow.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia