The usage of consumer devices in the enterprise is spreading
like wildfire, as it allows employees to get access to company
information without getting the IT function involved. While this
has a big impact on productivity, it is also exposing organizations
to a number of security risks. For example, unlike desktops, mobile
devices can be lost or stolen. In addition, mobile devices are
vulnerable because they are not always patched with the latest antivirus
update, and they run the risk of introducing malware into the enterprise
network.
As a result, BYOD has emerged as a top concern for enterprise
mobile security. As more and more employees bring their
smartphones or tablets into the workplace, the first reaction of IT
has been to manage the device itself, applying a policy similar to what
it has been following for corporate-owned devices. In some
organizations, the IT function allows only specific devices to be
part of the network, as the IT function has the capability to
manage only certain types of devices. However, this is easier said
than done.
BYOD in a disparate mobile world
A recent McAfee report on mobility and security highlights that
businesses are now operating in a heterogeneous mobile environment
where BlackBerry is no longer the standard. Traditionally, IT
had to deal with just a homogeneous desktop PC environment. But the
BYOD trend is forcing them to manage mobile devices from multiple
OEMs such as Apple, RIM, Samsung, Nokia, etc. running on disparate
operating systems such as iOS, Android, Windows Mobile, and Bada.
The survey reports that the introduction of these new, unsecured
devices is creating a security hole for organizations. A mobile
device management policy focused on specific devices will defeat
the true purpose of BYOD. Given the diversity of mobile devices and
platforms, few organizations are well prepared with a security
strategy for this emerging world.
Some enterprise companies have even suggested the use of logical
partitions – one for personal and the other for professional use,
wherein the IT function has complete control over the professional
partition. Other enterprise companies are using mobile device
management features such as remote locate, track, lock and wipe
if a device is lost.
However, in an era where the thin line between work and home is
rapidly vanishing, and a number of companies are giving their
employees the option of working from home, it is extremely
difficult for any organization to control how employees consume or
use information.
“Most of the current MDM systems cannot even prevent the
copying and transfer of information between one logical partition
and another logical partition of the same device. From a data
security perspective, this is an absolutely basic requirement. MDM
systems are still evolving and there is still a long way before
MDM systems can be used to ensure complete security,” says
Vishal Gupta, CEO, Seclore.
Gupta argues that controlling the end device will not work in an
era where the form factor could range from a mobile device to a
tablet or a kiosk. “MDM systems allow contextual and
policy-based access to information. However, they do not
differentiate between the right and wrong use of information. For
example, what happens if a rightful owner of information downloads
information on his tablet and copies it to another personal device?
If this employee leaves the organization, the information leaves
with him,” says Gupta.
The BYOD issue also brings into focus the company’s
insistence on managing personal devices. Most users object to such
an approach, as they do not like the company controlling and
installing device management software on a device they have
bought with their own money. This is also risky as a remote wipe
initiative can inadvertently wipe off personal information.
A new approach to BYOD
Previously, a company’s information network ended at its
firewall, and its valuable data remained relatively secure within
that network. But today, information is no longer contained within
the four walls of the business, and the network today ends with the
user, and ultimately with the device that the user uses. Security,
hence, has to go where the information goes. This can be enforced
using Information Rights Management (IRM), which ensures that the
security is embedded in the information itself.
Hence, unlike a mobile device management policy which permits
only ‘X’ or ‘Y’ mobile device to work, an
IRM solution can ensure that enterprises can adopt a BYOD policy
without device restrictions, and have personal devices accessing
corporate information. IRM allows organizations to set rules
regarding who can access data. Prevention of screenshots, copying
and pasting together with clear definition of who can access the
data makes unauthorized replication of the data extremely
difficult.
“With IRM, an enterprise can do away with the need of
controlling devices. There is no need for partitioning either, as
security is built in the content itself,” explains Gupta.
To showcase the capability of IRM in mobile devices, Seclore
recently launched an IRM solution for Apple’s iOS platform.
The solution will enable enterprises to collaborate across
enterprise managed devices and (personal) iPads and iPhones without
worrying about information breaches. The application can be
downloaded from the Apple Marketplace.