Mobile Security: Seven Steps for Supervising Personal Smartphones in the Enterprise

Developing a strategy for managing and securing employees' personally owned mobile devices is no longer avoidable. iPhones and Google Android devices are joining BlackBerry, Symbian and Windows Mobile smartphones in the workplace, and their numbers are only going to increase in the coming months. Regardless of whether corporate policy allows mobile devices to access the corporate network, workers are still bringing them into the office.

According to a recent Forrester Research report, almost half of the U.S. and European businesses surveyed are embracing the notion of allowing personally owned devices access to a secure corporate network. One-quarter of the businesses surveyed provide full support to at least some personal devices, and another 21 percent provide at least limited support.

What these companies are realizing is that if they allow employees with personally owned devices to access corporate email and other resources, these employees will be more productive. In addition, in today's economic times, enabling personal devices helps companies offload some of the cost because users are paying for these devices themselves.

Corporate IT departments are naturally cautious about opening up the network and allowing full access to any device. IT needs control over how, and under what circumstances, mobile devices can access corporate systems. Finding just the right balance (maintaining the integrity and security of the network while allowing easy access to the applications users need to be more productive) will give organizations a competitive advantage in the coming years.

Seven Steps for Setting the Ground Rules

IT can secure the network for mobile devices without endangering corporate assets. These seven best practices will help protect your environment and provide employees the flexibility to use their personal devices without compromising critical enterprise resources.

1. Identify mobile devices on the network.

A good starting point for IT managers is to definitively identify who is accessing, or trying to access, the network. Frequently this can be accomplished by auditing existing systems such as your Exchange Server and Microsoft ISA logs, and by checking desktops and laptops for the presence of local synchronization software.

If you don't think any mobile devices are on your network, consider this example. A large national retailer conducted a Sybase Exchange server implementation with gating software at its corporate headquarters. Within just a few days, its IT department determined that the company had more than 1,000 unauthorized mobile devices on the corporate network.

2. Determine the back-office systems employees want to access.

Every user shouldn't automatically get access to everything on the network, not by a long shot. Take the time to survey your departments and employees to determine what they hope to gain from mobility. The trends involving personal devices are being driven by "information workers," employees who are often in the office or travel occasionally and who see mobile devices as a productivity tool.

Do these users simply need access to enterprise email and intranet sites, or do they want access to specific applications? For example, you can give sales reps access to their sales applications and executives access to sales dashboards and purchasing approval systems, while information workers get access only to enterprise email.

3. Formalize user types and set policies.

Based on what you learned in step 2, evaluate users, create groups of users and determine governance policies for each group. These policies define the "like to have" and "need to have" access for each group of users, and IT can set up management and security protocols that conform to those policies. Different device management tasks and levels of security can also be applied to each group.

4. Get ready to take action.

A good place to start is to add a filter to control access to your back-end systems. A filter is a piece of software that collects data and analyzes it so you can evaluate personal mobile devices coming into the network. One option is to monitor who is attempting access and to block access unless a management client is installed on the device. There are vendors who provide an Exchange ISAPI filter that can identify each device and deny access to back-office email unless the device meets a predefined set of criteria.

5. Add password and encryption policies plus remote wipe capabilities, at a minimum.

The bare minimum to consider for securing personally owned devices is password enforcement and on-device data encryption. Other critical areas include the ability to remotely wipe lost devices, as well as inventory management that identifies which devices are connected to the network at any given time.

6. Consider separating personal data from business data.

One security strategy that many companies are adopting is a "sandbox approach." This approach involves storing enterprise data, including email and applications, in a distinct area of the device, and encrypting and password protecting only that data. All other files, including personal music, videos and photos, remain available to the user without logging in to the device.

7. Enable users to be self-sufficient.

Because most IT departments are spread very thin, the best strategy for making all of these adjustments to corporate policies is to keep things as simple as possible. Rather than adding another screen to the bank of displays that IT managers already need to look at for network status and the like, it makes sense to give users a measure of self-sufficiency to comply with company policy.

For example, instead of flipping a switch and barring personal devices entirely, why not direct users to where they can download a management client application that will bring their device into compliance? This self-help policy frees IT staff from spending precious time tending to personal devices, and it helps keep the network secure.
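The following is an added example, not code from the article or from Sybase, tying steps 1, 3 and 4 together: it inventories the mobile devices seen in an Exchange ActiveSync log (the IIS W3C format, where each sync request carries `User`, `DeviceId` and `DeviceType` in the query string) and then applies the kind of decision a gating filter would make. The log excerpt, the set of enrolled device IDs, the user groups and the per-group device policy are all constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt for Exchange ActiveSync requests (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username cs(User-Agent) sc-status
2010-03-01 08:02:11 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=APPL123ABC&DeviceType=iPhone&Cmd=Sync CORP\\jdoe Apple-iPhone3C1/801.293 200
2010-03-01 08:02:40 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=ANDR456DEF&DeviceType=Android&Cmd=Ping CORP\\asmith Android/2.1-EAS-1.3 200
2010-03-01 08:03:05 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=APPL123ABC&DeviceType=iPhone&Cmd=Ping CORP\\jdoe Apple-iPhone3C1/801.293 200
2010-03-01 08:04:22 GET /owa/ - CORP\\bjones Mozilla/5.0 200
2010-03-01 08:05:59 POST /Microsoft-Server-ActiveSync User=bjones&DeviceId=WM789GHI&DeviceType=PocketPC&Cmd=Sync CORP\\bjones MSFT-PPC/5.2.5000 200
"""
# Hypothetical policy inputs (steps 3 and 4): enrolled device IDs, user groups, allowed types.
ENROLLED = {"APPL123ABC", "WM789GHI"}
USER_GROUPS = {"jdoe": "sales", "asmith": "sales", "bjones": "info_worker"}
GROUP_POLICY = {"sales": {"iPhone", "Android"}, "info_worker": {"iPhone", "Android"}}


def inventory_devices(log_text):
    """Step 1: build {(user, device_id): info} from the ActiveSync requests in the log."""
    fields, devices = None, {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the W3C header line
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem", "").lower() != "/microsoft-server-activesync":
            continue  # OWA and other web traffic is not a device synchronising
        q = parse_qs(rec.get("cs-uri-query", ""))
        key = (q.get("User", ["?"])[0], q.get("DeviceId", ["?"])[0])
        info = devices.setdefault(key, {"type": q.get("DeviceType", ["?"])[0], "requests": 0})
        info["requests"] += 1
        info["last_seen"] = f"{rec['date']} {rec['time']}"
    return devices


def assess_devices(devices, enrolled=ENROLLED, user_groups=USER_GROUPS, policy=GROUP_POLICY):
    """Steps 3-4: what a gating filter should decide for each device seen."""
    decisions = {}
    for (user, dev_id), info in devices.items():
        allowed_types = policy.get(user_groups.get(user, ""), set())  # unknown group allows nothing
        if dev_id not in enrolled:
            decisions[(user, dev_id)] = ("deny", "management client not enrolled")
        elif info["type"] not in allowed_types:
            decisions[(user, dev_id)] = ("deny", f"{info['type']} not permitted for group")
        else:
            decisions[(user, dev_id)] = ("allow", "compliant")
    return decisions
```

Running `assess_devices(inventory_devices(SAMPLE_LOG))` yields one allow and two denies, one for a device without the management client and one for a device type the user's group is not permitted to use.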

Time to Embrace Mobile Devices

For IT professionals facing the onslaught of personal devices in the workplace, smartphones don't have to be viewed as a violation of corporate security policies. As the Forrester report cited earlier states, because the vast majority of employees are using personal devices at home, harnessing that trend and turning it to the advantage of your company makes sound business sense and will go a long way to keeping employees happy and productive.

Matt Carrier, mobility consultant at Sybase, acts as a technical consultant on the importance of management and security, and application enablement within the mobile enterprise. He has advised many Fortune 500 companies on best practices and security strategies for mobile implementations.