Balancing mobility with security is a fine art

One of the biggest issues IT managers face when rolling out mobile kit such as laptops and smartphones to employees is device management, with the main concern being data security if a device is lost or stolen.

They must somehow balance the business agility that these devices offer with the potential security risks that they can bring, especially if users have access to corporate databases or web portals.

Modern handheld devices now have enough storage for a considerable amount of potentially sensitive data. Most also have slots for removable storage such as Flash memory that can hold gigabytes’ worth of files. But while corporate laptops typically have password protection at the very least, few handheld devices have any kind of protection as standard.

Martin Cross, business development director for communications firm Connect Communications, said that smartphones in particular have made life difficult for the IT department. “Before, there wasn’t a lot of corporate data held on the phone, but now that you have got internet access and virtual private network connections back into the office, you have direct access to your email and corporate data, and losing that device could be disastrous,” he said.

This type of risk was cited as the largest barrier to enterprise mobility deployments in a recent report released by market research firm Datamonitor. Enterprise Mobility: Trend Analysis to 2012 highlights the problems IT managers face when dealing with advanced mobile devices, many of which are designed with the consumer in mind rather than for business use.

To give an idea of the scale of the problem, the report points out that global spending on mobile devices is expected to almost triple, from £3bn today to an estimated £8.6bn by 2012.

Datamonitor associate analyst Daniel Okubo, who wrote the report, said that there is a difference in approach between smaller firms and their larger corporate counterparts with regard to device security management. “Larger enterprises tend to want their IT departments to manage all security issues including mobile devices, and since they pretty much have the necessary resources, it makes more sense for them to purchase solutions from the various vendors with expertise in these fields,” said Okubu.

Conversely, a solution where the devices are managed by the carrier or a systems integrator may be the only viable option for smaller enterprises, he added.

Okubo believes the way ahead for large enterprises is to support only devices approved by the IT department, and blacklist all others. But he believes that IT managers should within reason support as wide a variety of devices as possible, so that employees have a choice. “There is more awareness about the value of smart devices, so IT managers need to get the right solution and the right policies in place,” Okubo said.

Cross, however, said large firms tend to adopt a less restrictive policy in order to gain a competitive edge. “The advantages this approach brings are very compelling for big corporations, because it can give them the kind of flexibility and agility that smaller firms have,” he said.

Corporate security policy will have to adapt to take account of this, he added, while firms will have to educate users on how they should use devices securely.

Another dilemma for IT managers comes with fixed-mobile convergence (FMC), where mobile phones can be used to replace desk phones while the user is on-site. Device management and security tools have yet to catch up with such developments, according to Cross.

“All sorts of things are becoming possible with these new devices, such as mobile email and mobile voice over IP [VoIP], and this means you have to extend your security policy across the whole range of different functions. At the moment, I don’t think anybody has the answers to all the questions FMC is posing,” he said.

Okubo said it is essential for IT departments to be able to lock, wipe and repair devices remotely, and that these management functions should be complemented by a strictly-enforced clear usage policy.

For example, he said, firms must not only make sure that users are prevented from downloading just any old application, but also that they know why they cannot do it.