Smartphones, tablets, social networks, and cloud services are all popular, incredibly useful -- and a security risk. These days, the security focus is on mobile devices, as they tend to be used a lot to work with corporate information, but the variety of platforms, the fact many are employee-owned, and uneven security capabilities all add up to a real -- sometimes impossible -- challenge to manage them in the same way as the corporate PC.
The issue is not so much hacking; outside of malware easily available in the Android Market, mobile devices are safer than PCs from hackers. Instead, the issue is inappropriate information usage, where employees inadvertently spill the beans about contacts, embarrass people, violate any number of privacy regulations, and neglect compliance obligations. Most people do it by mistake, while some people do it deliberately; what matters is that they do it.
That puts organizations in an uncomfortable position. Survey after survey shows that technologically empowered users are happier and more productive, so businesses want to tap into that benefit. But they also have to safeguard their secrets and comply with regulations. The good news is that although the methods and tools are still new, there are known, proven approaches to reducing those risks without disabling the benefit of consumerization.
For mobile devices, these tools fall into several broad categories: data loss prevention, mobile data management, and mobile application management. This guide walks you through each category and explains the key issues and providers.
Data loss prevention
Many organizations have already invested millions of dollars in data loss prevention (DLP) tools, which classify data access rights through text analysis and metatagging, then monitor information flow (such as contents in email) to look for problematic data types -- for example, Social Security numbers or files tagged as corporate secrets. DLP tools are usually set to alert IT or users to possible issues, but can also be programmed to block information first and ask questions later.
DLP tools require effort in creating the information policy rules (usually associated to user roles), then tagging information across the enterprise, and DLP requires shunting all information flow through DLP servers to ensure it is analyzed.
DLP tools are not new, but their use in mobile information flow is. There are several approaches to mobile DLP:
- Routing all mobile traffic through a corporate DLP server, as Symantec offers.
- Providing a mobile app for access to corporate information repositories such as SharePoint; that app honors the permissions set for files in those repositories. Zenprise offers such a tool for SharePoint, and of course many cloud storage providers (such as Accellion, Box.net, Dropbox, and YouSendIt) offer IT-manageable cloud storage services.
- Baking content management into apps themselves by adopting APIs from companies such as Good Technology, MobileIron, and SAP Sybase. A related technology area called mobile application management typically also reaches into content management.