"Mobile device integration policy will provide a framework for the whole IT environment to integrate mobile devices and extend its security"
Mobile Devices To Minimize Threat, Loss And Risk
It is imperative that all three aspects of security in the IT ecosystem, viz. People, Process and Technology, are addressed while securing information on mobile devices to minimise threat, loss and overall risk. Some of the controls that can help in building an enterprise-wide secure BYOD or mobile-device-integrated environment are as follows.
Technology
One must understand that there are basically three ways of managing data security with mobile devices: Containerization, Remote Access and the use of Information Rights Management (IRM). Most of the Mobile Device Management (MDM) solutions on the market today work on the concept of Containerization. The remote access solution is a fairly simple one but more expensive than MDMs, as it requires remote access capabilities to be deployed on mobile devices. The third is the use of Information Rights Management tools, which is a fairly new approach and an entirely different way of securing information. In IRM, the information, when created, has identified authentication, privilege access management, encryption and various other controls attached to it. IRM removes the dependency on the mobile device, its operating system, its security controls, etc.
Process
The most important success criterion for such a project is a strong BYOD/mobile device integration policy. The policy will not only help IT administrators and business users understand the need for security controls and their implementation, but also provide assurance to management and stakeholders. It will provide a framework for the whole IT environment to integrate mobile devices and extend its security around them. Additionally, the NDA must specifically mention the privilege granted to business users by extending information access to their devices, and strongly remind them of the responsibilities they hold in using that privilege.
People
Any program is incomplete and never successful without the buy-in of the business users. It is imperative that all users be made aware of acceptable usage and of their liabilities and responsibilities in protecting the organization's data when using mobile devices. A well-structured training and awareness program can be the starting point. Additionally, self-attestation, tests and awareness campaigns can help increase the effectiveness of the program. The helpdesk must support the queries and troubleshooting requirements of the business users.
Other aspects
The other aspect is the commercial management of mobile devices. The question is whether the device is co-shared, company-provided at a discount or user-owned. The most common challenge today is a user leaving the organization with information still on the mobile device. Finally, there is the question of how organizations control user-owned devices and still assure users of the privacy of their personal data.
Addressing all these aspects, and getting management oversight and adequate investment to implement these controls, shall be the first step towards securing the new wave of mobile devices.