The consumerization of IT has opened the floodgates to new smartphones, tablets and cloud services entering the workplace, a development with serious consequences for mobile data security and regulatory compliance.
Every new mobile device or cloud service that an employee buys or signs up for is another location where corporate data can live and potentially leak from. In no time at all, the number of such locations can go from manageable to unwieldy to unknown. Even if certain devices and services boast impressive mobile data security features -- and many do -- not knowing the location of sensitive data can be enough to trigger a compliance violation.
There is no shortage of management technologies available to address these situations. The key is choosing the right products and developing the proper policies to enable secure use of consumer technologies in the enterprise without detracting from their many benefits. Organizations often turn to device-focused strategies and legacy technologies, but a new breed of products and a different way of thinking may be required to strike the right balance.
Traditional approaches to mobile data security
Mobile device management (MDM) follows in the footsteps of IT's traditional approach to desktop management: secure, sometimes heavy-handed control over the entire endpoint. Even if there's only one corporate app on an employee's smartphone, that user must enter a passcode every time he accesses the device. If he leaves the phone in the back of a cab, IT will remotely wipe all of its data; not just the company's financials, but also photos of the employee's summer vacation.
While MDM offers some important features, its all-or-nothing approach isn't always the best fit in a world where employees use their devices for a mix of business and personal tasks. Plus, managing devices can get complicated, simply because of the sheer number of manufacturers and operating system vendors in the market today and the differences in what IT can and can't manage on each platform.
Desktop and application virtualization can also address the mobile data security and compliance concerns around consumerization. With these technologies, all corporate data and applications live securely in the data center and are merely streamed to end users' devices, so the organization always knows where its data is and that it's safe.
However, virtualization typically delivers Windows and Windows apps to mobile devices, and the experience of using this mouse-and-keyboard-based software on touchscreen devices is not ideal.
MAM and MIM focus on what really matters
The major benefit of mobile application management (MAM) and mobile information management (MIM) is that they allow IT to focus on what really matters: securing corporate data without having to worry about the full device. MAM lets administrators enforce policy on corporate data, either at the app level (via secure containers) or the OS level (via dual-persona technology).
For example, if an employee receives a message in his company's securely containerized email app, he may not be able to forward it to people outside the company, or he may be allowed to open attachments only in certain IT-approved apps. But he can still do whatever he wants with his personal email app, because IT has no control over that.
MAM products are on the market today, but for now at least, MIM is a more conceptual management technology. Its premise is to provide even more granular controls than MAM: applying policy directly to pieces of corporate data, controlling who can and can't open them and what they can and can't do with them.
Although the market is in its infancy, IT departments can take steps in MIM's direction today through the use of management technologies such as data encryption. Encryption can't control where a piece of data goes, but it can control who accesses the data wherever it ends up.
Policy ties it all together
Despite the promise of these emerging management technologies, no product alone will ever be enough to solve the mobile data security and compliance problems that consumerization raises. Consumerization tools have empowered the workforce, which can now create and collaborate on corporate documents without ever using company-approved software.
The only way to reduce the security and compliance risks caused by these mobile workflows is to educate employees and provide them the right tools so they won't feel as though they need to go rogue. Write clear policies that spell out what will happen if violations occur, and make sure to enforce them. Unenforced policies are worthless.
The right combination of technology and security policy will be different for every company. Some may have such strict data requirements that MDM and virtualization are the best choices, despite their drawbacks. Some may realize that a lot of their data just isn't that sensitive, and the locked-down approach they've taken in the past just isn't worth the trouble anymore. Others will fall somewhere in the middle. Where you end up doesn't really matter, as long as you meet the needs of both your organization and its end users.
This was first published in November 2013