The mobile apps that employees use to get work done can introduce malware and put corporate data at risk, but there are steps that IT shops can take to secure data without inhibiting workflows.
Malware has been around
The consumerization of the enterprise and bring your own device (BYOD) trends have changed users' expectations for how and when they can get work done. The reaction to malware and data security risks in some IT shops might be to completely lock down the network from interacting with unauthorized devices, but that's not always practical. A better approach to protecting corporate data and infrastructure takes more management and less dictation.
Here are three keys to successful mobile app approval in today's user-driven, BYOD-centric workplace:
IT's most important concern should still be the risk that mobile device and application use pose to sensitive enterprise data. First, define what information is sensitive, who can access it under what circumstances and what to do in the event of a security breach. Specify these terms in a written security policy, then distribute and explain it to the people who need to know about it. Regularly reinforce the policy, and train or educate workers to help create a culture of security. Workers who are aware of the consequences of their habits might think twice about whether a given action, such as downloading a particular app, is acceptable or allowed.
There's no substitute for hands-on application testing and experience, but popular apps such as Dropbox have published reviews and many users have direct experience with the apps. Administrators should look into the reviews, talk to users about their experiences with particular apps and test the apps themselves when possible. With these reviews and local security policies in mind, IT can make a decision about banning or allowing an app. One thing that complicates app approval is that new releases appear frequently and without advance announcement. Admins will need to perform continual due diligence to make sure updated apps still follow the company's security policies.
One of the best ways to approve apps for employees' use and still guard against potential malware is to use mobile application management (MAM) tools that have two key elements: secure containers and a whitelist/blacklist function.
Containerization -- sometimes called sandboxing -- gives IT control of sensitive information because it restricts the way workers can interact with applications. Secure containers can block actions such as copying and pasting data into certain applications. They can also keep corporate data separate from users' personal data, which lets IT wipe the corporate container without affecting workers' personal data. Sandboxing also limits the ways applications can interact with one another and with a device's operating system, which can keep applications with advanced permissions from accessing corporate data stored elsewhere on the device.
Whitelisting specifies the set of IT-verified applications that users may run, and blacklisting explicitly prevents workers from using applications that IT deems unacceptable. If admins have any doubts about the reliability of a given app, then that app should be blacklisted. The number of apps on the whitelist should be as small as is practical. This minimizes the possibility of security breaches and keeps the number of apps that IT has to keep track of manageable.
Good security establishes a balance between protecting information and enhancing the productivity of those using it. Ham-fisted approaches like device wiping are becoming obsolete, but with the right tools, security and approval policies can be very effective for app control.
This was first published in January 2014