Ask The Experts: Mobile Security For The Enterprise

Advertorial: TechWeekEurope is launching a new article series: Ask The Experts. In this series, engineers and developers answer questions asked by members of the TechClub, a free community for our readers.

For the first edition, we invited IBM staff to tell us about the challenges of managing mobile devices in business – and in particular, mobile security.

Trust versus security

Vendors offer a confusing variety of options for securing mobile data, including remote wipe, lock, and encryption. How do we choose or combine these approaches for best effect?

(Security manager in a financial company)

There is no right or wrong answer here.It depends on the use cases within an organisation, its attitudes to risk and its legal and regulatory responsibilities. In Financial Services there are strict legal obligations around data protection and as a result this industry has a low tolerance to risk, and this will drive the decision making process. As a starting point I would suggest any organisation asks the following questions when designing a mobile security strategy:

• Endpoint security: what do I need to be able to do to an endpoint device once it’s registered for use in this organisation?
• Access & Authority: what is the appropriate standard and method for identifying and authorising users of mobile devices?
• Data security:
  • Access to core data: are existing standards/restrictions appropriate for mobile use and how are they to be applied?
  • Data in transit: what is the best mechanism for ensuring that data is secure as it moves between my backend systems and the endpoint device?
  • Data at rest: when data is stored on the endpoint device what security and restrictions are required?
  • Other: what other requirements must be met – for example voice recording, enablement of personally owned devices, etc?

Alongside these considerations one must pay careful attention to usability; the benchmark has been set high by the best of the consumer devices and apps on the market today and as a result tolerance for poor design, complex interactions, and overly restrictive management/security is low. Whilst employees may have to use the device and apps as part of their role they will work harder to find ways around restrictions. Organisations will not see the expected productivity improvements if usability is ignored.

So focus on what is actually required to protect your organisation’s data and systems and meet imposed obligations and select an approach that satisfies these whilst also delivering on usability. Look carefully at the app-based approach to security alongside traditional device management, and consider a layered approach. Above all though, remember that this is an area where it’s about new working practices as well as technology so involve end users, educate them on their responsibilities and on the restrictions and ‘sanctions’retained by the organisation and perhaps engage with a supplier/partner who has done this before. I know IBM would be pleased to help…

Answer provided by Simon Gale, CTO workplace services UKI IBM. Look out for the second part of our advertorial series ‘Ask the Experts’ next Monday!

What do you know about enterprise mobility? Visit the IBM MobileFirst resource page!