“You’ve gone BYOD, now what? I’ll tell you what, you get nuked on security, that’s what.” - Patrick Lujan
According to a recent survey conducted by Apperian Inc., over 65% of respondents used mobile apps in the enterprise, with 35% saying they had developed between 1 and 3 in-house and a significant 51% saying all of theirs were third-party apps. With, on average, half of employees using two or more mobile devices, there is a massive corporate data security risk without tight control and effective policies in place to monitor and control access to all these apps.
Massive risk
Apple proved that the App Store, as a mechanism for the distribution of a wide range of business and consumer applications, was the de facto standard for mobility. Then along came the BYOD movement, part of what Forrester called the ‘consumerization of IT’, a trend that allowed employees to use their own personal gadgets in the corporate environment, effectively blurring the lines between personal and professional use of their own equipment.
But the BYOD revolution also led to corporate information security headaches, as personal devices were more likely to be lost or stolen without effective, IT-compliant password policies in place to secure the contents within.
How can a business protect and manage its corporate data on employee-owned assets?
The MDM answer
In the early days of smart-phone expansion beyond the Blackberry, vendors tried to implement the “BES” (Blackberry Enterprise Server) security approach to smart-phones. The issue with this approach was, 1) there were already apps running on BB’s other than email-contacts-calendar, and, 2) individuals owned the smart-phones while companies owned the BB’s. Applying the BES approach to this smart-phone evolution was flawed from the start.
More granular security and more seamless control was what was really needed in this new world of business apps and environments, where corporate and personal apps and data are mixed. This need gave birth to Mobile Device Management (MDM). Early players looked to leverage the access controls that the phone and OS provider enabled via a defined MDM protocol. However, companies were (and still are) governed by what vendors make available to them, and vendors don’t necessarily look at business requirements first.
As a result, MDM vendors whipped up enterprise solutions that allowed IT to create and control mobile device policies to ensure device compliance. This allowed IT to support and manage devices within the IT infrastructure, log and track devices through IT asset inventory, and also secure the corporate information held within smartphones. For most, this was all that was available and as far as that approach would take them.
But MDM doesn’t take into account how an enterprise should handle the development and deployment, management and maintenance of in-house and third-party apps, and the information held within them, sitting on employee-owned tech.
Manage the information, not the device
MDM solutions do not take into account security and deployment considerations at the application level, and this has brought about the need for an app-centric (vs. device-centric) approach to managing access to and distribution of approved apps. It has also given rise to the growing trend known as Mobile Application Management (MAM).
Until recently, the primary method available through MDM for securing the contents of a mobile device was to focus only on the device as a whole. MDM vendors work within the confines of what the device and/or operating system makes available. In practical terms, this permits IT organizations to lock down or wipe the entire contents of a device – whether intentionally, as after a device theft, or accidentally, during routine system maintenance. It’s essentially an all-or-nothing approach to securing the mobile device: the device and all of its contents are either under IT control or they are not. For company-owned mobile devices this may not be an issue for users, since they are technically using corporate assets; in BYOD settings, however, it has set off an undeniable backlash from users.
The second significant challenge emerging as demand for mobile apps and content in the enterprise increases is the need to manage the full lifecycle of apps. Years ago, IT organizations and software vendors realized the value of having system management frameworks to help manage software versions, desktop images and more. What the industry has lacked is a systematic and purpose-built approach to managing mobile apps. This problem cannot simply be seen as an extension of desktop computing. Mobile apps run on vastly different cycles. There are incalculable combinations of devices, mobile OS versions, and app versions at any one point in time. And unlike the old days when IT was in control, the users themselves are often in control of when new devices or software updates come online. Imagine the nightmare for today’s CIO, who is expected not only to secure this world but also to embrace it, without control over the underlying asset!
Yes, MAM
These two major streams of demand have driven innovation in the mobile industry and led to the emergence of platforms purpose-built for mobile application management: platforms that place their primary focus on the apps themselves – securing, managing, onboarding and retiring them. For examples, check out Apperian, App47 or TIBCO Silver.
MAM lets IT manage internal development, distribution, and control of in-house and third-party mobile applications within the corporate infrastructure, creating an effective solution to support and deliver apps to consumer and enterprise mobile devices.
- It gives CIOs the ability to develop, test, and deploy their own enterprise apps as well as third-party consumer-based apps.
- It gives employees a mechanism (similar to the Apple App Store) for downloading and using mobile apps that have been approved for use and provisioned by IT policy.
- It gives control back to IT, which can manage access to the apps depending on a number of factors such as an employee’s job role or profile.
There are many questions to ask when considering implementing an enterprise-wide mobile strategy and allowing employees to bring personal devices into the workplace, and how you weigh the importance of device security, corporate data protection and application development will drive the choices you make.
But the one burning question that overarches them all is: are you looking to manage just the device, or everything on it?
This article first appeared on TechRepublic and has been edited for SuccessfulWorkplace.
Theo,
Great article as usual. The underlying question that seems to be entirely ignored is why in the world are we still deploying client resident enterprise applications in 2013? Seriously, all of the issues you’ve just identified, along with version control are exacerbated by creating an ‘app’.
Personal computing where a network connection isn’t essential; app away. Fruit Ninja and Angry Birds all you want. Enterprise applications should be web based so that the only security risk IT has to worry about is access control to the applications in the first place.
Let me know what I’m not seeing. What functionality is required that can only exist in a client/server environment? I can’t think of any but there must be a huge list that perpetuates the development of client based apps. The list better be of unfathomable value to open and expose enterprise data to such a security threat.
Steve
Steve,
In regards to web-only access to data, I think you are missing the point. When data is locally stored on a device, a user does not need to rely on network connectivity. A good example would be email. The PDA needs to connect to a server for the latest messages; however, it does not need to be connected to read a message or create a reply, only to deliver a reply. The same is true for calendar, contacts, and to-dos.
I do see your point that if the user only requires live access to data, then a web application can serve the purpose; however, if the user requires access to data offline, then a web application will not meet their needs.
As for security, the application deployed should be built with security and the ability to be remotely wiped by an administrator of the system.
Lance
This challenge started when we first initiated outside access to mainframes. When PCs became the rage there was always someone who NEEDED a Mac. No real justification, but the boss was convinced. I was lucky: I told my CEO what the risks were, how I was unable to support one or two Mac users, and that was that. I have been following that approach for years and haven’t seen a single employee quit because he/she couldn’t have their preferred device. The stakes are so much higher now that companies like Boeing, for example, just say no. The alleged upside of BYOD is negligible compared to the risk. I dare say that the argument is far more about accommodation than about business value.