As BYOD moves out of basic email access, IT seeks control over apps and data on users' devices. What can IT actually get? Smartphones, tablets, social networks, and cloud services are all popular, incredibly useful — and a security risk. These days, the security focus is on mobile devices, as they tend to be used a lot to work with corporate information, but the variety of platforms, the fact many are employee-owned, and uneven security capabilities all add up to a real — sometimes impossible — challenge to manage them in the same way as the corporate PC. The issue is not so much hacking; outside of malware easily available in the Android Market, mobile devices are safer than PCs from hackers. Instead, the issue is inappropriate information usage, where employees inadvertently spill the beans about contacts, embarrass people, violate any number of privacy regulations, and neglect compliance obligations. Most people do it by mistake, while some people do it deliberately; what matters is that they do it. That puts organizations in an uncomfortable position. Survey after survey shows that technologically empowered users are happier and more productive, so businesses want to tap into that benefit. But they also have to safeguard their secrets and comply with regulations. The good news is that although the methods and tools are still new, there are known, proven approaches to reducing those risks without disabling the benefit of consumerization. For mobile devices, these tools fall into several broad categories: data loss prevention, mobile data management, and mobile application management. This guide walks you through each category and explains the key issues and providers. 
Data loss prevention

Many organizations have already invested millions of dollars in data loss prevention (DLP) tools, which classify data access rights through text analysis and metatagging, then monitor information flow (such as contents in email) to look for problematic data types — for example, Social Security numbers or files tagged as corporate secrets. DLP tools are usually set to alert IT or users to possible issues, but can also be programmed to block information first and ask questions later. DLP tools require effort: creating the information policy rules (usually associated with user roles), tagging information across the enterprise, and shunting all information flow through DLP servers to ensure it is analyzed. DLP tools are not new, but their use in mobile information flow is. There are several approaches to mobile DLP:

Routing all mobile traffic through a corporate DLP server, as Symantec offers.
Providing a mobile app for access to corporate information repositories such as SharePoint; that app honors the permissions set for files in those repositories. Zenprise offers such a tool for SharePoint, and of course many cloud storage providers (such as Accellion, Box.net, Dropbox, and YouSendIt) offer IT-manageable cloud storage services.
Baking content management into apps themselves by adopting APIs from companies such as Good Technology, MobileIron, and SAP Sybase.

A related technology area called mobile application management typically also reaches into content management.

Mobile device management

If 2010 was the year that the bring-your-own-device (BYOD) phenomenon became legitimate, 2011 was the year that mobile device management (MDM) tools were accepted as a way to allow safe BYOD. It’s no surprise that dozens of vendors now offer MDM tools. Today, MDM tools are deployed in financial services, defense, government, and medical environments — the very industries most concerned about information security.
But MDM is not new; enterprises have been using it for years in the form of the BlackBerry Enterprise Server (BES) to manage the access rights and device permissions of BlackBerry messaging devices. Microsoft Exchange, the most-used email server, also supports a modest set of policies through its Exchange ActiveSync (EAS) protocol. EAS policies can require a device be encrypted, have a complex password, or disable its camera. IT manages those policies in Exchange or the corporate version of Google Apps; the same capabilities will soon be available in Microsoft’s System Center 2012. That email server ties into a corporate identity server (usually Microsoft’s Active Directory) to determine which policies apply to which user. If a device doesn’t comply with the rules associated with its user, that device is denied some or all access. These servers also let IT remotely lock or wipe the contents of a lost or stolen device. Apple’s iOS, the defunct Windows Mobile, some versions of Google’s Android, and some versions of Nokia’s defunct Symbian mobile platforms support a substantial number of EAS policies, as does Microsoft’s Outlook email client for Windows PCs and Macs and Apple’s Mail client for Mac OS X. By contrast, Microsoft’s new Windows Phone 7, some versions of Google’s Android, and Hewlett-Packard’s defunct WebOS mobile platforms support a very limited set of EAS policies. (Research in Motion’s BlackBerry devices work with the BES product and, via connectors, to a lesser extent with Microsoft Exchange and Google Apps.) Most MDM vendors’ products go beyond what Exchange and other email servers provide, adding access to non-EAS policies that a mobile operating system might support. For example, Apple’s iOS 5 has a policy that lets IT disable its iCloud file-syncing service. Some MDM vendors go further than exploiting the extra policies in the various mobile platforms; for example, they can detect a modified (“jailbroken”) version of the operating system.
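As an added example that is not part of the original article, the following Exchange 2010 management shell session expresses the EAS policies described above (required encryption, complex password, camera disabled), assigns them per user, checks which devices actually applied the policy, and issues a remote wipe. The policy name, group name, mailbox and device identifier are constructed placeholders; the cmdlets and parameters are Exchange 2010's own.

```powershell
# Added example, not from the article. Policy, group, mailbox and device values are
# constructed placeholders; replace them with your organization's own.

# 1. Create an EAS policy that requires device encryption and a complex password and
#    disables the camera. AllowNonProvisionableDevices $false refuses devices that cannot
#    apply the policy at all, which is how non-compliant devices end up denied access.
New-ActiveSyncMailboxPolicy -Name "BYOD-Standard" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -RequireDeviceEncryption $true `
    -AllowCamera $false

# 2. Policies apply per user: Exchange resolves the user in Active Directory. Assign the
#    policy to every member of a (constructed) AD group rather than to individual users.
Get-DistributionGroupMember -Identity "BYOD-Users" | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "BYOD-Standard"
}

# 3. Verify enforcement. DevicePolicyApplicationStatus shows whether the device has
#    acknowledged the policy; a device that never applied it is the one the server will deny.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync, Identity

# 4. Remote wipe of a lost or stolen device, using the Identity value from step 3, and
#    notify the mailbox owner. (Exchange 2013 and later use Clear-MobileDevice instead.)
Clear-ActiveSyncDevice -Identity "<device-identity-from-step-3>" `
    -NotificationEmailAddresses "jdoe@example.com"
```

Devices that support only a subset of EAS policies (the article names Windows Phone 7 and WebOS) report as non-provisionable under this policy, so keep AllowNonProvisionableDevices $false only if the business is willing to exclude them.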
To do so, users run the vendor’s mobile app and the applications within it. Anything in that app “container” can have all of that MDM vendor’s special policies applied, giving IT a safe zone on a user’s device. (These apps can be set to not share information outside the safe zone, essentially separating the corporate information from the rest of the device.) Some MDM vendors also provide capabilities to enable help desk support for mobile users and to control telecom spend, such as alerting employees when they are roaming internationally. The challenge for MDM vendors and IT alike is that because different mobile platforms have different capabilities, it’s impossible to have a uniform management approach to all devices. The MDM vendors handle the hard work of keeping up with all the platforms’ capabilities as they change, but IT still has to face the reality that it may need to be somewhat flexible in its policy requirements to support at least the most popular business-class devices. There’s a wrinkle that comes with supporting iOS devices: Apple requires businesses to get their own Apple Push Notification Service (APNS) credential from Apple to enable MDM management; this certificate gives the MDM tool permission to access iOS devices through Apple’s notification servers on your behalf. A related approach is to use network access controllers to detect mobile access and apply user policies to that access; for example, F5 Networks has partnered with several MDM firms (AirWatch, MobileIron, SilverbackMDM, and Zenprise) to let their respective management tools work together. Aruba Networks plans a March launch of a mobile device-savvy network-controller-based access manager that monitors device access and can apply policies to it.
Mobile application management

The least established area for controlling mobile information access is mobile application management (MAM), which currently encompasses several types of services:

App distribution, such as through corporate app stores. These typically focus on managing distribution of and permission for homegrown Web and native apps, but can also provide users links to recommended apps in public app stores. Some can also manage native iOS apps created by the business for internal use.
Secure app development, to add security and permissions control for homegrown apps’ content and access to corporate network resources. There’s typically a management console allowing IT to act on those embedded controls.
App content management, such as restricting apps’ abilities to share authorized content with other apps. These too are focused on homegrown apps, though in some cases they can also be used by commercial app developers in conjunction with a management tool. Two vendors in this category, Mocana and Nukona, take an unusual approach of wrapping permissions around apps, rather than requiring the apps’ internal code to implement policies — it’s sort of a DLP wrapper. The other providers rely on policies being specified within the apps’ code.
Secure app containers, which create a separate partition, app container, or virtual machine to segregate at least some corporate apps and data from personal apps and data. This approach allows freer use of content across apps in a container than techniques that secure data within just specific apps. This approach differs from the use of virtual desktop infrastructure (VDI) to present a remote application in a window; such applications (Citrix Receiver and VMware View are examples) have little to no access to information or capabilities on the mobile device itself, beyond keyboard and emulated mouse access.
A related approach is to create separate partitions on the mobile device — one for personal apps and data, and the other for IT-managed business apps and data. The difficulty in current MAM approaches is that they’re usually application-specific. That favors their use for apps developed in-house, but a variety of vendors are working with commercial developers to embed their technology. Over time we may see more user-installed apps supporting such app and content management capabilities, for access via an MDM or other tool the business has in place or can connect to. But commercial developers still need to pick one API and thus one vendor, or use multiple APIs in their apps, with the complexity that brings. What’s really needed, of course, is a common set of content management APIs that all apps can use with any management tool — analogous to the all-but-standard Microsoft EAS protocol in device management today. As in the case of EAS, vendors could augment the core policies with enhancements for specialty application needs, and commercial developers could decide when to use these extended capabilities, such as to reach high-security markets.

This story, “Making sense of mobile device, app, and information management,” was originally published at InfoWorld.com.