Technology adoption cycles are fairly consistent in today’s fast-paced, knowledge-driven business environment. Government agencies and companies initially acquire technologies because of the benefits they deliver and only later begin to understand the real burdens of ownership. This scenario is being played out once again in the mobile arena.
The widespread adoption of mobile devices as enterprise-level tools is occurring as compliance is becoming an ever-increasing concern. Many compliance and regulatory drivers, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Protection Act (PIPA), govern personal data privacy and require governments, agencies and sometimes industry groups to protect and secure customer information and manage access to confidential data.
For many government IT groups, it’s common to perceive controls used to comply with these laws as applying only to traditional assets including servers, desktops, firewalls, routers, and even the data centre itself. What then happens with mobile devices, which are increasingly becoming the equivalent of PCs in the amount of sensitive data they hold and the degree of network access they offer, yet are rarely on the risk and compliance radar of IT?
Mobile devices are an enterprise-level asset and tool. They require an enterprise-level solution, such as a mobile device management (MDM) solution, designed to address the fundamental management issues of exerting control, while offering broad functionality to govern and secure the platform. Traditionally, IT tends to home in on server components, but that approach doesn’t fit in an ecosystem that extends to third parties such as the device manufacturers, cellular network carriers and device users. Further complicating an organization’s compliance posture, these devices are by design beyond the on-demand physical control and access of the IT group.
Management and security advice
The benefits of mobile access are compelling, but the increasing sophistication of devices – and their potential vulnerabilities – is putting pressure on IT organizations. There are 10 best practices that every government IT department should follow to mitigate the risks and costs associated with the growth and management of mobile devices:
1. Own every device
Whether issued to employees or employee-owned, each mobile device within an organization stores sensitive information that can put an organization at great risk if not controlled. Proactively take ownership and manage data, such as customer contact information and e-mails with proprietary and confidential data, just as you would with servers, desktops and laptops.
2. Secure your assets
Accurate, complete and up-to-date ownership information is the foundation of an MDM strategy. As mobile devices provide immediate access to the web, social media tools and e-mail, it’s essential to be informed of which software versions and updates employees are running. It is only a matter of time before IT audits will include an organization’s mobile devices.
3. Build trust with employee self-management
As critical and sensitive information travels within an organization, an environment of trust with device users must be maintained and strengthened. A management model that requires the IT administrator to control the system will not scale; instead, device users must be engaged and empowered to perform certain self-management tasks. To reduce administrator and help-desk workloads, offload less critical issues to the device user in a secure and sensible way. Users are likely to be more satisfied if they are allowed to solve some of their own issues, rather than having to always wait for the help desk.
4. Prepare a verification policy
The ability for key employees to walk around with their “office on their hip” provides powerful privileges. Unfortunately, for a significant amount of time these devices and the data stored on them are beyond an organization’s immediate control. Small, cool devices are easily lost or stolen, so it is essential to be prepared for these situations. The mere existence of a password policy is not enough. Whether there is only one policy or several managing password strength and expiration timelines, an enforcement mechanism is needed. For example, IT organizations need tools not only to initially apply password policies to devices, but also to periodically monitor them for compliance and automatically implement proper policies, including termination of any devices that are out of compliance.
5. Prepare a loss-event action plan
Murphy’s Law stipulates a mobile device is most likely to be lost at 2 a.m. by the user with access to the most sensitive data. Similar to a verification policy, an action plan for managing data stored on a lost or stolen device is needed. This might include remotely locking devices or performing a complete data wipe; organizations must be armed with the tools and resources to complete this operation at all times. It is imperative for authorized IT staff to have the ability to execute over-the-air (OTA) commands to any device from any available browser.
6. Plan for lifecycle events
Managing non-compliance is important, but mobile devices travelling from employee to employee should also be managed through an automated lifecycle system. A mobile device once used by a senior manager should not end up in the hands of a new hire without verifying it has been completely purged. Whether putting a device into available inventory or ensuring a privately owned device is cleansed and returned to its original state, these actions should not be left to manual interventions. IT organizations must implement a solution that can connect several OTA commands as part of a business process that automatically launches when these events occur.
7. Develop strong configurations aligned with an organization’s needs
Mobile devices should be configured to ensure they are used in accordance with the organization’s policies. For example, public servants with access to confidential financial data might need to be prohibited from sending e-mails with a blind-copied recipient. This configuration restriction may be necessary to ensure compliance with privacy policies or legislation. Or, to avoid costly bills, it may be necessary to disable voice calling for users who are given devices for data access but are not signed up for a voice plan. As evaluating and building configuration settings that meet an organization’s needs is an ongoing task, a robust MDM tool will prove valuable. Management systems can free IT administrators from dealing with typical and predictable issues and allow them to focus their time on more valuable strategic tasks.
8. Integrate with authoritative sources to manage change
Because configuration settings are generally contingent upon user profile or rights, the management of mobile devices can often be optimized through integration with an organization’s identity and access management (IAM) system directory. This is useful not only for the original provisioning of a device but also for dealing with the changes that inevitably occur, such as employee promotions and transfers, or when changes in the organization require many users to be granted new rights or have existing ones withdrawn. Government IT departments need an MDM tool that immediately recognizes rele