Ten essential elements in an enterprise mobile security strategy



Leverage best practices to protect sensitive business information while maintaining productivity anywhere, anytime.

[51CTO Translation] Mobile technology and bring your own device (BYOD) are revolutionizing the way people do their daily work and the way organizations provide technology to their employees. Mobile technology is more than remote access, and mobile devices are far more versatile than single-purpose tools with limited uses. The ability of laptops, smartphones and tablets to access, store and transfer applications and data can play a role in almost any kind of business transaction. To unlock the full potential of enterprise mobility, IT departments need to give employees the freedom to access applications and data seamlessly from any device.

Mobile devices also need to be supported by the right security management solutions to ensure that when employees work with business information in various locations and using untrusted networks, the enterprise is still able to curb the security risks of potential data loss or leakage. IT departments must vigorously maintain compliance requirements and protect sensitive information stored in any way and anywhere. Emerging mobile trends from wearable technology to the Internet of Things have also become new factors that need to be carefully considered. Today, developing a truly comprehensive and security-conscious mobile strategy has become a top priority for every enterprise organization.

This article proposes ten key points covering the areas that need to be considered when developing an enterprise mobile strategy, including security, user experience, IT operations, and BYOD. As a leader in the field of mobile work, Citrix provides complete solutions for securing enterprise mobility, including mobile device management (MDM), application and desktop virtualization, and end-to-end security from the data center to the device. These guidelines combine best practices and supporting technologies to help enterprises realize the full potential of mobile technology.

1. Manage and protect key factors

When people access data and applications from multiple devices—including personal smartphones and tablets—it becomes increasingly difficult for IT to control and manage every aspect of the environment. Instead, focus on the factors that matter most to your business and choose the mobile management model that best fits your business and its mobile use cases. There are four main models to choose from, and you may adopt one or several of them.

Mobile Device Management (MDM) - MDM allows you to manage and control mobile devices used to access business resources. Before a device - whether corporate or employee owned - accesses the corporate network, you can verify that it is not jailbroken or otherwise in violation of security regulations. Encryption, remote lock and content wipe, mobile VPN, application blacklisting, and the ability to disable selected native device features provide a high level of security protection.

Mobile hypervisors and container technology - Especially when supporting BYOD, this model allows you to manage applications, data, policies and settings in a container environment on the device without touching the employee's personal content. In effect, this technology splits a single mobile device into two isolated virtual devices: one for work and one for personal life.

Mobile Application Management (MAM) - As a solution built on containerization, MAM allows you to centrally manage and control the security of various mobile applications, including the data and settings associated with them as part of the container. Application-level management policies can include authentication, network, location, passwords, and encryption.

Application and desktop virtualization – Existing virtualization security mechanisms also work for mobile use cases. Enterprise applications can be optimized for mobile devices and delivered on demand, while data is fully protected in the data center environment.

2. “User experience” comes first

Mobile devices are the main driving force behind the consumerization trend in the enterprise, and they also let users work with applications and information in new and more powerful ways in their personal lives. This puts more pressure on IT departments to provide employees with a user experience comparable to what consumer technology vendors deliver. Practitioners should find opportunities to talk with users face to face about their actual needs and preferences, so that the mobile strategy truly meets their wishes and expectations.

While striving to provide an excellent user experience, also look for ways to exceed users' expectations and give them solutions of a practicality they have not seen before. For example:

• Allow users to access applications and data on any device they use, and work with their personalized settings so they can work efficiently in the way they are most familiar.

• Allow users to use self-service provisioning solutions through enterprise application stores with single sign-on mechanisms for any application they need - including hosted, mobile or SaaS applications.

• Provide shared thin clients or other enterprise-class devices so that users can quickly and easily switch to them if they find that their consumer-grade devices cannot run certain applications because of security requirements.

• Use automated controls to enable data sharing and management, for example by ensuring that users can copy data between applications without having to remember specific management policies.

• Define allowed device functions on a per-application basis, so that users can keep using functions such as printing, taking photos, and local data storage even when IT has to disable them for certain applications.

• Simplify the operational processes that users need to perform to share and synchronize files between different devices as much as possible, and also enable file sharing with external communication partners by sending links.

By developing your mobile strategy with the collaboration needs of your users in mind, you can meet their needs while also gaining valuable security opportunities: users come to understand IT's own management requirements and to meet compliance regulations, such as protecting applications and data, controlling network access and managing devices appropriately.


3. Avoid sidestepping

Sidestepping is arguably the biggest challenge facing enterprise mobility: a BYOD user on a consumer device that may hold sensitive corporate data connects directly to the cloud. Sidestepping completely bypasses the controls and visibility that IT has put in place, and it is frighteningly common in today's enterprise. Of course, we understand why users do this. Cloud applications save employees time, greatly simplify their work, and can deliver real benefits to the company. The core of the problem is that when cloud applications intersect with sensitive corporate data in the wrong way, security and compliance requirements suddenly become a dead letter.

IT policies and user training are about the only measures available against sidestepping at this point, and they only go so far: if IT simply prohibits the practice while employees regard it as necessary to get their jobs done, sidestepping will never fully disappear and IT may never even notice it. IT therefore needs to secure users' cooperation, especially in critical areas involving sensitive data and applications. The best incentive is to provide a good user experience and meet employee needs by design, out-competing the unsanctioned alternatives.

4. Focus on your service delivery strategy

Mobile users often rely on a variety of different types of applications at the same time - in addition to customized mobile applications, they also include third-party native mobile applications, mobile Windows applications, and SaaS solutions, etc. When developing your own mobile strategy, you should consider how to integrate the different applications used by employees and departments in the enterprise and design a reasonable mobile device access mechanism.

Users generally use mobile devices to access applications in four ways:

Native device experience - In this case, the user's device is completely unmanaged. People buy their own apps, freely mix personal data with business information, and work from any network. Like the sidestepping scenario above, this approach is extremely risky and insecure, and should be kept entirely away from activities involving sensitive data.

Virtualized access experience - Virtualized applications and data, including virtual desktops where necessary, are hosted in the data center and presented through a remote display protocol. IT can manage access so that employees run Windows applications on mobile platforms in a highly secure manner. Data never leaves the control of the data center, which greatly reduces the data protection burden on the device itself. However, this method depends heavily on network connectivity, so offline use is limited.

Containerized experience - The enterprise creates a container environment on the device for all enterprise mobile applications, including custom and third-party native mobile applications, with each application in its own isolated container. IT manages the applications and data that enter the container while allowing users to provision their own applications through the enterprise application store. Applications can be updated, configured and modified automatically under IT management policies. Network settings such as SSL, encryption and application-specific VPNs can also be built into the container environment, so that employees connect over the right network with less effort. If the device is lost or stolen, needs to be upgraded, or the employee leaves, the container can be wiped remotely.

Fully managed enterprise experience - This approach uses embedded management policies to fully control mobile devices, including remote data wipe, geo-location restrictions, data expiration, and other security measures. All mobile applications are carefully screened and configured by the IT department, and there is no room for personalization. Although this solution has the best security effect and is particularly suitable for some organizations and use cases, it will seriously affect the user experience and is not compatible with BYOD scenarios.

For most companies, combining virtualized access with a containerized experience is sufficient to support all the applications and use cases that employees need for their daily work. This also enables IT departments to provide an ideal user experience while maintaining their ability to monitor and control the business environment. Users can access hosted applications and native mobile applications - as well as SaaS applications such as Salesforce and NetSuite - through a unified enterprise single sign-on. When an employee leaves the company, IT departments can immediately disable all of the employee's accounts and remove their access to any native mobile, hosted and SaaS applications through mobile devices.

5. Achieve the desired goals in an automated way

Automation not only reduces the burden of daily IT work but also helps deliver a better user experience. Consider how automation can address everyday mobile needs:

• An employee replaces a lost device or purchases a new device for an upgrade. With a single click of a URL, all of the employee’s business applications and work information are synced directly to the new device—fully configured and personalized—and ready for work. New employees or contractors can enjoy the same convenience, with all enterprise mobile apps deployed to a container environment on any personal or corporate-owned device. Single sign-on (SSO) enables seamless access to hosted and SaaS applications.

• When an employee moves from one location to another, or from one network to another, stateful adaptive access control automatically reconfigures the application to maintain the required security level—and the whole process is transparent to the user.

• Board members bring their own tablets to meetings. All meeting-related documents are automatically loaded onto the device, with read-only access control based on the configuration selected by IT, and limited containerized applications are provided as needed. When the user leaves the meeting room, all information on the device, especially sensitive documents, is automatically cleared.

• When an employee changes his or her position in the enterprise, applications related to the new job will be automatically deployed, and applications that are no longer relevant will be immediately removed. Third-party SaaS licenses will also be promptly recovered and reallocated.

One way to achieve this type of automated control is to use Active Directory. First, match specific roles to corresponding containers. Any employee defined as that role will automatically get the container and all the applications, data, settings, and permissions. On the device side, you can use MDM to centrally set up WiFi PINs and passwords, user certificates, two-factor authentication, and other elements to support the above automation processes.
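The role-to-container reconciliation described above, as an added example that is not part of the original article or any Citrix product: directory roles (for instance Active Directory group names) map to containers of apps, and `reconcile` turns a user's current deployment plus their new roles into deploy, remove and wipe actions while reclaiming per-seat SaaS licences. All role, container, app names and seat counts are constructed sample data, and a user holding several roles gets the union of their containers.

```python
"""Role-driven container provisioning (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set

# role -> container -> apps (constructed sample mapping, not a real directory)
ROLE_CONTAINERS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "Sales":   {"sales-ctr":   frozenset({"crm", "mail", "docs"})},
    "Finance": {"finance-ctr": frozenset({"erp", "mail", "docs"})},
    "Exec":    {"exec-ctr":    frozenset({"boardroom", "mail"})},
}
SAAS_APPS = {"crm", "erp"}  # per-seat licences that must be reclaimed


@dataclass
class Plan:
    deploy: Dict[str, Set[str]] = field(default_factory=dict)  # container -> apps
    remove: Dict[str, Set[str]] = field(default_factory=dict)  # container -> apps
    wipe: Set[str] = field(default_factory=set)                 # whole containers
    licences_released: Set[str] = field(default_factory=set)
    licences_taken: Set[str] = field(default_factory=set)
    blocked: Set[str] = field(default_factory=set)              # no seat available


def desired_state(roles: Iterable[str]) -> Dict[str, Set[str]]:
    """Union of containers and apps across every role the user holds."""
    desired: Dict[str, Set[str]] = {}
    for role in roles:
        for ctr, apps in ROLE_CONTAINERS.get(role, {}).items():
            desired.setdefault(ctr, set()).update(apps)
    return desired


def reconcile(current: Dict[str, Set[str]], roles: Iterable[str],
              seats: Dict[str, int]) -> Plan:
    """Diff the current deployment against the desired one.

    `seats` maps app -> free licence seats and is updated in place.
    An empty `roles` (employee left) wipes every container.
    """
    desired = desired_state(roles)
    plan = Plan()
    # Licences follow the user, not the container: reclaim a seat only when
    # the app disappears from every container the user will still have.
    have_all = set().union(*current.values())
    want_all = set().union(*desired.values())
    for app in (have_all - want_all) & SAAS_APPS:
        seats[app] = seats.get(app, 0) + 1
        plan.licences_released.add(app)
    for app in (want_all - have_all) & SAAS_APPS:
        if seats.get(app, 0) > 0:
            seats[app] -= 1
            plan.licences_taken.add(app)
        else:
            plan.blocked.add(app)  # deploy nothing we cannot license
    for ctr in set(current) | set(desired):
        have, want = current.get(ctr, set()), desired.get(ctr, set())
        if not want:  # role removed or employee left: wipe the container
            plan.wipe.add(ctr)
            continue
        add = (want - have) - plan.blocked
        drop = have - want
        if add:
            plan.deploy[ctr] = add
        if drop:
            plan.remove[ctr] = drop
    return plan
```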

6. Clearly define the network

Different applications and use cases may have different network requirements, including corporate intranets, Microsoft SharePoint sites, and external partner portals that require SSL authentication, etc. Enforcing the highest level of security settings at the device level will have an unnecessary negative impact on the user experience, while on the other hand, requiring employees to choose different settings for each application may even cause widespread protests among corporate members.

By defining and locking down networks with individual settings for specific containers or applications, you can set each application to use the appropriate network without requiring additional user action. Employees can simply click on the application and go about their daily work, while security-related actions such as logging in, accepting credentials, or starting an application-specific VPN are automatically completed in the background based on management policies.


7. Treat sensitive data as the most important thing to protect

In most enterprises, IT does not know where the most sensitive data resides, so it tends to treat all data as needing the highest level of protection. This approach is extremely inefficient and drives up maintenance costs. The spread of mobile technology makes a clear case for applying more selective protection to data, based on a classification model matched to specific business and security needs.

Many companies use a relatively simple classification model that divides data into three categories - public, confidential and restricted - while some use more complex models that also take into account the type of device and platform, and even user role and location, as additional factors. A simple classification model can be applied as follows:

Public data that does not involve confidentiality, privacy or compliance issues can be moved in an unrestricted manner and made available to users on any device, anywhere, as needed. Employees do not need to use corporate infrastructure to use this public data - you can configure it in the network settings for individual applications, allowing users to choose the ideal access network based on convenience.

Confidential data is information that is not public and could pose a risk if compromised, so it requires a higher level of security. In this case, you can deliver virtualized access on BYOD or consumer devices through the corporate network, while allowing full mobile access to this content on enterprise-grade devices with MDM features such as encryption and remote data wipe, or through mission-grade devices designed to protect data in harsh conditions.

Some companies may believe that container-based solutions are sufficient to handle this type of data. In this case, data can be shared and synchronized at any time on any mobile device - provided that its activities are limited to isolated container environments protected and controlled by IT departments.

Compromise of restricted data can lead to serious compliance violations, reputational damage, loss of business and other negative consequences, so it must be handled strictly. Ensure that only mission-grade (task-level) devices, and enterprise-grade devices using virtualized access, provide full data mobility. BYOD and other consumer-grade devices should have no access to it at all. In some cases it is even necessary to exclude mobile devices that use virtualization and containerization solutions.

The various models mentioned above take into account both data location and device type. You may also want to introduce more detailed classification criteria in the security management policy, such as device platform, usage location, and user role. Some enterprises and most government agencies will create larger and more detailed data classification schemes, each with its own management rules.

By implementing network access configuration for confidential and restricted data across your corporate infrastructure, you can gain visibility into how employees are using this information, current data sensitivity patterns, and the effectiveness of your mobility control policies.
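The three-tier model described in this section, as an added example that is not part of the original article or any Citrix product: a fail-closed policy function that maps (classification, device kind, access mode, network) to an allow or deny decision, with two switches for the variations the text mentions (trusting containers for confidential data, and excluding virtualized access for restricted data). The device kinds, access modes and switch names are assumptions chosen to mirror the text; `summarize` gives the per-classification visibility the last paragraph asks for.

```python
"""Classification-aware mobile access decisions (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Tuple


class Cls(Enum):
    PUBLIC = "public"
    CONFIDENTIAL = "confidential"
    RESTRICTED = "restricted"


class Device(Enum):
    CONSUMER = "consumer"      # BYOD / consumer-grade, unmanaged
    ENTERPRISE = "enterprise"  # corporate device under MDM (encryption, remote wipe)
    MISSION = "mission"        # mission-grade (task-level) hardened device


class Mode(Enum):
    NATIVE = "native"                # unmanaged app, data on the device
    VIRTUALIZED = "virtualized"      # remote display, data stays in the data center
    CONTAINERIZED = "containerized"  # IT-controlled isolated container


@dataclass(frozen=True)
class Request:
    cls: Cls
    device: Device
    mode: Mode
    corporate_network: bool = False


@dataclass(frozen=True)
class Policy:
    containers_ok_for_confidential: bool = False  # the "some companies" option
    virtualized_ok_for_restricted: bool = True    # strict sites set this False


def decide(r: Request, p: Policy = Policy()) -> Tuple[bool, str]:
    """Fail closed: anything not explicitly allowed below is denied."""
    if r.cls is Cls.PUBLIC:
        return True, "public: any device, any network"
    if r.cls is Cls.CONFIDENTIAL:
        if r.device in (Device.ENTERPRISE, Device.MISSION):
            return True, f"confidential: full mobility on {r.device.value} device"
        if r.mode is Mode.VIRTUALIZED and r.corporate_network:
            return True, "confidential: virtualized over the corporate network"
        if r.mode is Mode.CONTAINERIZED and p.containers_ok_for_confidential:
            return True, "confidential: IT-controlled container"
        return False, "confidential: consumer device needs virtualized access or trusted container"
    if r.cls is Cls.RESTRICTED:
        if r.device is Device.CONSUMER:
            return False, "restricted: no BYOD or consumer device access"
        if r.device is Device.MISSION:
            return True, "restricted: mission-grade device"
        if r.mode is Mode.VIRTUALIZED and p.virtualized_ok_for_restricted:
            return True, "restricted: enterprise device via virtualized access"
        return False, "restricted: enterprise device must use virtualized access"
    return False, "unknown classification"


def summarize(reqs: Iterable[Request], p: Policy = Policy()) -> Dict[str, Dict[str, int]]:
    """Count allow/deny decisions per classification for reporting."""
    out: Dict[str, Dict[str, int]] = {}
    for r in reqs:
        ok, _ = decide(r, p)
        bucket = out.setdefault(r.cls.value, {"allowed": 0, "denied": 0})
        bucket["allowed" if ok else "denied"] += 1
    return out
```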

8. Clearly define roles and ownership

Who in your organization is responsible for corporate-owned mobile devices? In most cases, mobile issues are handled through dedicated, targeted initiatives, often by committees that oversee the IT function from an infrastructure, network, and application perspective. Given the strategic role of mobile initiatives in the enterprise and the complex set of issues raised by user and IT needs, the organizational structure, roles, and processes around mobility must be clearly defined. Employees should know who is responsible for mobile initiatives and how those owners will manage them holistically across multiple IT functions.

On the mobile device side, ownership issues also need to be clarified, especially in enterprise environments where mobile solutions and BYOD go hand in hand. Your BYOD management policy should be able to effectively address the gray areas in the actual use of fully managed, enterprise-owned, and user-owned devices - for example:

• Who is responsible for data backup for BYOD devices? Who should provide technical support and maintenance for such devices and bear the resulting financial costs?

• If a judicial agency requests to obtain data or log information from a device held by an individual, how should this requirement be resolved and implemented?

• When employees bring personally owned devices into the work environment, what impact will this have on the private content on them? And how can private information be protected?

Both users and IT departments should understand their roles and responsibilities to avoid misunderstandings. A BYOD management plan must be clearly defined and signed off by participants before personal devices can be brought into daily work.

9. Build compliance into your solution

Globally, companies face more than 300 standards, legal, and regulatory requirements for security and privacy, with more than 3,500 controls. Rather than merely meeting these requirements after the fact, build compliance and auditability into the solution itself. At the same time, avoid building a completely separate management system for mobile: you may already have solved the compliance challenges on the internal network, and the derivative problems of a separate management solution would send managers who have just breathed a sigh of relief straight back into anxiety. Make sure your mobile devices and platforms seamlessly support the compliance requirements of government regulations, industry standards, and corporate security policies, including policy-based and classification-based access control and secure data storage. Your solution should provide complete logging and reporting to help you respond to audit requirements quickly, efficiently, and successfully.

10. Get ready for the full arrival of the Internet of Things

Don’t just set policies based on what’s happening today—also look at how enterprise mobility will evolve over the next few years. Wearable technology, such as Google Glass and smartwatches, will continue to change how people use mobile technology, enabling new use cases and more intuitive experiences. Connected vehicles—including self-driving cars—will leverage data and cloud services in new ways, helping users achieve their goals more easily and efficiently. Industrial control systems (ICS) will use enterprise data as part of human workflows and back-office operations. These trends will further expand the potential of mobile technology, but will also bring new implications for security, compliance, manageability, and user experience.

Follow the current industry discussion of these emerging technologies, design your mobile strategy around core principles, and make sure it can be applied to any mobile device and use case. In this way you minimize the frequency of policy changes and spare users the disruption and frustration of repeated solution iterations.

Closing remarks

Enterprise mobility is quickly moving beyond the boundaries of traditional departments and use cases to become a fundamental element of enterprise IT. As you develop your enterprise mobility strategy, make sure you consider all the real needs of both users and IT. Users expect seamless access to data and applications from any mobile device, with a user experience that is superior to the apps they use in their personal lives. IT needs the ability to provide the desired level of control, protection, and compliance for each data type without imposing unnecessary restrictions on the way employees choose to work. By promoting proven security, application, and data access models and management technologies on mobile devices, you can build a comprehensive enterprise mobility strategy that is both current and future-proof.
