I was at SAP TechEd 2011 in Las Vegas which was co-located with Sybase TechWave and there was a lot of excitement and energy. There was a lot of focus on Mobility and HANA related offerings and roadmaps. My goal was to participate in as many sessions and consume as much information as possible related to Mobility and HANA related topics.
The backdrop of the Tech Ed event in my view is the overarching trend in the industry where several enterprises are permitting employees (in many cases encouraging) to bring their own mobile devices into the workplace to be used for work purposes. This trend, known as the Bring Your Own Device (BYOD) is shifting the way in which devices are procured, managed & supported and puts an enormous pressure on the IT support organization as the old rules don’t apply. Poor management of this trend will introduce new risks and may end up in significant increase in the TCO for IT organizations.
Being part of Premier Customer Network (PCN) NA organization, I got to participate in a PCN exclusive event where Raj Nathan provided the key note followed by an excellent panel discussions with our own CIO along with a three other CIOs of SAP customers.
From this panel discussion I took away two major themes namely (a) How to manage the provisioning of multiple types of mobile devices and support the BYOD trend (b) How to meet the security demands posed by the blurring of workplace and personal space due to BYOD.
From the discussions, one comment that stood out for me was that enterprises should distinguish “Information Security” from “Device Security” and come up with approaches to address the two. Over the years in traditional computing we have developed a good understanding of what “Information Security” means and practices are in place to manage/control that. But Mobile Device Security is fairly new & evolving and enterprises are in the process of taking measures to address this. In this blog, I would like to compile my thoughts and highlight some key considerations in the context of mobile device security (in no order of importance or priority).
- Enterprise Security Policies – This is very vital to establish a clear set of policies that prescribe a set of acceptable rules to conduct business, shape the behavior from employees and drive compliance. Clear guidelines need to be established regarding do’s and don’ts with mobile devices so any inadvertent exposure of corporate data is avoided.
- Mobile Device Management (MDM) – One statistic that I heard at TechEd was that more than half of one mobility related survey’s respondents were not familiar with the SW products in MDM category. Sybase Afaria (http://www.sybase.com/afaria) is one elegant solution that provides both device and application level management. It offers features such as OTA (On-the-air) capabilities to commission/decommission mobile devices and remote management of mobile applications across multiple device types. Enterprise can learn more about this solution and leverage it to address many of their needs related to MDM.
- Mobile Application Audit – In many enterprises it is a common practice to institute a periodic scan of employee’s workstations (desktops or laptops) to audit and ensure compliance against downloading unauthorized/unsupported applications. The audit becomes even more complicated and critical in “BYOD” situations. How can an enterprise balance between allowing appropriate access to corporate date via an employee owned asset while safeguarding against unauthorized mobile applications. Enterprises ought to consider meaningful SW based solutions to address this without being overly restrictive.
- Intrusion Prevention – Companies should consider appropriate software based solutions to detect and prevent intrusions. Some enterprises are considering and have adopted dedicated firewalls for enabling access to corporate applications via mobile devices.
- Encryption – This is a practice many enterprises are adopting including SAP (encryption of corporate email accounts) which adds another layer of security for all communications to and from the employee mobile devices.
- Help Desk – This is very vital to 24×7 Help desk covering all the regions and time zones employees are located within the enterprise so that in case of emergency immediate remote de-commissioning steps can be undertaken by the help desk.
- Approved Device List – Similar to approved or preferred vendors list maintained by the enterprise’s procurement organizations, publishing an approved list of Mobile devices should be adopted by IT Support organizations. The support organization can publish guidelines which will help employees while shopping for a new mobile device or upgrading an existing one. Combining this with already existing employee specific discounts for preferred mobile device equipment and service providers would give an added incentive to impact behavior.
Mobility is a rapidly evolving trend and I will try to post more blogs on this interesting and exciting topic.