A corporation's data on customers, employees, finances and strategies is the heart of the organization and must be protected. While many corporations have a mobile device management program, they should also have mobile application management to protect sensitive information. The plan should be viewed as an investment and selected to meet a concrete set of criteria.
Think for a moment about the possible impact of a mobile application management (MAM) tool. A business has multiple users with various personal devices like cell phones and tablets running on different platforms. IT has little or no access or security controls on personal gadgets. On those same devices, there is frequently corporate data, whether or not IT wants to believe it. Granted, a mobile device management (MDM) program is likely in place for most businesses.
Personally, I know my corporate laptop has security controls to prohibit corporate data loss by providing access control and encrypted data protection. Those types of controls represent MDM on laptops, cell phones and tablets. While MDM controls the device, the applications on it are left unmonitored.
MAM provides security and access control for the applications on a device regardless of the device type. Its abilities include pushing automatic updates, tracking use, virtual private network (VPN) access for corporate networks and controlling the application access to secure corporate data. Managing the applications that access a corporation's data is critical. Neither an MDM plan nor an MAM tool alone provides a full, robust or totally secure option for mobile data security. However, when used together to provide both device- and application-level security, they are a comprehensive mobile security strategy.
Remote management: Controlling access
Employees are both an asset and a liability to a corporation. When employees are hired, they might bring one or two personal devices to work. It may save money to use those devices rather than ones provided and controlled by the corporation. In addition, if an employee has personal and corporate devices, it's highly likely company data is on both.
The possibility of weak security in third-party applications on employee devices must be addressed. Therefore, a mobile management tool needs to control access by providing multifactor authentication on non-corporate applications.
PIN authentication and an application-level VPN can control access to data or applications outside the security of the corporate network. In this way, the MAM tool leverages the strength of existing network security to protect data within another layer. Adding data-at-rest encryption to these controls allows data protection both in transit and within an application rather than forcing encryption on all the data on the device.
But what happens when an employee leaves the company? How does IT ensure the employee's personal devices no longer have corporate data or access to corporate servers? The most important requirement for an MAM tool is to provide the ability to totally and permanently wipe corporate applications and data from an end user's device. Additionally, future access must be prevented. Both tasks need to be accomplished remotely, without IT having to physically touch the device.
Removing a former employee's access on a personal device must be done quickly. Not all employees would exploit continued access, of course, but it's safer to move quickly to remove all access points to corporate data.
In summary, IT should select a tool that allows remote wiping of all corporate access quickly and accurately while providing additional features that add multiple layers of data protection. These features should include PIN authentication, an application-level VPN, and data-at-rest encryption.
The MAM tool also needs to have a method of tracking usage on a device discreetly and without interrupting performance or functionality. Monitoring usage is generally useful for verifying that users are following access and use policies.
When corporate data is at stake, it's critical to protect the data while making employees generally aware how that is being done. Employees don't need all the details on how usage is tracked, and IT should be aware that employees may feel they are being watched by Big Brother. However, since employees have a vested interest in the company's performance and success, I believe making them aware of usage tracking builds trust and creates a workforce that's committed to understanding the importance of data security.
Furthermore, an MAM tool needs to include management functions that allow for configurable reporting on applications and device usage. Business managers need to know what is being used and how it is being used and on which types of devices. This information generates valuable historical data that is reviewable and useful to help improve data security. Knowing what is happening over time is essential to keeping up with ever-changing security needs.
Delivery, licensing and maintenance
Less exciting perhaps, but still necessary in the MAM tool selection, is the ability to deliver, license and continuously maintain applications on multiple device platforms. The tool should allow the business to do the following:
- Configure and control application downloads;
- Track installation results and issues; and
- Push updates and security patches remotely, either at will or on a regular schedule.
Most corporations are familiar with this procedure in the context of the corporate network, but they need to extend the same or similar functionality to portable devices.
IT professionals should also ensure that the MAM tool interacts appropriately with existing network functionality in order to provide a more seamless implementation with less interruption in coverage. Additionally, IT should verify that MAM allows multiplatform coverage. In this way, the business can leverage existing software delivery, licensing and maintenance policies while still adding coverage for mobile applications on multiple device platforms.
The investment in a tool that manages mobile applications is imperative for any corporation with data that it needs to keep secure. When selecting an MAM tool, ensure that it can control access to the applications on a device through remote wiping, remote access removal and track usage. The tool should also be able to manage updates and maintenance remotely. The final selection of an MAM tool for any specific organization will depend on the MDM procedure a business has, how the individual business is managed, or which policies and procedures already exist. It is generally less painful to add to an existing security plan than to create and train users on a totally new one.
Do you have an MAM tool? If so, what were your criteria for choosing it? Let us know in the poll and comments section below!