Smart Enterprise Magazine

Volume 7, Number 2, 2013

Issue link: http://www.smartenterpriseapp.com/i/145475


phone exposes the organization to potential security breaches.

Before designing and deploying mobile-device solutions, CIOs should develop system threat models for both their mobile devices and the resources accessed through these devices. Threat modeling involves identifying resources of interest; identifying the feasible threats, vulnerabilities and security controls related to these resources; quantifying the likelihood of successful attacks and their impacts; and, finally, analyzing this information to determine where security controls need to be improved or added. In this way, organizations can identify their BYOD security requirements and then design mobile device solutions that incorporate the controls needed to meet these requirements.

The mitigation strategy for this is layered. One layer involves protecting sensitive data with two main methods: either encrypting the mobile device's storage so sensitive data cannot be recovered by unauthorized parties, or storing sensitive data somewhere other than on the mobile device itself. A second mitigation layer involves requiring authentication before gaining access to either the mobile device or any of the organization's resources that are accessible through the device.

BYOD and the Cloud

The cloud is often used by mobile workers to both store and access their personal and organizational documents. Yet the cloud presents organizations with a new paradigm; they must rethink not only how they acquire IT services in the context of deployment, but also how these consumed IT services will provide mission and support functions on a shared basis.

The cloud also lets employees buy IT on a consumption-based model. Given the dynamic nature of end-user needs, the traditional method of acquiring IT has become less effective in ensuring that the organization effectively covers all its requirements. We're moving from purchasing IT in a way that requires capital expenditures and overhead, and instead purchasing IT on demand.

As a result, unique requirements have arisen that organizations need to address when contracting with their cloud service providers (CSPs). CIOs should begin to design or select mobile solutions that allow for purchasing based on consumption in the shared model that cloud-based architectures provide.

BYOD and Social Networking

It's a given that many employees will use their mobile devices to engage in social networking, whether for personal or enterprise-collaboration reasons. From a CIO's perspective, social-networking collaboration tools need to be institutionalized to meet the demands of the organization.

Several solutions providers offer help. For example, Salesforce.com now provides social networking capabilities through its Chatter service. Available on Salesforce's real-time collaboration cloud, Chatter lets users create profiles and post status updates. These might be questions, bits of information or knowledge, or relevant hyperlinks. All of this is then aggregated and broadcast to co-workers in their personal network. Essentially, a running feed of comments and updates flows to those in that particular network.

Employees can also follow colleagues from around the company, not just in their own personal network, enabling cross-organizational knowledge sharing. Chatter also provides a profile database that helps users find the skills needed for a particular project.

BYOD Acceptable Use

Corporate-owned devices usually come with an acceptable-use policy. But crafting such a policy when the device is owned by the employee is far from straightforward.

Legal experts have weighed in on BYOD and found that organizations might be vulnerable in several areas. In part, that's due to the way BYOD blurs the line between work and play. This, in turn, creates performance-management challenges for managers trying to regulate on-the-job conduct.

Other legal concerns include potential liability for harassment (for example, due to inappropriate comments made by an employee on his or her mobile device); overtime liability from unrecorded overtime; minimum-wage issues, since smartphone users often work long hours; privacy concerns, such as what employers can delete; and even workplace safety issues, such as an employee who is caught texting while driving a company vehicle.

Covering these issues should be part of every CIO's mobile strategy.

JESSICA KEYES is President of New Art Technologies Inc., a technology and management consulting and development firm, and the author of Bring Your Own Devices (BYOD) Survival Guide (CRC Press, 2013).

MOBILE DEVICE MANAGEMENT: LESSONS LEARNED

UNIQUE: Every mobile device contains particular apps and programs that work for its owner. Thus, one MDM solution for all will never work.

SURVEY, SURVEY, SURVEY: Poll your employees to stay up-to-the-minute on their mobile software and hardware needs.

CLARITY: Create a policy that clearly states what your company will and will not allow regarding mobile devices.

THE APP STORE PROBLEM: Work with suppliers to develop application-delivery methods that work with most devices.

GETTING STARTED WITH BYOD

DEVICES: Which devices may employees use? Will you give them a free choice, or will only certain devices be allowed?

DATA PLANS: Will the organization pay for all, offer a stipend, or let employees expense out?

COMPLIANCE: What data by law must be protected and encrypted? Consider all industry and local government regulations.

SECURITY: Which security measures do you need? Consider passcode protection, jailbroken/rooted devices, anti-malware, device restrictions, cloud backup and more.

APPLICATIONS: Which mobile apps will you allow or prohibit?

SERVICES: Which IT services will you make accessible via mobile devices? Consider email, wireless networks, VPNs, CRM and much more.

AGREEMENTS: Have you put in place an Acceptable Use Agreement that covers all employee devices with corporate data?

PRIVACY: What data will the organization collect from employee-owned devices? And what data (for example, personal information) will never be collected?
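
The threat-modeling steps and layered mitigations described at the start of this article, worked through as an added example (not from the article or its author). The register entries, likelihood and impact scores, control-effectiveness figures and the tolerance threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from math import prod

# Assumed share of attack likelihood each control removes (constructed values).
CONTROLS = {
    "storage_encryption": 0.8,       # layer 1: encrypt the device's storage
    "off_device_storage": 0.9,       # layer 1: keep sensitive data off the device
    "device_authentication": 0.6,    # layer 2: authenticate to the device
    "resource_authentication": 0.7,  # layer 2: authenticate to the resource
}

@dataclass
class Threat:
    resource: str      # resource of interest
    threat: str        # feasible threat against it
    likelihood: float  # 0..1 chance of a successful attack with no controls
    impact: int        # 1 (minor) .. 5 (severe)
    controls: list = field(default_factory=list)

    def residual_risk(self) -> float:
        # Layered controls: each removes a share of what the previous one left.
        remaining = prod(1 - CONTROLS[c] for c in self.controls)
        return round(self.likelihood * remaining * self.impact, 3)

def gaps(threats, tolerance=0.5):
    """Threats whose residual risk exceeds the tolerance, worst first."""
    over = [t for t in threats if t.residual_risk() > tolerance]
    return sorted(over, key=Threat.residual_risk, reverse=True)

# Constructed register for a BYOD deployment.
REGISTER = [
    Threat("customer records cached on phone", "lost or stolen device",
           0.5, 5, ["storage_encryption", "device_authentication"]),
    Threat("corporate email", "unlocked device used by a third party",
           0.4, 4, ["device_authentication"]),
    Threat("CRM via VPN", "device reaches the service without a login",
           0.3, 5, []),
    Threat("shared documents", "lost or stolen device",
           0.5, 3, ["off_device_storage", "resource_authentication"]),
]

if __name__ == "__main__":
    for t in gaps(REGISTER):
        print(f"{t.residual_risk():5.2f}  {t.resource}: {t.threat} "
              f"(controls: {', '.join(t.controls) or 'none'})")
```

The entries that `gaps` returns are the places where, in the article's terms, security controls need to be improved or added; attaching a control to an entry and re-running shows whether it falls back under the tolerance.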
