Jamie Davis, VP Education, Product Management and Quality Control | Safe Systems

What am I supposed to be doing for my mobile devices?  What should I be doing for my mobile devices?  What do you recommend I do with my mobile devices?

These are examples of some of the most common questions our clients ask Safe Systems employees. With the rise of smartphones and tablets, everyone is trying to get a handle on how these devices fit within the financial institution’s IT strategy. These are great questions, and something we at Safe Systems have discussed ad nauseam for years.

The problem is that there is no correct answer.  So we respond by asking more questions. What are your goals?  Who owns the phone?  The mobile device discussion is not a simple one.  There are many philosophies, and hundreds of different companies offering many different flavors of mobile device solutions.  Which one should you choose?  The answer changes based on your institution’s needs and who owns the device.  There is no single technology or one company that has the answer to the mobile device conundrum.

That said, let’s take a look at the different options for deploying mobile devices to your employees, and the different management options available for those devices:

The first question you want to answer is who owns the phone?  Who bought the device?  Who pays for the monthly service?

Company-Provided Device: In the early days of mobile phones, many people had a “work phone” (typically a Blackberry) for business email and calls, and a “personal phone” to call and text friends and family.  Control typically followed ownership, so it was easy for the individual to understand that the business phone was for business purposes.  Often it was even controlled or locked down to some degree by the business provider: requiring a password to use, timing out after short periods of inactivity, etc.  This was all acceptable because it was the company’s phone. It was theirs to control.

  • Pros: Control – Clear line between work and personal
  • Cons: Cost – Phone and service


Bring Your Own Device (BYOD): Over the last five years, it has become increasingly common for companies to allow their employees to use personal devices for business purposes.  This BYOD model gives the user the freedom to buy and use the phone they want.  The institution doesn’t force the employee to use a specific phone, nor does it pay for the phone or service.  The user is often happier with this arrangement because they have the phone, case, and accessories they want.  Plus, they aren’t lugging two devices everywhere.  The institution typically has to trade some degree of control over mobile devices in return for the lower costs of purchase, administration, and maintenance.  The BYOD trend has also removed barriers to adoption for institutions that had chosen not to allow mobile devices strictly on a cost basis, since the cost of device ownership shifted to willing employees.

  • Pros: Cheaper – The end user has choices and flexibility, potentially giving way to greater adoption
  • Cons: Less control


The next question we usually ask is, what are your goals?  The answer is obvious, right?  Control my mobile devices.  But what does control mean?  This is not one of those politician’s questions where they quibble with you over the definition of “is”.  This is a legitimate question because of the range of options available.

Device Management Options:

Mobile Device Management (MDM): This is what most people think of when they talk about controlling or managing mobile devices. Why? For one, it’s been around the longest.  While it might not have always been defined this way, MDM is basically what Blackberry was offering with their devices and service.  It was a proprietary package of both phones and software to enforce rules on those devices, since they were assumed to contain company data.  Chronologically speaking, the next MDM solution to gain traction was Microsoft’s ActiveSync.  Its popularity was based on its close, built-in integration with Microsoft Exchange and the ability for different phone software vendors to take advantage of its features. Now there are literally hundreds of options.  In just a few years we went from one company with one suite of phones to unlimited phone and MDM options.

MDM allows the IT department to control the device.  This is both its greatest strength and its biggest weakness.  In theory the administrator of the software can enforce rules (passwords, timeouts, encryption, etc.), wipe a device clean, track a phone’s location, and know what applications are installed.  These management capabilities are great features for the most part, but have their problems as well.  Tracking a lost phone is great, but tracking an employee’s movements on the weekend, intentionally or unintentionally, may create problems.  Similarly, the ability to remotely wipe a lost phone is great, but what happens when an employee is terminated or takes a new job somewhere else?   Do you add insult to injury by wiping the phone of a devastated employee on their way out the door?  The wipe will remove sensitive company data and network access, but it could also eliminate all the person’s personal contacts, their spouse’s phone number and pictures of their kids.  So while many of these features are important and easy to implement if the bank owns the device, things may be a little stickier if the employee owns the device.  Also, you will want to compare the MDM’s features to what ActiveSync includes for free.  Many MDMs are built on top of ActiveSync, so there may be a few more features, more granularity, or better reporting.  The “what are your goals” question will play a key role in deciding whether those add-ons are ones you need.

  • Pros: Lots of control; lots of options to choose from; best fits where the institution owns the device
  • Cons: Too much control – control over personal and business information; some features are OS or OS version specific
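To make the “compare the MDM’s features to what ActiveSync includes for free” point concrete, here is an added example (not from the original post, and not Safe Systems’ own tooling) showing the device rules Exchange ActiveSync can enforce on its own through an ActiveSync mailbox policy, how that policy is assigned, how to report on devices that have not applied it, and how a single lost device is wiped. It uses Exchange Management Shell cmdlets; the policy name, mailbox identity, notification address and the specific thresholds are assumptions chosen for illustration, not values from the article.

```powershell
# Added example: baseline device rules Exchange ActiveSync enforces without a
# separate MDM product. Run from the Exchange Management Shell (Exchange 2010-era
# cmdlet names; later versions expose the same settings as *-MobileDeviceMailboxPolicy).
# Policy name, mailbox, thresholds and e-mail address are assumed values.

$policyName = 'Bank-Baseline-EAS'   # assumed policy name

# 1. Define the policy: the password / timeout / encryption rules the article lists.
$policy = @{
    Name                               = $policyName
    DevicePasswordEnabled              = $true      # device must have an unlock password
    AllowSimpleDevicePassword          = $false     # no 1234 / 1111 style PINs
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 6
    MaxInactivityTimeDeviceLock        = '00:05:00' # lock after 5 minutes idle
    MaxDevicePasswordFailedAttempts    = 10         # device wipes itself after 10 bad tries
    RequireDeviceEncryption            = $true      # storage encryption on devices that support it
    AllowNonProvisionableDevices       = $false     # refuse devices that cannot apply the policy
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign the policy to a mailbox (assumed user 'jdoe').
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy $policyName

# 3. Monitor: which of a user's devices have not fully applied the policy?
#    This is the "monitoring of controls" piece a policy needs to back it up.
function Get-NoncompliantDevices {
    param([string]$Mailbox)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
        Select-Object DeviceType, DeviceModel, DeviceOS, DevicePolicyApplied,
                      DevicePolicyApplicationStatus, LastSuccessSync
}
Get-NoncompliantDevices -Mailbox 'jdoe'

# 4. Remote wipe of a device the user reported lost. The wipe is scoped to the one
#    device identity, which matters on an employee-owned phone because ActiveSync's
#    wipe is a full-device wipe (the personal data problem the article describes).
$lost = Get-ActiveSyncDevice -Mailbox 'jdoe' |
    Where-Object { $_.DeviceModel -eq 'iPhone' }      # assumed: the lost handset
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses 'itsecurity@example.bank'   # assumed address; confirms before wiping
```

The policy hashtable is the useful comparison point: if a candidate MDM product’s feature list is mostly these same settings with a nicer console, the “free” ActiveSync policy may already cover the institution’s goals, and the add-ons worth paying for are the ones ActiveSync lacks, such as application inventory or a wipe that can be limited to business data.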


Mobile Application Management (MAM): This is a more granular approach to mobile management.  It focuses on controlling the applications used by the institution instead of the entire phone.  MAM may allow the institution to password-protect, encrypt, or remotely wipe only the applications containing institution information.  For many, this may be just controlling the email application on the device.  The institution no longer cares whether the phone has a password or timeout feature.  The applications for business use are defined, secured and controlled.  The downside to this approach is often a limited selection of applications that can be secured in this fashion.  Conversations at our office centered on the question of whether a client would be happy using a “second rate” email app just because it’s secure.  Currently, an iPhone user often has all their email in one application provided by Apple.  They see all communication on one screen and in one app.  Many MAM solutions are going to require the user to view their institution email in a separate app that was written from a security perspective rather than focusing on user experience or aesthetic appeal.  So, the question becomes: what apps do you need to perform securely?  What do the secure versions of these apps look like?  Will they be acceptable alternatives?

  • Pros: Granular control; only control business function apps; may be a better fit in a BYOD environment
  • Cons: App selection may be limited; apps may not be as user friendly


Mobile Information Management (MIM): This is an even more granular approach to mobile management, as it focuses on a specific type of application to secure mobile communication.  MIM typically refers to the ability to sync documents across different devices and operating systems.  Now that Dropbox, OneDrive (formerly SkyDrive), Box and Google Drive offer the ability to store and share information, what role do these play in handling company data?  How do you control and secure this information?  There are products under the MIM heading dedicated to answering this question.  MIM itself is most likely not a complete mobile solution; instead, it is a potential piece of your institution’s mobile security.  Think of MIM as MAM, but dedicated to file syncing.  In a similar vein, there are now a few products on the market that just secure email.  While I don’t know of a cool name similar to MIM currently, these products use a MAM approach dedicated to securing company email.

  • Pros: Simple; controls just one aspect/app on the phone
  • Cons: Might need to be paired with other solutions


Who owns the device?  What are your management goals?  Answer those two questions and then find the technology that best fits your needs.  As these solutions mature, the lines between MDM, MAM, MIM and others will likely blur, as companies look to fill multiple needs under one solution.  Many institutions have decided to continue with ActiveSync for the short term until they have compelling evidence to add a layer of security.  Some institutions have chosen a direction and moved forward while others have chosen to use different MAM and MDM solutions together to obtain the functionality desired. From a compliance perspective, you will want to have a policy with defined expectations, management options/controls, and monitoring of controls. [See FFIEC IT Handbook – Information Security – Information Security Risk Assessment – “Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.”]

I have attached Gartner’s Magic Quadrant for MDM to note popular MDM and MAM tools.  **Gartner lumps these solutions together in their research**

Sourced from: http://www.sap.com/pc/tech/mobile/featured/offers/gartner/reports/mdm.html