Part 2, Leveraging Mobile Devices Today—a Crash Course
So you want to figure out what to do about mobile devices in your organization today? You first need to understand how these devices are important to your organization, so put your detective hat on and start asking questions. How are mobile devices used in your organization? Why are they used, and what would happen if they went away (imagine your CEO’s smartphone being taken away—of course this is a problem, but WHY)? Are they replacing laptops or desktops in some cases, and if so, why? Is everyone using them, or only certain groups of people? Also, don’t assume that you already know the answers to these questions. Roll up your sleeves and talk to people. Get the facts (you’ll be surprised by the feedback and glad you did).
Step 1, understand the different devices in your organization, and the relative numbers:
- Desktops—understanding how quickly these are declining in use is important.
- Laptops/Notebooks—on the rise as the standard issue productivity solution and would include “Tablet PCs” (e.g. a Windows 7 Tablet PC).
- Proprietary Computers and Terminals—things like highly-specialized handheld computers for inventory control or POS terminals (also understand how these devices specifically plug into your IT infrastructure—mainframe or webserver?).
- Tablet Devices—here we’re talking about the category of devices spawned by the iPad and Android, and distinct from Tablet PCs for their different application model management paradigm.
- PDAs—remember the 90s? Is your organization stuck there? Today think more iPod than Palm.
- Pure Cell Phones & Pagers—again, remember the 90s (don’t laugh; pagers are still big in healthcare)?
- Smartphones—smartphones are of course the synthesis of pure Cell Phones and PDAs and are quickly becoming the standard.
- USB Thumbdrives and Mass Storage Devices—they go by many different names, and whatever your preferred vernacular, we’re talking about the USB storage devices that make it quick and easy to save files, data, etc…
Step 2, understand how and why the mobile devices (Tablet Devices/PDAs/Cell Phones/Smartphones etc…) are being used:
- Mobile calling (with Skype and related VoIP solutions, this is no longer simply about cell phones).
- Email & Messaging (this includes instant message/chat applications).
- Information retrieval (everything from browsing the web to querying a corporate database).
- Data Storage (both personal and corporate data, including media, email caching, application files and other data).
- Productivity (scaled-down versions of word processing, spreadsheets and the like).
- Identification (some organizations are using some mobile devices to authenticate user identities).
- Entertainment & Leisure.
Step 3, identify concerns for short-term remediation:
- Basic Security—greatest concern for PDAs and Smartphones. At minimum ensure employees are using the lock/encryption features that come standard with their devices—these can vary by OS and device, but any decent mobile device (excluding thumbdrives) should cover this.
- Data Integrity/Compliance—Make sure employees are not storing data on their devices in a way that would compromise your organization’s standing policies governing company and customer data—this issue can become extremely complex in situations where employees are using personal devices for work purposes.
- Access Risks—ensure that mobile devices are not compromising the security of your organization’s “backdoor” services (things like web-based access to databases and other resources).
With this complete, you’ll need to decide what applications, devices, and related services are ‘must haves’ and which are ‘nice to have’. For now, you’ll need to focus on the ‘must haves’ (we’ll talk about the ‘nice to haves’ next time on service gaps).
More than likely you’ll find that managing the needs of these devices and services is possible, but your organization will likely rely heavily on end users for the time being (some applications do include support for managing some aspects of mobile devices, but are far from comprehensive today). Examples include posting instructions for setting up email, how to use their devices’ built-in security tools, and more, but ultimately letting employees do the installing and configuring. While this is cumbersome in the near term, it will also help to define what your organization’s MDM needs are in the near and distant future.
Next time— Part 3: Service Gaps and Related Threats