By Steve Bigelow, Features Writer
Network architectures once resembled medieval castles -- fortresses with moats and impenetrable walls, accessible only through a closely guarded entrance. Yet once inside, there were few real defenses. Mobile computing has been shifting this paradigm for years, slowly extending and eroding the network perimeter.
Powerful new generations of notebook PCs, PDAs, smart phones, MP3 players and other personal storage devices jump between corporate, public and home networks. Solution providers who understand the unique demands posed by mobile devices can help their clients achieve the necessary network transparency, while maintaining security and providing adequate user support. The first installment of this Hot Spot Tutorial highlights common management problems associated with mobile devices and their implications for the corporate network.
The mobile device management problem
Imagine this scenario: MyCorp faces myriad problems with its mobile devices. Laptops are a huge headache, and the MyCorp IT staff is regularly chasing down infected files passed to the corporate network because a laptop's OS is improperly patched and the virus signature files are grossly outdated -- the laptop users just aren't in the office enough to download the latest updates.
The chief field engineer has been a particular pain after his personal laptop crashed. It would have been a simple matter to restore Vista on his company laptop, but he insists on sticking with Windows XP on his personal "generic brand" sub-notebook, so it took all day on the phone to help him restore his system while other service calls got pushed back. But that wasn't as bad as the new salesperson who forgot her laptop, loaded with customer records, on a bus in Los Angeles. The compliance reporting hoops and bad press there cost the CIO and systems administrator their jobs.
Smartphones, PDAs and other mobile devices create a host of other problems for MyCorp. HR files were recently downloaded from the data center after the HR director's iPhone was stolen. He reported the theft to the phone service provider, but neglected to tell anyone at MyCorp that the phone had no password protection and all his network logon credentials were saved as notes on the phone.
Other users can't access email from their personal PDAs, but they don't want to use standard corporate PDAs that work perfectly with the Exchange servers. Some users have been backing up files on their own USB flash drives, but those users aren't using the corporate backup protocols, and USB devices are almost impossible to secure.
While MyCorp may be fictional, the scenarios above represent some of the very real management and security problems posed daily by mobile computing devices -- problems that worsen as each generation of product becomes more versatile and powerful. But this challenge presents a significant opportunity for solution providers that can master mobile device management and help clients implement the necessary management tools and procedures.
"Every user in our organization needs to be able to do all of their job functions whether they are in the office, on the road or at a client's site," said Adam Gray, chief technology officer of Novacoast, an IT professional services and product development company in Santa Barbara, Calif. "This means you have to support laptops, emerging telephony devices, voice over IP, and you have to have seamless control over the entire environment and provide appropriate services to your end users." The real goal, Gray noted, is to strike a balance between the accessibility and protection of corporate data.
Handling the implications of laptops
Solution providers are acutely aware of mobile device management problems, facing many of the same problems within their own sales and services organizations. Laptops unquestionably present the biggest problems, since they often contain a host of corporate data including databases, contact or customer lists, documents, email, spreadsheets, development code and other electronic assets. Ensuring adequate access, support and security usually starts with laptop users.
For Gray, the overarching laptop security question is solved with encryption. Encryption protects data at rest from loss due to theft and mitigates any reporting requirements if a theft does occur. Laptop management is achieved through agents installed on each system, accessed through tools implemented within the data center.
"As long as the laptop is turned on and online, our IT staff has visibility into that laptop through a persistent SSL connection," Gray said, noting that management connectivity is automatic and users need not be involved in the routine process. With the management connection in place, administrators can push out software patches and updates, perform remote configuration and technical support, and handle other activities that are part of a field operation. Since the SSL connection is sourced from the laptop user, the unit can be anywhere -- even behind a home router or a firewall at a coffee shop.
The ability to perform remote technical support is an important element of remote mobile device management, allowing administrators to test, diagnose and correct common problems that may occur on the system. Speed and efficiency are critical to achieve effective problem resolution in the field. Remote workers "need to have support be the same as if you were sitting next door to them in the office," Gray said.
The final element to laptop management is the operating system itself. Gray has moved away from Windows and runs his own enterprise with a mix of Linux-based and Apple systems. "We found that running Windows, especially in a remote desktop environment, is very expensive, very prone to failure, and very hard to manage."
Dealing with other mobile devices
Today's PDAs and smartphones are essentially specialized computers -- they access and store much of the same data and share many of the same management concerns found with laptops. It's important that PDAs and smartphones allowed onto the network include remote push-and-wipe capabilities so that software updates can be deployed and the unit can be emptied remotely if it's lost or stolen.
There should also be some modicum of control over the data that can enter (or leave) mobile devices. For example, it may be appropriate to allow a smartphone user to access the client contact database and master appointment calendar, but unnecessary to grant that smartphone access to spreadsheets or documents (even though the unit can actually carry that data). Any remote device should invoke strong password protection when it is turned on or returns from an idle state. Many users find such passwords troublesome, but it should become a normal part of the device's security protocol.
GPS and USB devices should also be addressed as part of a mobile device management strategy. Traditionally, GPS devices simply provided directions, but an increasing number of GPS devices are incorporating push capabilities. This allows organizations to download calendar data, contacts and appointment addresses to the GPS. Organizations that embrace such devices should ensure remote wipe features to protect sensitive or confidential data uploaded to the GPS.
USB devices such as flash drives present a more difficult problem -- they are easy to lose, yet can hold up to 8 GB of data. Gray recommends providing clients with a limited list of approved models that the infrastructure can detect, along with the use of encryption to protect the data itself. For example, there are flash drives that include their own onboard biometric authentication and encryption software such as SecureStix and IronKey. Several Novell and Symantec security tools use device control features to detect and restrict USB devices on Windows machines. Logging and other techniques can be used on non-Windows platforms. Ultimately, the goal is to alert an administrator when a USB device is connected to a host system and to track any data exchanged with the mobile device.
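The "logging and other techniques" route for non-Windows hosts can be made concrete with a small log audit: correlate the kernel's "New USB device found" line with a later usb-storage line for the same bus address, then raise an alert when a mass-storage device is not on the approved-model list. The following script is an added example written for this article, not code from Novacoast or from any of the products named above. The sample log lines, hostname, timestamps and the vendor/product IDs (1111:aaaa, 2222:bbbb, 3333:cccc, 9999:ffff) are constructed placeholders; only the message formats follow what the Linux kernel prints.

```python
import re
from dataclasses import dataclass, replace

# Constructed sample lines in the format the Linux kernel logs when a USB
# device attaches (hypothetical timestamps, hostname and vendor/product IDs;
# not captured from a real system).
SAMPLE_LOG = """\
Mar 10 09:12:01 lt-042 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 10 09:12:01 lt-042 kernel: usb 1-1: New USB device found, idVendor=1111, idProduct=aaaa, bcdDevice= 1.10
Mar 10 09:12:01 lt-042 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 10 09:30:44 lt-042 kernel: usb 1-2: New USB device found, idVendor=3333, idProduct=cccc, bcdDevice= 2.00
Mar 10 09:30:44 lt-042 kernel: input: Generic Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input7
Mar 10 10:02:17 lt-042 kernel: usb 1-3: New USB device found, idVendor=9999, idProduct=ffff, bcdDevice= 1.00
Mar 10 10:02:17 lt-042 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Approved flash-drive models as (idVendor, idProduct) pairs. These are
# constructed placeholders standing in for an organisation's real approved list.
APPROVED_MODELS = frozenset({("1111", "aaaa"), ("2222", "bbbb")})

# Syslog-style prefix: timestamp, hostname, then the kernel tag.
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
NEW_DEVICE_RE = re.compile(
    _PREFIX + r"usb (?P<addr>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
STORAGE_RE = re.compile(
    _PREFIX + r"usb-storage (?P<addr>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass(frozen=True)
class UsbEvent:
    timestamp: str
    host: str
    address: str        # bus-port address such as "1-3"
    vendor_id: str
    product_id: str
    mass_storage: bool = False


def parse_usb_events(log_text: str) -> list:
    """Return one UsbEvent per attached device, in log order.

    A 'New USB device found' line opens an event; a later usb-storage line
    for the same bus address marks that event as mass storage. Keyboards,
    hubs and other non-storage devices stay mass_storage=False.
    """
    events = []
    index_by_addr = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            index_by_addr[m["addr"]] = len(events)
            events.append(UsbEvent(m["ts"], m["host"], m["addr"],
                                   m["vid"].lower(), m["pid"].lower()))
            continue
        m = STORAGE_RE.match(line)
        if m and m["addr"] in index_by_addr:
            i = index_by_addr[m["addr"]]
            events[i] = replace(events[i], mass_storage=True)
    return events


def audit_usb_log(log_text: str, approved=APPROVED_MODELS) -> list:
    """Return one alert string per mass-storage device not on the approved list."""
    alerts = []
    for ev in parse_usb_events(log_text):
        if ev.mass_storage and (ev.vendor_id, ev.product_id) not in approved:
            alerts.append(
                f"{ev.timestamp} {ev.host}: unapproved USB storage "
                f"{ev.vendor_id}:{ev.product_id} on usb {ev.address}")
    return alerts


if __name__ == "__main__":
    for alert in audit_usb_log(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the approved drive on 1-1 and the keyboard on 1-2 pass silently and only the unknown storage device on 1-3 produces an alert. In practice the function would be fed from the host's kernel log forwarder so that the alert reaches the administrator as the device is inserted; matching on the vendor/product pair is deliberately a detection aid, not a block, since those IDs are reported by the device itself.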
Setting the scope of mobile device management
Mobile device management is a challenging endeavor. Every variation in manufacturers and models can present performance issues, compatibility problems and other difficulties. For example, one type of smartphone may be incompatible with the Exchange server, while a PDA's operating system may not interoperate properly with the network. These challenges (and the associated costs to address them) multiply with every different device supported by the organization -- quickly evolving into an expensive support nightmare.
So how should a solution provider advise clients on where to draw that line? Choices should be made based on the needs of the organization and the requirements of the existing data center. For example, if the company is currently using Exchange, it makes sense to select mobile devices that can interoperate with the Exchange server, while also meeting requirements such as encryption, remote push and remote wipe. Understand what the client needs to accomplish with their mobile devices and work out from that. But device choices are not a one-time effort. Organizations regularly evaluate new technologies and devices to identify potential upgrade paths and add new mobile features, but the total number of approved supported devices is still limited.
Ownership of the mobile device is another matter of debate. Some organizations allow employee-owned devices to access the corporate network as long as the device is on the established list of approved devices. In Gray's paradigm, employees with nonapproved devices (such as Nokia smartphones instead of BlackBerry units) simply do not get access or support.
Other organizations see device ownership as a key part of data management -- exercising a far greater level of ownership and control over the data. "If a staff member leaves, and has to leave the phone and [clients'] phone numbers behind, I can give that phone to another staff member," said Scott Gorcester, president of Moose Logic, a solution provider headquartered in Bothell, Wash. "I own the contact data for that customer."
Ultimately, mobile device management involves people more than technology, so many organizations enforce a written corporate policy. "You have to make sure that your people understand what your information management policies are," said Dave Sobel, CEO of Evolve Technologies, a solution provider located in Fairfax, Va. Sobel added that employees should sign a form "to acknowledge that they're going to manage that information securely."
The mistakes and costs of mobile device management
Although it's possible to consider many specific technical issues, solution providers like Gray, Gorcester and Sobel point to permissive attitudes as the biggest mobile device management mistake. Many organizations forget that today's mobile devices store their corporate data and should be managed as seriously as the massive storage arrays within a data center. Omitting the password on a smartphone may be convenient, but it's a serious security vulnerability if the unit is stolen.
Gray goes even further, noting that mobility and remote access have virtually erased the network perimeter. Rather than establishing a hard perimeter and innately trusting the users within, consider locking down the entire network, treating every local and mobile user as untrusted and giving only minimal access. The argument is continuity -- treat every user like they're mobile so that administrators apply the same management and security-centric mindset to everyone.
Every organization is different, so the costs of mobile device management are difficult to quantify in dollar amounts. However, organizations that adopt common hardware platforms and manage all employees on the network in the same hardened manner experience very little cost difference between fixed and mobile employees. The same cost management philosophy applies to business acquisitions, converting and consolidating the acquired organization so that all employees are accessing the same data center using the same PCs and other equipment.