In a world where “bring your own device” (BYOD) is becoming increasingly popular, and where multiple smartphones, tablets, and wearables may be owned by a single employee, the data security problems faced by IT in any enterprise are becoming more complex and difficult. Issuing separate “corporate owned, personally enabled” (COPE) devices is one solution, as these can be supervised with a variety of mobile device management (MDM) and mobile application management (MAM) platforms.
But a COPE approach can be expensive, and it doesn’t prevent employees (innocently or not) from bringing other devices into the work environment, where they may interface with corporate data and applications. In his 2014 book, Enterprise Mobility Management: Everything you need to know about MDM, MAM, and BYOD, Jack Madden cautions,
“[D]on’t be fooled into thinking you can prevent BYOD by buying company phones and locking them down like crazy. Your employees will still bring in their own personal devices, and you’ll have all the same issues to deal with again.”
A basic MDM solution doesn’t deal with the fact that workers today want to use multiple “endpoints,” which may be several mobile devices, desktop or laptop computers, specialty information appliances, and maybe even objects connected to the “Internet of Things” (IoT). From the point of view of IT, each endpoint is a potential security vulnerability. “Smartphones are a prime target for sensitive personal and corporate data,” writes Dror Nadler in Information Week, “But mobile virtualization can isolate data and protect it from threats.”
What is virtualization? In this context, it is a software simulation of a smartphone or other mobile device, hosted on a server, that copies the look and feel of the user’s own device. When an employee accesses the virtual copy of their device, IT can monitor and control how it is used.
Madden goes even further, advocating for a virtualized operating system as part of a mobile application management approach that enables all corporate apps to work together. As Chad Udell, Float’s managing director, recently outlined, such an approach is built on a layered architecture that separates interface design, business processes, services, programming, and operations, allowing maximum data interoperability. This solution builds an enterprise application and data storage ecosystem with deep linking among company apps. The virtualized environment can then be managed by IT on a secure server, allowing it to see all interactions between company data and applications and any endpoint used to access the enterprise system. Madden calls this a “dual persona” approach, and spends much of his book discussing its merits and issues.
With a dual-persona approach to mobile enterprise security, users can have their personal and work “personas” side by side on the same device, without one set of apps interfering with the other. Corporate information would be secure, while employee privacy would be protected for all personally installed apps and data. Madden explains,
“What are the basic requirements for supporting dual persona? Here are the things that you need to be able to do or aspire to: Keep tight management over corporate data and applications. Give users a choice of devices. Support personal devices to the same degree as corporate devices. Allow a free and open experience for personal applications. Allow flexible deployment models to suit different user preferences…all the management features that IT needs are in place without severely impacting the user experience for the rest of the device.”
Have you set up this type of approach in your company? How is it working for you?