Dimension Data Series #2 – Mobility Policy: The Mobile Endpoint is the New Perimeter
Mobile security is a top concern for IT and business leaders. This blog series with Dimension Data explores how organizational leaders can work together to mitigate concern and implement clearly defined policies and mobility goals.
Jason Harris co-authored this blog. Below we will address how the mobile endpoint is the new perimeter. The first blog in this series discussing how concerns outweigh actions when it comes to mobility security can be found here.
Jason comes from a technical and business risk and compliance background, with experience in conducting governance risk and compliance and technical security testing. He has expanded this into policy driven security architecture reviews including development of IT policy and procedures, technical system assessments, penetration testing, security and enterprise mobility architecture and information risk management. Over the last 3 years Jason has been leading the development of Dimension Data’s Enterprise Mobility Development Model (EMDM) and has delivered the EMDM to large enterprise clients.
Employees use their devices to access our systems on their own. It’s nearly impossible to stop.
If you agree with this statement, you’ll join the over 90% of IT decision makers that recently participated in Dimension Data’s Secure Mobility Global Survey. It’s no surprise that mobile security is a top concern for IT and business leaders; however as discussed in our first blog post in this series, concern often outweighs action when it comes to securing mobility.
For example, according to the Dimension Data survey, while over 90% of IT leaders agree that security is a top concern, only 27% feel that they have well-defined network policies in place for mobility.
Based on these figures, it’s clear that it isn’t enough to just talk about security policy; IT and business leaders need work together and focus on upholding and enforcing the policies set in place to close gaps. In this blog post, we’ll discuss why organizations need a policy that is clearly defined and how implementing the right policy will help fill gaps and establish a secure network.
Mobility is the New Endpoint
In our recent conversations with CIOs, many are starting to understand that in today’s mobile and cloud landscape, the mobile endpoint is the new perimeter. This change in thinking is what’s going to be required of all of us as we embrace and deploy clearly defined roles and responsibilities for enterprise mobility policies. If it’s important for IT and business leaders to enable employees to work anywhere, wherever and however, they need to plan it properly to ensure the right amount of controls and mechanisms to support a mobile workforce.
A major part of this shift in thinking involves securing not only the user or the device, but the data the user or device has access to. This data-centric security model can help issue some control around the evolution in enterprise mobility that has basically extended an organization’s network into a thousand mini-networks that IT has little visibility over. This is why we need to change our thinking. Mobile devices aren’t outside the perimeter; they are the new endpoint.
So, now that we’ve changed our thinking, how can organizations institute the right data-centric security policies to enable enterprise mobility?
We recommend that before deploying any mobility solutions, organizations clearly communicate the roles and responsibilities of the business, the IT department and the users within an enterprise mobility program. Whether they are deploying a BYOD program or issuing company devices, all parties need to be aware of the business objectives, conditions of uses, the services and support IT will provide and more. It’s also important to note that all mobility policies should be in line with other company-wide IT policies. Organizations should ensure there is actual management support at the business level for such policies. The days of IT sorting policies and programs out without the help of business leaders are over – IT and business leaders must work together to ensure the success of enterprise mobility programs and policies.
Once roles and responsibilities have been clearly defined, business and IT leaders must institute formal policies for all data and network access, whether on an employee-owned or corporate-issued device. In many cases, employees need to be aware of all of these policies, especially as more users bring a device from home in addition to their corporate-issued laptop and/or smartphone.
Here’s a short list of what recommended operational security policies should be included and discussed:
- Define what constitutes a Bring Your Own Device. What level of network access is allowed for BYOD?
- Determine a plan for how known and unknown devices are brought onto the network. Is this a manual process where users need IT to provision access or is there a user portal? In addition, IT leaders institute a formal policy for how to control the types of devices that are allowed to connect to the company network.
- Outline a policy for what happens when a device is lost or stolen. Will the company remotely wipe the device? Will it be a full wipe or selective?
- Decide how organizations and users deal with device disposal. This is often overlooked; however, it is important to discuss as many users save sensitive business applications and data on the device.
- Institute cloud backup and restoration policies. What data or sets of company data are considered okay to back up to the cloud?
Some of these policies are easier to implement technically, such as the choice to remote wipe, but they are not straightforward from a policy perspective. Security policies such as these need employee buy-in. For example, with one client we worked with, the consultation phase of implementing an enterprise mobility program took one year before everyone agreed to the BYOD policy.
As mobility and cloud become more pervasive and the Internet of Everything works to connect more people, processes, data and things, security policies will need to adapt and become clearly defined. Enterprise mobility and BYOD policies should be under the same IT platform and support business objectives.
Overall, these types of enterprise mobility security policies aren’t just a few guidelines to follow. They should be a rule to live by to help close the gaps between mobility vision and implementation.
In our next blog of this series, we will discuss the steps business and IT leaders can take to close this gap between vision and implementation. For more information about approaches to secure mobility, check out Dimension Data’s Secure Mobility Survey Report and the Cisco 2014 Annual Security Report.