Mobile Device Management – Find That Middle Ground

The reports are in. Thousands of people have been lining up outside Apple stores, wanting to be among the first to acquire the iPhone 6 or iPhone 6 Plus smartphones.

The mania for smartphones, then, shows no signs of abating anytime soon. The important thing to remember is that these are your company's customers, as well as your employees. If you don't have one already, it's time for a really comprehensive mobile device management (MDM) program, right?

There are two opposing currents in this space. Lately, I've been hearing about organizations looking to pull back on their BYOD laxity. That is, they are looking to take control of mobile device usage, and issue employees corporate devices that can be effectively managed and secured.

I heard about this retrenchment away from BYOD from two healthcare CIOs – both part of an industry where patient data is tightly regulated. In both establishments, doctors, nurses and other caregivers are being issued corporate smartphones or tablet computers. Control and security are very much on their minds, and BYOD is too risky an environment.

At the same time, there's a continuing movement to embrace personal technology. It's often not IT's call as to what users need and want to do their jobs better. I was at a conference session, led by very knowledgeable IT visionary Michael Dortch, who said MDM should mean “My Data Matters.” If end users prefer to bring in smartphones to do their jobs, it's up to IT to support this.

For guidance, the National Institute of Standards and Technology (NIST), a US government agency, provides some helpful guidelines on managing the mobile flood, and takes a middle ground between end users' need to control their own workplace destiny and IT managers' need to control for security.

NIST advocates that every organization have a mobile device security policy of some kind, and also seek out the best ways to “determine which services are needed for their environment, and then design and acquire one or more solutions that collectively provide the necessary services.”

Areas IT leaders should be concerned about include the following, according to NIST:

• General policy: “Enforcing enterprise security policies on the mobile device, such as restricting access to hardware and software, managing wireless network interfaces, and automatically monitoring, detecting, and reporting when policy violations occur.”

• Data communication and storage: “Supporting strongly encrypted data communications and data storage, wiping the device before reissuing it, and remotely wiping the device if it is lost or stolen and is at risk of having its data recovered by an untrusted party.”

• User and device authentication: “Requiring device authentication and/or other authentication before accessing organization resources, resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices suspected of being left unlocked in an unsecured location.”

• Applications: “Restricting which app stores may be used and which applications may be installed, restricting the permissions assigned to each application, installing and updating applications, restricting the use of synchronization services, verifying digital signatures on applications, and distributing the organization’s applications from a dedicated mobile application store.”
