Give ALL the People What They Want (Safely)
Data-Centric BYOD Can Satisfy Both Employees and IT
A Good Technology™ Whitepaper

Contents
Introduction
Anarchy: Free-wheeling Employees
Dictatorship: Device Lockdown
A War With No Winners
Freedom: Data-centric security
Conclusion
About Good Technology™

"More than half of US information workers pay for their smartphones and monthly plans, and three-quarters pick the smartphone they want rather than accept IT's choice."
Forrester Research

Introduction

Face it. Modern workers are addicted to mobile devices. Not just any vanilla corporate-issued devices, but our carefully selected and personalized expressions of ourselves: iPads®, iPhones®, Androids™, and whatever-comes-next.

Many of us get to use our devices in the office: 6 out of 10 businesses have welcomed the savings, satisfaction, and simplicity of BYOD programs enabling corporate application and network access from employee-owned devices. Another 32% plan to move to BYOD soon.[1]

In supporting employee devices, companies tend to exert either very little control, or a stifling amount of control. The approach taken depends on which community has the upper hand: the employees or IT.

Anarchy: Free-Wheeling Employees

When the employees who shell out many hundreds of dollars for the latest iPad or Android and its monthly bill are winning, they get their choice of devices. The company has a "Seize the savings! Skip the security!" motto. IT may use Microsoft® Exchange® ActiveSync® to enable password-protected access to Microsoft Outlook® and Exchange, and then the devices are free to access corporate email, calendars, and address books. No one looks closely at the confidential data that migrates to these devices. No one can.
IT has no visibility into what corporate data is where. Employees can forward email to personal accounts, use free accounts on Dropbox™ to transfer around content and store it in the cloud, and upload sensitive corporate documents or even corporate contacts to cloud-based apps.

Each device has different capabilities for data storage and wildly different capabilities for data protection, and no single security policy works across them. For example, without encryption, the company has no safe haven or recourse if an employee loses a device containing sensitive or regulated data. Malicious apps downloaded to these devices have easy access to corporate data and networks, especially if a user jailbreaks a device, disabling native security functions.

Unlike traditional IT-controlled devices, employee-controlled devices mingle corporate and unknown content,

Dictatorship: Device Lockdown

When IT is in control, companies may provide the devices (the BlackBerry® strategy circa 2000-2008) or dictate the device, its OS, and the way it may be used. Mobile device management (MDM) tools offer coarse-grained control: they can require passwords, block jailbroken devices, disable features, or blacklist a broader selection of devices. They can also activate application access, disable app installation, limit configuration complexity, and, in some cases, perform remote wipe of lost devices. Most companies provide email and application access and permit use of productivity apps like Dropbox.

However, MDM tools are entirely device-centric, not data-centric. They work to lock down the device and its apps and treat data stored on the device as a black box to be managed and wiped wholesale—removing personal data, music, photos, and contacts along with proprietary email, corporate apps, and files.
In some cases, because the device is considered "company liable," users may be restricted from adding consumer apps and personal content such as music and pictures. Although the user's smartphone becomes a lot less "smart" and their personal data less private, the device is perceived to be more "safe." The user's carefully chosen new device becomes as vanilla as the one he or she traded in two years ago.

A War with No Winners

So far, there are few winners in this battle. Employees either have limited access to enterprise apps or give up privacy and the fun and flexible features that make these devices worth the cost. IT and security folks either experience the painful repercussions of allowing insecure systems on the network or spend their time dealing with workarounds for executive, line of business, and remote users. Often, in the face of employee outrage, IT dumbs down MDM controls like strong passwords or does not restrict any of the device features.

In practice, MDM blacklists and whitelists are frail controls that lose efficacy quickly. For example, an approved, whitelisted app may be hijacked to contain malware. Or, if IT permits Facebook® or Dropbox, an employee can use any app that works with Facebook or Dropbox, including ones you may not want. Cloud-based services like these move confidential data into an outsider's control.

The alternative, blacklisting all undesired, secondary, and malicious apps, is equally impractical. These blacklists are perennially out of date as apps are added to app stores by the thousands.

MDM controls depend on native capabilities, so policies and enforcement inevitably vary across device platforms. For instance, although Apple® is considered a secure platform, Apple only allows a few apps to run continuously. The policies you hope to enforce are inactive most of the time. To get around this limitation, some MDM vendors use location-based services to track the device so that the app remains active in the background.
This implementation creates a painful side effect of privacy and compliance liability for the enterprise. The MDM control is monitoring each employee's private and personal activities, a potential violation of privacy regulations for which IT does not want to be responsible.

Even when IT wins, the company loses. In a February 2012 Ponemon Institute survey of mobile device risks, "Fifty-nine percent of respondents report that employees circumvent or disengage security features such as passwords and key locks."[2] If a weak password is active, hackers can crack 4-digit passwords in seconds. Once inside, all data is available—both personal and corporate.

Each workaround, jailbreak, and weak password increases the risk of a data breach. These breaches can cost you dearly. The March 2012 Ponemon Cost of a Data Breach survey showed that data breaches from lost or stolen devices increase the per-record cost by $22.[3]

CXOs need to start guiding BYOD initiatives to establish a more secure, more enduring, data-centered foundation for mobile device usage. You can start by asking a fundamental question: why does it have to be a choice between employee satisfaction and IT policy? Why can't there be a win-win: a way for both employees and IT to get what they want?

Freedom: Data-centric Security

Through rapid advances in consumer devices and enterprise vendor technology, businesses now have attractive options besides employee anarchy and IT dictatorship. While MDM functionality—application access, policies, reporting—remains necessary, you can now also layer in nuanced and sophisticated data-centric security.

Data-centric security empowers employees with device choice, user friendliness, and privacy, while enabling IT with manageable policies and reliable control over sensitive data.
It makes distinctions between data types—personal and corporate—and rigorously secures the confidential corporate data without nosing about in private information.

In this approach, apps and data can be partitioned, or apps can operate around the data. Sensitive apps and data can be firewalled off from other content in an encrypted container. As personal apps and data come and go, employees make full use of their devices but keep sensitive data separate and safe. If an employee downloads a cool new game app that carries a payload of data-stealing malware, the malware cannot access the data inside the container. Confidential data associated with an internally developed app inside the container isn't accessible to a personal app outside the container. Files can't be copied from corporate email to personal inboxes, for example.

Most IT teams are moving to a data-centric model for other aspects of enterprise infrastructure—data loss prevention, data centers, database monitoring. Adopting data-centric security on the device allows enterprise data management policies to be extended to mobile devices and assigned based on users, devices, and roles. Mobile devices become a logical and manageable extension of the infrastructure, not an unwelcome and unmitigated hazard.

Data-Centric: Secure Data on Secure Devices
Data-centric security offers a middle ground where both employee and IT needs and preferences are satisfied,

With confidence in the security and compliance of smartphones and tablets, enterprises can also move forward to adoption of in-house developed mobile apps and approved and certified third-party apps. As tablets replace laptops, and smartphones replace wired lines and fixed function devices, mobile apps now represent a core productivity tool of the modern workforce: in the field, the factory, and the corner office.

Conclusion

Give the people what they want.
Instead of trading off employee preference and privacy against IT policies and priorities, enterprises can use data-centric security to accommodate all requirements. Using this foundation, you can move beyond the basic cost savings of BYOD to advanced uses of mobile apps. Who knows? The next killer business app may be a mobile consumer app your employees install today, or a mobile app your team builds in-house. Either way, you win.

About Good Technology™

Mobility is here, and business is changing. Your employees need to be productive on devices they bring from home. And you need to provision, monitor, and secure the mobile apps and services that allow them to collaborate anytime, anywhere. It's how people work now.

Good Technology™ is transforming how mobile work gets done, through secure app-to-app workflows that include integrated email, communications, document management, business intelligence, social business, wireless printing, and more. We also offer complete enterprise mobility management solutions, including device, app, data, and service management; as well as analytics and reporting. We complete our stack with professional services that include mobile deployment rollouts, BYO onboarding constructs, and platform transition consulting. Only Good™ offers a complete mobile solution that puts IT back in control. All of Good Technology's secure solutions work to keep employees productive and corporate and personal data secure, and accessible.

Established in 1996 and headquartered in Sunnyvale, California, Good Technology's services are used by 3900+ major organizations worldwide, including nearly half of the Fortune® 100 as well as more than 4,000 enterprise customers in 90+ countries operating on over 200 carriers. Good Technology has partnerships with industry leaders including Apple®, Google®, LG®, HTC®, Microsoft®, Nokia® and leading systems integrators.

Want to know more? Visit good.com.
[1] Source: "Consumerization Drives Smartphone Proliferation", Forrester Research, Inc., Ted Schadler with Matt Brown and Heather Martyn, December 2 2011
[2] http://www.websense.com/content/ponemon-institute-research-report-2012.aspx?cmpid=prnr2.29.12
[3] http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide_CODB_US

Global Headquarters: +1 408 212 7500 (main), +1 866 7 BE GOOD (sales)
EMEA Headquarters: +44 (0) 20 7845 5300
Asia/Pacific Headquarters: +1 300 BE GOOD

©2013 Good Technology Corporation and its related entities. All use is subject to license terms posted at www.good.com/legal. All rights reserved. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD VAULT and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. Good's technology and products are protected by issued and pending U.S. and foreign patents. Pad and iPhone are trademart






