Editor’s note: SandHill readers are some of the world’s leading companies, and they’re asking for advice on how to implement their mobility strategies securely and cost-effectively, yet quickly. Are MDM software, secure containers for corporate data and other solutions on the market effective? I spoke with Naeem Zafar, president and CEO of Bitzer Mobile. In this interview, he describes the challenges of enterprise mobility and BYOD policies and then describes how to resolve these issues.
SandHill.com: A lot of CIOs or IT managers are looking at how to grant information access to employees who walk in with a new tablet or smartphone device they want to use at work. What’s the best way to address the challenges of the Bring Your Own Device (BYOD) model?
Naeem Zafar: BYOD often can be a better idea than giving corporate-owned devices to employees, as it saves the company money. But as these companies design an enterprise mobility solution, there are four key elements that they should address. These challenges, if addressed properly, can lead to much higher employee productivity and morale.
SandHill.com: What’s in the first bucket of challenges?
Naeem Zafar: Challenge #1 is how to preserve the same authentication mechanism that the company has developed over the years and still accommodate the mobile users. Companies have spent millions of dollars putting together authentication infrastructures. Companies use several different mechanisms such as passwords and usernames, smartcards, digital certificates and Single-Sign-On technology. All these solutions, behind the scenes, make the user experience seamless and effortless.
The problem is when you go mobile; almost none of the operating-system providers support these authentication technologies and protocols. So some companies make exceptions for mobile users by reducing the security requirements. From a risk standpoint, this is going in the wrong direction; a mobile device is likely to get lost or stolen, and security should be increased and not reduced.
SandHill.com: That’s obviously a risky maneuver. What’s the second challenge?
Naeem Zafar: Data security, but this has two really important parts: Securing data-at-rest and data-in-transit.
The data-at-rest issue comes into play when there is sensitive corporate data on a mobile device. Can somebody get to that data if the employee loses the device? Some devices (Apple’s iPhones and iPads) offer some encryption; others (some of the Android models) don’t. Companies are asking how they can get additional security and, furthermore, can they hide the encryption keys so that a hacker cannot root or jailbreak the device, get to the key and decrypt the corporate-sensitive data. An ideal BYOD solution must offer a safe way to encrypt and protect the data beyond what a device manufacturer offers.
Data-in-transit security implies that the data is secured as it goes back and forth between the corporate network and the mobile device. Most companies rely on device-level VPN as a way to connect data-secure channels. VPN works great for laptops because laptops are locked down by the IT department, preventing users from installing harmful applications. But people who have an iPad can install anything they want. Simple VPN creates an open tunnel at the device level between the mobile device and the company’s network, and any rogue app or resulting malicious data can get into the tunnel. So this creates a heightened security risk. Most companies don’t want to do that but haven’t found a better way than VPN.
SandHill.com: You mentioned employees losing their mobile device.
Naeem Zafar: Yes, and that ties in to the third challenge: control of the data. If the employee leaves, the company should be able to wipe the corporate data from the device. If the device is lost, the company wants to be able to wipe or lock the data.
Companies should be able to provide additional fine-grain control over their corporate data. For example, if there is an hourly or union employee who should access the data from, let’s say, midnight to 8:00 a.m., why is the employee accessing it at 10:00 p.m.? Let’s also take the example of “geofencing.” If an employee works in California, why is the employee accessing the data from Australia? Companies try to build these restrictive controls into their systems. Some include a rule about what to do if a user has exceeded a certain number of attempts to log in. An ideal mobility solution should allow IT departments such fine-grain controls over the corporate data but not necessarily the employee’s mobile device.
The fourth challenge in mobility is about enabling employees to run business applications on their mobile devices, hopefully separating the corporate apps and data from personal apps and data. Apps drive mobile productivity. They need the freedom to have a single mobile solution that can run Web apps, HTML5 apps and native apps securely while not worrying about challenges #1, #2 and #3 that I described.
SandHill.com: So let’s go back to challenge #1, authentication. Please describe the best practices in this area.
Naeem Zafar: They key point is that one must not make exceptions if the user is a mobile user. Employees log in just as they would if they were sitting at their desks. If the company is using Windows Active Directory then employees should use the same credentials or use two-factor authentication like a smartcard. That’s one part of the solution.
But there’s another element: Once logged into the network, can the employee go from one site to another site and from one application to another application without re-authentication? This is called Single-Sign-on (SSO) (the Microsoft standard is Kerberos).
Bitzer Mobile is the only company that supports this protocol from a mobile device. Without SSO, the mobile experience is very painful because every time you want to look at a different application or intranet site, you have to re-authenticate to get into it. That gets really cumbersome, especially on a mobile device. As a result, people don’t use those corporate applications because it is frustrating. The consumerization of IT is causing people to expect the same experience at work as they have on their personal mobile devices.
SandHill.com: What about container-based solutions for addressing the second challenge: data security?
Naeem Zafar: Yes you are right. There are a few new companies that offer a secure container-based solution to isolate personal data from corporate data; Bitzer Mobile is one of them. A secure container solution offers additional security and encryption, but one should always take a closer look at the specifications of the container: It should have a secure browser and allow local data storage for offline access, and it all should be well encrypted.
Bitzer Mobile takes the approach of a secure container on the mobile device; all the corporate-related data sits in the container. It is protected by security keys that are never stored on the device keychain (enhanced security is offered using an encryption standard called AES256). This goes beyond what Apple and Android device makers provide, and Bitzer uses a unique way to derive and secure the keys needed to decrypt this data.
SandHill.com: More and more secure container solutions are entering the market. How can a company determine which is the best for their situation?
Naeem Zafar: There are several players and this can get confusing for a CIO. For example, Good Technology has been around for 10 years. Symantec recently acquired two companies in this area. Primarily container solutions differ in how they connect to the corporate network (the pipe). How does information get to and from the container? Data-transit issues are not as simple as they look.
As I mentioned before, many companies just use a VPN to get to and from the container. However, that is not sufficiently secure and can be hard to maintain for people who travel and go between Wi-Fi and 3G/4G cellular networks. At this lower-level connection, any application or malware can travel along with the good data through the tunnel; a VPN allows other malware to mosey on over to the corporate network.
At Bitzer Mobile, we created a tunnel with a security guard at the entrance. So only approved applications can get to the network. In other words, it’s a closed environment, which is much more secure. Since it can’t be used by malware or other bad elements on a user’s device, it protects the corporate network.
SandHill.com: As to the third challenge of controlling the data and being able to wipe corporate data from a mobile device, aren’t there a lot of MDM (Mobile Device Management) solutions now in the market?
Naeem Zafar: Yes, companies such as Mobile Iron, Zenprise, and Airwatch have MDM solutions. These software solutions take over mobile devices remotely. They set profiles and push an application to a device, wipe the whole device clean and basically spy on the mobile user.
SandHill.com: Yes, companies participating in our SandHill study on the risks and opportunities of a mobile environment mentioned risks around privacy issues in connection with MDM software.
Naeem Zafar: There are all kinds of privacy issues related to MDM software on an employee-owned device. In some instances, there are legal issues around whether a company can remotely wipe a device with personal data on it, as is the case with MDM solutions. It can be uncomfortable for employees to know that their employer knows that a user played games on the device or downloaded inappropriate content.
Besides the privacy issues, it’s important to realize that MDM really doesn’t do all that much for protecting the corporate data. If the employee has an iPhone with MDM set up on it, when the employee backs it up to iCloud, it copies the corporate data to the cloud. So even if the company wipes the device, the employee already has a copy of the data.
Employees are afraid that the company will wipe their whole device, so they don’t report a stolen or lost device right away. But companies need to wipe the device immediately. The fear of loss of personal data prevents employees from reporting as they keep hoping that they will soon find the misplaced or stolen device.
Also, when an MDM solution controls an employee’s device, they are forced to insert a code to open the phone, even if they’re checking the stock prices or want to make a phone call. That ruins the user experience.
SandHill.com: Then what do you recommend as the best-practice approach or solution for these issues?
Naeem Zafar: The best practice is to have an end-to-end solution that is similar to that of Bitzer’s. We put all the corporate stuff inside the secure container; and then through our Admin Control Panel we enable IT departments to remotely wipe the container, if needed, but not the whole device. The secure container prevents cut/paste functionalities from documents and websites inside the container and also prevents backup of the container’s data to the cloud or another external device.
SandHill.com: What best practices and recommendation do you have for addressing the fourth challenge — the apps?
Naeem Zafar: Based on the premise that a company uses a secure container on mobile devices, the best practice is to run the applications inside the container. With a secure browser inside the container and native app functionality, the company can run the applications inside the secure container and isolate them from what’s happening on the personal side of the device. The container becomes the user’s little office on a mobile device.
Some companies provide a corporate app store for securely distributing the company applications. At Bitzer Mobile, we do the same thing, but users don’t have to keep logging into each application; they sign on only once. Plus authentication, access and security are part of the solution.
SandHill.com: It seems to me that most companies are not aware that these kinds of solutions are on the market now.
Naeem Zafar: It’s a classic situation where a new solution comes with a lot of promise but also creates new challenges. First-generation solutions are seldom complete. It’s the same thing with enterprise mobility. Everybody is excited about being able to access mobile apps. But there are a bunch of gotchas. Companies really need to think through this and select the right solution.
Naeem Zafar is the co-founder and CEO of Bitzer Mobile. He is also a faculty member of Haas Business School at the University of California Berkeley, where he teaches Entrepreneurship and Innovation. Naeem is a serial entrepreneur, having started his first company at the age of 26, and has worked at six startups. Contact him at email@example.com.
Kathleen Goolsby is managing editor at SandHill.com.