Issue: Europe I 2014
Topic: Accessing and sharing files on the go poses a major risk for companies, but what's the solution?
Title: Regional Director UK&I, Netherlands, Africa
Russell Crawford, Regional Director UK&I, Netherlands & Africa at Cortado, has been working with Cortado for over nine years. Before joining Cortado he gained extensive sales and management experience during an eight-year stint working for Vodafone UK.
Russell studied at The University of Abertay Dundee, graduating with a BA (Hons) in Business Administration.
BYOD raises several issues around file sharing, where consumer-style procedures are not appropriate but corporate-style procedures are too restrictive. The use of Dropbox, for example, is risky for confidential enterprise material. Users want full bi-directional file synchronisation, but the business cannot allow uploading or deleting of shared files. MAM (Mobile Apps Management) defines new facilities to help resolve this: containerization of corporate data separately from personal data, and the wrapping of applications – applying a management layer with policy rules that modify mobile app behaviour without changing the app's basic functionality.
According to a recent study by Samsung, more than a third of companies found that employing a bring your own device (BYOD) policy boosted employee productivity. The same report showed almost a third of large European companies had lost customer data and leaked confidential information due to security breaches, through the use of personal mobile devices for work, with nine in ten large companies having seen or expected some form of security scare in the past two years owing to the growth of BYOD.
This is proof that companies need to look at file access and file sharing among an increasingly mobile workforce. The following are a few ways companies can take a more considered approach to ensure files can be better managed and remain secure when accessed via mobile devices.
The Dropbox effect
While mobile access to files and documents increases productivity, a significant security risk remains: employees bringing unauthorized documents to their mobile devices.
Many IT departments complain of employees using Dropbox or similar services to access files when mobile and to share files with external parties. As a result, many established vendors are developing Dropbox imitations for companies, such as Citrix ShareFile and VMware Horizon Data, among others. However, before companies decide to use a public cloud solution, they should analyse whether the Dropbox approach suits them and what criteria an enterprise solution must meet.
One file sharing approach is the use of sync folders. Companies must determine which documents, specific to individual work groups, should be available for mobile employees. While it is obvious that frequently used files such as price lists or contract forms can be made available in the sales folder, other, less obvious documents are often needed in the field too. If these are not available, then employees must ultimately spend time searching for a solution, call the company and have them send the document, or postpone the task altogether. It is far more productive to allow employees access to the file system.
File server integration
The main purpose of an enterprise mobility solution is to increase productivity among mobile employees. This only succeeds when employees can actually access all relevant information on-the-go. Security is extremely important in this context, and company documents must not fall into unauthorized hands. The most sensible solution here is integration into the already existing Active Directory. The existing rights management can be expanded to the mobile sphere or further restricted for mobile use. The result is that data is fully protected, but workload for the IT department stays within manageable limits. It also makes sense to integrate a search function, which vastly simplifies finding required files.
When considering the synchronization aspect, there are two different approaches. In bi-directional synchronization, edited files are synchronized on all devices. What works for an individual user turns into a disaster in the enterprise context. First, data traffic must be taken into consideration. Imagine a terabyte of data being synchronized on 300 mobile devices! The resulting data traffic generates unacceptable costs. Secondly, bi-directional synchronization means that a document changed by one employee automatically overwrites the original document intended for use by the team. If a file is deleted, it is no longer available to other employees. Bi-directional synchronization is thus a highly unsuitable approach in the enterprise context. The most effective way to handle this is to use uni-directional synchronization.
With uni-directional synchronization, data is synchronized in one direction only. The user can decide which folders they want to synchronize, and in which direction. If auto upload is selected, the contents of the defined local folder are automatically uploaded to the corresponding user directory on the server. With auto download, the contents of a predetermined folder are automatically synchronized on the mobile device, which is ideal for price lists, contracts and presentation templates. Solutions following this approach also ensure that the deletion of files is not synchronized, thereby avoiding data loss, and uni-directional synchronization keeps data traffic at a manageable level without an explosion of costs.
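The one-way behaviour described above can be sketched as a sync planner. This is an added example, not code from the article or from any vendor's product; the function names, file names, sizes and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileState:
    size: int    # bytes
    mtime: int   # last-modified time, epoch seconds

def plan_one_way(source, target):
    """Plan a one-way sync from `source` to `target` (dicts of path -> FileState).

    Only files that are missing or older on the target are copied. Files that
    exist only on the target are left alone, so a deletion on the source side
    is never propagated, and nothing ever flows from target back to source.
    """
    actions = []
    for path, src in sorted(source.items()):
        dst = target.get(path)
        if dst is None or src.mtime > dst.mtime:
            actions.append(("copy", path, src.size))
    return actions

def plan_sync(direction, server, device):
    """The direction is chosen per folder: 'download' or 'upload'."""
    if direction == "download":      # auto download: server -> device
        return plan_one_way(server, device)
    if direction == "upload":        # auto upload: device -> user directory
        return plan_one_way(device, server)
    raise ValueError(f"unknown direction: {direction!r}")

def bytes_to_transfer(actions):
    return sum(size for _action, _path, size in actions)

# Constructed sample: a shared sales folder and one device's copy of it.
SERVER_SALES = {
    "pricelist.xlsx": FileState(40_000, 200),   # updated on the server
    "contract.docx":  FileState(25_000, 100),
}
DEVICE_SALES = {
    "pricelist.xlsx":    FileState(38_000, 150),  # stale copy
    "contract.docx":     FileState(26_000, 300),  # edited on the device
    "template-old.pptx": FileState(90_000, 50),   # since deleted on the server
}

if __name__ == "__main__":
    plan = plan_sync("download", SERVER_SALES, DEVICE_SALES)
    print(plan, bytes_to_transfer(plan))
```

With this sample the download plan copies only the updated price list: the contract edited on the device does not overwrite the team's original, and the template removed from the server stays on the device.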
Cloud service versus on-premise approach
Many companies toy with the idea of storing mobile device management (MDM) systems in the public cloud or have already done so. The most frequent argument for a cloud-based solution is the implementation speed. However, once mobile devices are required to be used productively, access to internal resources is needed. Storing this entire file structure in the cloud is an approach that is neither secure, nor quickly realized. For security reasons, companies should only consider an on-premise version on the company network.
Integration in the existing IT infrastructure
MDM, mobile application management (MAM), file sharing and everything associated with enterprise mobility should fit into the existing IT environment as seamlessly as possible. Most solutions integrate the leading mobile operating systems, such as iOS and Android, but also BlackBerry, into the Windows backend. Through Active Directory, the existing rights can then be used and additional rules defined for mobile use. For example, it can be useful to prohibit the deleting of files with the mobile device. However, IT departments should avoid building and managing a parallel space for mobile users.
It makes sense that the MDM system should not only be able to import users and user groups from the Active Directory, but also keep the rights synchronized with it while the system is running. If an employee moves from one office to another branch or from support to consulting, it is sufficient to change the employee's details in the Active Directory just once. The mobile device then automatically adopts the rights for the user's new group as defined in the MDM. This also applies to other function areas: access to the existing network drives, storage and e-mail systems, network printers and databases.
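The rights model described above (existing directory rights, narrowed by extra rules for mobile use, and recomputed when group membership changes) can be modelled as follows. This is an added example, not code from the article or any MDM product; it works on in-memory data rather than querying a directory, and the group names, share names and rights are constructed.

```python
# Constructed sample data standing in for rights already defined per group.
GROUP_RIGHTS = {
    "Support":    {"support-share":    {"read", "write", "delete"}},
    "Consulting": {"consulting-share": {"read", "write", "delete"},
                   "templates-share":  {"read"}},
}

# Additional rule for mobile use: deleting files from a device is prohibited.
MOBILE_DENY = {"delete"}

def effective_mobile_rights(user_groups, group_rights=GROUP_RIGHTS,
                            mobile_deny=MOBILE_DENY):
    """Union the rights of the user's groups, then apply the mobile rules.

    The mobile policy can only remove rights; it never grants anything the
    directory does not already grant, so no parallel rights store is needed.
    """
    merged = {}
    for group in user_groups:
        for share, granted in group_rights.get(group, {}).items():
            merged.setdefault(share, set()).update(granted)
    return {share: granted - mobile_deny
            for share, granted in merged.items() if granted - mobile_deny}

def rights_delta(before, after):
    """What a device loses and gains when the directory entry changes."""
    def flatten(rights):
        return {(share, r) for share, rs in rights.items() for r in rs}
    return {"revoked": sorted(flatten(before) - flatten(after)),
            "granted": sorted(flatten(after) - flatten(before))}

if __name__ == "__main__":
    # One change in the directory: the employee moves from support to consulting.
    old = effective_mobile_rights({"Support"})
    new = effective_mobile_rights({"Consulting"})
    print(rights_delta(old, new))
```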
Printing, even on a network printer
With the use of mobile devices increasing, the desire to print available documents increases too. It is important that companies take mobile printing into consideration when choosing an enterprise mobility system. Even mobile devices require flexible output options, and both network and home office printers should be supported.
The entry of smartphones and tablets into companies began with users wanting to bring their personal devices into the work environment. For enterprise use, this acceptance on the part of users is significant. Only when employees can use their devices productively is it possible to implement a mobile enterprise strategy. A straitjacket that constricts the possibilities of the devices is counterproductive. Applications, for example, that need to access a virtual Windows desktop are unlikely to find user acceptance and they also fail to fully leverage the advantages of the device. In addition, an online connection is not always possible. The consequence, as already mentioned, is that users attempt to circumvent restrictions by working around IT, and this is anything but secure. A minimum requirement of a solution is that it must have the capability to function offline. At best, a native app and a web app are available for users, who choose what best meets their requirements.
It is important to take the best possible advantage of the native resources of the respective devices and the respective operating systems. Everyone should work with the apps that best suit their device, for their application. Conversely, this does not mean of course that everything must be allowed, so unwanted apps should be blocked.
Companies should also enable the native e-mail client that is best for the respective device. All reprogrammed e-mail clients lead to losses in operation and lag behind improvements with system updates – almost every new version of Apple's iOS has introduced new features for the e-mail client.
MDM, and especially MAM, should adhere to the native possibilities of operating systems. One example of this is app wrapping, which is the process of applying a management layer to a mobile app without requiring any changes to the underlying application, allowing a MAM administrator to set specific policy elements that can be applied to an application or group of applications.
In order to facilitate the secure use of iPads and iPhones in companies, a multitude of MDM and MAM vendors have developed their own solutions in the past. The reason is that, despite Apple improving the security and administration of its devices with every version of its iOS operating system, there are always significant gaps that make its use in the business sector difficult. Most recently the approach of MDM and MAM vendors has given rise to two important technologies: containerization and the wrapping of applications.
App wrapping attempts to change a group of apps in such a way that they meet higher security requirements, and exchange data and documents only among each other. As part of the wrapping process, libraries are replaced with modified libraries in an existing application. Unlike a container solution, which deals with a closed, stable working solution, app wrapping can lead to both legal and technical problems. Nonetheless, this technology has been the subject of some significant hype over the past year. There have already been calls for standardization because every app wrapping approach works differently, which has led to apps in app stores being available in multiple forms: one for the standard user and then one in wrapped form for the various MAM makers.
App wrapping, however, has its problems. First, the technical concerns. If the wrapped app does not adhere to the standards, will data possibly end up outside of the company's realm of control? How does the app react to the wrapping? This is different for each and every app. This also means that before an app is used, it must be tested. How does the performance change with each update? Who provides the support for the wrapped apps? Where are the rights? Who is liable?
The good news is that this approach is now obsolete with iOS 7, which brings many enterprise features like multitasking, per-app VPN, enterprise single sign-on and, most importantly, managed open in. With managed open in, businesses can configure apps and accounts specifically for company use.
They can also allow personal e-mail accounts and apps on the devices and at the same time ensure that company documents can only be exchanged between company mailboxes and defined apps. For Android devices, Samsung Knox offers similar options.
It is clear that file sharing in companies has different requirements from personal use. If file sharing is based on a company’s file server, then there is no reason to use a riskier cloud service. When companies choose iOS 7 and Samsung Android devices and complement them with an integrated file sharing and MDM solution, all security-critical requirements will likely be met, and IT departments can rest assured that files are managed properly and security risks remain minimal.