Securing ‘BYOx’ with enterprise mobility management

holding iphone using mobile phoneEnterprise Bring Your Own Device (BYOD) policies allow employees to use their personal mobile devices to get work done, but the policies are evolving into a BYOx (Bring Your Own Anything) concept that includes wearables as well as devices you carry.

That’s the next challenge for Mobile Device Management (MDM) software, which was created to manage mobile devices but which must now also cover smart glasses, smart watches and whatever else is coming.

J. Gerry Purdy, Chief Mobility Analyst, Compass IntelligenceA new category of tools called Enterprise Mobility Management (EMM) is evolving to become “a facilitator and monitor of just about everything that’s going on in the device,” J. Gerry Purdy, Chief Mobile Analyst at Compass Intelligence, told SiliconANGLE. Purdy said EMM covers three main areas: applications, content like files and data and containerization, which makes sure that consumer apps are managed separately from corporate data.”

The ranks of EMM software providers include AirWatch (acquired by VMware, Inc. in February), Citrix Systems, Inc., Fiberlink Communications Corp. (an IBM company), MobileIron, Inc., SAP SE and SOTI, Inc. Their third-party EMM software provides security by connecting with the EMM application programming interfaces (APIs) inside mobile devices from mobile device manufacturers such as Apple Inc., BlackBerry Limited, HTC Corp., LG Electronics Inc., Samsung Electronics Co., Ltd., Sony Corp. and others.

Stacy Crook, Research Director, Mobile Enterprise at IDC

Stacy Crook, Research Director, Mobile Enterprise at IDC

If you are a company looking for EMM software, how do you know which solution supports the devices that your company uses? “Third-party EMM providers support different operating systems, and they’ll support Android 2.x, Android 4.x, Apple, and so on,” said Stacy Crook, Research Director, Mobile Enterprise at International Data Corp. (IDC). “The hardware manufacturers have some differences in their implementations of Android so if you want to get to a greater level of granularity, then it’s helpful if the [EMM] provider has partnered with that device manufacturer.”

EMM capabilities within the hardware


Purdy estimates that the world’s top companies have either already implemented mobile device management or are in active evaluation. But, he warns, “We’re still finding that there are thousands, if not tens of thousands of companies that haven’t addressed mobile device management.” Here are the EMM capabilities that Apple, BlackBerry, HTC, LG, Samsung and Sony each offer within their smartphones.

Apple: In iOS 7, Apple placed some new commands, queries and configuration options specifically for third-party EMM. They allow IT managers to wirelessly set up managed apps, install custom fonts and configure accessibility options and AirPrint printers as well as whitelist AirPlay destinations.

blackberry logo on leatherBlackBerry: The Canadian company is known for its secure enterprise offerings and, even before BlackBerry 10 launched, the mobile operating system (OS) received Federal Information Processing Standard (FIPS) 140-2 certification. That means the platform is safe to use in U.S. and Canadian government branches as well as in private companies. BlackBerry claims its BlackBerry Enterprise Service 10 (BES10) is the only operating system that delivers secure device, application and content management, with integrated security and connectivity for BlackBerry, iOS and Android devices. To prevent enterprise data leaks, BES10 employs separation of work and personal data, and offers a selection of enterprise apps that can be securely deployed with Secure Work Space for iOS and Secure Work Space for Android.

HTC: HTC has partnered with mobility independent software vendors (ISVs) for an MDM solution that’s included in its HTCpro enterprise offering. HTCpro-certified devices include a wide range of EMM APIs that are designed to deliver capabilities to secure, configure, manage and audit these devices.

LG: LG GATE is the company’s enterprise software offering. It provides secure management of LG mobile devices through collaboration with EMM providers such as AirWatch, SOTISAP and Fiberlink. IT managers can remotely manage personal devices to keep the devices secure without interfering with the user’s personal data.

Samsung: Samsung has partnerships with EMM providers MobileIron, SAP, SOTI and AirWatch which enable secure management of corporate mobiles deployed outside the company. These partners have either developed or will develop Samsung for Enterprise (SAFE) apps to address challenging management and security concerns.

Sony: Some of the company’s existing partners for its enterprise Software Development Kit (SDK) include AirWatch, SOTI and Citrix. They have been able to utilize the APIs included in Sony’s enterprise SDK to provide businesses with the ability to perform over-the-air security, monitoring and management of mobile devices used in the workplace.

How each manufacturer addresses mobile security


Apple: The company’s enterprise solution has an “open in” feature that allows IT managers to select which apps and accounts are able to access enterprise data. This prevents the mingling of personal and business data. It also has a per-app Virtual Private Network (VPN) which ensures that corporate apps only connect to the company’s secure network while personal apps don’t. Employees can use Single Sign-On (SSO) to securely log in once without compromising the security of the network.

BlackBerry: For security and multidevice control, BlackBerry employs the Secure Work Space which is a containerization, application-wrapping and secure connectivity option that delivers control and security for iOS and Android devices managed through BES10. Secure Work Space allows for the separation of work and personal apps and data, provides integrated email, calendar and contacts app, includes an enterprise-level secure browser, and provides for secure attachment viewing and editing with Documents To Go.

BlackBerry announced on August 6 that the Secure Work Space for iOS and Android received Security Technical Implementation Guide (STIG) approval from the Defense Information Systems Agency (DISA). That means that BlackBerry 10 devices and BES10 are also STIG-approved, underscoring the company’s mission of securing enterprise mobility.

analytics on mobile 2HTC: HTC implements government-grade data encryption allowing HTCpro-certified devices to deploy a FIPS 140-2 certified, 256-bit AES encryption engine that is certified by the National Institute of Standards and Technology (NIST) to meet current U.S. government standards for acceptable cryptographic modules. HTC also has flexible activation and management features for the encryption engine, which allows it to be controlled either manually via the Microsoft Exchange ActiveSync (EAS) protocol or via third-party EMM solutions integrated with HTCpro’s EMM APIs. This security feature also allows the use of a VPN client with the same encryption engine, making data-in-transit applications compliant with FIPS 140-2 guidelines.

LG: For security, LG Gate offers device and SD card encryption, the ability to restrict apps regarding what data they can access, the ability to remotely wipe or lock devices in case they get stolen or lost, strong password policy, and the ability to restrict, block or quarantine by device type or models. It supports full features of Internet Protocol Security (IPsec) VPN using a government-grade, FIPS 140-2 certified crypto module which allows the enterprise to build secure networks on top of public communications networks.

Samsung: Samsung SAFE’s security is enhanced with KNOX Workspace which offers multiple layers of hardware and software device security to prevent leakage of corporate data. It uses two-factor authentication requiring both biometric and password, or pass code or pattern unlock to complete the process.

Sony: Xperia in Business protects sensitive enterprise information via an initial combination of strong passwords, PINs and screen unlock patterns. Data held in the internal memory and SD cards are encrypted with 256-bit AES. It has Secure/Multipurpose Internet Mail Extensions (S/MIME), and remote wipe of data in case the device gets stolen or lost. It implements Allow/Block/Quarantine (ABQ) to manage which EAS-enabled devices can connect to your Microsoft Exchange Server.


Some enterprises aren’t supporting BYOx


These mobile device manufacturers all offer formidable enterprise solutions that can help keep sensitive business data safe but still be easily accessed by people who have the right level of clearance. Most of the solutions are pretty device-specific, meaning their business management and security solutions only work for the device they manufacture. So, if a certain company likes the security offering provided by one of these manufacturers, the company will be forced to let go of BYOx and, instead, implement a strict mobile device policy in which only one brand of mobile device is allowed for work use.

car driver speedyThe Ford Motor Company is an example of a company that is voluntarily letting go of BYOx. Ford recently announced that it will issue one standard mobile device for all of its employees. By the end of the year, about 3,300 Ford workers will have their old phones replaced with iPhones. Within the next couple of years, the company aims to have all of its 6,000 employees using iPhones.

Ford believes that Apple’s mobile devices are able to serve both its company needs as well as personal needs without compromising the security of business data. We may soon see IBM courting Ford to use its Fiberlink EMM software to secure their iPhones. The recent partnership between IBM and Apple is exclusive; Apple has agreed not to sign with any other company for the distribution of Apple products to enterprises. But, according to Purdy, companies using iPhones don’t necessarily need to also use IBM’s EMM software for security.

Photo credit: neeravbhatt via photopin cc
Photo of J. Gerry Purdy courtesy of Compass Intelligence
Photo of Stacy Crook courtesy of IDC
Photo credit: SimonQ錫濛譙 via photopin cc
Photo credit: Dell’s Official Flickr Page via photopin cc
Photo credit: / via photopin cc