How Can Employee-Owned Mobile Devices Be Secured and Managed on Corporate Networks?

With the rise of personal mobile devices, a growing number of enterprises have scrapped the homogeneity mandate: instead of requiring employees to use a standard smartphone, more IT departments are now looking at some degree of control over employee-owned (or “employee-liable”) devices, to manage and secure them. Mobile Security Definition and Solutions

Slideshow: Mobile Security: How Gadgets Evolved

“The corporate standards dam is breaking, as platforms like Android and iPhone push their way into the enterprise,” says Gartner Vice President Phillip Redman. “Most companies will accept these, and prepare guidelines and processes for managing and securing them.”

More wireless burning questions:

Should you even bother looking at Windows Phone 7?|How can enterprise WLANs manage the bandwidth crush from mobile devices and multimedia apps?|Is Sprint losing its WiMAX/4G gamble?|What’s the impact of carriers’ new “capped” wireless data plans on corporate networks?|How can wireless and wired security be brought together, rationalized and managed?|How are large-scale, dense Wi-Fi networks affecting radio management issues?|“Who should own your smartphone?”)

Best practices, Redmond says, include “segmenting users into work styles by mobility and application requirements, and matching up device choices.” Another key: adopting of a mobile device management platform or service to help manage the use, configuration and security of these devices.

The approach needs to be systematic and comprehensive, says Khoi Nguyen, group product manager for the mobile security group at Symantec. Crucial elements are: general device and application management; security features to ensure policies are in place, enforced and up-to-date; and alerting and reporting on unauthorized access.

Whatever the details, the overall process “boils down to a regimented and policy-driven approach that recognizes that smartphones and other mobile devices need equal treatment because they’ve become equally important with other IT assets,” says Tom Henderson, managing director of ExtremeLabs.

“Nothing technologically prevents this,” says Enterprise Mobility Foundation President Philippe Winthrop. Instead, he says, the real issues are cultural. “There has to be a recognition by the individual [employee] that e-mail is corporate intellectual property,” Winthrop says. “And if you’re looking at more than e-mail, then the company has every right to secure that information.” (See “Endpoint security: managing enterprise smartphone risk”.)]

A growing number of companies are formulating written mobile policies and requiring employees to read, understand and sign them before they have access to e-mail and other data from their device. One of Winthrop’s neighbors bought a new iPhone 4, and his company’s IT department installed, via the App Store, the corporate-mandated secure messaging platform. That will become increasingly common, Winthrop says.

“The big question surrounds legal issues — agreements between employees and employer — and placing an enterprise-owned agent on an employee’s handset,” says Craig Mathias, of the Farpoint Group mobile consultancy.

It’s the start of whole new relationship between mobile device users, in dual roles as individual consumer and employee, and the company for which they work.

Read more about anti-malware in Network World’s Anti-malware section.