How to create seamless mobile security for employees

The salespeople at financial services firm Vanguard Group need on-the-go access to presentations, client data and meeting details from wherever they are without a lot of hurdles. That doesn’t mean, however, they need to access the complete suite of Vanguard applications and all of its data. So access is built around determining what users need in order to be productive without jeopardizing security by giving them too much access, says John Marcante, managing director and CIO at Valley Forge, Pa.-based Vanguard.

“That’s the challenge. You have to figure out how to make things usable and at the same time secure. That’s the world we’re in today,” he says.

The mobile workforce is here. A perfect security system isn’t. That leaves enterprise technology departments scrambling to keep up with employees’ demands for access that’s as seamless as what they get with their personal apps yet secure enough to meet organizational and regulatory requirements.

“A focus by IT teams on tools and solutions that provide a good user experience while meeting their enterprise security requirements is really vital — if [a tool is] too painful or annoying for users to adopt, they’ll be less productive, more unhappy and more likely to break the rules — bringing potentially more risk into the enterprise,” says Nisha Sharma, managing director at Accenture Mobility, part of Accenture Digital.

Sharma says IT leaders need a combination of tools to strike the right balance between access and security.

“Security solutions need to be unobtrusive and offer the excellent user experience that people are so used to from their mobile devices — they don’t need to know how complex all the integration is at the back end, just so long as they can access what they need in as few taps as possible,” she says.

Here’s a look at how several CIOs are working toward that.

Decide what specific users need

At Vanguard, Marcante says salespeople now can use apps to access marketing presentations and business documents or work on meeting prep and wrap-up. Because the systems used for these activities are housed in a password-protected, encrypted container, workers can access them either online or offline. The setup supports immediate access even if there’s no Wi-Fi, and access is easier and quicker than it would be if users had to connect to applications through a secured network.

Vanguard’s approach to meeting its salespeople’s needs highlights a key principle of its mobile security policy: Enable and secure what each team needs rather than giving everything to everyone — or blocking everyone from all but basic functions, Marcante says.

“Different business needs are going to be equipped with different solutions, and our approach is less about giving them access to corporate information and more about designing solutions specific to them,” he says.

That approach doesn’t just ensure that the sales folks get what they need, Marcante says; it helps IT better balance ease of access and security requirements. Some people need to view material but don’t need to download it to their devices; others might need access even when offline. That means two access requirements with different security needs.

“There’s a dozen different personas throughout the company, so we’re trying to look at those individual personas to see how we can meet their specific needs,” explains Mimi Heise, a senior manager in Vanguard’s IT division.

She says Vanguard relies on mobile device management (MDM) and containerization software, which allow the company to encrypt information, create separate areas on a device for work and personal data, and remotely wipe data off the device if it’s lost or stolen.

More important, Heise says, such software also allows IT to implement security layers at the device level and at the application level. “It means we don’t have to have a one-size-fits-all policy,” she says. That allows easier access for those whose workloads don’t demand the heaviest layers of security — which can create a cumbersome experience.

Still, it’s not perfect, she says.

“The latest is better than we had four years ago. And a few years from now, it will be even better. But there are still areas of opportunity” for giving users a smoother, yet more secure, experience, she says.

“Areas of opportunity” that Vanguard is exploring include the possibility of using digital rights management (DRM) technologies, deploying software that supports single sign-on and using tools that would make it possible to adopt a “bring your own identity” (BYOID) approach to digital authentication.

A multipronged approach

Wes Wright, CIO at Seattle Children’s Hospital, is also balancing ease of access and security. His IT operation serves about 6,500 employees, 4,000 of whom want to use mobile devices for at least some of their work. Those employees can use either company-issued devices or their own laptops, smartphones and tablets.

Wright says his approach to mobile security is based on the same five objectives that drive the rest of his IT operations: stability, security, simplicity, speed and safety.

“That’s how we approach everything in the IT implementations we do,” he says. “If you miss any of those, your chances of failure go up. But if you can get a little piece of each of those, you’re chances of success are pretty high.”

As Sharma would advise, Wright doesn’t rely on a single security solution.

Seattle Children’s uses Microsoft enterprise tools to enforce the requirement that every device must be password-protected and to remotely wipe lost or stolen devices.

Wright’s team also uses software from vendors Accellion and Proofpoint, which offer tools that allow users to click to encrypt confidential information being sent via email.

And his team implemented virtual desktops so workers can securely access enterprise applications and data by firing up a browser and going through a two-factor authentication process from whatever device they’re on — be it a tablet, a smartphone or a home desktop. The virtual desktop keeps everything in the hospital’s data center — not on the user’s device. “It presents the end user with the exact same look and feel as they have at work, regardless of the device they’re on,” Wright says. “They do appreciate that. It’s pretty responsive, and it’s pretty quick.”

Wright admits that while these technologies are straightforward, the system isn’t flawless. For example, the hospital’s approach to encryption relies on users recognizing that information is confidential and remembering to encrypt it, and recipients outside Seattle Children’s must be registered in order to get the protected information. Meanwhile, the virtual desktop doesn’t allow users to toggle from applications housed on the virtual desktop to those outside it. Moreover, setting up a virtual desktop is complicated and costly, he notes.

“It’s not as seamless as I’d like it to be, but it’s the best we have out there now. And with the virtual desktop, I think we’re really, really close,” Wright says.

Many layers of security

Roger L. Neal, vice president and CIO at Duncan Regional Hospital, is in a similar situation.

“Everybody wants it to be seamless. I want this, too. I want to be on my phone and easily jump over and work on my spreadsheet or check my email. And I’d like to have all those sync up and have one password,” Neal says. “The problem is, unfortunately, I don’t know if there’s a perfect solution to make that happen. It’s a combination of things.”

Neal and his staff at the Duncan, Okla.-based healthcare provider face several challenges. For example, certain groups of users need access to applications and data that must be protected with varying degrees of security. Some 3,000 people in the organization have to use enterprise applications, and 80% to 90% have some mobile needs. Workers must use hospital-issued devices to access clinical information, but they can use their own devices to access nonclinical applications.

Neal says he starts with a solid foundation, with policies stipulating who gets access to what and rules that require employees to use complex passwords and take security training. Then the IT group deploys technologies to enforce those requirements without overly burdening users.

It starts with credentialing within the active directory, so a user’s level of access is determined by his or her job. There’s also a single sign-on system, with devices that read workers’ RFID-equipped badges any time they’re within 2 feet of a device for more than two seconds. (Workers also can manually enter their usernames and passwords if they don’t have their badges.) The system automatically signs out workers after a set amount of time or when it detects that a badge has moved out of range. Duncan Regional Hospital also uses virtual desktops, giving mobile users access while keeping data secure within the data center.

Neal says implementing these technologies has increased both the degree and ease of mobile access in the past few years, but he acknowledges that there are still challenges, such as occasional disconnects or systems that don’t work exactly as they should on the virtual desktop.

“From a mobility standpoint, over the past several years, we’ve committed a lot of dollars and resources to make it work because we know it’s the best model for what we do. We want the information at the bedside or at the patient,” Neal says. “And I think we do a really good job. Is it perfect? No. Will it be in another five years? No. But we’re always trying to figure out the best way to do it.”

Improving access

Getting better is what drives IT at the Idaho National Laboratory.

The federal research organization is deploying technologies that leaders believe will make mobile access much easier for employees, says Hortense K. Nelson, director of program integration in the Idaho National Laboratory’s information management section.

The lab employs about 4,000 people, and its IT department supports 1,300 mobile devices — a combination of smartphones and tablets that are both government-issued and employee-owned — and about 8,000 government-owned laptops. For years, the INL has used LANDesk software to secure its laptops, and it uses MDM software to secure tablets and smartphones.

But INL employees can currently access only emails, contacts and calendars on their mobile devices, Nelson says.

But that will change this year. The lab deployed Google Apps over the past two years, and the cloud-based suite of tools allows workers to work from any location at any time, though Nelson says security concerns have kept the lab from opening up its entire environment to mobile access.

To address those concerns, the INL is deploying AirWatch’s enterprise mobility management platform, which complies with the guidelines set down in Federal Information Processing Standard (FIPS) Publication 140-2, according to Nelson. The AirWatch system allows for easy provisioning, and it will have two-factor authentication, remote-wipe capabilities, containers to keep work and personal data separate, and application-level controls.

And because Google Apps resides in the cloud, neither the applications nor the data they use stays on the device.

Nelson emphasizes that not all systems and data will be open to mobile access: “We have some data sets that will always be off-limits to anything other than highly secure networks,” she says, but the tools being deployed this year will allow workers to access about 90% of INL work processes.

Nelson says INL workers will have wider and easier access via their mobile devices by the end of the year. But that’s hardly the end of the story. She says her team will continue to evaluate technologies because she, like IT leaders everywhere, knows that mobile demands will continue to grow — as will the risks and the types of security measures needed to mitigate them.