Speed Versus Need In IBM i Mobile Initiatives
February 15, 2016 Dan Burger
As mobile access to corporate communications and data becomes more widespread in IBM midrange shops, those who are just arriving at the party can learn a great deal from those who came before them. We learn from our mistakes, but actually it’s a lot less bloody when we learn from others’ mistakes. And when mistakes do get made, there will be pressure to step on the accelerator before turning on the lights. Damn the darkness. Let’s go mobile!
Security and employee education are two major issues that are being de-emphasized or ignored until something bad happens. If it wasn’t for regulatory compliance in some industries, the security downplaying would likely be worse. The IT department is supposed to be the trusted source of information. You are the one who is supposed to think of everything and cover all contingencies.
In a study funded by IBM, conducted by the Ponemon Institute and released last year, it was determined that nearly 40 percent of large companies, including many in the Fortune 500, aren’t securing their mobile apps. Speed-to-market and user experience are the priorities. Meet those objectives and get it out the door. In other words, there are a lot of mobile strategies that are poorly conceived.
The popularity of BYOD (bring your own device) connections to unsecured networks and applications and untrusted sources brings malware one step closer to the enterprise.
In the Ponemon study, 55 percent of those surveyed say their organizations are without a policy that defines the acceptable use of mobile apps in the workplace. And 67 percent say their companies allow employees to download non-vetted apps to their work devices.
This kind of thing doesn’t fly in highly regulated environments like banking, for instance.
Amy Hoerle, an IT administrator at a Midwestern financial institution and a speaker on the topic of managing mobile devices at the past several COMMON Annual Meeting and Exposition conferences, says employee use of mobile devices is closely watched.
“As a financial institution, we have to deal with auditors and the checklist of security rules enforced on employees using mobile devices,” Hoerle says. The subject of BYOD (bring your own device) is DOA (dead on arrival). Employees with a need for mobile access are issued corporate devices. “After users are registered, their email gets pushed to them. They cannot access their corporate email and calendar from their private devices. The auditors make sure this is our policy and the policy is being enforced. We can track our users and our devices,” she says.
The security policy extends to passwords, which must be changed every specified number of days, and password strength is improved by mandating a combination of letters, numerals, and symbols, which eliminates the simple-to-guess familiar favorites. Users are also forbidden to upload cloud-based sharing software such as Dropbox. Mobile device management (MDM) software monitors for security infractions and warns users with a “YOU’RE IN TROUBLE” message before cutting off access to email and calendars.
Although she considers the employee use of mobile devices in her work environment “pretty basic” compared to large-scale mobile initiatives that are not uncommon, it allows security to be a priority.
Employees are not accessing IBM i apps and mobile devices are not connecting to the corporate network. There is no in-house development. Applications that are needed are purchased as software packages.
“We are very security conscious. And my advice to any company that is going to have multiple mobile devices accessing anything is to implement mobile device management,” she says.
The reality, however, is something different, particularly outside of industries that are closely audited.
Based on her observations, BYOD is more popular than corporate-mandated devices, and mobile initiatives are often being deployed with speed and convenience trumping well-designed plans with security as a priority.
It’s not that BYOD deployments must be avoided. But there are considerations that should be addressed before rollouts. For instance:
Discussions that take these points under consideration lead to answers that take into account preference and risk. That’s a different discussion than the one about how fast you can get this mobile initiative completed.
“You have to think about mobile in a different light,” Hoerle says. “The personal versus corporate discussion can be set aside because ‘it’s just this little device that slips in your pocket or purse and it seems to transition to both personal and professional work so easily.’”
During the planning stage, determine how much you want to manage, how much data will be available, and how much access will be provided. If access to the network is required, explain how that will be monitored and whether email monitoring will be required.
Expect discussions and evaluations to be colored by strong biases for particular devices, with users digging in their heels if device standardization threatens to force either Apple or Android users to adapt to a device not of their choice.
“Define the goals. Mobile is cool. Mobile is a buzzword. But unless you know why you are doing it and what you have to gain, you will have trouble,” Hoerle advises.