This post is part of a series. The previous posts in the series can be found here:
Last post I discussed the types of questions that need to be answered about your mobile users and their requirements. The takeaway was to understand the relevant use case scenarios and personas. In this post we will dig a little deeper and explore some of the security implications of providing different user personas with the mobile capabilities required for specific scenarios. I’m going to consider Data Access and Protection together from an implementation perspective, but from a design perspective they can (and should) be decoupled.
Again, this series is not intended to provide you with an MDM strategy. The intent is to make sure that you are asking the right questions during the design phase of your MDM project so that the end result provides the capabilities and outcomes that best meet your organization’s needs.
Data Access deals with how users gain admission to data (and applications). What we need to address is how the various personas and use case scenarios impact current security policies, applications and infrastructure. Some of the questions we need to be asking include:
- What are the authentication requirements for users to be able to remotely access company apps from their devices?
- Where will the authentication services reside and how will they be managed?
- Is the current platform able to enforce authorization per user and per app without having to rewrite the apps?
- Is it possible to enforce Multi-Factor Authentication according to a user’s location?
- Are current remote access methods adequate for the mobile scenarios you’ve defined? (When we deal with devices we’ll determine whether the UX (User Experience) is acceptable.)
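The per-user, per-app authorization question and the location-based MFA question above are easier to reason about when the decision logic is written down. The following is an added illustration, not code from the original post or from any MDM product: a small deny-by-default access evaluator that checks group membership per app and then decides whether MFA must be stepped up based on whether the request comes from a trusted network. The network ranges, user names, groups and app names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: corporate networks where MFA may be relaxed.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed directory: user -> groups the user belongs to.
USER_GROUPS = {
    "alice": {"sales", "staff"},
    "bob": {"staff"},
    "mallory": set(),
}


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset        # at least one group required for access
    require_mfa_offsite: bool = True  # step up MFA when off the trusted network
    require_mfa_always: bool = False  # step up MFA regardless of location


# Constructed per-app policies; real apps and groups would come from the directory.
APP_POLICIES = {
    "crm": AppPolicy(allowed_groups=frozenset({"sales"})),
    "intranet": AppPolicy(allowed_groups=frozenset({"staff"}), require_mfa_offsite=False),
    "payroll": AppPolicy(allowed_groups=frozenset({"finance"}), require_mfa_always=True),
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    source_ip: str
    mfa_completed: bool


def is_trusted_network(source_ip: str) -> bool:
    """An unparsable address is treated as untrusted, never as trusted."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'mfa_required'."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return "deny", "unknown application"          # deny by default

    groups = USER_GROUPS.get(req.user, set())
    if not (groups & policy.allowed_groups):
        return "deny", "user not authorized for application"

    onsite = is_trusted_network(req.source_ip)
    mfa_needed = policy.require_mfa_always or (policy.require_mfa_offsite and not onsite)
    if mfa_needed and not req.mfa_completed:
        return "mfa_required", "off trusted network" if not onsite else "app always requires MFA"

    return "allow", "onsite" if onsite else "offsite with MFA"


if __name__ == "__main__":
    for r in [
        AccessRequest("alice", "crm", "10.1.2.3", False),
        AccessRequest("alice", "crm", "203.0.113.5", False),
        AccessRequest("bob", "crm", "10.1.2.3", True),
    ]:
        print(r.user, r.app, r.source_ip, evaluate(r))
```

Note that authorization is checked before the MFA decision: an unauthorized user is denied outright rather than being prompted for a second factor they cannot use, and an address that fails to parse falls through to the stricter offsite path.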
Protection and Access go hand in hand. Data Access provides capabilities to enable specific use case scenarios while data protection helps ensure that the data remains safeguarded. The safeguarding of data is a balancing act as too much security can make the UX
- How will data be stored on users’ devices? Will it be encrypted? What is the risk of data loss if it cannot be decrypted?
- What is the risk of data loss if the device is lost and the data is not encrypted?
- Will any corporate data stores be accessed by the device? Where is the data located (datacenter, cloud, other)? Will additional safeguards be required for the data being accessed? Will it be encrypted?
- How will data be transferred to and from the device? Will it be encrypted in motion (HTTPS, IPsec)?
- Will any infrastructure changes be required (PKI, firewalls, gateways, etc.)?
- Will the safeguards impede the UX?
- Are there any regulatory compliance issues that need to be addressed (SOX, PCI, etc.)?
These are just a sample of the items you might want to consider as part of your MDM strategy. Please let me know if there are other items that you would consider when defining your data access and protection strategy for mobile devices.
Now that we have covered Applications, Users, Data Access and Protection, I plan to discuss Management and Devices in the last two posts in this series. Stay tuned.
A great reference for BYOD with a Microsoft slant can be found on TechNet. I got a lot of my ideas from this guide.