[ISN] Mobile Mastery

From: InfoSec News (alerts@private)
Date: Wed Jan 17 2007 - 22:06:31 PST


By Galen Gruman
JANUARY 15, 2007

A mobile mess looms for CIOs who ignore the rising popularity of 
connected handhelds. New third-generation (3G) cellular networks make 
handheld computing more convenient for everyone from executive travelers 
to salespeople and field technicians. This trend poses new challenges to 
CIOs who need to maintain enterprise network and data security, plus 
keep end-user support costs down. Yet most enterprises have no policies 
or mobile management strategy in place to achieve these goals, notes a 
recent study by the BPM Forum, an industry association.

And without a mobile device management strategy, a trickle of connected 
devices brought in by individuals can quickly become a nasty, unmanaged 
torrent. That nearly happened at American Family Life Assurance Company 
of Columbus (better known as Aflac) a few years ago. The IT department 
had been willing to set up e-mail access for a few handheld devices 
brought in by frequent travelers, handling them on a case-by-case basis. 
But after returning from Christmas vacation in January 2004, Greg Gatti, 
vice president of infrastructure services in IT, had 3 dozen 
connectivity requests for shiny new Hewlett-Packard iPaqs, that year's 
must-have gadget, and other PDAs that various staffers got as presents.

"Very quickly, we had so many devices that it was a nightmare for our 
computer support team," he recalls. And just as quickly, Aflac created a 
strategy and set of policies to get in front of the connected-handheld 

Like other financial-sector companies, Aflac had to get its smart phone 
house in order not only to reduce management complexity but also to meet 
federal requirements around data management and security. Aflac's 
ultimate strategy: Ban all non-company-issued handhelds from connecting 
to enterprise servers and computers, lock down PCs so 
handheld-synchronization software couldn't be installed by users, and 
forbid the use of POP3 and SMTP e-mail access to the corporate network 
so wireless Internet users couldn't sneak in the back door. Aflac also 
decided to rely on a mobile e-mail server to manage both e-mail access 
and the handhelds themselves, and ensure automatic installation of 
firmware patches and enforcement of password policies. This strategy is 
common in the financial services sector, with similar policies currently 
in use at Citigroup's Primerica subsidiary, Farmers & Merchants Bank, 
IndyMac Bank and Russell Investment Group, among others.

Nonfinancial companies could mimic this approach, Yankee Group analyst 
Nathan Dyer says, but the research shows that many companies have yet to 
craft a mobile management plan.

Our Data Went Where?

Your first big CIO headache regarding handhelds: They are easily lost or 
stolen, putting any data they contain at risk. Even data that seems 
routine, such as personal contact information or e-mails about a deal in 
progress, can expose a company to high notification costs (if customers 
must be contacted regarding a privacy breach) or reveal insider 
information, Dyer notes.

Fortunately, securing handhelds is not hard if you centralize 
communications through a mobile server, such as the BlackBerry 
Enterprise Server for Research in Motion's connected handhelds, or the 
GoodLink Server from Motorola subsidiary Good Technology for Palm Treos 
and other devices. These mobile servers act as proxy servers for 
cellular-connected mobile devices, routing approved connections to the 
corporate e-mail, data and applications servers as appropriate. You set 
rules that limit what data each device can access.

"We don't keep sensitive information on the servers available to the BES 
[BlackBerry server]," notes Evans Wroten, CIO of InterAct Public Safety 
Systems, which provides emergency data and communications services.

Similarly, Microsoft Exchange Server can manage communications to 
Windows Mobile devices like the T-Mobile MDA and Motorola Q, though 
Windows Mobile devices in general are not popular among enterprise users 
because of overly complex user interfaces, Dyer notes. (IT departments 
also don't like the Windows Mobile interface complexity, or the fact 
that huge variation in interfaces from device to device increases 
support costs, he says.)

Using a mobile server ensures that only authorized devices can access 
e-mail and corporate applications. Mobile servers also can tie into 
identity servers, such as Microsoft Active Directory, to share one set 
of network permissions between the corporate network and the connected 
devices. The BlackBerry and GoodLink servers can also enforce security 
policies, such as password rules, and keep antivirus software updated 

For field forces, Motorola's Symbol Technology subsidiary offers the 
similar Mobility Services Platform server, to manage connections of the 
specialized handhelds used by warehouse, transportation and hospital 
users: You can use this to track handhelds' battery life, keep firmware 
updated and disable errant devices.

At the same time, IT can prevent users from sidestepping the official 
system in three ways. First, prevent or restrict access to the network 
over a Web, POP3 or SMTP interface, so Internet-enabled personal devices 
can't get in. Second, lock down company PCs so users can't install their 
own software (such as synchronization software for mobile devices). 
Third, disable the USB ports so users can't plug in a handheld's docking 
station. Desktop management software from Altiris, Hewlett-Packard, IBM, 
Microsoft, Novell and others (which many enterprises already use for patch 
management and software license management) lets you centrally apply these 
lockdown and port management capabilities across all users.
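The second and third controls above are PC-side settings that a desktop management tool pushes to every machine. As an added example (not from the article or from any vendor named in it), the following PowerShell script applies them on a single Windows PC the way a management agent's startup script would: it prevents installation of new removable devices (so a docked handheld is not set up), disables the USB mass-storage driver for devices already present, and blocks direct POP3/SMTP/IMAP connections from the PC so user-installed synchronization or mail software cannot fetch mail outside the sanctioned path. The first control, refusing POP3/SMTP/Web access at the mail server and perimeter, is a server-side setting and is not shown here. The port list, rule names, and the assumption that the corporate mail client uses Exchange rather than these protocols are the example's own.

```powershell
# Added example: apply the PC-side handheld lockdowns from the article on one
# Windows PC. Run elevated; a desktop-management tool would deploy it centrally.
# Assumes the sanctioned mail client talks to Exchange (MAPI/HTTPS), not POP3/SMTP/IMAP.

# --- Control: keep users from docking a handheld -----------------------------
# Policy "Prevent installation of removable devices": new removable devices
# (including a newly cradled PDA) are refused by Plug and Play.
$restrictKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions"
if (-not (Test-Path $restrictKey)) { New-Item -Path $restrictKey -Force | Out-Null }
Set-ItemProperty -Path $restrictKey -Name DenyRemovableDevices -Value 1 -Type DWord

# Devices already installed as USB mass storage: disable the USBSTOR service
# (Start = 4 is "disabled"; 3 is "manual", the default, to revert).
$usbstorKey = "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR"
Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord

# --- Control: keep user-installed sync/mail software off the back door --------
# Block outbound POP3, SMTP, IMAP and their TLS ports from this PC. A block rule
# wins over allow rules in Windows Firewall, so no exception is carved out;
# the corporate client does not use these protocols under this example's assumption.
$mailPorts = 25, 110, 143, 465, 587, 993, 995   # example port list
$ruleName  = "Handheld policy: block direct mail protocols"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort $mailPorts -Action Block -Profile Any -Enabled True | Out-Null
}

# --- Verification: return a compliance object the management tool can collect --
function Get-HandheldLockdownState {
    $deny   = (Get-ItemProperty -Path $restrictKey -Name DenyRemovableDevices).DenyRemovableDevices
    $start  = (Get-ItemProperty -Path $usbstorKey  -Name Start).Start
    $rule   = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RemovableDevicesDenied = ($deny -eq 1)
        UsbStorageDisabled     = ($start -eq 4)
        MailPortsBlocked       = ($null -ne $rule -and $rule.Enabled -eq "True" -and $rule.Action -eq "Block")
    }
}

Get-HandheldLockdownState
```

Reverting is the mirror image (DenyRemovableDevices to 0, USBSTOR Start to 3, Remove-NetFirewallRule on the rule name). Collecting the returned object from every PC gives the support team the "who is out of compliance" view the article says most enterprises lack.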

Support Costs (Plenty)

Handheld headache number two: Support costs can get you. Handhelds are 
hard to manage because they're typically with users who aren't in the 
same building as the desktop PC support team. That means handhelds need 
to be managed wirelessly. Although several desktop management tools can 
manage software updates and track device ownership (for support and cell 
service chargeback, for example), they're often not used for that 
purpose. Cost is a big reason, notes David Wade, CIO of Citigroup 
subsidiary Primerica. "You don't want to pay a per-user fee for a client 
license. That's a rip-off," he says.

"Enterprises historically have not seen much of a need to spend $50 to 
manage a device that costs about the same amount of money," concedes 
Rhett Glauser, an Altiris spokesman, though he says the costs of data 
loss are starting to change that calculation.

But enterprises have another option: using the same BlackBerry or 
GoodLink mobile servers they already have to manage e-mail, since those 
servers can also track users, audit user activity, and manage firmware 
and software updates. The desktop management tools don't offer the 
server functions, so they cannot replace the BlackBerry or GoodLink 

One related issue: The wider the variety of handhelds you must manage, 
the bigger the challenge. The mobile servers are typically designed for 
one class of handhelds, sometimes two. Different types of users 
prefer, and sometimes really need, different types of PDAs, so it's easy to 
have, for example, executives standardize on the BlackBerry but 
salespeople standardize on the Treo.

If the BlackBerry is one of those platforms, IT will need to manage at 
least two mobile servers in parallel, which increases IT's overhead. 
(GoodLink can manage both Palm and Windows devices.) Third-party 
management tools that can manage all three types of devices (Palm, 
Windows Mobile and BlackBerry), such as iAnywhere Solutions' Afaria and 
Credant Technologies' MobileGuardian, still need a separate mobile 

While CIOs would prefer a single management platform, they say the extra 
overhead is manageable. "It's not that much effort for IT to support the 
two systems for day-to-day support," says Bob Graham, senior vice 
president and CIO at Farmers & Merchants Bank.

Furthermore, it's better to take on the extra cost of supporting an 
additional platform than to force all users to a single device that 
doesn't serve their needs well, says Brendan O'Malley, CIO of cupcake 
maker Tastykake. "Still, we have two device [platforms], not 17," he 

Get Ahead of Your Users

While IT executives say you can't allow a free-for-all of devices into 
the enterprise, you can choose among different strategies to manage the 
choice and acquisition of the connected handhelds.

At Liquidation World, for example, "only company-owned equipment is 
allowed on the network. That gives us control," says IS Director Chad 
Richardson. At InterAct Public Safety, the fact that IT manages e-mail 
and network access through a mobile server tied into a specific type of 
device gives the enterprise a simple way to manage the devices people 
use, says Wroten. End users can't simply buy their own device and ignore 
IT, since devices have to be registered with the mobile server to get 
any network access. Farmers & Merchants Bank, IndyMac Bank and Tastykake 
take the same approach.

InterAct and Primerica strictly control some devices but are flexible on 
others. InterAct, for example, relies heavily on text messaging to 
communicate to its field and sales forces, so all employee-provided 
phones must support text messaging. While most employees choose to take 
the company-paid cell phone (some even port their personal number to 
it), some bring in their own phone because they belong to family plans, 
notes CIO Wroten. But when it comes to devices that can access e-mail 
and other corporate data, InterAct supports only the BlackBerry devices 
it provisions.

Primerica gives its thousands of independent contractors a list of 
approved handhelds they can buy, but it provisions the BlackBerrys and 
Treos used by employees, since employees have access to corporate data 
that the contractors do not, says Tom Swift, the bank's executive vice 
president of field technology.

No matter how tightly the enterprise chooses to manage handheld 
provisioning, the consumer nature of the devices, which are typically sold 
through the cellular carriers, means that there can be multiple versions 
of devices to manage. Fortunately, the makers of the two most popular 
types of connected handhelds, the BlackBerry and the Treo, have reduced the 
version churn in recent years and have kept the interface and management 
functions consistent across models, says Greg Nelson, senior consultant 
in the IT group at Russell Investment Group, a brokerage and financial 
services provider. That wasn't the case just a few years ago.

A final management concern: You must manage the number of cellular 
providers. While many companies can standardize on one if their usage is 
within a region where one carrier has good coverage, firms with national 
or international presence often need multiple carriers.

Giving a choice of cellular carriers, while often necessary for coverage 
reasons, can lead to device envy: Carriers often get short-term 
exclusive distribution deals for new devices, so users of one carrier 
may not be able to get the same sexy device their colleagues using the 
other carrier can. Also, devices typically can't be replaced without a 
penalty for two years, so some users get itchy when the new devices 

"These are challenges for us, so we explain that it could cost $600 to 
terminate a plan so they can upgrade," notes Greg Inginio, the senior 
vice president of IT operations at IndyMac Bank.

Get in Front

Whatever variation works for your enterprise, "the key is having strong 
policies up front. Control what they do," says Farmers & Merchants 
Bank's Graham. But don't forget the carrot. "Encourage the use of 
[company] smart phones and PDAs, so employees don't carry their own," he 

At Tastykake, O'Malley makes a point to provide the leading-edge 
connected handhelds, so users, especially executives with the power to say 
no to IT, aren't tempted to get their own devices. "We figure out what 
people need and give it to them," he says.

Encouraging connected-handheld use does increase costs (for equipment, 
cellular plans and device management) but is well worth the extra 
productivity and the data security protection, Graham and O'Malley say. 
But not having a mobile plan will cost you more in the long run. As 
InterAct's Wroten puts it, "This is a cost of doing business."

Galen Gruman is a frequent contributor to CIO. He can be reached at 
ggruman (at) zangogroup.com.
