Here are a few operational scenarios for a risk-based system. Let's assume that your company maintains two device groups, employee-owned and company-owned. IT sets different policies for each:
>> If any device is jailbroken or rooted, it immediately loses access to e-mail, and IT is notified to make a decision on whether to wipe. This is an extreme situation warranting a decisive response.
>> If a company-owned device has certain applications on it that violate acceptable use policies--for example, games, inappropriate content, even music--the user and IT are automatically notified, and the employee is given a chance to back out the change. Until then, the device can't access corporate resources.
>> If an employee-owned device has the same apps or content on it, perhaps no action is taken. But these devices may have less access to data than the company-owned devices.
>> If the device (let's assume it's based on iOS) has a passcode and thereby has enabled data protection, apps with proprietary information are made available for the user to download from the private enterprise app storefront--for example, an app that lets the user review specs for the latest engineering project. If there's no data protection enabled, then that app doesn't even appear in the user's app catalog.
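The four scenarios above, written as a single posture-evaluation function. This is an added example, not code from the article or from any MDM product; the field names, category labels and catalog entries are constructed assumptions. The rules are applied independently, so restrictions accumulate when a device matches more than one.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumptions): app categories that violate the
# acceptable use policy, and an enterprise catalog (name -> proprietary?).
PROHIBITED = {"games", "inappropriate-content", "music"}
CATALOG = {"Engineering Specs": True, "Campus Map": False}


@dataclass
class Device:
    owner: str                     # "company" or "employee"
    jailbroken: bool = False       # jailbroken or rooted
    passcode_set: bool = False     # on iOS, a passcode enables data protection
    app_categories: set = field(default_factory=set)


@dataclass
class Decision:
    blocked: set = field(default_factory=set)    # resources the device loses
    notify: set = field(default_factory=set)     # who is alerted
    pending: set = field(default_factory=set)    # follow-up actions
    catalog: list = field(default_factory=list)  # apps visible to the user


def evaluate(device: Device) -> Decision:
    d = Decision()
    # Scenario 1: jailbroken or rooted, regardless of ownership group.
    if device.jailbroken:
        d.blocked.add("email")
        d.notify.add("IT")
        d.pending.add("IT decides whether to wipe")
    # Scenarios 2 and 3: the same apps trigger action only on company-owned devices.
    violations = device.app_categories & PROHIBITED
    if violations and device.owner == "company":
        d.blocked.add("corporate resources")
        d.notify.update({"user", "IT"})
        d.pending.add("user removes: " + ", ".join(sorted(violations)))
    # Scenario 4: proprietary apps are listed only when data protection is on.
    d.catalog = sorted(name for name, proprietary in CATALOG.items()
                       if device.passcode_set or not proprietary)
    return d


if __name__ == "__main__":
    fleet = [Device("company", app_categories={"games"}),
             Device("employee", app_categories={"games"}, passcode_set=True),
             Device("company", jailbroken=True, app_categories={"music"})]
    for dev in fleet:
        print(dev.owner, evaluate(dev))
```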
Mobile device management is a challenge as our perimeters become harder to define. The innovative CIO will turn this challenge into a business opportunity--show that IT can help people be more connected and collaborative, regardless of location. When executed correctly, letting employees use their own devices, regardless of platform, to securely access enterprise data saves money--and wins friends and allies. And if safeguards are built in, conversations with auditors become much easier--you're able to prove that risks are addressed appropriately.
Grant Moerschel is co-founder of WaveGard, a technology consulting firm.