Managing and securing employee-owned and corporate mobile devices in a traditional office environment is complex enough, but what if a company is growing rapidly? What if it owns no technology infrastructure? What if most employees work remotely — throughout the U.S. and abroad?
That’s the dilemma Inspirage Chief Security Officer Norm Messenger faced as his firm grew from a 40-person startup to a 525-employee global consulting powerhouse over the last six years.
“Most employees are virtual,” Messenger says. “And even when employees are in an office, they are still virtual, in the sense that we use the cloud and don’t have a network.”
Inspirage, which has a small headquarters in Bellevue, Wash., and three offices in India, deploys supply chain management software for some of the world’s biggest companies. Its consultants work onsite at customer locations in 40 countries and rely on notebook computers. Mobile security is paramount for dealing with sensitive customer data.
To manage its notebooks and meet customer security requirements, Messenger and his IT team recently turned to the cloud. First, they installed Active Directory in the cloud to authenticate users. Then Inspirage deployed VMware AirWatch, cloud-based enterprise mobility management (EMM) software to enforce security policies.
“Now, we have real-time, line-of-site visibility to our computers and can tell customers that we can meet all their security requirements,” he says.
Companies like Inspirage are integrating multiple security solutions to better manage mobile devices, as well as risk. They are using a combination of technologies such as EMM, identity and access management software, anti-virus protection, encryption and data loss prevention tools to improve visibility into devices and bolster security.
EMM software from the likes of BlackBerry, Citrix, IBM, Microsoft, MobileIron and VMware enables central configuration, monitoring and security of notebooks, tablets and smartphones. While vendors initially focused on mobile device management (MDM), they have added application and content management tools in recent years.
Some vendors are further integrating their products, such as desktop virtualization, identity management and EMM, so that corporate IT leaders can seamlessly implement mobile security, says Jack Gold, president and principal analyst at J.Gold Associates.
“You have an integrated suite of tools under one management console,” he says. “It’s like buying Microsoft Office instead of buying Microsoft Word and Excel separately. It’s getting everything you need as opposed to buying everything on an ad hoc basis.”
Businesses can buy on-premises or cloud solutions and choose the features they want to deploy, giving IT leaders the flexibility to customize to their specific needs, Gold says.
For example, the NBA’s Sacramento Kings recently opened a new state-of-the-art basketball arena in California’s capital city. With a new Tier 4 data center in place, the team is revamping how it deploys, manages and secures desktop computers and mobile devices — and it’s using an integrated software suite from VMware to do it, says Eric King, the team’s technology director.
The team is adopting a virtual desktop infrastructure (VDI) using VMware Horizon. It’s part of an integrated suite called Workspace One that includes VMware Identity Manager for identity management and AirWatch for MDM.
Once the Kings install the software this spring, the technology will provide employees with single sign-on access to corporate applications on any device. It’s primarily designed to provide VDI on company-owned thin-client desktops and notebook computers, but employees will also be able to log in and access virtualized applications on their personal tablets and smartphones.
“Smartphone screens are small, but they could log in in a pinch to look up something quick,” King says.
About 40 percent of the team’s employees currently use regular desktops, while the other 60 percent use notebooks. The team also launched a bring-your-own-device program two years ago, allowing employees to access corporate resources on personal mobile devices.
Centralizing computing in the data center will enhance desktop and mobile security and simplify management, King says. “It’s about preventing breaches and lost data, but it’s also the convenience of managing Windows patches and updates in the data center.”
King will use AirWatch to enforce security policies on employee-owned smartphones and tablets, such as requiring phones to automatically lock when not in use. He will also let employees access corporate email, but will deploy an encrypted container to segregate email from personal apps and data. If employee devices get lost or stolen, he can then remotely erase corporate data.
When Edward Rose & Sons recently equipped employees with Apple iPads and iPhones, the rental management company took advantage of Apple’s Device Enrollment Program (DEP), its Volume Purchasing Program (VPP) and MobileIron’s cloud-based EMM suite to streamline device management and security.
Based in Bloomfield Hills, Mich., Edward Rose & Sons owns 140 properties throughout the U.S. Last year, the company invested in 615 mobile devices to eliminate paper-based processes.
Now, leasing agents can sign up renters using application forms on iPad Air devices. Maintenance workers can retrieve and update electronic work orders on iPad Mini devices. And property managers have iPhones, so they can be reached in emergencies.
“It has really streamlined work,” says Levi Johnstone, team leader of the company’s technology engineering team.
Apple DEP, which allows for large-scale corporate device deployments, and Apple VPP, which lets companies push apps to devices without having to use Apple IDs, simplifies and speeds the deployment process, Johnstone says.
Instead of having to configure each individual device, he simply goes to the Apple DEP website to remotely preconfigure settings. Johnstone also connects devices to the company’s MobileIron account. So when users turn on their iPads for the first time, MobileIron automatically enforces security policies.
“The combination of MobileIron and DEP makes it absolutely secure,” he says. “There’s no way to bypass it.”
At Inspirage, Messenger and his staff are taking a best-of-breed approach. They initially planned to use AirWatch to administer both company-owned notebooks and employee-owned smartphones.
But countries have differing privacy laws, and “it’s really easy to violate a privacy rule with BYOD,” Messenger says. For now, Inspirage plans to secure corporate data on mobile phones using Microsoft Information Rights Management and Data Loss Prevention tools.
Most employees use their phones to read work email or view files, and the security tools will let the company protect Office 365 and SharePoint Online files.
As for notebooks, Inspirage wanted to better manage and secure its computers. In the past, the IT staff had no way of knowing if individual employees complied with corporate IT security policies. Plus, clients want assurance that the notebooks Inspirage employees use are secure before granting them access to their networks. Previously, Inspirage would either use client-owned computers or let clients manage its employees’ computers.
“We had to find a way to get near-real-time, line-of-site visibility into our PCs without building our own network and having to defend it,” Messenger says.
Now they can, thanks to cloud services. The company’s Active Directory in the cloud, which lets the IT staff set group security policies, connects to AirWatch’s cloud-based EMM and Microsoft Azure Active Directory, which gives employees single sign-on access to Office 365 and a virtual private network that connects to company resources in the cloud.
As part of the deployment, Inspirage last year equipped employees with new Lenovo ThinkPad notebooks running Windows 10, which includes Windows Defender anti-virus software and the BitLocker full-disk encryption tool.
So far, Inspirage’s IT department has rolled out AirWatch to half its employees. This year, the company will complete the deployment.
With AirWatch installed, employees are required to meet corporate IT policy: Anti-virus must be up to date, BitLocker turned on and the computer monitor set to automatically lock after five minutes of inactivity. AirWatch also locks down USB ports, preventing users from copying data onto USB drives.
“It’s a matter of enforcing good PC hygiene,” he says.
As Inspirage’s IT staff works to complete the AirWatch implementation, the improved mobile security is already having an impact. Employees with AirWatch no longer have to use client-owned computers or let clients manage their devices.
“When we tell our customers what we’re doing, they say, ‘Cool. You are good to go,’” Messenger says.