Mobility Asset Management and BYOD Challenges

Posted 2013-02-04

By Barb Rembiesa

Many users have incorporated smartphones and tablets into their daily lives, and are blending activities such as Web browsing, games and mobile payments with business uses such as corporate email. As a result, the federal government and the private sector are confronting how to fully embrace mobile devices in their environments.

IT asset management has now evolved to not only account for company-owned IT assets, but also to ensure that the proper security—both physical and cyber—is implemented and accounted for on all mobile devices entering and exiting the work environment, whether company-issued or employee-owned. Mobile asset management (MAM) is the key element in managing a mobile environment that must ensure the security of data and information in conjunction with physical security practices.

Enterprise mobility brings productivity great promise, but at what price? The bring-your-own-device (BYOD) trend brings with it a variety of devices, operating systems, access points and applications that are forcing IT to re-examine the traditional defense-in-depth security model that served it well while managing PCs and laptops. MAM must be in step with IT security in defining this new mobile security model. It must take into consideration: controls across iOS, Android, BlackBerry and Windows 8 devices; and strategies for securing devices and squashing threats.

Many variations of data retention and transmission coexist in today’s IT environment:

·         Direct in-house data access via a closed network using IT asset management (ITAM) practices, accounting for all endpoint devices that are connected to the network;

·         Remote access by company-provided endpoint devices that can access data only through preconfigured portals in the security framework, enabling the remote user to connect to the environment;

·         Remote access to the company’s environment with nonprovided company assets via the Internet, with separate access to select areas of the data environment;

·         Inside or remote access to company data via user-owned mobile devices, such as iPhones, iPads, tablets, other smartphones, memory sticks and external storage devices

The U.S. government has implemented policy and standards that define the security and accountability of the IT environments for both the private and public sectors. The Office of Management and Budget has been charged with governing the guidelines.

The Federal Information Security Management Act of 2002 (FISMA) and the associated National Institute of Standards and Technology (NIST) standards are driving all federal agencies and government contractors to adopt a security risk-management approach for their IT environments. Specific IT controls from NIST's Special Publication 800-53 have become the “holy grail” for federal agencies, and NIST's Special Publication 800-37 document drives a risk-based approach to the prioritization of work to be performed, modeled on the principles of confidentiality, integrity and availability. 

FISMA compliance and the underlying NIST documentation require MAM to either lead or support the following:

  • Inventory the environment.
  • Categorize both fixed assets and mobile devices.
  • Define minimum security controls.
  • Establish an ongoing risk-assessment process.
  • Develop system security plans for fixed assets and mobile assets.
  • Conduct regular certification and accreditation of the systems.
  • Provide ongoing monitoring of the IT environment.

The goal of FISMA is to verify through an annual audit that agencies and contractors can respond to changes in the IT architecture—both foreseen and unforeseen—in an efficient, consistent and prioritized manner based on asset information and information risk.

To protect against malicious or accidental network intrusion, detection devices are required throughout the network. A multilayer security approach is recommended, with routers and firewalls that protect the perimeter of the corporate network. MAM is required to function in conjunction with the IT security group and maintain firewall and router access lists to segment the network and allow certain traffic parameters.

Security is required to perform content scanning of various types of traffic in the segments and implement content filtering in accordance with corporate internal network usage and security policies. Antivirus software is also deployed on the endpoint and server environments. These applications are managed by the ITAM organization and ensure that software security is maintained. FISMA standards will shift agencies to real-time threat monitoring of the IT infrastructure.


Integrating Processes and Data

Even with a solid strategy, there are other challenges, especially when the MAM program is driven by multiple functional integration points throughout the asset life cycle. Meeting this challenge requires capturing the relevant asset data from the many related environments and processes managed by numerous stakeholders outside the IT environment. Not only are IT managers forced to meet multiple user needs in the mobility environment, but they are also required to rely on the integration of processes and data they do not own.

MAM must ensure robust internal communication to effectively raise end-user awareness of MAM’s importance in the changing environment; make senior management aware of potential risks to corporate proprietary information; provide input into decision-making processes affecting the information transfer and architecture; and collaborate with teams such as HR, IT security, internal audit and privacy policy groups. Communication with external contacts—including vendors, auditors and consultants—is also required.

Making decisions and quantifying risks about mobile devices can be difficult without good data about the mobile devices in your environment. For example, it’s not uncommon for terminated employees to still be using corporate mobile devices—but you can’t stop this unless you know about it. Deploying an inventory tool on all devices can keep track of and report on how mobile devices are being used and by whom. Make sure that the solution:

• empowers IT services to troubleshoot devices;

• is accessible outside of IT (for example, HR should have access during exit interviews to turn off devices for employees who are leaving the company); and

• includes strong application inventory and search capabilities.

Security can monitor data streams in real time and search terabytes of historical data to continuously monitor data coming from any source. The security team can alert MAM whenever an attempted intrusion occurs.

ITAM is required to pull data from an asset management database that may contain contextual information about hosts, such as security classifications, system owner information and uptime requirements. Part or all of this information should be presented in reports and dashboards to users.

Whether in government or the private sector, when IT asset accountability morphs from an inventory management function to a more strategic financial management role, it must manage risk and develop financial awareness. As technology evolves and access to information multiplies, the role of mobile asset management is to provide value-driven, asset-related cost analysis and industry security direction to senior management in support of all IT management decisions. The people managing MAM must have the requisite communication skills to deliver the message and demonstrate the needed risk/benefit analysis when required. 

Barb Rembiesa, founder and CEO of the International Association of IT Asset Managers, has led the organization for 20-plus years. The IAITAM is a worldwide association focused on education, with individual and enterprise members in more than 50 countries. Its Asset Management certification courses have become the industry standard. Most recently, Rembiesa was the CEO of Astria Software Services.