According to Apple’s quarterly reports, more than 74 million iPhones and almost 15 million iPads were sold as of the end of 2010. Google’s Android and RIM’s BlackBerry are close behind in terms of market share, according to Nielsen’s State of the Media report for 2010.
There’s power in those numbers. Smartphone users — which include just about everyone in your company — can’t be ignored when they come clamoring for ever-increased access to more core applications across a broad range of devices.
That means that managing users’ demand for tools to do their jobs more efficiently while they’re on the go is a huge priority (see related story). So, in this blog and the next, we’ll explore what you need to be thinking about as it relates to architecting security and management infrastructure for multiple mobile devices; creating efficiencies across multiple platforms; and planning your physical architecture solutions to ensure capacity, clustering, security and so on.
Mobile Device Management (MDM)
Your first architectural consideration should be the management and provisioning of mobile devices in and across your enterprise. You need to consider the en masse provisioning of devices (ensuring that proper applications and security settings exist); how applications and updates are distributed to the devices (often via over-the-air distribution); and such other issues as remote monitoring, diagnostics, backup and restore, and asset tracking.
Standards need to be set and enforced regarding which devices will be used and how they will be secured, of course. Each platform has its unique strengths and weaknesses. For instance, BlackBerry devices can be managed by BlackBerry Enterprise Servers, and Microsoft devices can be managed with ActiveSync. The device's carrier should also be considered during the standards-setting process; i.e., what are the monthly costs, limitations, roaming fees, and international plans?
The point is, if the enterprise architect doesn’t set the tone here, IT can forget about actually creating alignment with business goals. All available time will be spent just trying to keep the architect’s head above water as more phones, and ever more capable ones, enter the workspace from a plethora of carriers and manufacturers, based on a number of technologies. Or worse, they’ll be building one-off solutions that don't integrate with the rest of the corporate architecture, usually creating increased security risks and making standardization at a later date more difficult. This can result in costly duplication of effort and conflicting implementations.
MDM software can include many of the components for configuring an entire fleet of devices, managing application installs and updates, security settings and even remote OS upgrades. MDM solutions can also allow monitoring, and remotely controlling, devices through over-the-air commands sent as binary short message service (SMS) messages. A typical MDM solution can plug into your architecture as seamlessly as possible, as shown in Fig. 1.
Fig 1. Mobile Device Management Architecture. Illo Credit: Eric Bruno
On the left are the mobile devices to be managed remotely. These devices may have management client software installed on them directly, or may be managed with the devices’ built-in features. In the middle are the central components of the MDM system that communicate with the devices via a well-defined and secure protocol — perhaps implemented with binary SMS, or over Microsoft ActiveSync or other proprietary systems like the Blackberry Enterprise Server (BES) solution. The provisioning servers work with your configuration management and release system to handle software releases and updates for in-house software, third-party software, and the OS. The MDM authority interfaces with your existing LDAP systems to manage user rights and controls for the mobile devices and their provisioned software packages.
However, keep in mind that not all mobile platforms expose integration capabilities to third-party applications. For example, Apple’s iOS devices limit what third-party MDM solutions can do to their phones. Some MDM solutions are certified only for specific phones from specific carriers, rather than an operating system.
The Open Mobile Alliance (OMA) has created a device-independent specification and protocol for device management, called the OMA Device Management initiative. It contains formal specifications and protocols for the various pieces in Fig. 1. Most device vendors, including Nokia, Apple, Microsoft and Sony Ericsson, have built-in support for device management, and many even implement the OMA standards. For the others, third-party vendors provide solutions based on OMA Device Management that can be installed on your devices. However, the mechanisms to deliver OMA standards-based policies still vary across devices from different vendors.
Other independent specifications include the OMA's SyncML initiative, which specifically focuses on device and data synchronization. For more on the OMA and its protocols and specifications for device management, read here.
Don’t Let Mobile Device Security Be the Worst of All Worlds
It’s a mixed bag when it comes to securing data on mobile devices and ensuring secure access to the device for your applications. Some mobile platforms, such as Android, offer little security besides what’s present to protect the built-in applications and the kernel itself. In contrast, Apple and RIM specifically provide software and tools to remotely locate, lock and even erase devices if lost or stolen. Thinking ahead about lost devices should drive the adopting organization to test and implement specific procedures.
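To make the "set and enforce standards" and "lost-device procedure" points above concrete, here is an added example (not code from the original post or from any MDM vendor) of the decision logic an MDM authority runs over its device inventory: it checks each device against an enterprise baseline, and it turns a lost-device report into an ordered set of over-the-air commands, falling back to manual steps where the platform exposes no such command. The inventory fields, baseline values and per-platform capability table are all constructed assumptions for illustration, not vendor data.

```python
from dataclasses import dataclass

# Constructed inventory record, as an MDM authority would hold it after an
# over-the-air inventory query; field names are assumptions for this example.
@dataclass
class Device:
    device_id: str
    platform: str              # "ios", "android" or "blackberry"
    os_version: tuple
    passcode_set: bool
    storage_encrypted: bool
    compromised: bool          # rooted/jailbroken, as reported by the client agent
    reported_lost: bool = False

# Enterprise baseline set by the architect and enforced by the MDM (assumed values).
BASELINE = {"min_os": {"ios": (4, 2), "android": (2, 2), "blackberry": (5, 0)},
            "require_passcode": True, "require_encryption": True}

# Remote commands each platform exposes to a third-party MDM (constructed table,
# not vendor data); anything missing here needs a manual procedure instead.
CAPABILITIES = {"ios": {"lock", "locate", "wipe", "push-profile"},
                "blackberry": {"lock", "locate", "wipe", "push-profile"},
                "android": {"push-profile"}}

def violations(d: Device) -> list:
    """Return the baseline rules the device currently fails, in a fixed order."""
    out = []
    if BASELINE["require_passcode"] and not d.passcode_set:
        out.append("no-passcode")
    if BASELINE["require_encryption"] and not d.storage_encrypted:
        out.append("unencrypted-storage")
    if d.os_version < BASELINE["min_os"].get(d.platform, (0,)):
        out.append("os-too-old")
    if d.compromised:
        out.append("compromised")
    return out

def plan(d: Device) -> dict:
    """Decide what the MDM authority should do: the OTA commands it can issue,
    plus the steps needing manual handling because the platform lacks them."""
    v = violations(d)
    if d.reported_lost:
        # Lost-device procedure: lock before locate; wipe only when on-device
        # data is not protected by encryption (otherwise a lock suffices for now).
        wanted = ["lock", "locate"] + ([] if d.storage_encrypted else ["wipe"])
    elif "compromised" in v:
        wanted = ["wipe"]          # a rooted device cannot be trusted to enforce policy
    elif v:
        wanted = ["push-profile"]  # re-apply passcode/encryption/update settings
    else:
        wanted = []
    supported = CAPABILITIES.get(d.platform, set())
    return {"ota": [c for c in wanted if c in supported],
            "manual": [c for c in wanted if c not in supported],
            "block_access": bool(wanted)}  # cut enterprise data access until resolved
```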
Again, the OMA defines protocols as part of its MDM standards that specify secure content exchange, secure remote identification (of devices, applications and users), and user-profile management. But what about secure enterprise data integration? To fully benefit the mobile workforce, devices should enable more than just remote e-mail access. You need to synchronize calendars, contacts and communication with ERP, CRM and other enterprise systems — securely.
In general, you need to guard against unsecured wireless access, mobile malware, unguarded sensitive data on the device, and unauthorized network access. RIM offers the BlackBerry Enterprise Solution, along with its Enterprise Servers, to provide secure access to remote data. This includes device authentication over the carrier’s network, encryption of data sent and received, and digital signatures along the way to identify users and their data.
Device-independent products include CA Technologies’ Mobile Device Management software suite. Besides offering all of the management features mentioned in the previous section (over-the-air provisioning, tracking, software installation and so on), it provides security features such as inventory tracking, device scanning, policy-based identity and configuration, and integration with enterprise client management solutions. Other companies with security solutions include:
- MobileIron: MDM solution for iOS, BlackBerry, Symbian, webOS and Windows Mobile
- SyncShield: MDM solution for iOS, Symbian, Android and Windows Mobile
- Microsoft’s System Center: for Windows Mobile and Windows Phone 7 devices, with a Software-as-a-Service (SaaS) management solution
- Columbitech: to secure wireless communication over various transport systems
- Sybase iAnywhere: for secure mobile access to databases, e-mail, as well as on-device data protection
Next time, we’ll look at how your existing enterprise architecture and its implementation may be affected by your mobile workforce’s data usage.