Mobile office is a cool thing. You can access work applications and documents from your tablet or smartphone. For those who work on the road or on business trips this saves time; for those who are often "in the field" it is simply a necessity; and for those who sit in the office it is just very convenient.
True, from the point of view of the security team, every smartphone or tablet is a hole in the information security perimeter the size of a mining truck. So for all this to work, you need to build a process for managing employees' mobile devices, both personal ones and those issued by the company. And there are solutions for this, including out-of-the-box ones.
Once we say that it is possible, for example, to set a policy that turns off the smartphone's camera while it is on the territory of a protected site, many people simply start to radiate happiness.
How does it start?
Most often the customer already has some basic things: separation of corporate and personal mail, their own server and certificates, for example. Sometimes you find their own applications, such as viewing site cameras (for employees) or a protected browser with access to the enterprise's internal network regardless of where the device is, and so on. But all this is scattered and not integrated into a system. In the West, MDM (Mobile Device Management) solutions have been studied for a long time and are familiar to everyone, but here complete implementations number, at best, a few dozen across the whole country. And very few people understand exactly what is needed: the most frequent case is that the security people say "it's necessary", while everyone else tries to find a solution that is also convenient.
What can you do?
MDM (Mobile Device Management) is management of the device itself, that is, of the hardware-level parameters. Here you can push Wi-Fi settings, prohibit use of the camera, receive the device's location, configure VPN, deliver certificates, and so on. If the employee replaces the device, the same settings are rolled out to the new one and he keeps working happily, spared the frequent trips to the "sysadmins' den" to get the new hardware working.
Then there is MAM (Mobile Application Management). This is the next level, because the settings are applied at the level of the (corporate) application. Here, for example, you can open corporate mail and copy text, but pasting it into a non-corporate application is no longer possible. An attachment can only be opened in an application authorized for that purpose. And screenshots cannot be taken. In practice there are almost no pure MDM products; there is at least partial MAM functionality.
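The restrictions described in the two paragraphs above (camera off, no screenshots, no moving data out of corporate apps, plus a pushed Wi-Fi network) map directly onto an Apple configuration profile, which is what an MDM server ultimately sends to an iOS device. The Python below is an added example, not code from the original article or from CROC or any EMM vendor: it builds such a profile with the standard `plistlib` module and audits any profile against the baseline. The identifier prefix, SSID, password and the baseline itself are assumptions made for the example; the payload keys are Apple's documented restriction and Wi-Fi keys.

```python
"""Added example (not CROC's or any vendor's code): build an Apple
configuration profile (.mobileconfig) carrying MDM/MAM restrictions, and
audit an arbitrary profile against that baseline.

Assumptions: IDENT_PREFIX, the SSID and the Wi-Fi password are made up,
and the baseline is ours. The payload keys are Apple's."""
import plistlib
import uuid

IDENT_PREFIX = "ru.example.mdm"  # hypothetical reverse-DNS prefix

# Baseline a security team could demand on a protected site: camera off,
# no screenshots, no moving data from managed (corporate) apps into
# unmanaged ones (the iOS 7 "managed open-in" control).
REQUIRED_RESTRICTIONS = {
    "allowCamera": False,
    "allowScreenShot": False,
    "allowOpenFromManagedToUnmanaged": False,
}


def _payload(payload_type, display_name, **keys):
    """Common envelope every payload inside a profile must carry."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{IDENT_PREFIX}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(keys)
    return payload


def build_profile(ssid="corp-wifi", wifi_password="made-up-psk"):
    """Profile dict with a restrictions payload and a managed Wi-Fi payload."""
    restrictions = _payload("com.apple.applicationaccess", "Site restrictions",
                            **REQUIRED_RESTRICTIONS)
    wifi = _payload("com.apple.wifi.managed", "Corporate Wi-Fi",
                    SSID_STR=ssid, AutoJoin=True, EncryptionType="WPA2",
                    Password=wifi_password)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": IDENT_PREFIX + ".site",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Protected site baseline",
        "PayloadRemovalDisallowed": True,  # the user cannot remove it; MDM can
        "PayloadContent": [restrictions, wifi],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist format a .mobileconfig file uses."""
    return plistlib.dumps(profile)


def audit_profile(data):
    """Return the required restrictions this profile does NOT enforce.

    Caveat: Apple's allow* keys default to True, so a restriction that is
    merely absent from the profile is still allowed on the device. The
    audit therefore treats a missing key as a failure, not as 'unknown'.
    """
    profile = plistlib.loads(data)
    effective = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            effective.update(payload)
    return [key for key, wanted in REQUIRED_RESTRICTIONS.items()
            if effective.get(key, True) != wanted]


def weak_profile_bytes():
    """Constructed 'forgot half the policy' profile: the camera is off, but
    nothing stops screenshots or sharing out of managed apps."""
    only_camera = _payload("com.apple.applicationaccess", "Camera only",
                           allowCamera=False)
    return to_mobileconfig({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": IDENT_PREFIX + ".weak",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Incomplete baseline",
        "PayloadContent": [only_camera],
    })


if __name__ == "__main__":
    print(audit_profile(to_mobileconfig(build_profile())))  # []
    print(audit_profile(weak_profile_bytes()))
    # ['allowScreenShot', 'allowOpenFromManagedToUnmanaged']
```

Two practical notes. The Wi-Fi payload carries the PSK in clear text, so a profile like this must go to the device over the MDM channel (signed, and encrypted for the device) rather than by e-mail or a public link. And the audit deliberately flags an absent key as a failure: on iOS an unset `allow*` restriction means "allowed", so a profile that looks complete because it has a restrictions payload may still leave screenshots or managed-to-unmanaged sharing open.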
To implement management of corporate applications, containers are used to separate corporate data from the user's own data. For example, when an employee is dismissed, it is easy to freeze the corporate part by revoking a certificate. The main question is whether there will be a media platform that acts as a kind of gateway. If you just need control, there are dozens of solutions. If you need a system that provides data exchange between heterogeneous hardware and operating systems, you need a single platform that will prepare the data and channels for each specific device.
All of this together is an EMM (Enterprise Mobility Management) system. There are only a few of them on the Russian market.
How is it being introduced?
Most often, from security. Let me quote from our latest project, for the Aviadvigatel design bureau (they make aircraft engines and gas turbine units for power generation and gas pumping, and supply gas turbine power plants). In short, a big, important site, with a headcount of 2,500. The value of such an organization's information is higher than the cost of protecting it. The task was quite simple, with the emphasis on making sure employees do not carry data out. The solution is minimalistic: no media platform or complex policies, just management and control. And remote wipe. Plus VPN, remote updates, and data protection over open communication channels. Here it is:
"CROC specialists used a comprehensive solution for implementing the BYOD security policy at our Aviadvigatel OJSC: an MDM system, which allows centralized management of mobile devices, and Check Point's SSL VPN subsystem, which provides secure access to the company's internal information resources."
"Thanks to the integration of the two solutions at Aviadvigatel, user access rights to the enterprise's various information resources are differentiated and the confidentiality of data transmitted over open communication channels is ensured," says Anton Razumov, head of the security consultants group at Check Point Software Technologies. "It is important that as a result of implementing the system, it was possible to ensure the integrity of information on mobile devices and introduce centralized distribution of software and updates."
If something more complicated were needed, it would be worth looking at XenMobile from Citrix. This is a complete EMM solution: remote control of devices, geolocation, access policies that change when an employee moves from one branch office to another, the ability to isolate applications from each other at the logical level, auto-configurators, and so on. We are now implementing it at another site, but so far only at the testing stage, in a department of 250 people.
Another question that may be of interest is how corporate applications get onto employees' phones and tablets. It's simple: they download them from the app stores, as they are used to. Only without a corporate account they cannot get access to them.
This is how applications look in the corporate view:

And this is the launcher that aggregates the corporate applications in one place:

In this case, for example, it is impossible to force an application onto the user: in any case he has to press the "OK" button. But everything is moving towards reducing the dependence on the user's decision. Take the innovations in device management and control of corporate data in iOS 7: policies controlling data flow between corporate and personal applications have already appeared, as have secure tunnels to the enterprise network at the application level rather than the device level. Vendors of EMM systems actively support such initiatives and quite quickly integrate the new functionality into their solutions, often extending it.
The most frequent tasks
If we leave security aside, then these are document management, BPM and PPM. The application lets people work together on documents, send them along the approval chain, and sign directly from the phone.
In document flow, push notifications about documents awaiting signature or payments awaiting approval look especially nice. The speed of bookkeeping goes up, in places by an order of magnitude.
Here, for example, is a screenshot of the non-cash payment order form that arrives at the person responsible for approving it here at CROC. You can see that the request can be confirmed or rejected in one click.
You can also set tasks remotely. Applied versions of PPM (Project Portfolio Management) are popular: managers set tasks outside the office and performers report remotely. Another case is insurance agents, who get access to knowledge bases directly from tablets while talking to a specific client. Logisticians also like to keep track of deliveries online; for them the right corporate applications matter too, which means there is a need for MDM.
MRO (maintenance, repair and operations) systems are also sometimes used; for example, when walking round the equipment, all important information is entered into the system on the spot. There is a nuance here, though: special ruggedized mobile devices are needed; a typical iPad in the workshop will survive two or three days, no more.
Features of mentality
In the West, customers try to make maximum use of a system's built-in capabilities. Here, people are simply not ready to put up with what they are given or to seriously adjust the business to the platform, and they alter the platform instead. The result is that a ready-made mobile client for CRM, for example, no longer fits and has to be reworked. The second big peculiarity is that sometimes it is easier to collect phones at the site entrance than to set up security policies. But that is not a question for us.
That's all. I'm ready to answer your questions. If you need something privately, such as a price estimate for a specific project, write to KShogenov@croc.ru.