As mobility becomes more of an essential item, it is getting to be more of a headache for IT managers. Devices including PDAs and smartphones are coming into the building, and onto the network, that the IT manager has little control over. These devices are bought on personal budgets and are connected to company data by deceptively simple procedures of synchronisation.
"Companies are starting to realise it's a bigger problem than they might want to acknowledge," says Andrew Warriner, head of technical services, at ON Technology, a company that has extended its management products to mobiles. "The cost of managing these things is far greater than the cost of buying them."
It certainly is, because it spreads across a whole range of areas, from security and asset management, to the social issues of making sure your users have sensible data habits.
In this article, we intend to set out the boundaries of the problem - watch for future articles that will deal with specific areas in depth. And go to our forum to tell us what you think we should cover.
How much mobility?
The root of any security problem is not the technology but the policies. Before you respond to mobile devices, you need to find out how many of your users are likely to use them and what for.
There's no consensus about this, says Warriner: "You get every style from people that completely ignore them to other extreme where IT departments are dishing them out." And there's every permutation in between: "Some IT departments help out and have tools in place. Others try to ignore mobile devices."
The only certain thing is there is more of this to come - not less. Mobile communications gives users access to their email and other data wherever they are, so they can be more productive.
They can complete paperwork more quickly - for example, police and social workers are being given devices that let them fill in case reports while still "on the beat". And if emails reach people while they are out of the office, they can respond more quickly.
IT departments are going to have to take responsibility for mobile devices and take control. This may mean using budget arguments to press for company standards.
The security and management problems of any new-ish technology are inversely proportional to its age. You can guarantee that there are issues with smartphones that haven't arisen yet, simply because they haven't logged as many user-hours. "Smartphone management is a couple of years behind PDAs," says Warriner. "But they will merge, when 3G kicks in."
For now, of the three major classes of mobile devices, laptops will have the fewest security and management problems (simply applying the relevant desktop management controls will get you a long way), followed by PDAs, with smartphones posing the most problems.
But the biggest problem is the variety. "Unless you go the whole hog and say this is standard device, people will get every kind of device known to man and the IT dept doesn’t have enough staff to know what to do with this," says Warriner. "You are just not going to manage them."
Warriner suggests offering support for one specific product from each class: a laptop, a PDA and a smartphone.
The biggest problem is users?
If a technology is this new, it needs to be controlled and that can only be done by co-operation with users. All too often this is the trickiest part of an IT manager's job.
You will need to make sure that users realise what is entailed when they have a smartphone or PDA and start to synchronise it. These devices will have corporate information on them, whether that is the person's business contact list, or the emails they are sending about a new project. A large proportion of users have been found to store their main system passwords in plaintext on their PDAs.
There's always resistance to using passwords, especially (paradoxically) on something as personal as a phone. They bought it with their "own" expense account, so why should the IT department poke their nose into it? Why should they have to secure it with some weird, hard-to-remember password when it's "their" smartphone?
As with any security and management approach, you want to make it as invisible as possible, but as hard to get round as possible. You also want it as automated as possible to minimise the hours of admin required. Wi-Fi networks such as Aruba and Vernier have features that detect problems on users' laptops, and quarantine them, re-directing them to firewall and anti-virus software and refusing access to the corporate network until the problem is fixed.
Enabling the users
First off, though, remember that your job is to give the user the IT they need to do the job. If the mobile gadgets you are expected to support are not just an executive toy, but meet a real need, then the best way to get the users on-side is to make sure that the devices do what they want to.
To do this, look at products like Good Technology's synchronisation service, which keeps e-mail and other information on PDAs and smartphones current while on the move. It is possible that a system like this may actually reduce effort since synchronisation over the wireless takes the place of any desktop cradles. The synchronisation is with the server, wherever the user connects from.
Mobile devices should not be random adjuncts to your IT systems, but should be managed assets. You need to be sure what devices are in use for what tasks, what software they have on them and issues that require support.
As well as ON Technology, there are plenty of mobile management specialists: two we are aware of are XcelleNet, whose product links to Microsoft's management solutions and Extended Systems.
You need to look for software that can do all this and works with the devices that you have (or hope to limit your users to) and the applications you are running. You need to make sure that what you do is tailored to the networks you are using - so that huge software updates are not sent over expensive bandwidth when they could be saved to go over free Wi-Fi on the next visit to the office.
Warriner suggests that offline working is possible too: "Upgrades can sit on the device's storage and be applied on April 1 in response to a signal from the management console."
Keeping up with security
Products intended for management or application delivery will often have security features. For example, Good's mobile synchronisation product will attempt to wipe the data from any device that is reported lost or stolen.
Unfortunately, that only works if the thief has left the radio connection turned on. Basically, you will need to look at full-blown security products. As well as making sure that devices are linked securely to the network (so that malicious outsiders can't access data), you need to make sure that the data on the device itself is secure.
Utimaco and Pointsec are two products that we are aware of, which can be used to enforce security policies on mobile devices. Both will require users to set passwords and will not allow access to the network from devices that do not have the right security settings. They can be used to enforce encryption on mobile devices, and all storage devices attached to them, so data is less likely to fall into the wrong hands if the device is stolen (see our article on mobile data security).
Best of British luck
The next few years are going to bring a lot of experience for IT managers in managing mobile devices. They will also bring horror stories but they can be avoided.
Keep ahead of the game, understand what your users want to do and find the safe way to support it. Understand the security risks and take appropriate action. Support your users and protect them and you may even find they are grateful.
What did we leave out? Tell us in our forum