Remote Control: Managing mobile workers
Mobile devices make working far more flexible, but they also represent a challenge for IT managers.
Mobile devices may be the worker's best friend, liberating them from the desk to operate wherever and whenever they want. But they are also the IT manager's worst nightmare. Keeping a desktop computer in your office secure, particularly before the age of the Internet, was more a matter of ensuring nobody broke in and stole it. Now, however, the device could be anywhere, and potentially in transit between places. In this feature we look at how you can keep your mobile workers' devices protected, so they can remain productive.
The most obvious challenge with a mobile device is that it can be mislaid or stolen much more easily than a system kept permanently in the office or at home. This can potentially mean the loss of important or even mission-critical business data. Login security policies are a must, but a corporate-grade system that requires this before devices can be accessed is optimal. Even better are devices that incorporate biometric security such as a fingerprint reader. Some Intel-based notebooks will incorporate a Trusted Platform Module chip to provide security at the hardware level.
Although a TPM is not an absolute necessity for this, it also goes hand-in-hand with BitLocker Drive Encryption, a feature that has been available on Ultimate and Enterprise editions of Windows Vista and 7, and now with the Pro and Enterprise versions of Windows 8. BitLocker allows the securing of entire volumes using 128-bit or 256-bit AES encryption, so they can't be accessed even if removed from a password-protected system.
Of course, passwords can keep legitimate users out of a system as well. A system secured with a password stored in a TPM does not have a back door, and if its hard disk has been encrypted with BitLocker, that probably won't be accessible ever again if the password is lost either. So system administrators must ensure they maintain a method of access. Biometrics are obviously tied physically to specific employees, too, so there needs to be policies and systems in place to cater for when an employee leaves the organisation.
If you don't want to go all the way down the BitLocker route, Windows NTFS volumes have had a less global encryption ability available for years. This is a simple checkbox in a folder's properties, and means that folder will only be accessible to the user who enabled it. The folder will be inaccessible to another user, or anyone who removes the storage in an attempt to access the folder externally. This more limited encryption can be used to keep important business data out of the wrong hands in the case of loss or theft, but limits the impact of the user forgetting their security details.
The situation has been considerably complicated by the trend towards Bring Your Own Device (BYOD), however. This is where your employees have the option to use their own smartphones, tablets and laptops. Whilst this has been shown to make for happy employees, the devices are likely to be much more difficult to secure and manage due to their heterogeneous nature.
At the very least, employees should be trained to secure their mobile devices with a password or lock code, and one that doesn't make life easy for any unwanted recipients. Remembering passwords is a bane of modern life, but a worrying number of people use this as an excuse to use passwords that are trivial to guess, like 1234 or "password". Employees need a small amount of training here. Pin numbers based on phone numbers that you still remember but haven't been in service for a while can be a good compromise. For a text password, taking the first letter from each word in a memorable phrase will produce a string that will look like random gibberish, but will be easy to recall.
Unfortunately, though, BYOD will often limit how much further you can go with centralised protection. If employees are using their own non-Windows devices, they may not have equivalent encryption. Mac OS has offered FileVault since Panther 10.3, with version 1 allowing encryption of the Home folder, and version 2 introduced with OS X Lion enabling encryption of the entire boot drive in a similar fashion to BitLocker.
However, Google Android-based phones and tablets, and Apple iOS devices, don't have folder encryption built in as standard. Instead, an app like Find My Phone could be used to locate a lost phone or tablet. This also offers a Lost mode which lets the device be permanently locked, whilst the Windows Phone version even lets you erase the contents remotely. Although the threat from traditional viruses and malware is not particularly great for iOS and Android devices, there have been cases of infection, and anti-virus software is available for both. It's still an essential utility for Windows systems.
On the other hand, when your workforce is operating primarily on Windows, their systems can be remotely managed even when they are not on the local network. A Windows 8 tablet is still running Windows, so can be brought within the same auditing and updating policies as Windows desktops in your office building. It can even be configured to accept remote desktop connections, for direct administration. But part of the lure of BYOD is the ability to use the latest non-Windows device, which will entail other methods for keeping control of your remote workers.
Perhaps the most foolproof way to keep the data of any of your remote workers secure, no matter what platform they are on, is not to have it stored locally on the mobile devices at all, or at least not exclusively. Keeping data in the cloud reduces the importance of the device itself. A commercial or private cloud-based system can be used either as a backup or main storage, although the latter means your users will need Internet connectivity whenever they want to access their data, which can cause restrictions. But there are numerous commercial cloud services that could be used, such as Google Drive, Dropbox, Windows Live, and SugarSync, or you can use a corporate private system such as HP Cloud Objects.
One step further is to use the mobile device as merely a window on services that remain hosted on your corporate local network, using a VPN. This is even built into Windows, since version 7, via DirectAccess. Corporate LAN resources available via DirectAccess will become available automatically whenever an adequate Internet connection is made, although once again this system is only available for Windows devices.
The mobile revolution may have brought with it considerable headaches for systems administrators. But the benefits for flexible working far outweigh the difficulties. The problems may be significant, and could cause interruption to productivity if not managed adequately. But ensuring your workers keep their devices password protected, encrypt any sensitive files, and keep mission critical documents backed up in the cloud will mean that their remote activities remain under control.
For more advice on transforming your business, visit HP BusinessNow
What you need to know about migrating to SAP S/4HANA
Factors to assess how and when to begin migrationDownload now
Your enterprise cloud solutions guide
Infrastructure designed to meet your company's IT needs for next-generation cloud applicationsDownload now
Testing for compliance just became easier
How you can use technology to ensure compliance in your organisationDownload now
Best practices for implementing security awareness training
How to develop a security awareness programme that will actually change behaviourDownload now