We recently sat down with Carhartt CIO John Hill to discuss mobile security management, threats and best practices to help mitigate risks. Here’s Hill’s advice on how enterprise IT teams can maintain a secure mobile environment:
Q: Why is mobile security management becoming such an IT imperative?
Hill: If you look at today’s application footprint, everything we do and everything we build now has to be able to perform in a mobile environment. The challenge is, once we got out into the mobile environment, the degree of control that we have over that ecosystem is reduced. You want to make sure you spend a lot of time thinking about how to protect the device, because it’s connecting to various networks that may not be as secure as your own network.
Q: It’s almost inevitable that sensitive data will be distributed in the mobile environment, so what can be done to safeguard that loss of control you have once those devices leave your four walls?
Hill: We have a MAM [mobile application management] solution in place and we are very clear with the application teams about making sure that when they structure things, it’s got to be able to work inside that MAM container. The other thing we do is educate our business colleagues about not doing things that involve sensitive information outside of that container. This includes not forwarding information to their own personal space or use storage solutions that don’t flow through the container.
Our approach is to be able to allow them to do everything they need to do on their phone, but we do want it to be in our mobile application management suite so that we can support the device — whether they bring their own or they choose one of our devices.
Q: Apps play a big role in any mobile environment. What are some of the mobile security threats and what should enterprises be doing to mitigate those risks?
Hill: As much as possible, we want to use standard apps. We prefer not to use a browser to control the apps because then we lose the functionality that’s inherent in the mobile application, but we take the same kind of security approach to mobile apps as we would to email, or links that generate from email, in the browser.
Q: When enterprises are building their own mobile apps, what are the mobile security best practices they should be thinking about?
Hill: Start by thinking about the framework and getting an expert to ensure your architecture is secure, but if you use a MAM or an MDM application, that helps provide extra protection in case there is some inherent flaw in the app that you built.
As much as possible, I think the other thing is to take advantage of the frameworks that are out there. For example, if you’ve got SAP, you can use SAP Fiori to build your apps so that you’ve got a better standard framework in place, as opposed to doing it custom on your own from scratch. That’s our approach right now. In fact, other than a consumer-facing application, we will not build any kind of custom applications for use in our enterprise.
Q: Mobile security management in a BYOD environment is a huge challenge. Carhartt’s approach is to whitelist certain devices for BYOD, but how do you decide which ones?
Hill: For starters, we only go with top brands. We’re not going to allow a tier two type of product. We want to know that there’s a lot of R&D and support behind the devices, so that’s our number one approach. Secondly, we tend not to put new devices as an option people can choose. Eventually, they will come on the list, but we wait to see if there’s any kind of issues with the device before it gets added. But we really only pick two brands, one of which is Samsung.
Q: IoT is beginning to really heat up. What are the concerns around IoT?
Hill: Back to my point about liking to keep our mobile device whitelist to two big brands — it all falls apart in IoT. There are just so many factors and so many ways that things can connect. The biggest challenge is: how do you manage it and how do you stop things from getting connected that shouldn’t be connected? Luckily, we’re not at a point yet where we have too much IoT, so we have time to think about it. But I think the pure management of IoT, and making sure that everything is kept current and has the necessary security, is going to be the biggest challenge.
Q: It’s been great hearing from you and your insights to managing mobile security threats. What parting advice do you have for IT teams on how to balance mobile security with end-user productivity?
Hill: First is not to have too much variability in your approach. Decide what the overall framework is and say, this is how we’re going to deploy it — whether it’s a MAM or something else. As soon as you start deciding to use MDM for some things and MAM for others you’ve inserted opportunities for mistakes.
Secondly, a lot of times people think about mobile after the project is done and that causes rework. So I tell people to really think about mobile right from the beginning, even if you are building something that’s mainly going to be used in a desktop world, because it just makes it harder at the end to make sure you get the right solution that’s going to be attractive to those end users, secure, and will work across the ecosystem.
Tune into Samsung’s Business Disrupted podcast, Episode 3: Mobile Security and the Enterprise, for more great insights from Carhartt CIO John Hills as well as Mickey Panayiotakis, managing partner at Infamia.