
Upload: hp-enterprise

Posted on 22-Jan-2015


DESCRIPTION

A report in which HP recommends that enterprises adopt a mobile security strategy, based on studies carried out across all industries.

TRANSCRIPT


Protecting data and enabling the mobile enterprise

Inform—an HP Insight series business white paper

Table of contents

3 Executive summary

4 Introduction

4 Protecting data in the modern enterprise

5 Adopting a bring your own device policy

5 Some industry specifics

8 Mobile assets come with higher risk of data loss

8 How can data be lost or compromised?

8 Mobility changes are often driven or led by technology

9 What can a CIO do now? A 5-step approach

10 What about the future?

12 Conclusions

Executive summary

Your employees, your partners, and your customers want instant access to the information they need—now—no matter where they are, what time it is, or which device they have in their hands. With the pervasiveness of personal mobile technology that’s always on, always accessible, and always connected, the “consumerization of IT” is changing the way we work and live.

Supporting this mobility is critical in enabling a distributed work model for a global workforce; individuals want to work this way. Chief Information Officers (CIOs) report an increased user demand for access to work email and other key business applications from consumer technologies, including personal and non-corporate devices. Instead of trying to stem the tide or restrict access, you need to develop a plan to manage the associated risk. To protect the company’s core infrastructure, information, and sensitive data, connectivity must be tightly controlled, data access must be secured, and the security of the device must be assured.

HP recommends a holistic approach that expands your current security policies to encompass this growth area. It starts with collaboration between the Chief Information Security Officer (CISO) and the business owners to develop a risk-based plan for mobile security investment and policy decisions. This base of good practices and principles should balance options and may involve trade-offs in terms of the degree of risk acceptable to the organization. The end result is a clear mobile security strategy that aligns with the business and determines how it will engage mobility within its risk profile.

Of course, this security strategy will be much more fluid than those of the past. However, with the help of security experts, enterprises can plan now for future changes. For example, HP Labs has been researching systems’ security architectures for the next-generation cloud-based enterprise, and has developed innovative technologies to address these IT environments. Our security specialists also use HP modeling to build shared understanding of complex situations and explore “what if” scenarios that help predict security issues as our context-aware work habits continue to develop.

As with any security policy, a mobility plan must be flexible enough to allow high volumes of interaction, but pervasive enough to mitigate risk and assure compliance—which means advanced security tools that cover exchanges both inside and outside of the enterprise. When the technology is evolving fast, sophisticated and evolving protection can be a major IT undertaking—but one that positions the enterprise to achieve better results in a competitive world.

Introduction

Over the last few decades, technology has significantly altered how the enterprise operates, especially on a personal level. Beginning in the 1970s, a wholesale computerization of the office, including the emergence of desktops and laptops in the ’80s and ’90s and, more recently, the proliferation of removable media options, has occurred. We’re now adjusting to the widespread adoption of smartphones and “app stores” within the workplace, alongside the advent of the cloud model, de-perimeterization, and the social media phenomenon. Collectively, these trends focus the modern workplace in one direction—mobility.

The biggest behavioral change in this space is the “consumerization of IT,” the expectation that self-selected technology tools—usually from the consumer market—be used in the work environment. This change is often synonymous with “bring your own device” (BYOD), which can be summed up as a desire for access to information “Anytime Anyplace Anyhow,” using whatever device you want.

Supporting mobility is critical in enabling a distributed work model for a global workforce, though tension clearly exists between mobility support and data-loss restriction.

According to IDC’s Custom IT Consumer Survey (April 2011), the devices most often combined for both personal and business use (in decreasing order) are laptops, desktops, smartphones, and tablets. That order is rapidly changing, however, and we should expect the usurping of the “most common Internet access device” mantle from the PC (desktop/laptop), which has been king since the 1990s. According to the latest Information Security Forum (ISF) Threat Horizon report, the proportion of smartphones—that is, mobile phones with web browser and email support—is set to increase from around 20 percent today to 80 percent in 2013.

Supporting mobility is critical in enabling a distributed work model for a global workforce. In fact, CIOs are likely to be judged on how proactive their stance is and how successful they are in cultivating the benefits of the consumerization model while managing its formidable risks.

For most enterprises, this will be an organizational challenge. Tension clearly exists between mobility support and data-loss restriction. However, the dichotomy must be addressed in the face of this persistent trend. This paper aims to give insight into the differences in attitude and approach between customers and industries. It also outlines the range of responses being considered across organizations and identifies ways in which HP can help CIOs in implementing a secure and realistic plan for incorporating mobility into the workplace.

Protecting data in the modern enterprise

Many obvious challenges arise when workers self-select their technology devices—whether those devices are owned by the individual or by the enterprise—regarding how mobile users operate, what they use, which management controls are (or can be) put in place, and any regulatory implications that might arise. However, adoption is rapid and somewhat inevitable. Organizations cannot afford to ignore the phenomenon or try to “hold back the tide.” Instead, they must adapt to the change and integrate mobility into the IT policy and processes.

CIOs should consider the question: “What types of devices will be on my network in three to five years?”

The bottom line is this: employees want to use their own devices—and enterprises want to attract the top talent that reflects their consumer base. Employers want Generation Y employees who represent our consumers. Decisions around mobility are often dominated by consumer trends, especially among senior executives themselves; they are often the first to insist on being allowed to use their iPads or iPhones, even when it causes the CISO’s team headaches due to the additional risks and complications to the infrastructure. Looking forward, CIOs should consider the question: “What types of devices will be on my network in three to five years?”

But BYOD is not purely a technological fad. A workforce with mobile capabilities is becoming increasingly necessary due to the global round-the-clock nature of today’s business. For example, one respondent has reported having a staff of 51 in 19 locations and supporting 24x7 globally distributed activities.

An emerging issue for the CIO develops when employees are allowed (or required) to adopt BYOD. The employees own the devices and feel entitled to use them as they choose, installing whatever apps/games/social media they want. Introducing confidential enterprise information into this environment is dangerous, and requiring or allowing employees to purchase their own devices, and then telling them how they are going to use them, presents a difficult challenge.

Employees want their “personas” to be mobile, too—in a device-agnostic manner. A persona is a person’s identity-related information, e.g., preferences, images, and profiles created on Facebook, Google™, etc.

Adopting a bring your own device policy

Allowing individuals to use their personal technology for business use, ranging from productivity improvements, convenience, and operational cost savings to new business innovations, creates strong benefits for the employee and the enterprise. However, adopting a BYOD strategy presents practical challenges. For example:

• Device management strategies may be fragmented and cumbersome due to potential proliferation of devices, ambiguity around responsibilities for data, and increasing expectations for how the devices can be used

• Rich device functionality, with easy-to-use social networking tools, presents challenges for enterprises in providing platforms and software to their employees such that they are fun (and distracting) as well as productive

• Corporate/sensitive information may be leaked, distorted, and/or be unavailable when required

• Demonstration of regulatory compliance may become more difficult

Some industry specifics

All interviewed respondents agreed that mobility is essential to their businesses and resulting data-loss challenges exist across all the verticals. As one individual said, “Industry is always behind the curve in making consumer technology ready for the enterprise.” But consumer technology was not initially designed with enterprise requirements in mind, which has led to challenges and delays in adoption by organizations. In their personal lives, consumers may be concerned with losing their emails or latest photos on their devices, but rarely does this result in reputation damage or a lawsuit resulting from divulging personal information—both major considerations for enterprise mobility use.

Industry is always behind the curve in making consumer technology ready for the enterprise.

Although each sector and business is unique in many ways, common mobility challenges exist. For example, desktop application management is an issue for most organizations due to the monolithic OS architectures that require significant effort to perform upgrades securely. Interviewed respondents noted additional insights and industry-specific concerns as follows:

Public sector

In many parts of this large sector, information confidentiality is generally the main security consideration. For instance, unintended disclosure of information in the context of the military and police can be very damaging. The main focus is on citizen data loss and reputational damage. However, with increasing acceptance of mobile working practices and the use of personal devices, more attention will have to be given to availability of data and its integrity as well.

A culture of data classification exists to some degree, in which we categorize information into pre-designated levels with controls regarding who can access information at each level. Human error is also a factor, causing accidental breach of physical media-handling procedures rather than as the result of hacking or malicious insider disclosure.


Technology companies

Mobility adoption is driven primarily by a need for 24x7 global operations and a disparate, technically literate workforce.

Enterprises in this sector are generally early technology adopters, with employees either working from home some of the time or on the move. A respondent stated that only 50 percent of his organization’s operating countries had any “IT assets,” so a huge reliance on cross-border communications and mobility exists.

Technology companies also have legitimate needs to support non-standard IT solutions, such as special access or configurations for their technically capable workforce, which often prevents the rollout of standard solutions that help to enable security and mobility. Off-the-shelf options simply don’t fit.

The technology industry is also an area where hackers strike on many occasions, and clearly this is a key concern. Such breaches cost massively in terms of recovery and reputation. The main foci are intellectual property loss, reputational damage, and loss of program source code, bringing much attention to protecting intellectual property rights, including a high take-up of laptop disk encryption.

Mobile devices play into this mix. As one respondent noted, “there are now enough of them [mobile devices] on the network for attackers to start prioritizing them.” Policy enforcement on employee-owned devices is still in development, however.

Financial services

In contrast to the technology sector, the financial services industry (FSI) vertical applies tight control over the working environment and thus a high level of enforcement through standardized systems.

As many data-loss incidents have been recognized as being due to human errors/abuse, the CSO is widely accepted as belonging outside of the IT function, possibly in a broad risk role. In fact, occurrences of informal insider trading (e.g., traders socializing on weekends) are not uncommon.

Financial organizations are generally “backed into acceptance of mobility” by users. Executives are often in the front line, demanding the use of “cool” mobile devices. Next-generation staff may expect the freedom to mix their private and business lives—and seamlessly incorporate their state-of-the-art technology across their personal and professional worlds.

Mobility is recognized as a big opportunity for innovation in the financial services industry, driven by many perceived benefits, although few have actually been quantified to date. BYOD and near field communications (NFC)—the wireless exchange of data between smartphones in close proximity to one another—are seen as fundamental to these innovations.

On the consumer side, payment by cell phone is still an experimental area fraught with challenges regarding the creation and management of new networks of suppliers, but it is receiving much attention. Likewise “digital money,” self-checkout, mobile banking, migrant-worker money transfers, and mobile adjudication of insurance claims are mobile innovations on the rise.

Still, the focus for financial services is turned internally: “Risks around use of mobility should be kept in perspective—over 50 percent of security breaches are from insider actions,” said one respondent.

For a financial institution, the main concern is protecting consumer trust—a bank collapses after its reputation is hit. Financial services is also an industry with many regulatory compliance requirements, including Basel and the Payment Card Industry Data Security Standard (PCI-DSS). In PCI-DSS-affected organizations, loss of card data is a hot topic. Additionally, U.S. banks are obliged to report any security breach to federal regulators, possibly exposing embarrassing process flaws.

In Europe, the Middle East, and Africa (EMEA), concern over personal and commercial transaction privacy and compliance with national and European guidelines (strictness depends on country, however) is a major factor, as well as concern around “time-sensitive information” leakage, such as merger and acquisition information, budgets, and accounts.


Retail

“The current hot button here is customer data,” said a retail industry respondent. Companies in this sector are now able to collect more information on the consumer via devices such as iPhones and iPads, making mobility services an appealing option for interaction with customers. Mobility is reducing the reliance on supply chain relationships for access to customer data and demographics.

However, mobility in the workforce is a little more complex. Respondents stated that a small fraction of the workforce is office-based—the majority are either in stores or in distribution. “In stores, staff turnover is high—they are young and want to bring their own devices to work.” This results in a multi-tier security requirement: certain controls for all (including store staff), with more stringent controls for office workers.

Consumerization is seen as an evolving problem. The era of provisioning of corporate mobile devices is ending. BYOD is considered acceptable for mobile devices but not for PCs due to the lack of standardized apps. Locking everything down can have serious consequences for a company because employees will continue to use their own devices, but without enterprise security policies and safeguards in place to manage access and mitigate risk.

BYOD and therefore consumerization are symptomatic of an underlying cause, the real issue being the desire for flexibility/self-service. Guidelines such as PCI-DSS (for credit card transactions) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (for medical prescriptions and other health information) are important, and generally quite effective.

Manufacturing

According to respondents, increased productivity is perhaps a bigger driver for IT consumerization than employee demand in a cost-sensitive vertical.

And usability of apps is key. Employees should not have to navigate complex applications in order to use apps effectively.

Although a clear, logical distinction between types of users and their access to data exists, user segmentation is immature in this sector. Any controls are largely implemented across the board.

Healthcare

Within healthcare, most attacks on mobile devices target the application level; therefore, much work focuses on this area.

Extra filtering/blocking controls required by state laws exert some regulatory pressure. However, our interviewee felt that monitoring tools for mobile traffic were immature and more robust solutions were needed.

Executives see risk through a “reputation lens” and data breaches are taken very seriously. This sector is seeing an increased level of hacker attacks, many of them targeting mobile applications and infrastructures.

Mobile assets come with higher risk of data loss

Mobile devices are typically present in a variety of situations, as users want them by their sides most of the time. Because of this, organizations can no longer rely on work-related or enterprise-owned mobile devices being kept in reasonably secure workplaces.

Mobile devices are also becoming more and more attractive to thieves and hackers, as the devices can often contain business information and be used as portals onto enterprise back-end systems and data. In fact, a myriad of inward routes require protection.

Another serious security consideration is that data loss can easily occur through misplaced or compromised mobile devices, and may not be detected for a long time—if ever.

How can data be lost or compromised?

• Data loss can occur through the misplacement or theft of laptops, tablets, and smartphones containing enterprise data, access to corporate systems, and even local copies of the corporate “address book.” For instance, one respondent told us that his organization loses approximately 1,500 of their 400k laptops each year.

• The confusion of corporate and personal mail systems side-by-side can cause users to send sensitive corporate information to personal contacts. Mobile devices typically include a single email application that can access multiple accounts, while desktops/laptops traditionally use different email applications for different accounts.

• User carelessness can create inadvertent exposure of corporate information and/or credentials.

• Users may deliberately circumvent controls by taking shortcuts (often in desperation or to save time) and sending potentially sensitive business emails to personal mailboxes.

• Malware on a device may enable data to be interfered with or copied elsewhere.

Mobility changes are often driven or led by technology

Mobile devices are often viewed as fashion accessories, and uptake is affected by society. User mobile behavior is likewise influenced by the technology available and what it can do, with many inherent risks.

Furthermore, consumerization is about personas and personalization, not just devices. For example, employees are likely to want to have access to online identities, such as a Facebook profile, at any time and in a variety of forms. They also want features that find and adjust to their location—like Google Maps™—and allow access to remote services—like HP ePrinting. All of these options make mobile devices more appealing, but also track and store personal—and usually unsecured—information about the user.

Due to the speed of technology change as developers rush to keep up with this demand, attackers are likely to target users who do not have sufficiently matured security. If organizations are purely reacting to changes in the mobility mix—for example, a new device or OS upgrade—they will struggle to secure the “bleeding edge” devices in a timely manner.

In short, many business stakeholders are not sufficiently informed of the implications of technology and behavioral changes; as one respondent commented, we require “a user-centric view of the world” moving forward.

[Figure: Security / Mobility, Rewards / Risks]

What can a CIO do now? A 5-step approach

As with most security challenges, technical solutions are only part of the puzzle. A more rounded approach to the problem is needed, as outlined below:

1. Support collaboration between the CISO and the technical or business owners who are driving mobility

By understanding the business motivations for the enablement of mobility, a CISO can manage the resultant risk in accordance with the enterprise’s risk tolerance and therefore better support its adoption. The alternative is the too-common situation in which security solutions must be “bolted on” or applications updated and retested, resulting in increased cost—and, with frequent changes to mobility devices and apps, a likelihood of growing security gaps.

2. Develop a risk-based approach to mobile security investment and policy decisions

CIOs need to be confident that their CISOs have established principles and practices to ensure a base level of security in all processes that the business relies upon—and that they are collaborating with relevant stakeholder groups to maintain this level.

CISOs must consider the risks of mobility enablement due to the loss of centralized control when determining potential business rewards, such as increased revenue derived from the ability to innovate, or the attraction of talent due to a business’s perceived progressive stance on technology use in the workplace.

By undertaking a formal risk assessment of an enterprise’s mobility strategy, the CISO can more fully understand the risks these mobile devices can introduce and the threat they pose to an enterprise’s critical assets. However, understanding the risks is only the first step. Risk management teams must then determine the maximum risk the enterprise wishes to entertain and how much residual risk it should accept, and perhaps even consider transferring to an insurer.

Due to the velocity of change in mobile technology, increased frequency of risk assessments is warranted for certain devices and applications. An informed decision requires an understanding of users’ actual or potential actions, as mobile contexts are more dynamic than devices used within fixed controlled environments such as offices. For example, when entering a foreign country, employees may be asked to surrender corporate mobile devices to the border control officials.

3. Utilize good practices, principles, and technology

Mobility is inherently about people, process, and technology, thus making standard approaches to risk analysis difficult. The following approach is recommended:

• People—train and raise awareness to encourage employees to perform the right actions

• Process—provide the appropriate channel and auditability to securely enable users

• Technology—present the appropriate tools to rely upon

However, the reality is that these basic guidelines don’t always work in practice. HP’s Security Analytics professional services offering, a commercialization of HP Labs’ Trust Economics research, uses economics and cognitive science to more rigorously explore options and trade-offs.

When considering BYOD as an option, the following high-level questions should be asked:

• What level of risk is acceptable?

• Who are the groups of users who need to be mobile? (And which users will be mobile whether they need it or not?)

• What mobile platforms need to be supported?

• What applications—both professional and personal—will be used?

• What technologies will be used, e.g., Web 2.0?

• How will these applications be deployed and managed?

• How will devices be secured and managed?

• How will regulatory compliance be achieved?

• How will access be provisioned and revoked?

• Will users be educated and made aware of mobile security risks on an ongoing basis?


• Are security technologies like remote wipe, two-factor authentication (or strong password enforcement), self-service password resetting, device encryption, sandboxing of applications, and automated OS patch management possible on the proposed devices (especially if the device is owned by the individual)?

• Do data classification policies exist, and are these enforceable on the selected platforms?

• Will monitoring and logging capabilities be enabled on device and management systems?

• Are there specific processes for detecting, correlating, resolving, and reviewing mobile data-loss incidents?

The last question is very significant, as CIOs/CISOs need an effective way to revoke access in the event of employee separation, whether voluntary or involuntary. In the past, this has meant reclaiming the device from the employee, but, with BYOD, enterprises must create a process to revoke access and reclaim data without taking possession of the device.

4. Develop secure applications specifically for mobile users and platforms

Including security requirements such as “authentication” and “segregation” and consulting expertise within the software development lifecycle will lead to a wider understanding of security risks within the development process. Doing so creates a more proactive security culture—reducing costs by shifting security spend from high-cost last-minute activities to a model in which security requirements are captured at design time, with application functionality built around these requirements. Including these features should result in reducing the number of security defects on end-user devices.

Enterprises should also consider creating an enterprise app store to provision applications to users, giving them a one-stop shop for all their business apps. Because an app store is a controlled portal, app submissions can be restricted to only internally developed, tested, and trusted apps, thereby reducing user education and easing adoption of mobility.

5. Develop a clear mobile security strategy that aligns with the business

Consider a mobile security maturity model. Mobile security is a wide area; as such, it requires a phased approach. How the enterprise engages with mobility and how mobility supports the business’s objectives must be understood, and the security strategy should explore risk management and mitigation through a combination of people, processes, and technology.

Risk review frequency should follow the pace of mobile technology releases and the business’s own change frequency. By regularly reviewing new technologies and business trends, an enterprise can better support its mobility strategy and manage its risk profile as well as the threats introduced by these changes.

What about the future?

Trust economics—business-aligned decision support

Decision-making and risk assessment for mobility and data loss are very difficult because:

• Enablement and risk mitigation present a challenging trade-off

• Stakeholders maintain different views/incentives/knowledge/responsibilities

• Human factors—not just technology—hold significance

To address these changing variables, HP Labs has developed a model-based methodology to analyze risks, allowing stakeholders to build shared understanding of complex situations and explore what-if scenarios using HP’s models. These scenarios have worked well in process and technology situations such as identity management, system-on-chip (SOC) design, and vulnerability and threat management.

In collaboration with academic economists and cognitive scientists, we have extended this methodology to account for human behavior (see http://bit.ly/rXL5F3) in relation to the exploration of issues like USB stick policy, digital rights management (DRM), and other mobility and data-loss situations.

To better understand how HP is helping its clients to better manage their risks, watch the following case study (http://bit.ly/xC9GFB).


Managing cloud communities with trusted cloud-client management solutions—“safe and cost-effective end-to-end security management in a consumerized world”

Many of the current issues in enabling mobility are due to the inability to enforce security requirements relevant for data classification(s). By containerizing our data, we gain not only the ability to separate corporate from personal data, but can selectively introduce functionality such as remote wiping, advanced threat monitoring, or intrusion prevention.

Research promises to take containerization-based security management models to mobile devices more generally, with the appropriate cloud integration for manageability as these technologies mature.

“Wouldn’t it be great if we could express policy once and the infrastructure would know how to implement our requirements whether the device is a desktop, laptop, tablet, or smartphone?”

HP Labs has also been researching systems security architectures for the next generation of cloud-based enterprise, and has developed innovative technologies such as:

• Trusted Computing: A system architecture for remotely verifying a device’s properties in order to establish trust

• Trusted Virtualization: A device architecture that can provide container-based security policies for multiple operating systems on a single device, simultaneously supporting multiple independent IT domains to be managed securely on a single client device

Today, HP Labs is researching how to use such state-of-the-art developments in order to facilitate cost-effective, cloud-based security management for the enterprise in a consumerized world.

HP experts believe that, from an IT department perspective, “cloud communities” could be defined and securely managed throughout, from the end-user cloud client devices to the data center. Importantly, the HP Labs approach is designed to allow end-user devices to be registered with multiple communities, rather than being limited to just one personal and one business persona.

By supporting multiple personas, next-generation devices and services will allow multiple IT departments to have advanced security management control over their communities of mobile users and business applications, enabling end users to maintain privacy and choice for their own devices, within other cloud communities, or within personal applications.

Mobile security maturity model (supported by good governance, risk, and compliance practices)

HP recommends a systematic approach to mobility adoption and management, taking steps to progress up through the maturity levels of the model below.

Throughout the process, remember a few important considerations:

• Take a holistic and evolutionary approach that includes people/process/technology, which reduces dependence on solely technical solutions

• Perform a risk assessment for each new mobility-use case

• Establish strong governance mechanisms including communications between stakeholders

• Automate controls as often as possible

Additionally, the IT team should support users in a consumerized environment just as they have always done in the workplace. The key aspects are:

• Set clear expectations

• Provide support options that work on the users’ terms

• Allow access to as much support as possible

• Support what you control—the data and environment; devices will come and go

• Maintain a baseline and use it as fall-back

Mobility maturity matrix (Level 1 through Level 4)

• Community engagement to improve understanding of mobility drivers

• Community interaction to understand how to incorporate human and economic factors into risk assessments

• Strategic use of mobility-related cloud services

• Good practices and principles established

• Risk assessments completed for each situation

• Adoption of some mobility-related cloud services

• Longer-term strategic view (rather than risk assessing each case on its merits; potential link to containerization strategy)

• CISO team collaboration with (or embedded in) mobility and business teams

• Mobility strategy not overly focused on technology


© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Google™ and Google Maps™ are trademarks of Google Inc.

4AA4-0919ENW, Created April 2012; Updated June 2012, Rev. 1


Conclusions

All industries need to embrace mobility as an evolution of IT in the workplace. But this adoption must deal with the information-related risks that come with it.

The main challenges around embracing mobility in a controlled manner are:

• High user expectations due to the advent of consumerization

• A wide variety of devices and systems to manage—many of which may not belong to the enterprise

• The velocity of change in mobile technology, which means constant re-assessment of security measures

• A broadening of technology into personas and personalization, not just devices, which opens the user to greater vulnerabilities

• More opportunities for data loss than in traditional workplace IT

These challenges are largely common across industry sectors. However, nuances and specific requirements must be taken into account as policies are developed.

Further, to mitigate risk to corporate and other sensitive information, the CIO should make sure that the CISO's team has established principles and best practices, and should involve that team in the right loops and conversations so that it can understand and support mobility business policies.

Finally, there will always be a need to continually assess risk and to be agile in adopting new mobility solutions appropriately. This is a rapidly developing area that adds both complexity and opportunity to the organization. HP recommends:

• A holistic and evolutionary approach that incorporates people, process, and technology—specifically to reduce dependence on solely technical solutions

• A risk assessment for each new mobility-use case

• Strong governance mechanisms including communications between stakeholders

• Automation of controls as often as possible

HP Enterprise Security has the expertise and insight you need to tackle these emerging challenges. Our focused framework leverages our full portfolio to meet your specific mobility needs. HP Labs is also working on bleeding-edge research in risk management and technology to address future problems, and is actively working with our clients to implement forward-looking plans.

While other security companies focus on security threats and lock down information in order to protect it, our success is driven by viewing information security differently. HP takes a proactive and risk-based approach, ensuring that technologies like workplace mobility fit within and around the organization while creating new opportunities. Let us help enable your organization to respond to changing expectations of IT.

Contributors

Christine Atkins—Senior Vice President, Group IT Ahold

Ralph Loura—CIO, Clorox

Neti Hanumantha—CISO, Clorox

Elinor MacKinnon—CIO, Blue Shield of California

Sherry Ryan—CISO, Blue Shield of California

Michael Cunningham—CTO, Kraft Foods

Rene Steenvoorden—CIO, Rabobank

Simon Arnell (author)—Information Assurance Consultant, HP Enterprise Services

Neil Passingham (author)—Technical Solution Director, HP Enterprise Services

Betsy Hight—Vice President, Cybersecurity Solutions, U.S. Public Sector, HP Enterprise Services

James Cooper—Distinguished Technologist, Portfolio Research and Development, HP Enterprise Services

Boris Balacheff—Senior Security Researcher, HP Labs, Cloud and Security Lab

Simon Shiu—Senior Research Manager, HP Labs, Cloud and Security Lab

Rich Armour—Vice President, Global Cyber Security, HP Global Information Technology

Larry Ryan—Chief Technologist, Financial Service Industry, HP Financial Services