Financial institutions have some of the strictest security and compliance regulations, which can make providing bring your own device (BYOD) and mobile access tricky. But James Gordon, Needham Bank's vice president of technology, says he couldn't afford to limit the productivity that mobile access enables. In fact, he embraced mobility head on, implementing a combination of mobile device management software from MobileIron and a remote desktop solution from Array Networks in order to allow personal devices onto the network with access to key applications.
In this interview, Gordon explains how a pretty simple combination of technology enables his enterprise mobility program.
What kind of mobile devices are on your network?
James Gordon: We have been deploying iPhones since 2008, and we started deploying iPads since the week they came out. We also support the BYOD concept, provided that users understand what kind of security we are going to bring to the table and what restrictions we put in place. [BYOD] started top-down, but it's now used for anyone who wants to bring their own device.
We've done some unique things with [company-issued] iPad technology. We have a construction security committee, and its job is to review properties to make sure that before we front the money for rugs and the dishwasher, there is a roof in place, or before we give money for the roof, we make sure that the foundation is poured. Basically, we manage our risk by not giving the money for the whole house up front. We track all those things on a construction draw. Before, those construction draws weren't allowed to leave the bank. By giving [committee members] an iPad, it brought about five or six different solutions just for their one goal of reviewing a property.
How do you manage and secure access with these devices?
Gordon: On the bank-owned iPads we have full device encryption and jailbreak detection courtesy of MobileIron. We also block iCloud on all devices.
Why block iCloud?
Gordon: For us it's critical because we can't have data reside in a third-party data center on which we have not done vendor management. We have to make sure all of our security conditions are met. Apple is probably not going to produce an SAS 70 or SAS 80 16 9 audit, the de facto standard to make sure we have our ducks in a row.
Do things get stickier when it comes to managing and securing personal devices?
Gordon: We manage personal devices in much the same way, with the exception of making sure that the user understands our terms of security. We have the geo-location in the device still enabled, and we are still going to wipe the device upon [an employee's] termination. And we indemnify ourselves by having them sign a document stating as such. Some people partake and some people [don't].
Do all employees have mobile access to webmail?
Gordon: They have access to webmail, but we restrict it by use of an RSA token, so we have two-factor authentication. The token makes it enough of a roadblock to where it's not passive. The users of iOS and those devices are much more, dare I say, engaged and responsive because they're always being probed and prodded.
Where does MobileIron fit in for the management of both sets of devices?
Gordon: It's crucial for both sets of devices. If someone has just ActiveSync, they have a Microsoft server proxy to the Internet, and that's probably not ideal. Secondly, [MobileIron] leverages a lot of capabilities within the device; a good example of that is keeping on the geo-location service. Now I can beyond a reasonable doubt say, 'No your iPhone wasn't stolen; it's in your house somewhere.' So it prevents some of the fire drills we've had in the past.
MobileIron takes advantage of whatever capabilities iOS lets us do. The first and foremost is jailbreak detection. We want the device to be in a known state that some hacker hasn't tried to play with. Then we can also make sure everyone is on a current version of the firmware and block prior versions, which might have had issues.
What's lacking in current mobile device management software?
Gordon: The most requested feature at MobileIron is the ability to push out a different set of configuration profiles depending on user location. So if you're within the hospital walls -- within that specific set of GPS coordinates -- the camera could be disabled, for example. Then when you roam off the hospital grounds, you can use the camera.
Speaking of policy, how do you get granular in user-access policy?
Gordon: We use a product from Array Networks called Desktop Direct, which we have rebranded. It's a hardened appliance box, and it lets iPhones and iPads, Androids, and Windows devices communicate over a secured RDP (remote desktop) session. So the people with iPads also have a Windows 7 virtual PC. I am a firm believer in keeping data within the data center and not letting it leak out to these devices.
That also means you don't have to have a granular policy-management system.
Gordon: Correct. It's a beautiful thing. The site we use to proxy the desktops is called NeedhamLink.com. It has two-factor authentication. We are trying to make compliance convenient.
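The device checks Gordon describes above (jailbreak detection, a minimum firmware version with older versions blocked, iCloud disabled, full device encryption) amount to a compliance policy evaluated against each enrolled device's inventory record. The following is an added example written for this page, not code from Needham Bank, MobileIron or Array Networks; the `Device` and `Policy` records, the field names and the sample inventory are all constructed here to illustrate the logic, and the version comparison is deliberately numeric so that "9.10" sorts after "9.3" rather than before it.

```python
"""Hypothetical MDM compliance evaluation (added example; the data model and
field names are assumptions, not any vendor's API).

Models the checks described in the interview: jailbreak detection, minimum
OS version enforcement, iCloud blocked, and full device encryption enabled.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    os_version: str      # dotted numeric string, e.g. "9.3.5"
    jailbroken: bool     # result of the MDM agent's jailbreak detection
    encrypted: bool      # full device encryption enabled
    icloud_blocked: bool  # iCloud restricted by configuration profile


@dataclass(frozen=True)
class Policy:
    min_os_version: str  # devices below this version are blocked


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "9.3.5" into (9, 3, 5) so versions compare numerically.

    Trailing zeros are stripped so that "10.0" == "10" == "10.0.0".
    Raises ValueError for non-numeric components (e.g. beta builds).
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return the list of policy violations for one device (empty = compliant)."""
    violations: List[str] = []
    if device.jailbroken:
        violations.append("jailbroken")
    if parse_version(device.os_version) < parse_version(policy.min_os_version):
        violations.append(
            f"os_version {device.os_version} below minimum {policy.min_os_version}"
        )
    if not device.encrypted:
        violations.append("device encryption off")
    if not device.icloud_blocked:
        violations.append("iCloud not blocked")
    return violations


def access_decision(device: Device, policy: Policy) -> str:
    """Gate access to mail/RDP: any single violation blocks the device."""
    return "allow" if not evaluate(device, policy) else "block"


def run_inventory(devices: List[Device], policy: Policy) -> Dict[str, str]:
    """Evaluate a whole inventory; returns device_id -> allow/block."""
    return {d.device_id: access_decision(d, policy) for d in devices}


# Constructed sample inventory (not real devices or real policy values).
POLICY = Policy(min_os_version="9.3.5")
INVENTORY = [
    Device("ipad-001", "committee", "9.3.5", False, True, True),
    Device("iphone-002", "alice", "9.3.5", True, True, True),    # jailbroken
    Device("iphone-003", "bob", "9.2.1", False, True, True),     # old OS
    Device("iphone-004", "carol", "10.0", False, True, False),   # iCloud on
    Device("ipad-005", "dave", "9.10", False, True, True),       # 9.10 > 9.3.5
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev.device_id, access_decision(dev, POLICY), evaluate(dev, POLICY))
```

Note that the decision is all-or-nothing: a device that fails any one check is kept off mail and the RDP proxy rather than given partial access, which matches the approach of keeping data in the data center and only admitting devices in a known state.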