Layer your security. As with other IT security strategies, layering security makes sense for the Android environment. If you look at the mobile security stack in layers (starting from the bottom up) as network/carrier layer, hardware layer, operating system layer, and application layer, the chances of exploits increase as you climb the ladder, says Tyler Shields, a senior analyst for mobile and application security at Forrester Research. "Enterprises also have less control the lower we go in the stack," Shields says.
To try to mitigate the risk at each layer, Shields recommends a combination of mobile security technologies, each specifically aimed at a different security layer. "The baseline security requirement is to have [an MDM] system managing every device in your environment," he says. "This will help with the remote-wipe capabilities, tracking lost devices, and general management and baseline security requirements."
Deploy MDM. Companies that have rolled out Android broadly agree with the MDM recommendation. "Android devices should not be deployed in any enterprise without robust MDM," says Abhi Beniwal, senior vice president of global IT at Daymon Worldwide's Interactions subsidiary, a provider of in-store product demonstrations for retailers and manufacturers. With an MDM platform in place, enterprise IT has the visibility it needs into mobile devices and can proactively manage security vulnerabilities and threats, Beniwal says.
Interactions has deployed Android-based tablets and mobile apps in more than 1,000 stores in North America. Most of its workforce is field-based, and mobile technology allows users to share real-time information, Beniwal says.
The company implemented an MDM platform from AirWatch before deploying any Android device in the company, and it hasn't experienced any security-related problems with the devices, Beniwal says. "At the same time, we take it very seriously and are always monitoring and proactively managing any potential security threat to our devices," he adds.
Also relying heavily on MDM is the Center for Young Professionals in Banking (CYP), a training center in Zurich that has rolled out 1,400 Android tablets that students use to access CYP's learning management system. CYP uses MobileIron's platform for enterprise mobility management. The platform ensures that only approved apps are installed on devices, and it reports any breaches.
Among CYP's concerns about Android security and management are data loss prevention, malware, OS version control, and data on lost devices. The MobileIron platform addresses each of these and other concerns, as do most serious MDM systems, says Thomas Fahrni, deputy general manager of CYP.
Create a compliance policy. Aberdeen strongly recommends that companies create a compliance policy for BYOD units, so that not every smartphone or tablet is acceptable for use within the work environment.
"Organizations should test the vulnerability of the most popular platforms and versions and verify that they can be managed securely" before granting those devices access to the corporate network, Aberdeen's Borg says. "This is a BYOD policy with constraints. An unbridled BYOD policy is very problematic" because it invites access to the network by devices that might not be secure.