Central support goes into the field
How can a mobile workforce be brought back into the IT management fold?
Enterprise mobility accelerates the trend towards centralisation and consolidation of information technology - in particular the management and governance of data.
However, the mobile devices capable of running high-end IT applications and delivering gains in productivity also bring big security, management and compliance challenges. Enterprises are responding by bringing tools like smart phones, PDAs and even USB memory sticks within the realm of existing IT policies, support teams, and management systems. Often mobility is the last nail in the coffin for the data networking configurations that have dominated enterprise IT since the early 1990s: client/server is finally conceding to the 'big iron' it once looked like obliterating.
The key move for many enterprises is to bring all mobiles under the umbrella of IT, rather than traditional telephony management, according to Leif-Olof Wallin, research vice president at the Gartner Group. "Mobile phones have been under some kind of administrative or facilities management function," Wallin says, "but our more advanced clients have brought responsibility for mobile phones into IT, under the same team that manages the desktops."
Application development staff are also having to add mobility to their IT skills repertoire, Wallin believes, and embrace the challenge of writing software for devices that are not always connected, and yet whose data has to be synchronised effectively with centralised storage systems. The challenges this sets for IT management are complex, but not insurmountable.
Keys to coherence
The starting point of a mobile data strategy though should be to recognise that it is all about creating new opportunities for the business, and that it should solve problems - not create them. Paradoxically, even IT departments that pride themselves on a forward-facing focus can be prone to Ludditism, and averse to directives that change or threaten established tools and procedures.
As Steve Reynolds, vice president of the Mobile Data Association (MDA) points out, mobile devices can not only boost productivity and increase satisfaction, but actually represent a distinct improve--ment over preceding paper-based procedures, even with respect to security and compliance where they are thought to be vulnerable. "These devices are normally deployed to replace an existing paper process that is prone to error, loss, accidental and malicious breaches in privacy and company process," Reynolds says. "Mobility brings to a large degree an element of compliance and security [that is] not possible with use of paper."
This sounds like a no-brainer; but there's more to the transition than swapping like for 'better-like'. The MDA's Reynolds agrees that mobility-minded enterprises must adopt a robust approach to the technology takeover in order to gain full advantage of these benefits, and avoid productivity savings being offset by increased data management costs - or, worse, major losses of intellectual property and breaches of compliance.
IT departments already have processes to manage desktops and have usually extended these to laptops. Now it is equally vital that PDAs, smart phones, and other devices, are managed in the same way, and indeed with additional consideration given to the new risks and threats.
"First, successful mobilisation in the enterprise relies heavily on centralising IT systems, for having disparate IT will add to the complexity, cost, delivery and ultimately the success of the final solution," Reynolds reckons.
Centralisation will help deliver the other core components of a truly coherent mobile data strategy, which, according to Reynolds, include a clear definition of the applications or data that is to be mobilised, mobile device management, mobile device security, a list of approved mobile devices, appropriate training, usage policy, compliance with the Data Protection Act, and - above all - user support via a help desk.
The actual approach taken to centralisation in the mobile context is crucial, according to Gartner's Wallin. Some enterprises tend to regard mobility as a 'third tier' of IT within some kind of client/server environment, in which case devices such as smart phones connect to central data and IT management functions via PCs or intermediate servers. This model is not efficient, and makes it harder to comply with emerging compliance regulations, because data can be harder to locate or keep control of.
For this reason, enlightened enterprises are cutting out the middle layer, and enforcing direct synchronisation of data and applications between the mobile device such as smart phone or BlackBerry PDA, and the ultimate master data location, such as a Microsoft Exchange Server. "This makes it easier to support, and reduces the compliance challenge," observes Wallin.
Whether or not this approach is taken, reliable, regular, and efficient synchronisation is critical, certainly for larger enterprises. Without this, data management becomes impossible and loss of valuable or confidential information inevitable, given the ease with which mobile devices can be dropped, stolen or lost.
There is, then, a choice between relying on the user manually synchronising the data, or - usually better - having it done automatically via a central application. In either case the process relies on regular wireless connectivity. Indeed, one of the main IT decisions relating to mobiles is how to handle the issue of intermittent connectivity, from the perspectives both of data synchronisation, and mobile client application.
The best solution depends on the reliability and frequency of wireless communication, and on the application requirement. For a sales force using a laptop to give presentations, the required software clearly must run in the client. Similarly, for staff frequently at locations out of range of the radio access network, client software is indicated.
But, on the other hand, if connectivity is good, and the security requirement high, it may be best to execute applications from the centre. For security reasons, it may also be desirable to delete data as soon as it is no longer needed for a one-off application, which may be more practical than the alternative of total end-to-encryption of all data.
Synchronisation too can be a problem in the event of intermittent connectivity. Therefore, according to the MDA's Reynolds, there should be a robust implementation protecting data against loss during synchronisation if the connection is lost: "With mobile data applications it should be possible to ensure that any data entered while the device has no wireless connectivity automatically synchronises once the device picks up a wireless connection, thus taking out the manual process and minimising the risk of data loss," he says.
Device-specific security levels
For larger enterprises in particular it is usually wise to avoid taking a 'one-size-fits-all' approach to mobile data management, for not all 'road warriors' have the same requirements. Some will keep far more critical or valuable data on their mobile devices.
The loss of data held on a relatively junior salesperson's PDA may be tolerable for example, as it is less likely to be sensitive and may pertain to a relatively small number of clients or prospects. However, the head of sales may hold aggregated sales data on a device, whose theft could potentially affect the share price or be valuable to a competitor.
For this reason, as Gartner's Wallin notes, some enterprises have implemented tiered policies for mobile data security, with junior staff perhaps having so-called vanilla phones with lower security, while executives and those generating sensitive or valuable data being given a top-range BlackBerry, or comparable device, with encryption.
The security threat is exacerbated further by devices such as memory sticks that can remove data and bypass protection mechanisms in the case of notebook, laptop or palmtop computers, with flash memory cards posing similar risks for smart phones or PDAs.
According to Wallin, some enterprises have even resorted to blocking ports with glue to prevent attachment of memory sticks to computers. Similarly, the camera function of mobile phones can now pose a threat by allowing photographs to be taken that might compromise the civil liberties or even intellectual property of other individuals or companies.
Many of these issues relating to integration between mobile devices and the existing infrastructure are faced only by larger enterprises. For smaller companies, the main requirement is for access to the Internet and email, without the same complex integration, security or compliance issues, according to Mike Shirley, small business segment manager at the operator T-Mobile.
But, even then, there may be a need for synchronisation, so that, for example, emails accessed from a mobile device are also consolidated on a central server, although this may then be hosted by a third party or provided by an off-the-shelf package. "There are some fairly easy to deploy robust mobile email solutions for smaller enterprises," agrees Shirley.
Compliance issues and mobility
Even smaller enterprises will be affected by emerging regulations governing data compliance, which will increasingly enforce centralisation and ordain how data should be managed and backed up. In this sense compliance is a unifying theme, ensuring that all but the smallest businesses will need a policy for their data, and that must include mobile data.
This theme has emerged most swiftly in the US, where new rules about legal discovery have led to some companies being ordered to establish litigation servers that store copies of data - including emails - considered likely to be required in possible future litigation. This is deemed necessary to create a level playing field for court action in the electronic age.
It requires at the very least that mobile data is replicated and available via a centralised storage system, although this does not necessarily have to reside in a single physical location. The requirement is for 'virtual centralisation', meaning that there is a single point of access, control and governance.
It has been argued that the logical extension of this is for enterprises to be denied the right to look after their own data, with control passing to a third party in escrow, as it were. If this scenario were to take off, it could bring about a whole new dimension in expensive ultra-high level integrity assurance that would have to be factored into corporate budgets.