Mobile enterprise content management (ECM) is catching on, and in a big way. According to trade association AIIM International, the number of organizations lacking mobile access to their content management systems dropped from 68% to 37% in the past year. Though more than a third of those groups are still going without, it’s clear that more people than ever are enjoying access to all the information they need to do their jobs from anywhere, at any time.
One outcome of this is the growing need to ensure the security of these content interactions -- not only by protecting the information being viewed, but by securing the untethered devices enabling mobile ECM strategy. While this has some significant mobile ECM governance ramifications, this article will discuss the balance to be struck between applying the proper protections and locking the devices down so tightly that they become difficult to use -- two extremes that, left unchecked, will erode the business benefits mobile ECM was intended to provide in the first place.
A two-sided fix
Securing mobile devices and content should be tackled from two different directions: one from the device side, and the other from the system side -- in other words, from both ends of the content transaction.
Activity at the device level begins with the need to secure the devices themselves, informing users in no uncertain terms that this must be done and teaching them how to do it. Remarkably, research by authentication provider Confident Technologies found that while more than 65% of respondents reported they use their mobile devices to access work email or the company computer network, more than half said they do not use a password or PIN to lock a smartphone or tablet. If that’s true, it would be a stretch to believe they are giving any thought at all to the security of the systems they are connecting to. They must be indoctrinated in the need for enterprise security.
Whether or not your employees buy into what you tell them, there are a few more technical methods you can employ. Characteristic of the challenge, though, there are pluses and minuses associated with each one, and you’ll have to strike the balance that best suits organizational needs. Here are but three examples:
- Require the use of a virtual private network (VPN) when connecting. The benefit here is that the connection with enterprise content will always be secure. The downside is that establishing the VPN connection is an extra step for the user, and the software required places an additional load on the device, which might not have the horsepower to perform under the load.
- Restrict content access from a mobile platform so that it can be displayed but not downloaded. The benefit to this is that it eliminates the opportunity for information to escape if the viewing device is lost or stolen. But it also sacrifices the ability to annotate or amend the material, and it means content cannot be read while users are disconnected.
- Engage the Global Positioning System capability built into many mobile devices to restrict usage to specific locations. The advantage here is that access can be monitored and controlled by geography, not just by user, content type and time of day. Yet it also undermines many of the primary advantages of going mobile in the first place.
Options abound on the systems side as well, where much of the attention historically has focused on making it easier for users to log on. For example:
- Using auto logon means users don’t have to remember their access credentials, because the device does it for them. The downside here, of course, is that anyone with access to the device can automatically gain entry to the system -- whether approved or not.
- Single sign-on involves the same sort of push-pull. On the plus side, it frees the user from having to remember and enter multiple logins for multiple systems. But one well-placed breach makes all accessible systems vulnerable to mischief at once.
- Then there’s device dependence, which restricts access to certain types of documents to only devices that are able to properly display them (e.g., no large spreadsheets on a smartphone). The benefit here is that it eliminates the possible use of unsuitable devices from the access pool, and perhaps nips unsatisfactory user experiences in the bud as well. The shortcoming, though, is that it also removes potentially valuable alternative means of access from users who might benefit from them, and there’s nothing quite like being left out in the cold to kill any hope of usability.
If at first you don’t succeed, welcome to the club
Figuring out which route to pursue is a challenge, but it might help to know that there are no wrong answers. To be sure, the lack of an industry rulebook is frustrating, but as long as you make choices that suit your users and work toward your business objectives, things should be all right.
Perhaps the most valuable piece of advice to keep in mind is to design your approach to be flexible and plan to revisit it on an ongoing basis. No one strikes the perfect balance the first time out, and in fact, it is unrealistic to expect this type of perfection. Events in both business and technology inevitably necessitate reviews from time to time. Your goal is to personalize the experience for every user, role, device, location and access behavior -- securing the content all the while. Get this even close to right and you will make your mobile users and your content stewards happy indeed.
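As an added illustration (not part of the original article), the sketch below combines the controls discussed above into one access decision that degrades to display-only instead of locking the user out. All names, coordinates and thresholds are constructed assumptions, and the choice of which conditions deny outright is one possible policy, not a recommendation from the author.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# All names, coordinates and thresholds below are constructed assumptions.
OFFICE = (42.3601, -71.0589)   # geofence centre (lat, lon)
GEOFENCE_KM = 5.0
MAX_PHONE_ROWS = 2000          # "no large spreadsheets on a smartphone"

@dataclass
class Request:
    role: str                  # "staff" or "contractor"
    device: str                # "phone" or "tablet"
    screen_lock: bool          # PIN or password set on the device
    on_vpn: bool
    location: tuple            # (lat, lon); client-reported, a signal, not proof
    doc_type: str = "document"
    doc_rows: int = 0
    sensitive: bool = False

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def decide(req):
    """Return (decision, reasons): 'deny', 'view_only' or 'download'."""
    # Hard stops: conditions where no degraded mode is acceptable.
    if not req.screen_lock:
        return "deny", ["device has no PIN or password lock"]
    if req.doc_type == "spreadsheet" and req.device == "phone" and req.doc_rows > MAX_PHONE_ROWS:
        return "deny", ["spreadsheet too large to display on a phone"]
    # Soft limits: fall back to display-only instead of locking the user out.
    reasons = []
    if not req.on_vpn:
        reasons.append("not on VPN")
    if req.sensitive and km_between(req.location, OFFICE) > GEOFENCE_KM:
        reasons.append("sensitive content outside geofence")
    if req.role == "contractor":
        reasons.append("role limited to display")
    return ("view_only" if reasons else "download"), reasons
```

Returning the reasons alongside the decision gives content stewards an audit trail to consult when the policy is revisited.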
ABOUT THE AUTHOR
Steve Weissman provides guidance and professional training on content, process and information management. Weissman is president of the AIIM New England Chapter and principal consultant at Holly Group. He can be reached at firstname.lastname@example.org.