This article can also be found in the Premium Editorial Download "Information Security magazine: Security researchers on biometrics, insider threats, encryption and virtualization."
"For employees, when you come on board and you need a mobile device, you're going to get a BlackBerry. If you're a senior executive, you can somewhat specify what you want--most have stuck with our standard, but some have moved to Windows Mobile or iPhone. We have four BES servers to handle that traffic, plus two ActiveSync servers," says Koval.
For company-managed BlackBerries, Koval can offer a full suite of management and security services such as over-the-air provisioning, authentication, data encryption, monitoring and decommissioning. "We go through a process of procuring the device and pushing the core OS and standard applications that we want our management team to have. At certain times we have to pull data from them--for example, to comply with a subpoena. If someone loses a device or doesn't turn a device in, we can just brick [remotely disable] it."
But these operations are not yet feasible for iPhones. "I don't think of the iPhone as an enterprise device--it's a consumer device with a hook into Exchange and Web management," says Koval. "To enter my world as a [trusted] device, Apple would need to build a console to add/subtract and configure those devices from a central location."
However, this does not stop Long and Foster from supporting the iPhone in a limited fashion in order to provide its sales associates with a high level of service. "If they want a Palm or Windows Mobile or iPhone, I need to support them. Google Android will be coming into our organization the second the first agent buys one," says Koval.
Providing support to various devices is expensive and requires a full-time staff, Koval says, in addition to software and hardware and close relationships with all the wireless vendors. "We do it because we want to be a good provider to our sales force and give them another reason to work with us," he says.
So how does Long and Foster deal with devices it neither owns nor manages? "On agent [owned] devices, we don't get into putting programs on them or taking things off them. We apply a few Web filters, but other than that, we let users go where they want," says Koval. Instead of attempting to secure sales associate devices, the firm focuses on securing the systems they access. For example, most sales associates use thin clients to drill into multiple listing databases protected by SecureMLS token authentication.
At the end of the day, there's one security capability Koval would like to require from every device: the ability to kill it. "Even though they are owned by agents, I need this control, because they're part of our enterprise environment," he says. "We generally don't exercise this control unless an agent loses a device."
This was first published in November 2008