Avert Security Risks of Messaging Apps in the Enterprise
February 25, 2015
Featured article by Pankaj (PJ) Gupta, Amtel, Inc.
BYOD users like the ease of consumer apps for messaging and calling, in both personal and corporate use. Does this undermine the security of enterprise messaging and business calling? What should the enterprise do to make sure that corporate data in messages and call logs is protected in this situation?
The problem with consumer messaging apps, in business use, is that they don’t provide the security, privacy, archival, and eDiscovery capabilities needed in an enterprise environment. With instant messaging usage on the rise in companies, it becomes critical to find ways to protect corporate content and data that are being shared with messaging. CIOs and CSOs must take a hard look at the apps that employees use for business communications.
Security
Does the messaging solution protect corporate information by encrypting data at rest and in transit, with strong keys? It is important to note that consumer messaging apps typically don’t use strong encryption like AES-256, or secure transport for protecting data communications. This leaves a vulnerability that can lead to a man-in-the-middle (MITM) attack, in which an intruder intercepts the connection and captures data and, in many cases, passwords in clear text. That is an unacceptable situation for securing enterprise data.
Privacy
A key issue for employee privacy is that calling or messaging a customer from a personal phone exposes the private phone number to strangers. Unlike consumer messaging apps, an enterprise messaging app for mobile devices can protect BYOD privacy. For example, the solution can provide a separate, company-issued phone number on a personal device, masking the employee’s personal number. Employees can then feel more secure in using their phones to call or send text messages to customers and suppliers.
Consumer apps try to access the user’s phone or email address book to build the network by adding users and linking them. This is neither good for protecting the employee’s privacy, nor for preserving the integrity of corporate contacts – benefits provided by an enterprise messaging app.
Archival
Organizations need to meet archival and eDiscovery requirements for compliance with regulations such as HIPAA, FINRA and SOX. When using consumer apps for business messaging, the employee’s personal information is intermingled with business, making it virtually impossible for a company to isolate and archive business messages and content.
With an enterprise messaging solution that uses a separate workspace on the mobile device, in which business contacts, call logs, voice mail recordings, text messages, and attachments are stored, business information is isolated from personal information. This workspace can be archived for compliance and audit purposes, and removed from the BYOD device if the device is lost or stolen. There is no need to touch any of the employee’s personal information on the device.
Management
With consumer messaging on a BYOD device, corporate contacts, call logs, and messages are intermingled with personal ones. It is challenging for IT to manage and control corporate content dispersed on a user device. What happens when an employee leaves the company, or when a device is lost or stolen?
Security controls are needed for corporate information protection on BYOD. An enterprise messaging app should provide corporate IT with the tools needed for provisioning, controlled sharing, and easy administration. Security policies may need to be set up for groups within the company for restricted collaboration and sharing of sensitive information, and for monitoring and tracking of messaging activity for audit controls. Such management features can be found in an enterprise messaging solution, but not in a consumer messaging app.
Another enterprise messaging feature is automatic archival of message logs and attachments, and secure access to archived information for eDiscovery purposes. For business continuity, it should provide an easy way to load the business contact list, message logs and content from the archive. This can also come in handy for replacing a lost mobile device for an employee, or for providing an employee with the business context for a new role that another person vacated.
Enterprises can solve BYOD communications and management challenges with Amtel Plum, an enterprise app for secure messaging and calling, with workspace separation.