It's your employees' technology ... but your problem.
No bank official understands that simple truth of today's workplace better than someone like James Gordon, the chief information officer at Needham Bank in Massachusetts, who is trying to cope with a huge influx of smartphones, tablets and other devices that employees are bringing from home and want to use on the job, too.
"Managing [information technology] for 200 employees used to mean supporting 200 computers, 50 printers and 20 servers," Gordon says. "Now, 200 employees means 50 printers and 20 servers but it also means 200 iPads, 200 iPhones and many other devices. It's taking on a world of its own. I often go to sleep at night thinking, how do we even support this?"
Other banks are facing similar challenges, according to a recent Ponemon Institute survey of bank IT and security practitioners. They expect the average number of smartphones used in their companies to grow to 14,000 from 7,430 in a year. And 69% believe smartphones and tablets will replace most desktops and laptops.
A partial answer is mobile device management software that helps track and enforce company policy on employees' devices, particularly for so-called BYOD environments. (Depending on whom you ask, BYOD stands for "bring your own device" or "bring your own disaster.")
MDM software has been available for a while, but it is being slowly adopted by banks.
Many of these banks once used only BlackBerry products, but the Ponemon study found that 23% of banks are migrating from BlackBerry to a multi-OS mobile environment and 18% plan to do so.
And a recent Forrester survey found that 20% of "mobile decision-makers" at U.S. companies with more than 1,000 employees are so eager to use their own devices that they would be willing to help pay for the opportunity; 11% said they would be willing to pay the entire cost if they could get the smartphone of their choice.
Another driver for MDM software in banking is the Federal Financial Institutions Examination Council's guidelines on cloud computing, which were issued in mid-2012 but are still being digested by many in the industry. The regulators say, among other things, that banks must know where their data is at all times.
At the $1.4 billion-asset Needham Bank, MDM software from MobileIron has helped with regulatory compliance and automatic provisioning. "It gives auditors an increased level of comfort that we know exactly what's going on with that fleet [of devices]," Gordon says. "We can also help users set up devices more rapidly than we would have otherwise."
A recent IT project proved the software's worth, Gordon says. The bank redeployed a wireless network, setting up sub-networks to handle data security and software distribution separately for executives, IT and general users.
"We didn't have to go visit 200 devices," Gordon says. "With a couple of clicks, we were able to deploy that wireless network out to all those devices." And only the network administrator knows the network passwords, an added plus.
Needham was an early adopter of iPhones in 2008 and eagerly accepted security controls as Apple rolled them out. "If you can turn a switch on and it adds security, regulators are going to write you up for not having it," Gordon observes.
But more was needed. "In banking, I knew full well that two or three basic controls would never satisfy regulators, examiners or auditors," he says.
Gordon suggests that any banks that haven't bought an MDM solution are past due. "The regulators have woken up -- they've caught on and they are auditing for that," he says. "The time to buy it to avoid regulatory criticism would have been in 2012."
What to Look For
Kenneth Johnston, who is chief information officer of the $639 million-asset Guaranty Bank in Springfield, Mo., cares first and foremost that an MDM solution supports multiple platforms. Some programs provide strong support for Apple devices and limited or no support for Android and Windows-based devices, he says.
"It is not about putting all of your eggs in one basket, [but] it is all about not having to carry six baskets while trying to gather your eggs," Gordon says.
To suitably manage the growing BYOD environment, a solution should support iOS, Android and Windows operating systems, he says.
One thing Gordon looked for in MDM software was the ability to tell if a device has been "jailbroken," in other words, whether restrictions set by the manufacturer, operating system provider or telecom provider have been removed. "I wanted to know if somebody had altered the Apple iOS in some way and could then install third-party applications that might not have been vetted by Apple," he says.
He also felt a strong need to monitor the apps employees download to their devices, especially any he doesn't consider "bank appropriate," such as Dropbox, Box or other programs that could be used to leak corporate data. For instance, an employee could open a company's strategic plan in Dropbox and share it with others from there.
The bank has never lost sensitive data through a mobile device, Gordon says. But he's very aware of the FFIEC's guidelines on cloud computing, which emphasize banks' responsibility to protect their own and customers' data.
Five MDM Options
All MDM solutions support the basic controls provided by device manufacturers, according to Jim Haviland, chief strategy officer at Vox Mobile, a mobility consulting and services provider. "For giving users basic access to their work email and calendar without complicated security settings, any will do," he says.
"The guidance we give our clients is to think beyond email and calendar and make sure they have the flexibility to support broader-use cases with things like application management, content management and single sign-on," Haviland says.
There are more than a dozen MDM options in the market. Most provide centralized management of, and support for, mobile devices; software distribution to the devices; security and policy management; remote backup, data wiping and password resetting; as well as the ability to track device location.
American Banker contacted nine vendors; the following five responded to a request for information in time for our deadline.
- AirWatch was bought by VMware in February. It supports all mobile platforms (including Android, iOS for iPhone, iOS for iPad, Windows Phone, BlackBerry, Kindle Fire, Mac OSX, Windows OS, Windows Mobile and Symbian). In addition to support for the basic MDM features noted above, AirWatch offers tools for complying with Sarbanes-Oxley and Financial Industry Regulatory Authority rules. It monitors devices for unauthorized users, compromised devices, and blacklisted apps. When a threat is identified, AirWatch can block access to enterprise email, applications and resources, and lock and wipe a device automatically. Simplicity Bank, National Bank of Canada and Phelps County Bank use AirWatch.
- BlackBerry is pinning its hopes for the future on its device management software. Today, it offers limited device support: it works with newer versions of Android, iPhone and iPad devices as well as older BlackBerrys and BlackBerry 10s. It doesn't support Windows Phone but plans to support it in the forthcoming BlackBerry Enterprise Service 12.
Along with support for basic MDM features, BlackBerry offers BBM Protected, a secure enterprise messaging app, and BlackBerry Balance, software that lets mobile workers separate their personal and corporate data on their phone. At press time, the company had not shared a list of bank customers. NCG Banco, Bancolombia and Itau Banco use BlackBerry's mobile device management software.
- Citrix's XenMobile supports all mobile operating systems and basic MDM features. It also supports mobile application management, secure email, and secure browsing. It works with several other Citrix products to support data collaboration, access to Windows apps and single sign-on. It provides jailbreak checks before device enrollment. Ratnakar Bank and Starkey Mortgage use it.
- MobileIron supports most smartphones and tablets with the exception of the Kindle Fire. The only basic MDM feature it doesn't include is remote backup. A tool called Help@Work lets users remotely share iOS screens with help desk staff. Another called Insight lets IT staff view, monitor and manage mobile devices from their iPads and Android tablets. A third, AppConnect, puts apps in a secure container on the device, where they're encrypted and protected from unauthorized access. Citadele Bank, UniCredit and Thames River Capital, as well as Needham Bank, use MobileIron software.
- Tangoe's MDM, along with support for all major mobile devices and basic MDM features, includes a digital credential management system that provides authentication for users, machines and applications; end-to-end encryption for VPNs; automation for repetitive tasks like enrollment, activation, upgrade and replacement; and electronic signatures to reduce paper handling. Tangoe did not share bank client names but says its clients include five out of the top ten financial institutions.
Overcoming Employee Objections
Employees do not uniformly embrace MDM software because they fear employers will monitor their activity on their personal devices.
"That's where we have to have a conversation with them and let them understand that we don't monitor anything [on the mobile device] that we don't monitor anyway, which is emails, contacts and calendar," Gordon says.
Needham Bank handles this issue as a series of tradeoffs. If the employee installs a banned app on their phone, the bank's email app is automatically removed from the device. If the user uninstalls the problematic app, the company email software will be reinstated. Similarly, if users alter their VPN certificates, the software will automatically revoke their VPN privileges.
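The remediation rules Gordon describes (a banned app removes the bank's email profile, uninstalling it reinstates the profile, an altered VPN certificate revokes VPN access), together with the jailbreak check he looked for earlier, as an added example of how an MDM compliance engine can evaluate a device check-in. This is illustrative code written for this article, not MobileIron's or any vendor's; the device records, app identifiers and certificate fingerprints are constructed, and treating a jailbroken device like one with a banned app is an assumption.

```python
"""Compliance rules modelled on the policy described in the article.

Added illustration, not MobileIron's or any vendor's code. Device records,
app identifiers and certificate fingerprints below are constructed.
"""
from dataclasses import dataclass

# Apps the bank considers not "bank appropriate" (Dropbox and Box are named
# in the article; the package identifiers are constructed for this example).
BANNED_APPS = frozenset({"com.dropbox.android", "com.box.android"})


@dataclass
class DeviceReport:
    """What the MDM agent reports about a device at check-in."""
    device_id: str
    installed_apps: frozenset
    jailbroken: bool
    vpn_cert_fingerprint: str


@dataclass
class Enrollment:
    """What the MDM server recorded when the device was enrolled."""
    enrolled_vpn_cert: str
    email_profile_installed: bool = True
    vpn_allowed: bool = True


def evaluate(report: DeviceReport, enrollment: Enrollment) -> list:
    """Compare a check-in against the enrollment record and return the
    remediation actions to push. The enrollment record is updated so that
    a repeated check-in with the same posture produces no further actions."""
    actions = []
    banned = sorted(report.installed_apps & BANNED_APPS)
    # Assumption: a jailbroken device is treated like one with a banned app.
    noncompliant = bool(banned) or report.jailbroken
    if noncompliant and enrollment.email_profile_installed:
        enrollment.email_profile_installed = False
        actions.append("remove_email_profile")
    elif not noncompliant and not enrollment.email_profile_installed:
        enrollment.email_profile_installed = True
        actions.append("reinstate_email_profile")
    # An altered VPN certificate revokes VPN access; the article does not say
    # access is restored automatically, so revocation is one-way here.
    if enrollment.vpn_allowed and report.vpn_cert_fingerprint != enrollment.enrolled_vpn_cert:
        enrollment.vpn_allowed = False
        actions.append("revoke_vpn")
    return actions
```

Each check-in is evaluated against the stored enrollment state, so the engine emits an action only when the device's posture changes, which keeps the audit trail the regulators ask for free of repeated entries.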
The bank also provides a $90 stipend for the employee's use of a personal device for work, making the restrictions more palatable.
Even with mobile device management, challenges remain for IT staff overseeing mobile devices, Gordon says.
Users come in with a new device and they expect the IT department to be experts at Google Android 4.3 or 4.4 or 4.5, he says.
"They come to us and say, 'How come I have six calendars on my iPhone? How do I send photos? How do I use Siri?' Then when the device doesn't work as advertised, users don't go to the Apple Store or Verizon store, they go to their IT department."
If only there were an app for those situations.