Users may be carrying a significant amount of their company’s intellectual property on their smartphones, tablets...
and other ultraportable devices -- and that data needs to be protected.
First, a little math. Consider an organization with 5,000 employees, 20% of whom are knowledge-based workers with a reason to have corporate data on their mobile devices. Then assume that each worker is carrying 20 GB of corporate data on their devices. With a simple calculation, we can determine that this hypothetical organization has 20 TB of potentially unprotected data stored on mobile devices.
No organization would stand for a 20 TB hole in its data protection strategy inside its data center, yet such holes are routinely ignored outside the data center. Ironically, the data floating around outside the data center is at even greater risk for loss. It’s easy to see how quickly small amounts of data across large numbers of devices can add up to a significant problem.
What’s a mobile device?
To start addressing the issue of data protection for mobile devices, let’s determine exactly what devices should be included under that term. Laptop PCs would represent the most significant repository of mobile data and, too often, they’re overlooked as containers of valuable corporate data. Rapidly gaining ground as data repositories are tablets and sophisticated smartphones, which we’ll refer to as “ultraportable devices.” These devices have internal flash storage typically ranging from 8 GB to 64 GB, and many have secure digital (SD) card expansion slots, providing significantly more storage capacity. And you can expect the capacities of these ultraportable devices will continue to expand dramatically.
Organizations must recognize the potential risk these devices represent. Most have well-defined policies that prohibit the use of corporate devices for personal tasks. But this line is routinely crossed, whether the nonconforming activity involves personal email, calls, text messages, or document creation or editing.
Ultraportable devices make enforcing the line between personal and business use even more difficult. Users are increasingly employing personal devices they’ve purchased themselves for business-related activities and personal tasks. Examples include iPhones, BlackBerrys and Android-based smartphones that people use to connect to their business email accounts. iPads and other tablets may also be used to view, send and receive business email using Web browsers, and may be used to edit and store documents. Sales reps may be able to download price lists, proposal materials and other sales documentation using any Web-enabled device. It’s becoming increasingly impossible and impractical to prohibit the mingling of personal and business use of ultraportable devices. In many cases, it’s a company’s executives driving the move to allow tablets to access corporate resources. And if it’s OK for the boss, others won’t be far behind.
It’s not unusual for a knowledge-based worker to have a laptop, tablet and a smartphone. Thus, in our earlier fictitious company example, 1,000 knowledge workers might be toting around as many as 3,000 devices, all with corporate data stored on them. To deploy a backup solution for this scenario you must address a high volume of devices with low volumes of data per device. Bandwidth is rarely a problem, but deployment, standardization, support and updates make it a challenge.
The deployment of ultraportable devices is growing exponentially, so the question is, how can IT managers get out in front and address the issue proactively? The good news is that it may be easier than you might think. The bad news is that it may be more complicated than some think it will be. Let’s dissect the issues and see why this is a good news/bad news issue.
Your policies may not be enough
Although organizations generally have clear policies regarding the separation of private and business use of devices, they rarely specify data protection requirements or procedures. Mobile device backup often falls between the cracks. Backup is the domain of the data storage organization, but PCs are the domain of the end-user computing group, and cell phones are typically within the domain of the telephony or telecomm group. Tablets haven’t found a place in most companies yet, so they may just be the domain of the user. So, the physical asset is managed by one group and the process by another; neither group assumes ownership. Hence, the first step in establishing a policy is determining who owns the whole operation. In practice, it will require the coordination of all groups.
This cross-functional complication is an excellent reason to consider outsourcing the whole thing to a cloud backup provider. Third-party providers will manage the whole process, including deployment, management and technical support. There may be cases, however, due to security, compliance (or corporate governance) or IT’s reluctance to use third-party services, that make outsourcing an unattractive alternative. In those situations, IT must instigate the data protection policy based on business requirements.
Backup policies are ordinarily driven by recovery time objectives (RTOs) and recovery point objectives (RPOs). Mobile backup is a bit different and needn’t be as complicated. RPO may not be easy to establish, as it may be driven by network connectivity, a daily backup schedule or product options. The variables of ultraportable device availability make backup timing less certain than an always-on storage array in the data center. Information changes on individual devices aren’t as volatile as data center devices. Therefore, recovery certainty is more important than backup timing. Moreover, a 24-hour RPO is probably a vast improvement over the intermittent or non-existent data protection users have today.
The essence of a mobile backup policy is pretty simple: who, what, when and how. The “who” can be the user (i.e., user-initiated backups) or system/software control (i.e., pre-scheduled and automatically launched). The “what” is the device, the “when” the backup event and the “how” the backup utility. That’s about as complicated as it needs to get for typical applications and users.
PCs: The center of the mobile universe
To get a handle on ultraportable devices, the first thing to do is to designate the PC as the center of the mobile universe. Some might argue that tablets are quickly supplanting PCs as a primary device. This may be true for certain tasks, such as Web surfing, video conferencing and even document lookup, but tablets still have a long way to go for effective document, spreadsheet or presentation creation. Tablets may be great display devices, but PCs remain the go-to platform for document creation. (This article is being written on a PC, while an adjacent iPad plays tunes.) Nobody does any serious document creation on a smartphone and the inherent form factor of those devices makes it forever unlikely. The larger size of tablets may allow them to evolve to supplant PC functionality, but for the foreseeable future consider PCs the hub of the mobile world.
From an ultraportable perspective, PCs play a key role as the central repository for syncing data with multiple devices. This will most often include calendars, contacts, email and the like. Yes, this data can and often is synced to external servers. However, BlackBerrys may be synced to a BlackBerry server, Exchange to an Exchange server and so on. By using the PC as a central syncing device, the user has one central location to recover data on a self-service basis. The added inherent remote sync gives the best of both worlds with user self-service and protection from data loss. Moreover, if one service experiences an outage, users have a “high-availability” solution from other devices. Not bad for what’s essentially a no-cost solution.
Placing the PC in this key role exposes the vulnerability of most PC backup strategies or, more accurately, the lack of a strategy. Even though they’re well understood, they’re not necessarily well protected. Organizations that don’t have an automated laptop backup solution must seriously consider one. Convenient in-house solutions are available from most name-brand backup vendors, including CommVault, EMC and Symantec, and specialized vendors such as Copiun and Druva. Remote laptop backup is also a perfect application for the cloud, as provided by well-known vendors such as Asigra, Barracuda Networks, Carbonite, Mozy (EMC) and Norton (Symantec). Cloud-based solutions provide consistent policies across the organization, while minimizing the impact on the IT organization.
By using the PC as the central syncing platform, it becomes the backup server for the ultraportable devices. In most cases, the sync process is automatic. In this architecture, backing up tablets and smartphones takes less effort to protect corporate soft assets than one might think.
Device-specific ultraportable backup
Even though a PC-centric approach will protect the majority of corporate data, the plethora of applications for smartphones and tablets ensures that at least some users will continually push the devices into uses that no one could reasonably anticipate. Consequently, IT organizations shouldn’t overlook the need to back up the devices in addition to syncing them.
Let’s start with the easy part of backing up smartphones and tablets. For those devices that use an SD card, or other such storage format, users can remove the card and copy it to a PC. Of course, this requires user discipline to do so on a periodic basis. Period reminders from the help desk may be enough to foster the desired behavior.
The first thing one will notice when considering ultraportable backup is the fragmented nature of the task. Pictures, videos and music may be backed up to iTunes, Google Picasa or a PC. Application backup may go to Titanium Backup (Android) or the Apple iStore. When looking into the specifics of these backup applications, one finds that they tend to be very use-case specific. Some may back up the Android home screen, for example, while others sync contact and calendar information, and still others back up files. Users who are serious about data protection may be forced to use a suite of applications.
This fragmentation obviously makes backup of ultraportable devices more complicated. Even so, it can be beneficial because IT organizations can tailor solution specifications for corporate data only. User data, such as pictures, music and videos, should rightly be the responsibility of the user. However, a corporate decision to deploy a particular encryption product may interfere with user data if it encrypts the entire device. This may lead users to disable the product, thus defeating the efforts of the IT department.
The next thing one will notice when searching for ultraportable backup is a shortage of name-brand solutions. Given the tens of millions of ultraportable devices sold, it would seem to have significant market potential. Symantec offers a beta version of Norton Connect for iPad/iPhone backup in the Apple App Store. The app itself is free, but it requires a Norton Online Backup subscription. Of the other 32 applications for “data backup” in the App Store, all are boutique-type solutions that don’t appear to be geared toward enterprise deployment.
As IT organizations decide how to cope with corporate data on ultraportable devices, there are many factors to weigh. The first is how to cope with very large device populations, unpredictable connectivity and highly individualized environments. Despite these difficulties, best-practice organizations will address the need to protect corporate assets. Cloud-based solutions offer the advantages of offloading the deployment, management and support to specialists. Cloud providers will also be prepared to address the needs of enterprises.
For organizations that prefer to architect and manage their own solution, they must first decide which part of the IT organization will own and manage the solution. In deciding what tools to use, they’ll find that ultramobile backup becomes a stack of its own. By focusing on what data is valuable to the organization, much of the peripheral personal data can be ignored. The task is to reduce the number of variables to those that count and thus make enterprise deployment a manageable process.
BIO: Phil Goodwin is a storage consultant and freelance writer.