Mobile devices have become heavily integrated into enterprise networks, and the trend shows no signs of slowing down. As mobile devices continue to become more powerful and push the boundaries of what a computer really is, organizations need to better secure these systems through mobile device management products.
By applying custom policies to smartphones and tablets through mobile device management (MDM), an administrator can, for example, regulate these devices to be used only in ways that an organization deems appropriate under its security policy. This can limit the risk of lost data, stop unapproved software installs and prevent unauthorized access to the mobile devices accessing corporate data and networks.
Mobile security, meanwhile, isn't just for large enterprises. It should be seriously considered throughout all verticals -- no matter the size of the company.
The mobile security characteristics of MDM
When evaluating mobile device management products and vendors, these are the features (at a minimum) to look for to form a baseline mobile security policy:
- PIN enforcement. Also referred to as a device password; admins can require a PIN that locks individual devices.
- Full disk encryption -- or containerized encryption -- of data or disks. An MDM product should be able to enforce encryption on any device it manages.
- Remote wipe. The ability to erase a device in case of loss or theft.
- Secures data at rest and in transit. The ability to stop certain data from being copied or sent while on the device.
- Jailbroken or rooted device detection. Jailbreaking poses a significant risk because it allows users to install unapproved software and make changes to the mobile device's operating system (OS).
There are additional MDM features (e.g., GPS tracking, VPN integration, certificate management, Wi-Fi policies, among others) that are useful, but not for all companies. At the very least, the five bullets above should be verified when looking at MDM products. Also verify that the selected mobile device management products support all the smartphone and tablet platforms (iOS, Android, Windows Phone and others) that the organization intends to manage and secure.
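The five baseline features above are the checks an administrator ends up running against the device inventory an MDM product reports. The following added example (not any vendor's MDM API or policy schema) evaluates constructed inventory records against that baseline and maps each result to the action the article's use cases suggest: wipe a lost device, keep a jailbroken device away from corporate data, and hold other noncompliant devices until they are fixed. The record field names and the minimum PIN length are assumptions.

```python
"""Check a device inventory against the five-point MDM baseline above.

Added example: this is not any vendor's MDM API or policy schema. The device
records are constructed to look like a typical inventory export; the field names
(pin_length, encrypted, remote_wipe_enabled, dlp_enforced, jailbroken, status)
and the minimum PIN length are assumptions.
"""
from dataclasses import dataclass


# Baseline policy mirroring the five features the article lists as the minimum.
BASELINE = {
    "min_pin_length": 6,            # assumption; the article only requires a PIN
    "require_encryption": True,
    "require_remote_wipe": True,
    "require_dlp": True,            # data at rest / in transit controls
    "block_jailbroken": True,
}


@dataclass(frozen=True)
class Finding:
    device_id: str
    control: str
    detail: str


def evaluate_device(device: dict, policy: dict = BASELINE) -> list[Finding]:
    """Return one Finding per baseline control the device fails."""
    findings = []
    dev_id = device["id"]
    pin_len = device.get("pin_length", 0)
    if pin_len < policy["min_pin_length"]:
        findings.append(Finding(dev_id, "pin_enforcement",
                                f"PIN length {pin_len} < required {policy['min_pin_length']}"))
    if policy["require_encryption"] and not device.get("encrypted", False):
        findings.append(Finding(dev_id, "encryption", "storage not encrypted"))
    if policy["require_remote_wipe"] and not device.get("remote_wipe_enabled", False):
        findings.append(Finding(dev_id, "remote_wipe", "remote wipe not enabled"))
    if policy["require_dlp"] and not device.get("dlp_enforced", False):
        findings.append(Finding(dev_id, "data_protection", "copy/share restrictions not enforced"))
    if policy["block_jailbroken"] and device.get("jailbroken", False):
        findings.append(Finding(dev_id, "jailbreak_detection", "device is jailbroken or rooted"))
    return findings


def recommended_action(device: dict, findings: list[Finding]) -> str:
    """Map findings to the response an admin would take; order reflects severity."""
    if device.get("status") == "lost":
        return "remote_wipe"                      # the article's use case for wipe
    controls = {f.control for f in findings}
    if "jailbreak_detection" in controls:
        return "block_corporate_access"
    if controls:
        return "quarantine_until_compliant"
    return "none"


def compliance_report(devices: list[dict], policy: dict = BASELINE) -> dict:
    """Return {device_id: {"findings": [...], "action": str}} for the whole inventory."""
    report = {}
    for dev in devices:
        findings = evaluate_device(dev, policy)
        report[dev["id"]] = {"findings": findings, "action": recommended_action(dev, findings)}
    return report


def noncompliant_ids(devices: list[dict], policy: dict = BASELINE) -> list[str]:
    return sorted(dev_id for dev_id, entry in compliance_report(devices, policy).items()
                  if entry["findings"])


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "dev-001", "pin_length": 6, "encrypted": True, "remote_wipe_enabled": True,
     "dlp_enforced": True, "jailbroken": False, "status": "active"},
    {"id": "dev-002", "pin_length": 4, "encrypted": True, "remote_wipe_enabled": True,
     "dlp_enforced": True, "jailbroken": True, "status": "active"},
    {"id": "dev-003", "pin_length": 6, "encrypted": False, "remote_wipe_enabled": True,
     "dlp_enforced": False, "jailbroken": False, "status": "active"},
    {"id": "dev-004", "pin_length": 6, "encrypted": True, "remote_wipe_enabled": True,
     "dlp_enforced": True, "jailbroken": False, "status": "lost"},
]

if __name__ == "__main__":
    for dev_id, entry in compliance_report(SAMPLE_INVENTORY).items():
        print(dev_id, entry["action"], [f.control for f in entry["findings"]])
```

The policy is a plain dictionary so the same evaluator can be run with a stricter profile for devices that reach sensitive data, which is how the "not for all companies" extras mentioned above would be layered on.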
While MDM does quite a bit when it comes to securing devices, there are a few things it doesn't do. For starters, many think Web filtering is a default feature, when in fact, most -- if not all -- MDM vendors rely on separate systems to perform that function. Another function people assume mobile management products perform is data backups. Mobile security vendors are not backing up mobile devices' data. If data is lost, it's gone unless a separate backup system has been put into place. This is usually done via third-party apps and configuration settings, but not natively through mobile device management products. So there may be additional mobile security software protection needed beyond MDM.
Licensing options for mobile device management products
Currently, there are two main licensing methods for purchasing MDM products and mobile security software: one license per device or multiple devices per license.
The first, the standard one-license-per-device scenario, works well for smaller companies without many users, or with businesses that are able to tie one mobile device system to each user. If an organization is only applying MDM towards smartphones, and there is no chance end users will use another mobile device on the network, this method is a wise choice.
However, due to the need for flexibility and increased use of mobile devices -- especially due to bring your own device (BYOD) initiatives -- it may become necessary to have multiple mobile devices (typically three) protected under a single user license. This comes in handy when users tend to have multiple devices (a smartphone, a tablet and the like) but the business doesn't want to go through the hassle and expense of paying for a separate license for each device.
While generally more expensive than single-device licensing upfront, user-based licensing can save a substantial amount of money over time as employees adopt more mobile devices.
Mobile management deployment options
The most common way to deploy MDM products is via a virtual image, but almost all vendors will offer a hardware-based product if needed, and many are increasingly providing these services over the cloud.
The virtual images are normally delivered in either OVA (Open Virtual Appliance) or OVF (Open Virtualization Format) file formats, and are fully contained OSes that allow organizations to import the software into existing virtual environments (Hyper-V, VMware, and others). The virtual images allow for quick installation of the MDM vendor's software, with resource management owned by the customer.
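Because the appliance image is a complete OS that the organization will run inside its own virtual environment, its integrity on arrival deserves a check before import. The following added example (not code from any MDM or virtualization vendor) verifies the per-file digest manifest that OVF packaging places inside an OVA: a tar archive holding the .ovf descriptor, an .mf file with one "ALGO(filename)= hexdigest" line per member, and the disk images. The archive is constructed in memory so the check runs offline, and the file names and contents are made up.

```python
"""Verify the per-file digest manifest inside an OVA before importing it.

Added example; this is not code from any MDM vendor or virtualization product.
An OVA is a tar archive holding an .ovf descriptor, an .mf manifest with one
'ALGO(filename)= hexdigest' line per file, and the disk images. The archive here
is constructed in memory so the check runs offline; file names and contents are
made up.
"""
import hashlib
import io
import re
import tarfile

# One manifest line, e.g. "SHA256(appliance.ovf)= 3a7b..."
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$")
DIGEST_ALGOS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_manifest(text: str) -> dict:
    """Return {filename: (hashlib_name, expected_hex)}; reject anything unparseable."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = MANIFEST_LINE.match(line)
        if not match:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        algo, name, digest = match.groups()
        entries[name] = (DIGEST_ALGOS[algo], digest.lower())
    return entries


def verify_ova(ova_bytes: bytes) -> tuple:
    """Return (ok, problems). ok is True only when every archive member other than
    the manifest is listed with a matching digest and nothing listed is missing."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    manifest_names = [n for n in members if n.endswith(".mf")]
    if len(manifest_names) != 1:
        return False, ["expected exactly one .mf manifest in the archive"]
    manifest_name = manifest_names[0]
    try:
        expected = parse_manifest(members[manifest_name].decode("utf-8"))
    except (ValueError, UnicodeDecodeError) as exc:
        return False, [f"{manifest_name}: {exc}"]
    problems = []
    for name, data in members.items():
        if name == manifest_name:
            continue
        if name not in expected:
            problems.append(f"{name}: present in archive but not in manifest")
            continue
        algo, digest = expected[name]
        if hashlib.new(algo, data).hexdigest() != digest:
            problems.append(f"{name}: {algo} mismatch")
    for name in expected:
        if name not in members:
            problems.append(f"{name}: listed in manifest but missing from archive")
    return not problems, problems


def build_ova(files: dict, tamper: dict = None) -> bytes:
    """Construct a sample OVA: compute the manifest over `files`, then optionally
    overwrite or add members via `tamper` to simulate a modified download."""
    manifest = "".join(f"SHA256({name})= {hashlib.sha256(data).hexdigest()}\n"
                       for name, data in files.items())
    payload = dict(files)
    payload.update(tamper or {})
    names = list(payload)

    def add(tar, name, data):
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        add(tar, names[0], payload[names[0]])       # descriptor first, as OVF packaging expects
        add(tar, "appliance.mf", manifest.encode())
        for name in names[1:]:
            add(tar, name, payload[name])
    return buf.getvalue()


# Constructed sample package: a fake descriptor and a fake disk image.
SAMPLE_FILES = {
    "appliance.ovf": b"<Envelope>constructed OVF descriptor</Envelope>\n",
    "appliance-disk1.vmdk": b"\x00" * 64 + b"constructed disk image payload",
}
GOOD_OVA = build_ova(SAMPLE_FILES)
TAMPERED_OVA = build_ova(SAMPLE_FILES, tamper={"appliance-disk1.vmdk": b"modified disk image"})

if __name__ == "__main__":
    print("good:", verify_ova(GOOD_OVA))
    print("tampered:", verify_ova(TAMPERED_OVA))
```

The manifest travels inside the same download it describes, so this check catches corruption or modification after packaging but cannot by itself prove who packaged it; OVF also defines an optional .cert file carrying a signature over the manifest, and the vendor's published checksums or signature are what tie the package to its source.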
There are, of course, MDM customers that either don't have a virtual environment installed or want to have the mobile management system running on isolated hardware for performance or security reasons. In those instances, MDM vendors ship a dedicated MDM system to the customer with detailed instructions on how to configure the hardware.
Running an MDM system on-premises can be cumbersome for customers, however. So a number of the larger MDM vendors have started offering their products remotely as software as a service (SaaS) in the cloud. This deployment option is growing in popularity, especially among MDM customers with limited resources.
Rolling out MDM products
Once MDM products are installed on the network -- either by virtual image, hardware or cloud -- administrators need to come up with an implementation plan across all device types. A slow rollout (or enrollment) across the enterprise is a smart choice, since there's going to be a learning curve for end users and administrators supporting the product.
All MDM products have apps that are either in Google Play or the Apple App Store for users to download. Once an administrator enrolls them, users are sent an email or text with installation instructions. When they download the app and it authenticates -- typically via LDAP or a one-time passphrase -- the organization's MDM policy with the preconfigured options is installed on the mobile device.
At this point, the mobile device is under control of MDM and is able to be appropriately managed by the IT staff.
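The one-time passphrase mentioned in the enrollment flow is the credential that decides which device ends up under management, so the server side of that step deserves care. The following added example (not any MDM vendor's code) models issuing and redeeming such a passphrase: generated with a CSPRNG, stored only as a salted hash, bound to the user it was issued for, expiring after a fixed window, limited in guesses, and consumed on first successful use. The in-memory store, the field names, the 15-minute lifetime and the attempt limit are assumptions.

```python
"""Issue and redeem single-use enrollment passphrases for MDM device onboarding.

Added example, not any MDM vendor's code. It models the server side of the
one-time passphrase step in enrollment: the passphrase is generated with a
CSPRNG, stored only as a salted hash, bound to a user, expires, is limited in
guesses and is consumed on first successful use. The in-memory store, field
names, lifetime and attempt limit are assumptions.
"""
import hashlib
import hmac
import secrets
import time

PASSPHRASE_TTL = 15 * 60     # seconds a passphrase stays valid (assumption)
MAX_ATTEMPTS = 5             # wrong guesses before the token is dead (assumption)
PBKDF2_ROUNDS = 100_000


class EnrollmentTokens:
    """Server-side registry of outstanding enrollment passphrases."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._store = {}             # token_id -> record

    @staticmethod
    def _hash(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)

    def issue(self, user: str) -> tuple:
        """Create a passphrase for `user`; return (token_id, passphrase) to send out-of-band.
        The plaintext is never stored."""
        passphrase = secrets.token_urlsafe(12)      # ~96 bits of entropy
        token_id = secrets.token_hex(8)
        salt = secrets.token_bytes(16)
        self._store[token_id] = {
            "user": user,
            "salt": salt,
            "hash": self._hash(passphrase, salt),
            "expires": self._clock() + PASSPHRASE_TTL,
            "attempts": 0,
            "used": False,
        }
        return token_id, passphrase

    def redeem(self, token_id: str, passphrase: str, user: str) -> tuple:
        """Validate a passphrase presented by the enrolling app; return (ok, reason)."""
        rec = self._store.get(token_id)
        if rec is None:
            return False, "unknown token"
        if rec["used"]:
            return False, "already used"
        if self._clock() > rec["expires"]:
            return False, "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            return False, "too many attempts"
        rec["attempts"] += 1
        candidate = self._hash(passphrase, rec["salt"])
        # Constant-time compare on the hash; user binding checked in the same branch
        # so a mismatch on either yields the same answer.
        if not hmac.compare_digest(candidate, rec["hash"]) or rec["user"] != user:
            return False, "invalid"
        rec["used"] = True                           # single use: later redeems fail
        return True, "enrolled"

    def purge_expired(self) -> int:
        """Drop expired or consumed records; return how many were removed."""
        now = self._clock()
        dead = [t for t, r in self._store.items() if r["used"] or now > r["expires"]]
        for t in dead:
            del self._store[t]
        return len(dead)


if __name__ == "__main__":
    registry = EnrollmentTokens()
    token_id, passphrase = registry.issue("alice")
    print("issued", token_id, "(passphrase sent to user out of band)")
    print(registry.redeem(token_id, passphrase, "alice"))   # (True, 'enrolled')
    print(registry.redeem(token_id, passphrase, "alice"))   # (False, 'already used')
```

Binding the passphrase to the user the administrator enrolled, rather than accepting it from anyone who has it, is what keeps a forwarded enrollment message from putting an unintended device under the corporate policy.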
Who manages mobile security?
Depending on company size, a number of different teams may assist with the management of mobile security. Many large enterprises have resources dedicated to mobile security, while an SMB might have it added to an IT administrator's growing responsibilities.
How many admins are involved, and what each covers, really depends on whether a dedicated resource is needed to manage mobile security as a whole. It's very common in the midmarket, for example, to see different groups managing particular sections of an MDM system. The information security team could be responsible for creating mobile security policy, with tech support assisting with issues or operational incidents after the mobile device is deployed, and a telecom group assisting with onboarding and removing the mobile security policies that have been created.
The cost of MDM deployment
Like all IT security products, there are going to be hard and soft costs to consider when deploying mobile security via MDM.
The hard costs of implementing mobile security for the first time would include the costs of the product itself, potential new hardware to run it, initial support expenditures, testing and (potentially) professional management services.
The soft costs of running MDM include the additional hours of support required for troubleshooting, installing and maintaining the system. In addition, depending on the install base, there may need to be additional training, or even additional employees, added to support the product.