Mobile endpoint security: What enterprise infosec pros must know now
The consumerization of IT, and the enormous popularity of touchscreen devices such as Apple iPads and Google Android tablets, is uprooting traditional approaches to mobile device management (MDM) and data security. Mobile innovations and demand for IT support of the latest devices from the rank-and-file—and C-level executives—can result in cost benefits, despite the security implications of mobile applications and devices that may not be visible to IT.
Currently, 63% of companies support bring your own device (BYOD) environments in some shape or form. However, workers’ preferences for Apple’s iOS and Google’s Android mobile operating systems are driving out enterprise-friendly platforms such as BlackBerry’s longtime OS (now called BlackBerry 10) and Microsoft’s Windows Mobile OS. As MDM solutions continue to evolve, next generation technologies are geared to help CISOs move beyond consumer-oriented endpoints and their inherent security tradeoffs.
Employees expect their devices to have anytime, anywhere access to corporate resources. While allowing this type of access may align with business goals and help workers’ productivity, it creates security concerns. Extending the virtual walls of the organization while maintaining security and compliance is a difficult proposition for security professionals.
The growth of MDM, the suite of tools used to secure and leverage the functionality of today’s mobile endpoints within the enterprise, is significant within companies. Its adoption is being driven primarily by companies’ need to properly manage an increasingly diverse population of devices. According to Nemertes Research, more than half of all organizations—56%—use MDM today, and 84% expect to deploy MDM by the end of 2014.
Transferring device and office costs
As companies look to reduce the substantial cost of their office buildings, telecommuting shifts some of the cost to employees in much the same way as BYOD programs: employees get flexibility in return for taking on the cost of home offices. Fieldwork is also responsible for extending the walls of the enterprise, as employees outside the office require the same level of access to corporate resources to complete tasks as their non-field colleagues. In this way, telework and BYOD are alike—the tradeoff for transferring the device and office costs to the employee creates significant security implications and new cost considerations.
Another overlapping category is employees who use Wi-Fi or cellular as their only means of access throughout the workday. Organizations that have wireless-only workers expect more than 11% of employees to fall into this category by the end of 2013, as shown in Figure 1. More than one-third of these companies (38%) reported cost reduction as a driver behind their wireless-only workforce. This trend is forecast to grow over time as companies build out WLAN as their only mode of access, particularly as 802.11ac is ratified and matures, promising throughput on par with most wired Ethernet (1 Gbps).
The majority of companies, however, report that work function (87%) and user preference (63%) are driving wireless-only work. To accommodate anytime, anywhere access for these workers, CISOs should re-evaluate the infrastructure and policy requirements of providing in-office, home-office and field access to their employees.
Tablets as the primary work device
Adjacent to BYOD and telework is the increasing popularity of tablets, particularly as work devices. The functionality and popularity of these devices has increased over the last few years, such that tablets are likely to usurp the laptop as the primary work device across industries and roles over the next five years. For example, in organizations citing this trend, 9% of users are using a tablet as their primary work device. Additionally, 47% of organizations expect tablet replacement of laptops to go up this year, at an average rate of 5%. Security considerations for these devices vary widely based on operating system; Windows Surface Pro and equivalent offerings are essentially Windows PCs crammed into tablet form factors. As such, the infrastructure and security requirements don’t vary substantially from laptops. Conversely, the far more popular iPad and Android tablets are running on the same hardware and OSes as their smartphone brethren, requiring much more infrastructure for proper management.
The average company now has a device population that is 45% iOS, 30% BlackBerry, 24% Android and 1% Windows Mobile. Essentially, this means that less than a third of the devices—the sum of the average organization’s BlackBerry and Windows Mobile plant—can be fully managed by their IT departments without the acquisition of additional management tools. This is because the commonly deployed BlackBerry Enterprise Server (BES) and Exchange ActiveSync (EAS) can only fully manage BlackBerry and Windows Mobile devices, respectively.
The iOS and Android devices remain firmly consumer-focused. Of course, EAS continues to be used by IT departments to force limited security policies onto iOS and Android devices, such as requiring PINs, passwords and other authentication credentials for access onto Exchange. However, it remains unable to manage core device functionality including apps. As a result, the remaining 70% of devices in the average company require an additional MDM solution.
MDM technology choices
Security and management professionals have a variety of options to choose from with MDM, as device management solutions have evolved at a pace to rival consumer smartphones and tablets, as shown in Figure 2. This rapid evolution has resulted in a broad selection of MDM solutions that integrate different mixes of technologies:
- Secure containers
- Virtual Desktop Infrastructure (VDI)
- Virtual Phone (on-phone hypervisor)
- Native OS management
- Network-based controls
As Table 1 shows, different technologies are better suited to address specific security requirements and business goals.
MDM: From then to now
Early MDM solutions were designed to rein in the functionality of iPhones and Android devices, using secure container technology. These technologies provided a secure, managed workspace for employees to log into in order to access company data and core business tools such as email, calendars and contacts. Unfortunately, for many employees, these solutions proved to be too security focused; the secure container technologies got in the way, made apps inconvenient to use, and interfered with the integrated user experience (UX) that made these devices so appealing. Most solutions, at the time, did not support single sign-on (SSO), which forced workers to re-enter their authentication credentials every time their device woke from sleep mode in order to get back to work. Today’s secure container solutions have evolved to better meet both usability and security requirements, in addition to offering functionality that reflects the growing importance of apps in the workplace.
Of course, BYOD devices that aren’t provisioned specifically for work—that don’t have a container solution or a client installed—are unknown to IT. Accordingly, many software MDM vendors are partnering with WLAN vendors to integrate Network Access Controls (NAC) functionality into their offerings.
As mobile OSes have matured, security professionals have become more comfortable with the level of security that can be leveraged by configuring the native management functionality on mobile devices. Most of today’s top MDM solutions use native device management, augmented by secure containers for on-device documents, encrypted contacts and enterprise apps data.
Whether it’s built around native-feature management, a non-container or container client—or some mix—MDM can be deployed either on-premises in the data center, or via a cloud-managed solution. Currently, 31% of companies use a cloud-based MDM solution and 6% have adopted a hybrid of in-house and cloud.
Shifting the focus from data to apps
As mobile devices go from being the black sheep that security experts are forced to deal with to being seen as viable work platforms worthy of app development and deployment, companies are exploring app development, enterprise app stores and more. More companies—albeit by a slight margin—are using their MDM and Mobile Application Management (MAM) solutions to secure app data (63%) rather than sensitive corporate data (61%), as shown in Figure 3.
As enterprises grapple with how to provide applications to mobile users, today’s options range from remote access to native- and Web-based cross-platform development. Remote access includes both off-the-shelf clients to SaaS systems and remote access to in-house applications, via terminal services or VDI.
VDI is the most popular delivery method, with 54% of companies using it today. The value proposition for mobile use of VDI—that it extends the large existing library of PC apps to mobile devices—is a strong one, particularly in companies that have already invested in the underlying VDI infrastructure. However, tablets and smartphones are touch-oriented while PCs are controlled by a mouse and keyboard combination, which results in a less-than-ideal end user experience. (And, of course, tablet and smartphone screens are much smaller!) Consequently, only 14% of organizations have plans to implement VDI on mobile devices.
Companies are starting to look for ways of delivering mobile-optimized apps. Thirty-two percent of organizations are developing native apps for mobile devices, and 22% are evaluating or planning to build software. Though native apps are far more expensive, they offer end-users the best possible experience. However, native app development either assumes a standardized platform (iOS or Android) or forces IT to develop for both operating systems to avoid leaving a significant population of users out in the cold. To address today’s broader enterprise device population, Web/HTML5 apps are becoming increasingly popular: though only around 8% of companies are using them today, 44% are either planning or evaluating deployment.
Already in use in 29% of organizations, MAM enables IT to use a central policy engine, such as Active Directory, to control group, role or even person-specific app distribution, maintenance and security. As the role of mobile devices and their associated apps continues to grow within the enterprise, another 34% of companies are either evaluating or have plans to deploy MAM through 2013.
As MDM solutions continue to evolve to support the changing functionality and growing role of mobile devices within the enterprise, the risk of these endpoints as an attack vector mounts. As BYOD grows, companies have an increasingly incomplete picture of their device population, and what these devices are doing.
Enter network-based MDM (NMDM), which largely ignores the endpoints. Instead, it uses network standards such as QoS, 802.1X and flow control in combination with vendor-specific functionality such as device fingerprinting and security stance monitoring. NMDM allows an otherwise invisible device population to be controlled from a data and app perspective as soon as the devices access the WLAN.
In most implementations, this functionality can be extended to devices that are outside the companies’ physical network presence by applying the same rules throughout the WAN. While only 12% of organizations are using this nascent technology, adoption will grow as its functionality is better understood within the enterprise, and it’s bundled with a growing number of popular software-based MDM providers.
Mobility continues to grow within the enterprise as device capabilities meet and eclipse the functionality found in traditional PCs and laptops. Worker behavior and usage patterns—exemplified by BYOD and telecommuting—are requiring security-minded IT professionals to rethink mobility strategies. Evaluate existing and near-future expectations for your mobile device population, as well as the security posture of these devices. If you don’t have an MDM tracking this information, comparing your WLAN access list against your directory should provide a baseline for known vs. true device count.
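The known-vs-true baseline described above, as an added example that is not from the article: it reconciles WLAN association records against an MDM/directory inventory, normalizing the different MAC notations controllers emit. Both the association export format and the sample records and inventory are constructed for this example.

```python
# Added example (not from the article): baseline "known vs. true" device count by
# reconciling WLAN-seen MAC addresses against an MDM/directory device inventory.
import re

# Constructed sample WLAN association export; the line format is an assumption.
WLAN_ASSOC_LOG = """\
2013-05-06T08:02:11 assoc mac=3C:07:54:AA:BB:01 ssid=corp user=jdoe
2013-05-06T08:05:40 assoc mac=3c-07-54-aa-bb-01 ssid=corp user=jdoe
2013-05-06T08:09:02 assoc mac=A4:D1:8C:00:11:22 ssid=corp user=asmith
2013-05-06T08:11:55 assoc mac=0019.B9CC.DD33 ssid=guest user=
2013-05-06T08:14:07 assoc mac=F0:DB:E2:77:88:99 ssid=corp user=rlee
"""

# Constructed sample inventory: devices enrolled in MDM or joined to the directory.
INVENTORY = {
    "3c0754aabb01": "jdoe-ipad",
    "a4d18c001122": "asmith-laptop",
    "001122334455": "decommissioned-bb",  # enrolled but never seen on the WLAN
}

LINE_RE = re.compile(r"assoc mac=(?P<mac>[0-9A-Fa-f:.\-]{12,17}) ssid=(?P<ssid>\S+)")

def normalize_mac(raw):
    """Collapse colon, dash and Cisco dotted notations to 12 lowercase hex digits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits

def parse_assoc_log(text):
    """Return {normalized_mac: set(ssids)} for every association line in the export."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not association records
        seen.setdefault(normalize_mac(m.group("mac")), set()).add(m.group("ssid"))
    return seen

def reconcile(seen, inventory):
    """Split the WLAN-seen population into known (enrolled) and unknown devices,
    and flag inventory entries never observed on the WLAN (stale enrollment)."""
    seen_macs, enrolled = set(seen), set(inventory)
    return {"known": sorted(seen_macs & enrolled),
            "unknown": sorted(seen_macs - enrolled),
            "stale": sorted(enrolled - seen_macs),
            "true_count": len(seen_macs)}

if __name__ == "__main__":
    report = reconcile(parse_assoc_log(WLAN_ASSOC_LOG), INVENTORY)
    print(f"true count {report['true_count']}, known {len(report['known'])}, "
          f"unknown (likely unmanaged BYOD) {len(report['unknown'])}")
```

Devices in the unknown set that associated to the corporate SSID are the ones worth chasing first, since they reach corporate resources without any MDM enrollment.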
Do you have a large tablet population? If so how often are employees using these devices (i.e., complete laptop replacements, often instead of laptops, as complementary to laptops, occasionally)? Identify the use cases; for instance, are employees using tablets for content consumption only or creation, at least some of the time? Where workers are using tablets for content creation, tablets may require a solution more robust than VDI—be sure to survey your employees on the usability of VDI.
Assess your mobile app requirements. Are you deploying custom, in-house or externally developed apps? Make sure that your organization is using a MAM solution or enterprise app store to ensure that the correct parties get the right apps deployed or made available to them based on their role, group, job title and so on.
Review your mobile provisioning policies and find out to what extent BYOD is being used. Look to deploy NMDM where you have heavy BYOD use; for example, employees bringing in devices that require varying levels of access to email, calendaring and more sensitive corporate data.
Rather than push back against workers’ preferences, companies are finding greater success when they leverage mobile work and devices in the form of MDM, MAM, VDI, app development and mobile device-specific WLAN or network functionality.
About the author:
Philip Clarke is a research analyst at Nemertes Research, where he is a co-leader of the Wireless and Mobility research track, advises clients on wireless topics, writes key trends and thought leadership reports, conducts statistical analysis and develops research reports.