Mobile endpoint security: What enterprise infosec pros must know now
More than six years have passed since the introduction of Apple's iPhone, yet organizations still struggle to effectively manage and secure these devices on the corporate network. Today, IT departments are faced with an enormous array of user-owned devices, causing organizations to long for the days when the iPhone was their only mobile device challenge.
IT teams must be able to successfully address the mobile device management challenge to adequately protect organizations while still allowing enough flexibility to reap the rewards of mobility. The landscape of mobile management products is dynamic and large. A common query is, "Which product is right for my organization, mobile application management (MAM) or mobile device management (MDM)?" The answer can be both and perhaps neither, depending on the use case.
MDM for policy enforcement
MDM products evolved as a means of centrally controlling mobile endpoints. For years, IT has had mature tools such as Group Policy Objects on Windows PCs to tightly enforce company policies and restrictions. In the early days of smartphones, BlackBerry was the dominant platform and provided similar capabilities with its BlackBerry Enterprise Server.
More recently, iOS and Android devices entered the marketplace. These consumer-centric devices lack some of the uniform, reliable capabilities organizations desire to help protect these new endpoints. MDM products can range from simple to complex. Microsoft Exchange ActiveSync can check the device for simple items like a PIN lock being set, or send a command for a remote wipe of the device if it's lost. AirWatch's MDM can control nearly every aspect of the managed device, from GPS location to the Wi-Fi networks it can connect with.
MDM is commonly deployed to enforce policies. An organization might use MDM to enforce device encryption, a strong PIN code, lock after X minutes of being idle and allow for remote wipe in the event of theft or loss. On BYOD this might be the limit of what can be done with MDM. BYOD users would likely resist the full gamut of MDM functionality, which could include GPS tracking, inventory of installed applications and other "none-of-your-business" items. Conversely, with company-owned devices, MDM's higher functions might make perfect sense to enable. Mobile platforms in education are another good example of where a heavier hand makes sense.
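The two policy tiers this paragraph describes, as an added Python example that is not the article's or any MDM vendor's code; the device check-in records, policy thresholds and action names are constructed for illustration:

```python
"""MDM-style policy evaluation over device check-ins (added example, not the article's code).
Constructed tiers: every device meets a baseline (encryption, strong PIN, idle lock);
extra telemetry is collected only from company-owned devices."""
from dataclasses import dataclass

BASELINE = {"min_pin_length": 6, "max_idle_minutes": 5, "require_encryption": True}
# Telemetry the article calls "none-of-your-business" for BYOD; queried only on corporate devices.
EXTRA_COLLECTION = {"corporate": ("app_inventory", "gps_location"), "byod": ()}


@dataclass
class DeviceCheckIn:
    device_id: str
    ownership: str           # "byod" or "corporate"
    pin_length: int          # 0 means no PIN is set
    encrypted: bool
    idle_lock_minutes: int   # 0 means the device never auto-locks
    reported_lost: bool = False


def violations(dev: DeviceCheckIn, policy=BASELINE) -> list[str]:
    """Return the baseline controls this check-in fails; empty means compliant."""
    found = []
    if dev.pin_length < policy["min_pin_length"]:
        found.append(f"pin_too_short:{dev.pin_length}")
    if policy["require_encryption"] and not dev.encrypted:
        found.append("storage_not_encrypted")
    if dev.idle_lock_minutes == 0 or dev.idle_lock_minutes > policy["max_idle_minutes"]:
        found.append(f"idle_lock_too_long:{dev.idle_lock_minutes}")
    return found


def planned_actions(dev: DeviceCheckIn) -> list[str]:
    """Decide the server's response: wipe if lost, quarantine (e.g. withhold email)
    until compliant, otherwise allow and issue only the tier-permitted queries."""
    if dev.reported_lost:
        return ["remote_wipe"]
    if violations(dev):
        return ["quarantine"]
    return ["allow"] + [f"query_{item}" for item in EXTRA_COLLECTION[dev.ownership]]


# Constructed sample check-ins: a weak BYOD device, a compliant corporate device, a lost one.
SAMPLE_FLEET = [
    DeviceCheckIn("byod-01", "byod", pin_length=4, encrypted=True, idle_lock_minutes=15),
    DeviceCheckIn("corp-07", "corporate", pin_length=6, encrypted=True, idle_lock_minutes=5),
    DeviceCheckIn("corp-09", "corporate", pin_length=8, encrypted=True, idle_lock_minutes=2, reported_lost=True),
]
```

Running `planned_actions` over `SAMPLE_FLEET` quarantines the weak BYOD device without ever querying its app inventory or location, while the compliant corporate device gets both queries.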
MAM for application policies
MAM products emerged to deal with MDM's shortcomings in addressing BYOD requirements and to offer a means of setting policy on a more granular level. MAM deemphasizes the device and instead sets policy at the application level, which can often align more effectively with BYOD use cases.
For example, a mobile user may need access to the corporate intranet or other internal website. MAM can provide a securely wrapped Web browser that doesn't require a cumbersome VPN client to be set up in advance. MAM can provide a handy internal app store of private and approved/licensed public applications.
A common BYO scenario is delivering an organization's email. MAM functionality can help. MAM can deliver a "containerized" email client that the organization can manage, regardless of where the client is running and whose device it is. MAM that focuses on email can be referred to as mobile email management (MEM). MEM products can deliver a vendor-supplied email client or provide a management framework around the native email clients built into iOS and Android. MEM, for example, can set policy on email forwarding and encrypting.
Beyond these scenarios, MAM product capabilities are limited. Employees may want to use other applications to be productive. A BYO Android tablet user might use Quickoffice to edit internal Word documents, Evernote to type up notes for a new product launch or Salesforce to obtain customer information for a sales call.
MAM products require applications to be packaged or "wrapped" to manage them. Wrapping an application typically involves taking the unsigned original application package and compiling it with management code from the MAM vendor. Gaining access to unsigned applications is difficult because it requires cooperation with the app vendor. MAM vendors such as Citrix have acknowledged this challenge and are now partnering with software vendors to have pre-wrapped versions of their applications available, but this capability has not reached critical mass. For example, as of this writing, the Citrix Worx gallery of wrapped applications offers a scant 100 applications. The MAM private app store can't keep up with the near-constant pace of updates. The Apple App Store and the Google Play store each have more than one million applications available. This amounts to a Sisyphean task for IT to effectively maintain a parallel store to the public versions.
Perhaps partly in response to the growth of the MDM and MAM product markets -- not to mention demand from enterprise customers -- mobile device providers such as Samsung (with Knox) and Apple (with iOS 7) are building many of the features of MDM and MAM into their platforms. They are also exposing these features through application programming interfaces that app developers can use to take advantage of the security they provide. Apple iOS 7 provides the developer with application-level VPN, data encryption and the ability to restrict access to data by other apps.
BlackBerry Balance, Samsung for Enterprise and VMware Horizon Workspace go a step further than isolating just the application as in the MAM approach. They logically separate the work and personal personas of a mobile device. This allows the organization to impose the stricter controls needed for security while allowing users to have a space of their own with their own applications. Knox, a customized version of Android, allows only Samsung's digitally signed applications to run in the tightly restricted work persona. Balance can restrict operations such as copying and pasting work-side data into a personal-side application. In a BYO scenario, the work persona can be remotely destroyed without disrupting the user's personal applications and data. This split-brain approach has some shortcomings, however. In practice it isn't that easy to dissect the use of a device down the middle.
Virtualized mobile access
Another approach to mobile management is to give access to the corporate workspace by presenting a virtualized remote desktop or Windows application to mobile devices using desktop virtualization products such as Citrix XenApp and XenDesktop or VMware Horizon View. The advantage of these products is that the data is never directly accessed from or left on the device itself, so it should be more secure.
A large drawback is that many of the consumerized platforms don't provide an optimal experience because the remote desktop or applications frequently need a keyboard, mouse and a large display to be used effectively. The virtually presented application or desktop is not available offline, which is a common scenario for the worker on the go. While the data may start in the remote workspace, there is no guarantee that it will remain there. A user may simply copy the file to Dropbox or forward a sensitive document to Gmail, for example, to bypass IT's controls for a better experience using less secure means.
One of the presumed benefits of MDM and MAM was improved security. CISOs and other information security professionals are arriving at the realization that MDM and MAM are not a panacea for the complex mobile security question. Data is the prize for hacking any device, and mobility changes little in that equation. MDM and MAM do address data security by encrypting the device or the specific document at rest. Once the device is unlocked and the data is in use, there may be little to prevent the data from leaking to unwanted places. This analysis keeps bringing us back to the secure consumption of data, regardless of where it is located or being consumed.
MIM emerges for information and user policy
Mobile information management (MIM) is software that goes to the next logical level of managing the information and how mobile devices use it.
MIM goes back to why we have security in the first place: to protect an organization's data. Data can be almost anything: email, documents, photos or video. Organizations that fall under local, federal and international regulations have much to worry about if that data is breached or leaked. MIM-centric approaches such as WatchDox, MokaFive, Citrix ShareFile and VMware Horizon Data attempt to bridge the worlds of mobility, traditional digital rights management and file encryption.
Apple iOS 7 includes some MIM capability built in, allowing for rules about which apps and accounts can be used to open documents and attachments. MIM allows for specific rules for who has access to the data and where it can go. These rule sets are combined with standalone secure applications to edit the data and enable trusted apps to have access. MIM makes which device the worker chooses to use less important. Data can be managed at a much more atomic level. This method requires some labor investment versus simply dropping a heavy-handed MDM policy on a smartphone, but it will likely do a better job of addressing the root need of securing an organization's valuable data.
MIM is not without drawbacks. Current MIM-centered products can manage only certain files such as Microsoft Office and Adobe PDF. Popular mobile applications such as Evernote don't use document files at all. How do you protect data in these? MIM at its current maturity level will not appeal to a broader set of scenarios.
A blend of MDM/MAM/MIM functionality known under the umbrella term enterprise mobility management (EMM) can achieve much in helping secure mobile platforms. Many products now blur the lines among device, application and information management, making them effective for a greater number of use cases. Fundamental information security concepts still apply, though the technology to achieve them may have changed. Layering security, and not relying on any one solution, is still pertinent in the age of consumerized devices and mobile workers. A careful examination of organizational requirements and how each of these areas can help secure the data, application and endpoint is required. Security should still be a risk/reward-balanced exercise. Mobility can be an effective means of increasing productivity and agility. Well-intentioned but overzealous restrictions can minimize that benefit in the end.
About the author:
Matt Kosht is Director of IT at an Alaskan utility company. He has worked in various information technology-related roles throughout his 25-year career. Follow him on Twitter (@flippytheclown) and on Google Plus (+Matt Kosht).