Three enterprise scenarios for MDM products

Expert Matt Pascucci outlines three enterprise use cases for mobile device management products to see how they can protect users, devices and corporate data.

Mobile devices are essentially mandatory tools in today’s business world of fast-moving, data-driven end users. While smartphones and tablets provide employees with the flexibility to perform their jobs with elasticity and without borders, they engender major concerns regarding data security and privacy risks for organizations. Enter mobile device management (MDM) products, which allow people to perform their jobs efficiently and effectively while assisting IT in protecting company data and securing mobile devices from malicious access.

There are three major scenarios to consider when deciding to implement MDM products: the protection of data on mobile devices, defending mobile systems themselves, and securing sessions and data in transit between smartphones/tablets and the company network.

MDM product scenario #1: Data protection

No reason for deploying MDM products is as important as securing data on mobile devices. That's because mobile devices are in reality small computers with powerful processors and large amounts of storage and memory that -- when used within an enterprise -- hold and have access to the same data as a standard PC or laptop. With that in mind, organizations must extend enterprise-grade data protection to these devices without limiting their important, elastic roles at the company.

MDM vendors employ two methods, or ideologies, to protect data on mobile devices: containerization vs. non-containerization.

Taking a containerized approach to MDM

A mobile security product that uses the containerized ideology will dedicate a small partition in storage to the MDM application on the mobile device, limiting all corporate data, apps and communication to this containerized section. With a containerized approach, the data from a smartphone or tablet can’t be inserted into the MDM application either (and vice versa), and these types of mobile device security platforms normally add an extra layer of protection by requiring users to log into MDM separately from the device itself.

The advantage of implementing containerized MDM is that if the mobile device is ever lost or stolen, or someone leaves the organization, a wipe of the MDM app on the smartphone or tablet will remove all instances of corporate data. That way admins will never have to worry about missing something important.

The drawback of containerized MDM is that end users often can't use apps that they're accustomed to, and organizations often don't have the flexibility to leverage custom tools or programs. This is because MDM vendors need to partner with app creators to allow software to enter the encrypted partition. And, while many MDM vendors do work with software developers, not every app is natively compatible.

The non-containerized approach to MDM products

The non-containerized approach to mobile security allows users to access their mobile devices with a native experience and offers the ability to use traditional apps. So the non-containerized method to mobile security, unlike the containerized approach, provides users with the flexibility to run the apps they're used to and allows for easier access to data from third-party software than the containerized approach. This goes for both business and personal data. It depends on the policy that's created by the MDM administrator, but the configurations can also allow for the locking of company apps and/or personal apps.

This approach, while gaining in popularity over containerization due to its flexibility for the end user, needs to be reviewed in great detail beforehand by administrators.

Here, there are options for using data loss prevention tools on mobile systems that aren't containerized. These allow for the inspection and protection of data before it leaves the mobile device.

The protection of data on mobile devices is paramount. It factors heavily in the remaining two scenarios outlined below, and should be at the forefront of the decision-making process when looking to deploy an MDM product.

MDM product scenario #2: Device protection

Now that the data has been secured, let's review ways in which MDM can assist with protecting mobile devices themselves. This is an important topic because if a smartphone or tablet isn't secure, it can lead to the infection of the network and compromised data.

Jailbreaking/rooting detection

Most MDM systems can alert admins should a user attempt to jailbreak/root a smartphone or tablet. A rooted or jailbroken mobile device lets a user perform functions (gaining admin access, downloading and installing apps from outside the app store, installing malware, among others) not intended by the manufacturer or approved by IT and the organization. Sure, these aren't all necessarily that bad, but jailbreaking opens up risks to the corporate network that are best avoided by negating the ability for users to root their smartphones and tablets in the first place.

PIN and passcode enforcement

The first line of defense that every mobile device requires is password protection. Having MDM push down a policy to enforce a PIN or passcode to smartphones and tablets (with a timeout period) is an easy way to secure systems from unintended access by intruders that may have stolen or found a device. Although seemingly very small and not very significant, enforcing password security through MDM should be mandatory.

Remote wipe

The option to remote wipe a smartphone or tablet is a lifesaver when it comes to devices that are no longer in possession of their rightful owner. This assures that anything on a smartphone or tablet is no longer accessible, as the value of data on a smartphone or tablet is worth a whole lot more than the value of the mobile hardware itself.

Operating system changes and apps

With a simple MDM policy, an administrator can restrict what apps are installed -- and limit what OS changes can be performed -- by users or hackers to a smartphone or tablet. For example, a policy can allow only the installation of certain apps using a whitelist and make sure all cameras are turned off on supported smartphones. This reassures the organization that rogue apps that could infect its mobile devices, which can lead to data loss or worse, won't be installed. It also keeps mobile systems in a baseline OS configuration for the network, making them easier to manage. This level of app and system control is a must-have when it comes to distributing mobile devices to end users.

Mobile device encryption

Companies should encrypt all mobile devices that contain important company data. An MDM product can assist in this by forcing encryption on all supported smartphones and tablets -- similar to the way full disk encryption does for laptops and desktops. Encryption protects the mobile device itself and the data that lives on it. It is important to enable on all mobile devices, even for enterprises that use a containerized MDM product.
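
The device-protection controls in this scenario can be expressed as one baseline that every reported device is checked against. The following is an added example, not code from the article or from any MDM product; the policy values, field names, app identifiers and the escalation rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical baseline built from the scenario #2 controls; all values are illustrative.
POLICY = {
    "min_passcode_length": 6,
    "max_lock_timeout_s": 300,
    "allowed_apps": {"com.example.mail", "com.example.crm"},
    "camera_allowed": False,
}

@dataclass
class Device:  # posture record as a management agent might report it (constructed fields)
    device_id: str
    jailbroken: bool
    passcode_length: int   # 0 means no passcode is set
    lock_timeout_s: int    # 0 means the screen never locks
    encrypted: bool
    camera_enabled: bool
    installed_apps: frozenset

def violations(d, policy=POLICY):
    """Return the baseline controls this device fails, in a fixed order."""
    found = []
    if d.jailbroken:
        found.append("jailbroken_or_rooted")
    if d.passcode_length < policy["min_passcode_length"]:
        found.append("passcode_too_weak")
    # A timeout of 0 (never lock) is the worst case, so it must not pass a "<= max" test.
    if d.lock_timeout_s == 0 or d.lock_timeout_s > policy["max_lock_timeout_s"]:
        found.append("lock_timeout_too_long")
    if not d.encrypted:
        found.append("not_encrypted")
    if d.camera_enabled and not policy["camera_allowed"]:
        found.append("camera_enabled")
    unlisted = sorted(d.installed_apps - policy["allowed_apps"])
    found += ["app_not_whitelisted:" + app for app in unlisted]
    return found

def response(d, policy=POLICY):
    """Assumed escalation: integrity or encryption failures cut access, the rest alert."""
    found = violations(d, policy)
    if {"jailbroken_or_rooted", "not_encrypted"} & set(found):
        return "block_corporate_access"
    return "alert_admin" if found else "compliant"

FLEET = [  # constructed sample inventory
    Device("tab-01", False, 6, 120, True, False, frozenset({"com.example.mail"})),
    Device("ph-02", True, 6, 120, True, False, frozenset({"com.example.mail"})),
    Device("ph-03", False, 4, 0, True, True, frozenset({"com.example.crm", "com.example.game"})),
]
```
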

MDM product scenario #3: Protecting mobile connections

Now that MDM has protected mobile data and the mobile devices themselves, it's time to focus on how to make sure these smartphones and tablets communicate safely. This last scenario centers on how MDM products can help secure the connections and sessions established between mobile devices and company resources.

With MDM, organizations can mitigate the risk of insecure communication by blocking third-party configurations to remove certain functions on the mobile device and enabling certain features within a mobile management product. For the former, one area to review is the ability to enable VPN connections on mobile devices so they communicate back to the organization securely.

In addition, there are many times when users need to access data or services on the internal network. So, instead of letting them access these resources insecurely, many MDM products allow admins to require VPN terminations to the corporate site for secure data access.

Another method to secure company network access is to restrict insecure access by limiting the service set identifiers that wireless devices can use. While this can become somewhat restrictive, admins can create a policy to always have mobile systems, in range of the corporate network, use secured wireless connections as a priority, instead of an insecure wireless network that might also be available and accessible.

Having the ability to use internal certificates pushed to mobile devices from company servers for an extra layer of authentication is also recommended.

There are MDM options available that limit access to certain websites. Called secure Web browsing, this technology is normally connected back to the corporate network and allows for implementation of an additional policy to keep users' browsing experience secure via an organization’s normal Web proxy or Web filtering service. Since mobile devices are extensions of the corporate network, having the same Web policy pushed to them as onsite computers allows for consistent security and user experiences when it comes to Web access.

Lastly, certain MDM systems include a feature called geofencing that only allows mobile devices to work within a certain geographical location. This may be too restrictive for users that travel with their smartphones and tablets, which -- granted -- are most. But for those mobile devices that shouldn't leave a certain location, say mobile PoS systems, after the handheld goes beyond a pre-determined area, it'll be deemed unusable by company policy.
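
The geofencing rule described above, sketched as an added example that is not taken from the article or from any MDM product. The report format, the 15-minute staleness limit, the accuracy allowance and the choice to lock a fenced device that has no recent location fix are assumptions.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_M = 6_371_000
MAX_FIX_AGE = timedelta(minutes=15)   # assumed staleness limit for a location report

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def geofence_decision(device, fence, now):
    """Return 'exempt', 'allow', 'lock' or 'lock_no_fix' for one device report."""
    if not device["fenced"]:              # travelling users are left out of the fence
        return "exempt"
    fix = device.get("last_fix")
    # Fail closed: a fenced device with no recent location cannot prove it is on site.
    if fix is None or now - fix["time"] > MAX_FIX_AGE:
        return "lock_no_fix"
    d = distance_m(fix["lat"], fix["lon"], fence["lat"], fence["lon"])
    # Subtract the reported accuracy so GPS jitter at the boundary does not lock a till.
    return "allow" if d - fix.get("accuracy_m", 0) <= fence["radius_m"] else "lock"

# Constructed sample data: one store fence and four device reports.
NOW = datetime(2015, 4, 1, 12, 0, tzinfo=timezone.utc)
STORE = {"lat": 40.0, "lon": -75.0, "radius_m": 150}

def _fix(lat, minutes_old):
    """Constructed location report due north of the store centre."""
    return {"lat": lat, "lon": -75.0, "accuracy_m": 10,
            "time": NOW - timedelta(minutes=minutes_old)}

REPORTS = {
    "pos-1": {"fenced": True, "last_fix": _fix(40.0005, 2)},    # about 56 m away
    "pos-2": {"fenced": True, "last_fix": _fix(40.01, 2)},      # about 1.1 km away
    "pos-3": {"fenced": True, "last_fix": _fix(40.0, 180)},     # on site, but stale
    "phone-9": {"fenced": False, "last_fix": None},             # traveller's phone
}
```
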

Mobile devices are de facto business tools for almost everyone working today. Due to this wave of popularity, organizations need to secure the data, systems and connections mobile devices use and the smartphones and tablets themselves. 

This was last published in April 2015
