Mobile endpoint security: What enterprise InfoSec pros must know now
As workforces became more mobile, products evolved to help enterprises maximize business benefits while meeting business requirements for visibility and control. Long gone is the era of company-purchased, IT-provisioned mobile devices, carried by a privileged few. It is now common for users to stay connected throughout the workday, using two or three mobile devices to carry out a mixture of personal and business activities. More often than not, these smartphones and tablets are consumer devices and employee-owned.
This evolution caused many enterprises to abandon old single-OS mobile device management tools, seeking more versatile products to handle a rapidly evolving consumer-driven population of mobile devices and applications. Ultimately, a new class of management tools emerged to fill this need, dubbed enterprise mobility management (EMM). But just as workers and devices are diverse, so are the EMM products created to manage them.
How EMM Works
Enterprise mobility has morphed over the years, driven by more powerful and affordable devices, more ubiquitous mobile broadband and popular mobile-app stores. These factors put individual consumers into the driver’s seat. As workers experienced benefits in their personal lives, they pushed these devices and apps into the workplace, with or without the employer’s blessing.
At the same time, enterprises were drawn to mobility to revamp workflows, increase business efficiency and leverage near-continuous availability of workers and data. Today, enabling safe, productive mobility is a business essential. Companies large and small across all sectors are now scrambling to gain competitive advantage by capitalizing on mobility’s benefits. However, doing so effectively requires:
- Enabling safe business use of mobile devices to fit each individual worker;
- Easily deploying innovative mobile apps to better accomplish business tasks;
- Facilitating secure mobile communication, including access to business data; and
- Avoiding and mitigating associated business risks.
EMM emerged to address these needs, and it evolved in stages:
- EMM began as an offshoot of single-OS MDM products, such as BlackBerry Enterprise Server, bringing a hodge-podge of BYODs under common management that could deliver unified IT visibility and control, independent of device type or ownership.
- The EMM market quickly grew to embrace mobile apps, delivering centralized over-the-air inventory and installation of apps that workers needed.
- Similarly, EMMs became important for IT configuration of network connections, email accounts and other features workers use to access business data on the go.
- To address growing concern over potential loss of business data—especially on BYODs—EMM gave IT tools to manage this risk, letting them provision and enforce enterprise security policies from afar.
The EMM market was initially chaotic and it was hard to find a feature baseline for meaningful comparisons, but these days EMM products can all be expected to include the following features.
Mobile device management (MDM): Although most enterprises are moving away from locking down devices used for business, every EMM must allow administrators and users to add new devices over-the-air through an enrollment portal. Capabilities include assessing devices against acceptance criteria, authenticating the worker and requiring employee acceptance of the conditions for business use. MDM features should also allow IT to issue credentials to approved devices, inventory their hardware and software, and provision devices with configuration and security policies as appropriate for that user, group or device. MDM should also be able to install any required apps or data.
Remote monitoring and actions: Even enterprises that focus on apps and data require basic monitoring and command capabilities, most notably remote wipe of EMM-installed apps or data, remote lock and password reset, and remote find. Increasingly, EMMs provide self-help portals so that users can execute these commands themselves. IT often focuses more on remote monitoring, especially the ability to run integrity checks on each enrolled device to report on and enforce policy compliance and to detect and respond to deviations.
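The enrollment and monitoring cycle above (assess against acceptance criteria, re-check integrity, respond to deviations) reduces to a policy evaluation that maps each violation to one of the remote actions listed. The following is an added illustration, not any EMM vendor's code; the acceptance criteria, device records, bundle identifier and action names are constructed for the example.

```python
"""Device compliance check and response of the kind an EMM runs at enrollment
and on each later integrity check. Policy values below are constructed."""
from dataclasses import dataclass, field

# Acceptance criteria an administrator would set in the EMM console (constructed).
POLICY = {
    "min_os": {"ios": (15, 0), "android": (12, 0)},
    "require_passcode": True,
    "require_encryption": True,
    "allow_jailbroken": False,
    "blocked_apps": {"com.example.filesharer"},  # hypothetical bundle id
}

@dataclass
class Device:
    device_id: str
    platform: str
    os_version: tuple        # (major, minor), compared lexicographically
    passcode_set: bool
    encrypted: bool
    jailbroken: bool
    installed_apps: set = field(default_factory=set)

def evaluate(device: Device, policy=POLICY) -> list:
    """Return the policy violations found on one device (empty list = compliant)."""
    violations = []
    if device.os_version < policy["min_os"].get(device.platform, (0, 0)):
        violations.append("os_outdated")
    if policy["require_passcode"] and not device.passcode_set:
        violations.append("no_passcode")
    if policy["require_encryption"] and not device.encrypted:
        violations.append("not_encrypted")
    if device.jailbroken and not policy["allow_jailbroken"]:
        violations.append("jailbroken")
    if device.installed_apps & policy["blocked_apps"]:
        violations.append("blocked_app_installed")
    return violations

def respond(violations: list) -> str:
    """Map violations to the remote actions the text lists, most severe first."""
    if "jailbroken" in violations or "not_encrypted" in violations:
        return "selective_wipe"   # remove EMM-installed apps and business data
    if "no_passcode" in violations:
        return "remote_lock"      # lock until the user sets a passcode
    if violations:
        return "quarantine"       # stay enrolled, but block business access
    return "allow"
```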
Mobile application management (MAM): EMM products can be expected to support over-the-air installation, update and removal of public and enterprise apps. Products must also configure mobile apps and associated policies to some extent—for example, automatically push a required iOS app executable and profile onto an enrolled iPhone or iPad, or provide an enterprise app catalog from which users may choose. Many EMMs offer additional features, such as built-in secure mobile apps (see MCM, below) or letting IT “add security” to third-party apps using app wrappers.
Mobile Content Management (MCM): EMM products can be expected to help IT address concerns about business data loss and leakage by offering a secure (authenticated, encrypted) data container, along with tools to push, update and remove contained business files. It is also common for EMM products to provide secure mobile access to enterprise data stores—for example, by linking a container to SharePoint or an enterprise cloud. Some products are taking MCM further by delivering file sync-and-share services and other features that facilitate workforce collaboration.
As the EMM market matures, vendors are sharpening their focus on business assets and issues. According to Jim Haviland, Vox Mobile CSO, use-case-based security via containerization is now the “ante up” position. The next step in EMM progression is contextual security.
But contextualization can be accomplished in many different ways. For example, Good Technology reports that secure Web browsing remains the most popular app outside of email, followed by secure instant messaging and custom apps. To support each of these specific use cases, EMM capabilities and policies must drill deeper; for example, EMM can offer a built-in app for secure instant messaging to address IT concerns that SMS texts are leaking enterprise data.
Contextualization can also be applied to both MAM and MCM by letting IT define policies to restrict the flow of data between managed and unmanaged applications, or between managed containers and other applications or interfaces. Such policies can help enterprises prevent common accidental data leaks without depending upon workers to avoid them.
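The data-flow policy described in this paragraph is asymmetric: data leaving a managed app or container for an unmanaged app or system interface is the accidental leak to stop, while data coming in is low risk. The block below is an added illustration of that rule, not any product's implementation; the app identifiers, interface names and exception list are constructed.

```python
"""Managed/unmanaged data-flow policy (MAM/MCM contextualization). All
identifiers below are constructed for the example."""

MANAGED_APPS = {"corp.mail", "corp.docs", "corp.browser"}   # hypothetical ids
# Interfaces a container can leak through; treated as unmanaged destinations.
SYSTEM_INTERFACES = {"clipboard", "airdrop", "sms"}

FLOW_POLICY = {
    "managed_to_unmanaged": "block",    # the leak the text calls accidental
    "unmanaged_to_managed": "allow",    # bringing personal data in is low risk
    "exceptions": {"corp.docs": {"print.service"}},  # admin-approved destinations
}

def classify(app: str) -> str:
    """Everything not enrolled as a managed app, interfaces included, is unmanaged."""
    return "managed" if app in MANAGED_APPS else "unmanaged"

def decide(src: str, dst: str, policy=FLOW_POLICY) -> tuple:
    """Return (verdict, reason) for data moving from src to dst."""
    s, d = classify(src), classify(dst)
    if s == "managed" and d == "managed":
        return ("allow", "managed-to-managed")
    if s == "managed":
        if dst in policy["exceptions"].get(src, set()):
            return ("allow", "admin exception")
        return (policy["managed_to_unmanaged"], "managed-to-unmanaged")
    if d == "managed":
        return (policy["unmanaged_to_managed"], "unmanaged-to-managed")
    return ("allow", "outside EMM scope")   # personal-to-personal is not ours

def audit(events) -> list:
    """Evaluate (src, dst) events and return the blocked ones for reporting."""
    return [(s, d) for s, d in events if decide(s, d)[0] == "block"]
```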
Contextualization can also be accomplished through integration with identity and access management (IAM) systems. In this way, enterprises may not be as limited to “one size fits all” mobile app and data policies. IAM-integrated mobile policies may be more easily customized for an individual or group, and can be automatically updated when circumstances and access rights change. The mobile experience may also become more frictionless through single sign-on and other techniques that transparently tie enterprise identity to mobile activities.
The bottom line
As the share of mobile-only users quickly surpasses that of desktop-only users, choosing an EMM product is a strategic decision that could have a far-reaching impact on your business. Look carefully at both common capabilities and emerging features to assess fit with your workforce needs, today and tomorrow. Finally, consider each product’s ease of use, scalability, adaptability and cloud deployment options—private, public and hybrid—to make the best choice for your enterprise.
About the author:
Lisa Phifer owns Core Competence, a consulting firm specializing in business use of emerging network and security technology. She has been involved in the design, implementation and evaluation of internetworking, security and management products for over 25 years.