Employees can't get enough of the cool new mobile devices handheld vendors are churning out with surprising alacrity. For IT security managers, however, these devices pose a variety of challenging data security and privacy problems. That's where mobile device management (MDM) technology comes in. MDM products allow enterprises to manage and secure a variety of corporate- and employee-owned mobile device platforms, essentially allowing enterprises IT administrators to oversee and control the way smartphones, tablets and the like are used in the corporate environment.
Enterprises need a solution to allow mobile devices to securely integrate with their corporate infrastructure such as directory services, email, Wi-Fi, VPN
John Marshall, CEO, AirWatch
"Enterprises need a solution to allow mobile devices to securely integrate with their corporate infrastructure such as directory services, email, Wi-Fi, VPN," said John Marshall, CEO for Atlanta-based MDM vendor AirWatch LLC.
Ojas Rege, vice president of products and marketing for Mountain View, Calif.-based mobile management vendor MobileIron Inc., said MDM products are designed to address five key challenges that come with managing security for a variety of consumer-oriented mobile devices.
Rege said MDM products offer asset management to keep track of smartphone and tablet inventory and ownership; configuration management to control mobile device settings for enterprise connectivity, privacy, security and applications; data protection for both data at rest on the device and data in motion flowing to and from the device; enterprise application management, often enabling an enterprise to offer its own "app store" to distribute mobile applications and ensure the security of application data; and troubleshooting and help desk functions to support end users.
MDM use cases, pain points
According to Marshall, MDM products are best for midsize or large enterprises that want to allow corporate or employee-liable devices to access internal resources such as email, VPNs, Wi-Fi, mobile applications, or enterprise applications such as Microsoft SharePoint, ERP or other proprietary systems.
Rege said MDM works well when an organization has permitted or supports only one type of device, such as a BlackBerry, but wants to allow the use of other mobile devices and needs to secure corporate data on these additional mobile platforms. Or, if the organization is moving beyond mobile email to mobile apps and needs to provide mechanisms for distribution, end-user discovery and app data security.
"A pain point for many enterprises is the BYOD (bring your own device) pressure from employees," said Lisa Pittenger, product manager for enterprise mobility at Santa Clara, Calif.-based security vendor McAffee Inc.
"As more personal devices begin accessing corporate data, there is still some pain surrounding governance and privacy concerns if an employee were to leave in terms of wiping the device," Pittenger said. "It is important for the enterprise to have a BYOD policy in place and clear guidance on what will happen to the data in that type of event."
According to Kevin Johnson, a SANS instructor and security consultant with Jacksonville, Fla.-based consultancy Secure Ideas, MDM pain points include designing the policies and getting approval from key players to restrict the functionality to the chosen mobile device features. Johnson also said managing what devices are subscribed to the MDM in the light of ongoing mobile device turnovers can be a pain point.
According to Rege, designing a new class of mobile device security and privacy policies can challenge staff because MDM is fundamentally different than desktop / laptop norms for technology, behavior and user requirements where the user experience sometimes suffers to enhance security or remote management. Rege said MDM should allow user choice of device and apps, and not interfere with device performance or user experience.
To be successful, Rege said, MDM products must support at least three or more mobile device operating systems, such as iOS and Android, feature baseline and advanced security settings, and an inline proxy for securing data in motion.
Rege said other must-have features should include tight integration with Active Directory and Lightweight Directory Access Protocol (LDAP), as well as other identity management (IM) and security systems, along with end-to-end mobile application management.
According to Marshall, it’s important to consider whether a product is capable of advanced grouping or multi-tenancy for autonomy across regions or P&Ls, but offers some level of centralized control and asset management.
"We’re seeing a lot of point solutions or distributed decisions from large multinationals, primarily due to a sense of urgency to get started quickly," Marshall said.
Johnson said MDM products must be able to group users and devices to specific configurations. He also emphasized the need for solid reporting capabilities so organizations can see what's going on with the devices and the configurations.
Multiple stakeholders can be a pain point, according to Vizay Kotikalapudi, senior manager of endpoint management and mobility with vendor Symantec Corp.
"Who manages mobility in the organizations is still unclear, and there are multiple teams that have interest in mobility," Kotikalapudi said. "For instance, the messaging team for mobile email, the infrastructure team for mobile apps, the security team for security, the operations/help desk team for day-to-day tasks.
"There is bound to be some organizational friction as the needs of these different teams evolve," Kotikalapudi added. "Having clear goals, shared teams and end-user buy-in will help alleviate these pains."
Near-term MDM change agents
According to the Gartner's April 2011 magic quadrant report for the mobile device management market, current market leaders include AirWatch, Good Technology, MobileIron and Sybase. However, the research firm has stated that no single vendor offers a comprehensive product for management of applications, services, policy, devices and security, meaning the feature-sets of today's MDM products are likely to expand further in an effort to cover these gaps.
Yet there are other change agents driving the growth and evolution of the MDM product market. McAfee's Pittenger said the growth of dangerous mobile malware has increased the importance of providing comprehensive safeguards for mobile devices before allowing them access to corporate networks and their resources.
"App distribution, app compliance and app-level security will become increasingly important over the next several months," Marshall said. "To be fully productive, mobile workers expect to use not only the latest mobile devices, but also a suite of complementary apps. In addition, mobile apps have become a strategic initiative across many organizations, creating a competitive differentiator in their marketplace."
"The security/compliance requirements in this new context are going to be more complex," Kotikalapudi noted. "Having an information-centric approach, vs. a device-centric approach, is going to work best for the long term."
About the author:
Bill Hayes is a freelance security writer and consultant based in Nebraska.