Information Security

Defending the digital infrastructure

Mobile security: Protecting the corporate 'crown jewels'

Lisa Phifer explores the uptake in the use of enterprise mobility management as a means to deliver secure mobility for BYODs through the use of more granular security policies, richer management suites and greater integration to enable secure mobility.

Bring your own devices (BYODs) revolutionized how employers enable safe, productive mobility, forcing hardware-centric mobile device management (MDM) products to mature into enterprise mobility management (EMM) suites. As BYOD adoption grows, so do both secure mobility challenges and the EMM market. According to the technology research company Radicati Group Inc., worldwide EMM revenues will hit $1.4 billion this year, topping $5.7 billion by 2018. To understand how EMM tackles BYOD risks, let's consider what drove this evolution.

Where MDM fell short

MDM emerged over a decade ago in products that managed Windows CE and BlackBerry phones. When the iPhone kick-started BYOD adoption, MDM products embraced Apple and Android phones, but still focused primarily on device-centric goals: hardware asset management, OS configuration and remote find and wipe. In short, MDM helped customers bring personal devices under IT control by managing the entire device.

This traditional desktop-management approach may have been fine for corporate-issued phones, but it strained to fit mixed-use devices; employees had concerns about personal privacy and the approach also left IT in the undesirable position of dealing with personal apps and data. Moreover, according to Ojas Rege, MobileIron's vice president of strategy, device management focused on the wrong attack vectors.

"Architectures drive attack vectors," said Rege.

In the Windows desktop world, attacks primarily exploit the open file system and kernel-mode applications. But iOS, Windows Phone and (to a lesser extent) Android eliminated those vectors through strict user-space separation and application sandboxing. Instead, said Rege, threats to mobile devices involve jailbreaking, spyware, wireless exposure and user behavior -- architectural differences that required a different approach.

And so EMM shifted IT's focus from protecting devices to protecting data and to controlling how enterprise data flows between apps so as to safeguard both data at rest and in motion. This EMM approach is not only better at handling mobile threats, but it also makes it possible for IT to manage just the "business part" of each smartphone or tablet.

Using EMM to enforce security policy

According to Gartner's criteria, EMM products must include hardware and application inventory, OS configuration management, mobile app deployment, updates, removal, and configuration and policy management, remote troubleshooting and actions, and also mobile content management. Many of these functions were pioneered by MDM products and continue to be table stakes for EMM. The EMM tipping point at which an MDM product matures into an EMM suite comes with content and application management, giving IT the ability to provision, monitor and enforce more granular security policies.

Blake Brannon, lead solutions engineer at AirWatch by VMware, said that needs around mobile security typically trigger EMM adoption by customers. "Vendors, contractors, employees with BYODs -- all of these use cases share the need for more control around containerization, specifically apps and data," he said. "For example, many devices support encryption, some more gracefully than others. In some cases, you don't want to force device encryption on all BYODs. Other cases may require FIPS-level encryption, or just stronger-than-native encryption. Containers allow more granular encryption policies that go beyond what any given device supports at the hardware level."

John Nielsen, senior product manager at Fiberlink, an IBM company, described a similar trend for applications. "It's not just about securing content at rest on BYODs. It's also about the ability to wipe [only corporate] content and control content flow between containers. EMM can whitelist apps, specifying where data is allowed to flow, including third-party apps, storage and cloud. Controls can be as simple as blocking copy/paste or screen shots or printing for content that is sensitive. Or [controls] can be more advanced, such as allowing a file to be opened only in a corporate version of, but not in iCloud or Google Drive."

According to Rege, the well-intentioned user continues to be low-hanging fruit. "The user gets an email and opens an attachment in DropBox -- now you have corporate data sitting in an uncontrolled public cloud. This threat exists on traditional devices, but is more important for mobile because cloud is so tightly integrated. [EMM] must keep data encrypted as it moves to and from devices." This is why mobile application management (MAM) plays such a significant role in EMM.

For example, when someone runs a business app on a smartphone or tablet, that app user must be identified (perhaps using enterprise authentication or single sign-on), and app execution must be authorized (based on device integrity and even geolocation). The app itself must be properly installed and configured, any data associated with the app must be encrypted to the required level, and data leak protection must be applied. The latter may involve limiting app-to-app data flow, invoking trusted apps ("open in" policies) or forcing data through secure sessions and gateways. If the device is lost or the employee leaves the country, integrity is compromised and the app must be quarantined or wiped to mitigate business risk without affecting the rest of the device or the worker's personal data and apps.

How enterprises use EMM to address BYOD business risks

EMM brings all of these capabilities to the table, delivering full lifecycle management for secure containers that reside on personal devices. However, EMM suites tend to include a rather broad suite of capabilities with many separately priced modules. Security teams must align their needs with those of MIS departments to ensure that any EMM product purchase will cost-effectively meet both groups' objectives. To that end, let's consider the current state of EMM adoption.

Over the past year, according to Nielsen, more Fiberlink customers have sought containerization. "But key asks for containerization are mostly around email, which is still the most important productivity app on mobile devices," Nielsen said. "Secure mail is more popular than ever, but more customers are moving toward app containerization, ensuring that third-party apps can participate in our containerized environment and enabling [private] apps with SDKs."

In other words, efficient, easy-to-use containers can't be islands; they must allow secure, policy-based data flow between trusted apps that together create a safe mobile work environment on a device.

Brannon notes that, in addition to secure mail and secure content, some AirWatch customers also need a secure browser app. "Every organization has some form of intranet -- maybe a SharePoint site or a help desk. Our secure browser gives employees an ability to get secure access [to their intranet] without having to connect to a VPN; and it gives IT the ability to ensure that data moves securely and is protected from data leaks," he said.

Rege says that more MobileIron customers are deciding what level of access to provide to each user and device, based on user identity and device posture. "There are some technologies that become much more important in the mobile world -- PKI and NAC are two," he said. This is why integration with enterprise identity management and/or network infrastructure can be important when choosing an EMM suite, so as to bring together separately administered security policies and deliver both more robust protection against mobile threats and a more seamless user experience.

For example, an enterprise WLAN may auto-detect a new personal device, redirecting it to an EMM system for enrollment, certificate installation and container deployment. Thereafter, the WLAN may consult EMM to verify the device's integrity before granting it network access; it also plays a role in quarantining noncompliant devices.
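The app-authorization and data-leak controls described above, together with the WLAN-to-EMM compliance check in this paragraph, can be sketched as a single policy decision. The block below is an added illustration, not code from the article or from any EMM vendor; the posture fields, policy names and sample values are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data for illustration; field names are assumptions, not any vendor's API.
@dataclass
class DevicePosture:
    enrolled: bool        # completed EMM enrollment and received a device certificate
    cert_valid: bool      # certificate still valid (not revoked or expired)
    jailbroken: bool      # integrity check failed
    lost: bool            # reported lost by the user or IT
    encryption: str       # strongest level the container can provide: "none", "native", "fips"
    country: str          # ISO country code from geolocation

@dataclass
class ContainerPolicy:
    min_encryption: str            # level required for corporate data in the container
    allowed_countries: frozenset   # where the app may execute
    open_in_whitelist: frozenset   # apps that may receive corporate documents ("open in")

ENC_RANK = {"none": 0, "native": 1, "fips": 2}

def access_decision(posture: DevicePosture, policy: ContainerPolicy) -> str:
    """Evaluated by the WLAN (via EMM) before network access and by the container before
    app execution. Returns one of: enroll, wipe_container, quarantine, allow."""
    if not posture.enrolled or not posture.cert_valid:
        return "enroll"            # redirect to EMM for enrollment and certificate install
    if posture.lost:
        return "wipe_container"    # selective wipe: corporate container only, personal data untouched
    if posture.jailbroken:
        return "quarantine"        # device integrity compromised; block until remediated
    if posture.country not in policy.allowed_countries:
        return "quarantine"        # geolocation outside policy
    if ENC_RANK[posture.encryption] < ENC_RANK[policy.min_encryption]:
        return "quarantine"        # container cannot meet the required encryption level
    return "allow"

def open_in_allowed(target_app: str, policy: ContainerPolicy) -> bool:
    """Data-leak control: corporate data may flow only to whitelisted (trusted) apps."""
    return target_app in policy.open_in_whitelist

# Constructed example policy: FIPS-level encryption, two countries, three trusted apps.
POLICY = ContainerPolicy(min_encryption="fips",
                         allowed_countries=frozenset({"US", "CA"}),
                         open_in_whitelist=frozenset({"corp.mail", "corp.browser", "corp.docs"}))

if __name__ == "__main__":
    device = DevicePosture(True, True, False, False, "fips", "US")
    print(access_decision(device, POLICY), open_in_allowed("public.cloud.storage", POLICY))
```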

Thinking through these scenarios and considering automation when choosing an EMM helps enterprises not just tolerate but fully embrace personal devices on a very large scale by using more granular security policies, richer management suites and greater integration to enable secure mobility.

About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in the business use of emerging Internet technologies. Lisa has been involved in the design, implementation and evaluation of internetworking, security and management products for 30 years. At Core Competence, she advises large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. She teaches about wireless LAN and mobile device administration and security and has written extensively for numerous publications.

This was last published in October 2014