IT security pros mulling over an investment in a new mobile device management (MDM) system in order to reduce BYOD risks should first conduct a thorough review of their mobile device security policies to get a better understanding of how the
y plan to use the MDM technology.
That was the message from a variety of security experts at InfoSec World Conference and Expo 2012 held in April. Far too many enterprises are selecting and implementing MDM technology and then failing to understand how to use its capabilities to the fullest, says Diana Kelley, founder and principal analyst at consulting firm Security Curve.
“Once they get it deployed, they quickly realize they don’t know how to manage the tool and they’re not using it effectively,” Kelley says.
In fact, a variety of businesses can use security features already native to most Google Android and Apple iOS devices, Kelley says. Both mobile platforms provide remote lock and wipe capabilities as well as support for password management for mitigating BYOD risks. Although its capabilities are limited, Microsoft’s Exchange ActiveSync (EAS) provides some mobile device management and policy control. It works for organizations that limit corporate data on devices to email, contacts, calendar, tasks and notes.
“It’s about managing the corporate assets on the device, not necessarily the device itself,” said Lisa Phifer, owner of Core Competence, a consulting firm.
The problem is organizations aren’t doing a good job at creating a formal set of security policies for mobile devices, and those that do are not effectively communicating them to employees, says Darrin Reynolds, vice president of information security at New York City-based marketing and communications firm Diversified Agency Services, a division of the Omnicon Group. Reynolds says his firm was a bit late to the game with its policies; the security-aware culture around corporate data had been fostered so much over the years that employees were the first to ask about a security policy around mobile devices.
“Thinking about security is something that has been evolving over time among the user base,” Reynolds said. “That aspect is top of mind for anything they do now.”
The company’s formal policy states that employees can buy any smartphone they want, but those devices must support a PIN/passcode, remote auto lockout, encryption and remote wipe capabilities. Reynolds says having the formal policy in place has helped the company realize that it can enforce its guidelines without the need of an MDM platform. The company uses a combination of BES server for Blackberrys and Microsoft EAS to enforce its restrictions on other types of devices.
“BYOD allows us from a corporate standpoint to save money on the devices we were purchasing by allowing users to purchase them themselves,” Reynolds says. “From our standpoint, it didn’t make sense to then take that savings and buy an MDM platform.”
If a business need requires more sensitive data on corporate devices, Reynolds says his team would consider MDM software in the future. MDM can help manage additional security capabilities by isolating corporate data and enforcement of more restrictive policies, he says.
“If you can limit that exposure to corporate data into a vault or a sandbox, then the user knows a remote wipe will not hit their personal data -- it’s a real feel-good feature for the employee,” Reynolds says. “That’s why for now we see MDM as providing more capabilities in managing the mobile environment and not really to be a cost-savings piece.”
About the author:
Robert Westervelt is news director of SearchSecurity.com. Send comments on this article to firstname.lastname@example.org.