
An MDM strategy in a BYOD world must focus on data first, then devices

In the BYOD era, mobile device security requires a strategy that focuses on data, not device, protection.

Not so many years ago, a typical corporate IT user had a desktop computer at the office. Some might get a laptop for travel and occasional teleworking, and perhaps a corporate-issued BlackBerry for phone services and casual access to email and messaging.

Today the landscape has changed drastically: Many organizations issue a laptop instead of a desktop to each user, and many employees also get equally powerful corporate smartphones and tablets. Add to this the rise of the bring your own device (BYOD) movement, in which users work from their personally owned laptops, smartphones and tablets, and the net result is often a single employee using a half-dozen different devices for work.

It's no exaggeration to state that the rise of a diverse set of mobile device platforms has been relatively sudden and dramatic. For enterprise network and security managers, it's a common occurrence to see a new platform for the first time only after the device it resides on has connected to the corporate network.

Unfortunately, mobile device security has lagged significantly behind the advances in mobile device technologies. Smartphones and tablets increasingly have many of the same security vulnerabilities as desktops and laptops because they're based on the same software, but smartphones and tablets lack the built-in security controls that desktops and laptops have, such as host-based firewalls and intrusion detection systems. To mitigate these vulnerabilities, an MDM strategy should include adding the appropriate third-party security controls to mobile devices. This article provides several practical tips for security practices via an MDM strategy that can better safeguard mobile devices and their data.

Use MDM software


MDM software has become the fundamental security control of choice for mobile devices, and must be considered when developing your MDM strategy. It provides centralized management of mobile device security that can protect the sensitive data stored on and accessed by a mobile device. It takes care of all the basic operating system security controls, such as installing patches and configuring the operating system securely. It also adds various data security controls, including storage encryption, device control and data loss prevention (DLP) technologies. MDM software is most easily deployed and used for organization-controlled mobile devices (including laptops), but MDM can also be deployed and used to a somewhat more limited extent for BYOD devices.
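The paragraph above describes MDM as a central point that enforces patch level, secure configuration and data controls, with less reach on BYOD devices. The following is an added example, not code from the article or from any MDM product: it evaluates a constructed device inventory against a baseline policy, requiring the full control set on corporate-owned devices but only the data-protection subset on BYOD devices. The field names, platform baselines and control names are assumptions chosen for illustration.

```python
"""Evaluate constructed MDM inventory records against a baseline policy.

Added example, not from the article or any MDM product. Field names
(os_version, patch_date, controls, ...) and the baseline values are
assumptions standing in for what an MDM inventory export might contain.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Baseline per platform: minimum OS version and maximum patch age in days.
# Values are constructed for the example, not real vendor support dates.
POLICY = {
    "ios":     {"min_os": (7, 0), "max_patch_age_days": 30},
    "android": {"min_os": (4, 4), "max_patch_age_days": 30},
    "windows": {"min_os": (6, 3), "max_patch_age_days": 30},
}

# Controls the MDM enforces on corporate-owned devices. On BYOD devices the
# MDM reaches less far, so only the data-protection subset is required there
# (the owner keeps control of the rest of the device).
CORPORATE_CONTROLS = {"storage_encrypted", "removable_media_encrypted",
                      "passcode_set", "dlp_agent", "remote_wipe_enabled"}
BYOD_CONTROLS = {"storage_encrypted", "passcode_set", "remote_wipe_enabled"}

AS_OF = date(2014, 7, 15)  # constructed evaluation date


@dataclass
class Device:
    device_id: str
    platform: str
    ownership: str            # "corporate" or "byod"
    os_version: tuple
    patch_date: date
    controls: Dict[str, bool] = field(default_factory=dict)


def evaluate(device: Device, today: date) -> List[str]:
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    rule = POLICY.get(device.platform)
    if rule is None:
        # Unknown platform: new platforms tend to show up on the network before
        # IT has seen them, so flag rather than silently pass.
        return [f"unknown platform {device.platform!r}: not covered by policy"]
    if device.os_version < rule["min_os"]:
        findings.append(f"os {'.'.join(map(str, device.os_version))} below minimum")
    if (today - device.patch_date).days > rule["max_patch_age_days"]:
        findings.append(f"patch level older than {rule['max_patch_age_days']} days")
    required = CORPORATE_CONTROLS if device.ownership == "corporate" else BYOD_CONTROLS
    for control in sorted(required):
        if not device.controls.get(control, False):
            findings.append(f"{control} not enforced")
    return findings


def compliance_report(devices, today):
    """Map each device id to its findings."""
    return {d.device_id: evaluate(d, today) for d in devices}


# Constructed inventory, not real devices.
SAMPLE = [
    Device("corp-01", "ios", "corporate", (7, 1), date(2014, 6, 20),
           {c: True for c in CORPORATE_CONTROLS}),
    Device("byod-07", "android", "byod", (4, 1), date(2014, 3, 1),
           {"storage_encrypted": True, "passcode_set": False, "remote_wipe_enabled": True}),
    Device("corp-12", "windows", "corporate", (6, 3), date(2014, 6, 25),
           {"storage_encrypted": False, "passcode_set": True}),
    Device("unk-99", "otheros", "byod", (1, 0), date(2014, 6, 1), {}),
]

if __name__ == "__main__":
    for dev, issues in compliance_report(SAMPLE, AS_OF).items():
        print(dev, "OK" if not issues else "; ".join(issues))
```

The report is meant to feed a conditional-access decision: a device with findings keeps its work container but loses access to the central data stores until the findings clear. The unknown-platform branch matters in practice, because a policy engine that quietly passes what it does not recognise turns the "new platform appears unannounced" problem described earlier into a blind spot.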

Focus on the data, not the operating system

Despite the security challenges that mobile operating systems present, organizations have gotten relatively good at securing them, thanks to the rise of MDM software. Simultaneously, data has become more valuable, especially financial records and personally identifiable information. Not surprisingly, attackers have shifted their focus from exploiting operating system vulnerabilities to harvesting data. A single data breach can cost an organization millions of dollars, and a single lost or stolen mobile device can lead to such a breach.

Organizations need to consider where their data may reside and ensure that the data is secured from a variety of threats. DLP technologies and media encryption (both built-in and removable media) have become critical. Fortunately, mobile operating systems are starting to provide media encryption, and both DLP technologies and media encryption are also available through MDM technologies.

Keep sensitive data off mobile devices

One rule may seem overly simplistic, but organizations often suffer major compromises because they fail to adhere to it: Keep your organization's sensitive data off your users' mobile devices. If sensitive data never resides on mobile devices, compromises of those devices will be much less damaging to the enterprise. Instead of storing sensitive data on a mobile device, store the sensitive data centrally and provide only the necessary chunks of data -- preferably images of that data -- to mobile device users. That minimizes the possible exposure of the data.
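The two sections above make one operational point: DLP controls decide what may leave the central store, and the rule of thumb is to give mobile users only the pieces they need. The following is an added example, not code from the article: a sync gate that scans a record before it is handed to a mobile client, detects SSN-like numbers and Luhn-valid card numbers, and either withholds the record or returns a masked view while the full record stays on the server. The record format, the patterns and the policy names are assumptions chosen for illustration.

```python
"""Gate content before it syncs to a mobile device.

Added example, not code from the article. Detects US SSN-like numbers and
Luhn-valid card numbers in a constructed record and returns either a block
decision or a redacted view; the patterns and record format are assumptions.
"""
import re
from typing import List, Tuple

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate primary account number: 13-19 digits with optional spaces/dashes.
# Candidates are only reported when they pass the Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _card_digits(candidate: str):
    digits = re.sub(r"\D", "", candidate)
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for each sensitive item found."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if _card_digits(m.group(0)) is not None:
            hits.append(("card", m.group(0).strip()))
    return hits


def _mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace each sensitive item with a masked form keeping the last four digits."""
    out = SSN_RE.sub(lambda m: _mask(re.sub(r"\D", "", m.group(0))), text)

    def card_sub(m):
        digits = _card_digits(m.group(0))
        if digits is None:
            return m.group(0)           # not a card number: leave untouched
        trailing = m.group(0)[len(m.group(0).rstrip()):]
        return _mask(digits) + trailing  # keep any separator the regex swallowed

    return CARD_RE.sub(card_sub, out)


def gate_for_mobile(record: dict, policy: str = "redact") -> dict:
    """Decide what a mobile client may receive for one record.

    policy "block"  -> records with sensitive data are withheld entirely
    policy "redact" -> the device gets a masked view; the full record stays central
    """
    body = record["body"]
    hits = find_sensitive(body)
    if not hits:
        return {"id": record["id"], "body": body, "action": "allow", "findings": []}
    kinds = sorted({kind for kind, _ in hits})
    if policy == "block":
        return {"id": record["id"], "body": None, "action": "block", "findings": kinds}
    return {"id": record["id"], "body": redact(body), "action": "redact", "findings": kinds}


# Constructed records, not real customer data.
RECORDS = [
    {"id": "note-1", "body": "Team lunch moved to Thursday; agenda attached."},
    {"id": "note-2", "body": "Customer J. Doe, SSN 123-45-6789, card 4111 1111 1111 1111, asked for a refund."},
    {"id": "note-3", "body": "Ref 4111 1111 1111 1112 is an order number, not a card."},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(gate_for_mobile(rec))
```

Running the gate with the default policy allows note-1 unchanged, hands the device a masked copy of note-2, and allows note-3 because the Luhn check rejects the look-alike number. The Luhn step is what keeps a pattern-based DLP rule usable: without it, every long numeric reference in ordinary business text would trigger a block or a masking, and users would route around the control.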

Thwart Web-based malware

Once overhyped, the threat of malware is an increasingly legitimate concern for mobile devices, especially when it comes to Web-based malware. Organizations have traditionally relied on Web security gateways to detect and block such malware. Unfortunately, with the rise of mobility, these gateways are less helpful, because mobile devices most often are on external networks and consequently are not using the gateways. There are two options to resolve this: Either place Web security controls on the mobile device (potentially via an MDM strategy) or force the organization's mobile devices to route all their traffic through a centralized proxy that includes network security controls such as Web security gateways. Although the latter approach can provide overall superior security by applying enterprise-grade network security controls to all mobile device traffic, it also has significant cost and performance issues that organizations should carefully evaluate before adopting such a solution.
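If the forced-proxy option is chosen, the control is only as good as the routing it relies on, so it is worth checking from logs that managed devices really reach the Web through the proxy. The following is an added example, not code from the article: it reads constructed flow records (device id, destination, port, bytes) and reports web-port flows from forced-proxy devices that did not go to the proxy. The proxy address is a placeholder in a documentation range, and the device ids and log format are assumptions.

```python
"""Detect managed devices whose web traffic bypasses the central proxy.

Added example, not from the article. The flow-record format is constructed,
the proxy address is a documentation-range placeholder (TEST-NET-3), and the
set of forced-proxy devices is assumed to come from the MDM inventory.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

PROXY = ipaddress.ip_address("203.0.113.10")   # placeholder, not a real proxy
PROXY_PORTS = {8080, 3128}
WEB_PORTS = {80, 443}
# Devices enrolled with the forced-proxy profile (constructed ids).
FORCED_PROXY_DEVICES = {"corp-01", "corp-12"}

# Constructed flow records: "device dst_ip dst_port bytes".
FLOWS = """\
corp-01 203.0.113.10 8080 51200
corp-01 198.51.100.7 443 2048
corp-12 203.0.113.10 8080 10240
corp-12 203.0.113.10 3128 4096
byod-07 198.51.100.7 443 8192
corp-01 192.0.2.55 80 512
"""


def parse_flows(text: str):
    """Yield (device, ip, port, bytes) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        dev, ip, port, nbytes = line.split()
        yield dev, ipaddress.ip_address(ip), int(port), int(nbytes)


def via_proxy(ip, port: int) -> bool:
    return ip == PROXY and port in PROXY_PORTS


def find_bypasses(text: str) -> Dict[str, List[Tuple[str, int, int]]]:
    """Return {device: [(dst_ip, port, bytes), ...]} for forced-proxy devices
    that reached web ports without going through the proxy."""
    bypasses = defaultdict(list)
    for dev, ip, port, nbytes in parse_flows(text):
        if dev not in FORCED_PROXY_DEVICES:
            continue  # BYOD or unmanaged: on-device controls apply instead
        if port in WEB_PORTS and not via_proxy(ip, port):
            bypasses[dev].append((str(ip), port, nbytes))
    return dict(bypasses)


def bypass_ratio(text: str) -> float:
    """Share of web-port bytes from forced-proxy devices that bypassed the proxy."""
    direct = total = 0
    for dev, ip, port, nbytes in parse_flows(text):
        if dev not in FORCED_PROXY_DEVICES:
            continue
        total += nbytes
        if port in WEB_PORTS and not via_proxy(ip, port):
            direct += nbytes
    return direct / total if total else 0.0


if __name__ == "__main__":
    for dev, flows in find_bypasses(FLOWS).items():
        for ip, port, nbytes in flows:
            print(f"{dev}: direct to {ip}:{port} ({nbytes} bytes)")
    print(f"bypass ratio: {bypass_ratio(FLOWS):.3f}")
```

A non-zero result for an enrolled device usually means the proxy profile failed to apply, was removed, or is being ignored by an application that sets its own network path; each of those is a case the MDM console should surface rather than one the security team discovers after an infection.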

This was last published in July 2014


I agree with Karen that data is actually what enterprises care about when trying to secure devices for BYOD. The best protection, as Karen suggested, is to keep that sensitive data off the devices and just access an image of it. I would like to add that a true enterprise mobile solution should not just focus on securing content but also provide the added end-user benefit of extending mobile productivity, like kiteworks by Accellion. kiteworks provides users the ability to edit and create Office documents and PDF files on the go, yet also provides maximum control for IT, including access privileges, remote wipe capabilities, and access to enterprise content all within a secure container. Check out for more info.