
How key MDM features affect mobile security policy management

As MDM features become more robust, enterprises must not only look for mature products, but also evolve mobile security policies accordingly.

There's no doubt that IT security professionals charged with securing enterprise information assets know that mobile devices present new challenges. As the role, variability and specific requirements of mobile devices become increasingly important within the enterprise, so do the controls necessary to secure data accessed by those devices.


In order for security managers to ensure corporate data is secure, they require an accurate and comprehensive view into rapidly shifting employees' work and device preferences. These preferences are moving traditional IT assets into the public domain via trends such as bring your own device (BYOD), app-centric content usage, tablet adoption and wireless-only workers. The broader IT organization must rely on information security professionals to confirm that company data used by an increasingly mobile workforce is secure, and this is largely occurring through a variety of technologies that support identity-based usage policies.

Software-based mobile device management (SMDM) continues to be the go-to technology for securing a rising number of consumer-centric mobile devices within the enterprise. According to The Nemertes Research Group Inc., 46% of companies have deployed enterprise mobile device management (MDM), and 84% expect to do so by the end of 2014. Mobile device convergence trends suggest it's not a moment too soon: One-quarter (25%) of employees are expected to use tablets as a complementary device for work by the end of 2014, and a small (10%) but growing number of workers have already replaced their laptops with tablets within companies reporting this trend.

Vendors, naturally, are striving to differentiate MDM features in their products. Many now leverage native, container-based or even virtual desktop infrastructure (VDI) device management, and most -- if not all -- include many of the following technologies:

  • Mobile application management (MAM) or enterprise applications stores
  • Secure containers or workspaces for documents, apps and personal information management data
  • Secure document sharing (SDS) on-device, cloud services/partnerships or application programming interfaces (APIs) for integration with popular platforms, such as Microsoft SharePoint, Dropbox or Google Drive
  • WLAN integration or network-based MDM (NMDM) functionality
  • Advanced features such as geo-fencing, app-wrapping, certificate authority integration and email data loss/leakage prevention

Of these MDM features, mobile application management, which is used by 29% of companies today, is the most widely adopted and crucial. In the same way that consumer and app-centric devices are driving adoption of enterprise mobile device management technologies, companies' growing app development initiatives require management through MAM and enterprise app stores. MAM provides workers with a familiar app store interface for corporate apps. Licensing, distribution and updating policies are controlled by IT through a directory service, such as Active Directory or Apple Open Directory.

Secure document sharing is a similar, directory service-driven approach to document sharing and control. SDS for mobile devices differs from more controlled endpoints like laptops because mobile operating systems don't have much in the way of native, enterprise-friendly management options. In order to bring mobile on par with more traditional endpoints, MDM providers offer APIs for popular enterprise document sharing systems and email/app attachment controls. Most MDMs also have some combination of on-device secure document lockers, cloud SDS integration and VDI-enabled remote access to documents.


NMDM is also gaining steam; though only 11% of companies are using this technology today, enterprise adoption is growing, according to Nemertes Research. Much of the network-based MDM appeal for companies is due to its ability to identify key device metrics and apply policy through network management software using largely standard network protocols. Because most NMDM features aren't proprietary, it doesn't require new networking hardware or investment to function, either in tandem with a software-based MDM or as a standalone product. This allows security professionals to leverage functionality such as device fingerprinting, security posture reporting, mobile app QoS and app-level virtual private networks without requiring a client to first be installed on an endpoint. Essentially, NMDM gives security professionals the tools to block, redirect or prioritize network traffic generated on devices and their apps, and it's especially well-suited to BYOD environments.

How MDM evolution affects mobile security policy

Sifting through the ever-changing landscape of MDM features has proved to be difficult for even the most diligent IT security practitioners. However, in light of the availability of the features noted above, enterprises should address the following considerations while crafting or updating a mobile security policy:

  • Review the mobile provisioning policies you are supporting and to what extent BYOD is being used. The features noted above may allow using a larger variety of mobile applications or more flexible use cases to enhance employee productivity.
  • Similarly, evaluate your existing and near-future expectations for the mobile device (phone and tablet) population, as well as the default and security posture of these devices.
  • Track the number of employee-owned mobile devices within the organization that are known and/or managed by IT versus unknown to IT. Then:
  • Look to deploy NMDM where heavy BYOD use exists; for example, employees bringing in devices that require varying levels of access to email, calendaring and more sensitive corporate data. Make sure the policy accommodates and properly balances security with usability.
  • Policy should dictate that users are educated based on your security and compliance rules to either not bring BYOD devices into work or be sure to provision them using the MDM system's on-boarding process (usually via a specific URL or portal).
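As an added illustration that is not part of the article, the following Python sketch shows how the known-versus-unknown device tracking and the NMDM-style block/redirect/allow decision described above could be prototyped from WLAN association logs and an MDM enrollment inventory. The log format, the inventory, and the onboarding portal URL are constructed placeholders; real controllers and MDM products expose this data through their own formats and APIs.

```python
import re
from collections import Counter

# Constructed WLAN controller association lines (hypothetical format).
WLAN_LOG = """\
2013-06-03T08:01:12 assoc mac=aa:bb:cc:00:00:01 ssid=corp ua="iPad; iOS 6.1"
2013-06-03T08:02:40 assoc mac=aa:bb:cc:00:00:02 ssid=corp ua="Android 4.2"
2013-06-03T08:03:05 assoc mac=aa:bb:cc:00:00:03 ssid=corp ua="iPhone; iOS 6.1"
2013-06-03T08:05:19 assoc mac=aa:bb:cc:00:00:04 ssid=corp ua="Windows NT 6.1"
"""

# Constructed MDM enrollment inventory keyed by MAC: enrolled devices and
# whether they currently pass the posture check (passcode set, not jailbroken).
MDM_INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "employee", "posture_ok": True},
    "aa:bb:cc:00:00:03": {"owner": "employee", "posture_ok": False},
}

ONBOARDING_URL = "https://mdm.example.invalid/enroll"  # placeholder portal

LINE_RE = re.compile(
    r'assoc mac=(?P<mac>[0-9a-f:]{17}) ssid=(?P<ssid>\S+) ua="(?P<ua>[^"]*)"')

def fingerprint(ua):
    """Crude OS fingerprint from the user-agent string: mobile platform or other."""
    if "iOS" in ua or "iPad" in ua or "iPhone" in ua:
        return "ios"
    if "Android" in ua:
        return "android"
    return "other"

def decide(mac, ua, inventory):
    """Return the NMDM-style action for one associating device."""
    if fingerprint(ua) == "other":
        return "allow"  # laptops are covered by existing endpoint controls
    rec = inventory.get(mac)
    if rec is None:
        return f"redirect:{ONBOARDING_URL}"  # unknown mobile device: onboard it
    if not rec["posture_ok"]:
        return "restrict"  # enrolled but failing posture: basic email/calendar only
    return "allow"

def evaluate(log_text, inventory):
    """Parse association lines; return {mac: action} and managed/unmanaged counts."""
    actions, counts = {}, Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not association events
        mac, ua = m["mac"], m["ua"]
        actions[mac] = decide(mac, ua, inventory)
        if fingerprint(ua) != "other":
            counts["managed" if mac in inventory else "unmanaged"] += 1
    return actions, dict(counts)
```

The managed/unmanaged counts feed the "known versus unknown to IT" metric above, while the per-device action is what a network-based MDM would push to the WLAN controller or gateway.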

Finally, MDM (SMDM or NMDM), MAM and SDS should be the primary tools for ensuring mobile devices are secure. If all three aren't in place today, evaluate products using requests for information (RFIs), requests for proposals (RFPs) and pilots. Here are key questions to ask:

  • Are you deploying custom, in-house or externally developed apps? If so, evaluate MAM to block, prioritize and improve the security of public apps.
  • Review the SDS capabilities in place today: Are they sufficient for mobile devices, or do they lag behind SDS for desktops? Evaluate applicable cloud, on-device, integration and enterprise mobile device management products accordingly, with the goal of supporting a consistent policy that can be applied across all endpoints.

About the author:
Philip Clarke is a research analyst at The Nemertes Research Group Inc., where he is a co-leader of the wireless and mobility research track, advises clients on wireless topics, writes key trends and thought leadership reports, conducts statistical analysis and develops research reports.

This was last published in June 2013
