barefoot cybersecurity

security… mobility… cloud… technology… whatever…



Mobile Device Management 101

Like it or not, smartphones and tablets are all over our enterprise networks. Users now expect to be able to carry around their mobile devices and have instant access to their corporate email account and documents. As business leaders we mostly embrace this change and welcome mobility into the work environment. We want to empower our users to work from anywhere and increase productivity levels using technology they enjoy carrying. However, those of us with at least one foot in the security department understand the greater risks of letting users loose to roam the globe carrying the company’s most sensitive information on the world’s most steal-able devices.

BYOD

There was a time when only remote users and exec-level employees would be issued with a company-owned device. But when a technically savvy general population was able to buy their own smartphones, and Apple devices started to make their way into the boardroom, we saw the introduction of BYOD: Bring Your Own Device. The move towards mobile working for all is here.

MDM

BlackBerry brought mobile email to the mass business market, so we installed enterprise servers to enforce some security and improve the user experience (who needs to know how to configure an IMAP server on a phone anyhow?). The landscape has changed, and most businesses trying to manage devices from Apple, Samsung, BlackBerry and Nokia, to name a few, will struggle without some kind of enterprise software solution to roll out configurations and enforce security.

This is the primary function of a Mobile Device Management (MDM) solution: managing which devices belong to each user and applying configuration policies based on various criteria, for instance whether the device is owned by the company or the employee, what its operating system is, and the confidentiality level of the information the user is accessing. These policies are enforced with rules that specify the consequences of being out of policy, including blocking further email to the device or sending SMS and email notifications to the user and IT administrators informing them of policy violations.

Furthermore, leading MDM solutions understand the source of the data residing on each device, and therefore which data belongs to the user personally and which belongs to the business. This is extremely useful when an employee leaves the business, to ensure that not only is their access to corporate resources revoked but the company’s data residing on their device is wiped whilst preserving the user’s personal email, docs, photos and music. This is known as a selective wipe of the device, which may be done in preference to an entire wipe of all data if, for instance, a device was permanently lost.
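The rule model described above (criteria select a policy, the policy decides the consequence) can be sketched as follows. This is an added example, not code from any MDM product; the field names, rule table, action names and fleet records are all constructed for illustration.

```python
"""Toy MDM compliance check: criteria -> required controls -> consequences."""

# Constructed policy: (criteria a device record must match, controls it adds).
RULES = [
    ({}, {"passcode"}),                                  # every enrolled device
    ({"owner": "company"}, {"encryption"}),
    ({"os": "android"}, {"encryption"}),
    ({"data_level": "confidential"}, {"encryption", "not_jailbroken"}),
]

def required_controls(device):
    """Union of the controls from every rule whose criteria all match."""
    required = set()
    for criteria, controls in RULES:
        if all(device.get(k) == v for k, v in criteria.items()):
            required |= controls
    return required

def evaluate(device):
    """Return the actions the server would take for one device record."""
    if device.get("lost"):
        return ["block_email", "full_wipe", "notify_admin"]
    if device.get("user_left"):
        # Corporate data only: personal mail, photos and music stay.
        return ["block_email", "selective_wipe", "notify_admin"]
    missing = required_controls(device) - set(device.get("controls", ()))
    if not missing:
        return []
    actions = ["notify_user", "notify_admin"]
    if device.get("data_level") == "confidential":
        actions.insert(0, "block_email")   # cut off mail until compliant
    return actions

# Constructed inventory records.
FLEET = [
    {"user": "alice", "owner": "employee", "os": "ios",
     "data_level": "internal", "controls": {"passcode"}},
    {"user": "bob", "owner": "company", "os": "android",
     "data_level": "confidential", "controls": {"passcode"}},
    {"user": "carol", "owner": "employee", "os": "ios",
     "data_level": "internal", "controls": {"passcode"}, "user_left": True},
]

if __name__ == "__main__":
    for record in FLEET:
        print(record["user"], evaluate(record))
```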

Basic security

According to BackgroundCheck.com, $2.7 billion worth of smartphones were lost in 2011. It’s fair to say that the majority of those phones did not have even the most basic of security measures applied, a simple PIN code to protect privacy. Businesses today invest money and effort enforcing data leakage controls on their networks to protect company information so it stands to reason that if a user is to read their corporate email on their phone, a security policy should be applied. Of course you could just tell a user to please enable a PIN and encryption but it would be impossible to police against users turning it off because of the inconvenience. MDM enforces these policies and has the capability to wipe all the corporate data if users do not comply.

WiFi/Email/VPN Settings

Imagine the time and effort involved in supporting every new user on multiple different mobile operating systems to configure their Exchange email account, connect to the WiFi and configure the VPN. With MDM, these configuration settings can be distributed over-the-air to each new user that is registered on the MDM server.
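On Apple devices, settings pushed this way take the form of a configuration profile, a property list of payloads. The sketch below is an added example, not from the original post or any vendor: it builds a profile carrying a passcode policy and a WiFi payload, then audits it. The `com.example.mdm.*` identifiers, the SSID, the pre-shared key and the baseline thresholds are constructed assumptions.

```python
import plistlib
import uuid

def payload(ptype, ident, **settings):
    """Keys every payload dictionary carries, plus its own settings."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), **settings}

def build_profile(ssid, psk, wifi_encryption="WPA", min_length=6):
    """Serialise a passcode policy and a WiFi network into one profile."""
    passcode = payload("com.apple.mobiledevice.passwordpolicy",
                       "com.example.mdm.passcode",
                       forcePIN=True, allowSimple=False, minLength=min_length,
                       maxInactivity=5, maxFailedAttempts=10)
    # The PSK is stored in the profile, so it must only travel over the
    # authenticated MDM channel, never as an email attachment.
    wifi = payload("com.apple.wifi.managed", "com.example.mdm.wifi",
                   SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                   EncryptionType=wifi_encryption, Password=psk)
    profile = payload("Configuration", "com.example.mdm.baseline",
                      PayloadDisplayName="Corporate baseline",
                      PayloadContent=[passcode, wifi])
    return plistlib.dumps(profile)

def audit_profile(data):
    """Return findings for settings weaker than the constructed baseline."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p["PayloadType"] == "com.apple.mobiledevice.passwordpolicy":
            if not p.get("forcePIN"):
                findings.append("passcode not enforced")
            if p.get("minLength", 0) < 6:
                findings.append("passcode shorter than 6")
        elif p["PayloadType"] == "com.apple.wifi.managed":
            if p.get("EncryptionType") in ("None", "WEP", "Any"):
                findings.append(f"weak Wi-Fi encryption for {p['SSID_STR']}")
    return findings

if __name__ == "__main__":
    good = build_profile("CorpWiFi", "PLACEHOLDER-PSK")
    weak = build_profile("CorpWiFi", "PLACEHOLDER-PSK", "WEP", min_length=4)
    print(audit_profile(good), audit_profile(weak))
```

Running the audit before a profile is published catches a weak setting before it reaches every enrolled device.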

Application Control

Another key benefit of MDM is the integrated ability to manage mobile apps for business users. Businesses typically want the ability to securely manage which mobile applications are installed on their devices. Administrators select which applications are required, allowed or disallowed. The company’s preferred CRM and VoIP app may be recommended to all users, whilst it is difficult to think of a good reason why Angry Birds should be installed on a company-owned iPad!

Document Control

Then there is the Dropbox problem. Unless users are provided with legitimate methods to carry around the documents they require, they will inevitably find an alternative way. Dropbox and Gmail give users exactly that opportunity, which is why leading MDM solutions provide access to, storage and viewing of documents from email and SharePoint, and enable the business to protect these documents from unauthorised distribution.

…and the rest

Of course, MDM can deliver much more. Depending on the solution used, you may disable certain features like the camera or Bluetooth on company-owned devices, ensure that devices only connect to WiFi networks with adequate security, and locate devices on a map if lost. Often there are cost control features to warn of or prevent excessive usage and roaming charges. The detection of jailbroken or rooted devices, which are more susceptible to malware, is another important feature.

In all of this, it is key to remember to work with a vendor that can support all your operating systems and preserve the user experience. One thing is for sure, today’s users are as smart as their devices and if their user experience is spoilt by a poor implementation of MDM, they will look for a way to bypass it.



MDM: MobileIron Vs Good Technology

Most of us working in Information Security understand today’s requirement to secure our users’ mobile devices. Why would any enterprise allow its most valuable asset (its confidential corporate data) to reside on the most stealable devices (tablets, smartphones) without enabling at least the basic security like PIN enforcement, encryption and the ability to locate and wipe if necessary? Sounds obvious, right?

I’ve been working with MobileIron for Mobile Device Management (MDM) solutions over the last year or so to implement (mostly) enterprise “bring your own device” (BYOD) strategies.

I was recently given a demonstration of the Good Technology MDM product at the ITWeb Security Summit. Importantly, there is a major difference in the way it works in comparison to MobileIron. Good Technology requires that usage of protected information (mail, docs etc) is done from within their mobile app. This means to read your corporate email, rather than going to your native email application on your device, you have to launch the Good App and work within it. From what I see, their claim is that this provides a sandboxed container to secure all the protected information and enable easier management for wiping etc.

MobileIron has a mobile app which manages the connection to the server. When a device registers with the server, a profile is installed which manages security. This means that users use their native OS apps. People tend to buy an iPhone because they like using iOS and Apple devices. The same is usually true of users of other devices. My view is it’s important if people are to be encouraged to “bring your own device” that they are empowered to maintain that native user experience. Otherwise they start looking for ways to avoid using the app by putting docs in Dropbox or forwarding to Gmail.

If you’re looking for some validation of this, just look at the reviews on the Apple AppStore:

http://itunes.apple.com/gb/app/good-for-enterprise/id333202351?mt=8

http://itunes.apple.com/gb/app/mobileiron-myphone-work-client/id320659794?mt=8

Strange also that Good Technology does not support RIM BlackBerry. I know it’s dying but surely the user base is large enough?

The 2012 Gartner Magic Quadrant for Mobile Device Management Software can be viewed here.