With the rise of mobile computing -- first via laptops, then smartphones and now tablets -- the IT landscape changed within the enterprise. No more was IT just about the local network, WANs and security for desktops and servers: it now had to incorporate mobile devices, spanning all manner of manufacturers, operating systems, and platforms and to do so without compromising security. The sheer volume of devices and the different software they run is a natural antithesis to network security. Yet, these devices are integral to the way business works today, and so the IT department must adapt.
Which is why Mobile Device Management (MDM) is a rapidly growing and evolving segment: as more and more mobile devices in all their forms find themselves integrated into the business network, the need to manage and secure them only increases. And thanks to the BYOD (bring your own device) phenomenon, it's not going out of fashion. If anything, it's more essential now than ever before. According to a study by Forrester, 37 per cent of employees are using devices on a business network before formal policies are instituted. The study is from 2011, so imagine what it's like today?
It doesn't help that most BYOD products -- aka the type your average consumer purchases -- weren't designed for the enterprise, further complicating matters. Hence MDM solutions have come to the fore, and there are plenty on offer.
MDM is the catchphrase du jour at the moment, but not without good reason. Mobile devices are a part of the workplace landscape and are inescapable, so it's up to IT to both incorporate these devices and manage them within the security of the network. This can be no easy task, depending on the size of the business. Good MDM software typically aims to:
- Control configuration settings on a mobile device
- Protect business data
- Distribute updates and patches
- Monitor and build reports
- Reduce support costs
- Minimise risk
- Support multiple architectures and platforms.
And, of course, providing secure access to the network, which is ultimately also where the greatest risk lies: a compromised device connecting to the network could give free rein to unscrupulous software or individuals. That's a fine line CSOs need to walk, providing business continuity through the ever-increasing role of mobile devices while protecting business data from the many and varied attack vectors mobile devices naturally provide.
The term ‘mobile’ also spans an increasingly large repertoire of devices: it's not just smartphones but also tablets, laptops, portable printers -- anything, really, that can connect to your network.
It gets complicated further by BYOD. While traditionally devices such as smartphones can be provided by the company -- in which case full control and ownership are assumed -- this trend is slowly dying. According to a recent study by Gartner, half of all employers will expect employees to bring their own devices by 2017, with 38 per cent of surveyed CIOs in the study stating subsidised devices will be phased out by 2016. Importantly, it also notes that the number of employees using mobile applications in the workplace will double by 2015.
All of which makes the CSO's job more important than ever. It's one thing to set policy and full control over a corporate sponsored device, but how much leeway do you have over personal devices?
Naturally there has to be some give and take, and for MDM software to work client devices must install software to interact with the MDM solution. If employees are to BYOD, they need to submit their device to be both controlled and monitored via client software to ensure it complies with security policy for the organisation. Any employees refusing to use the software need to have their devices locked out of the network. In a world where data can be shared in seconds and distributed half a world away via the internet, it's the only logical route to take.
Security Information and Event Management is yet another utility in the CSO's toolbox, with the goal of reporting real-time security alerts from network hardware and applications. Technically SIEM is an amalgamation of Security Event Management (SEM) and Security Information Management (SIM), with the former focusing on monitoring and notification of events and the latter on the long-term storage, reporting and analysis of this data. SIEM products can be found as both managed software services and hardware appliances.
Ideally an MDM solution should integrate with SIEM services to consolidate event reporting and management and to aid incident response, not to mention providing improved response to events through SIEM dashboards and making it easier to track policy compliance among the multitude of devices managed by MDM software.
Server and client
MDM solutions encompass a server component, which sends out management commands to mobile devices, and a client component, which runs on the device itself. Typically an MDM vendor provides both, but some products will work interchangeably with others.
Beyond the local network, OTA (over-the-air) programming capabilities are considered a central component, allowing devices to be managed and controlled even while out in the field by responding to specially crafted binary SMS messages. The versatility of an MDM solution should allow easy management of a single specific device, or a whole fleet of devices, through local and OTA commands. This provides for a device or a fleet of devices to be configured, updated, locked or wiped—even while out in the field—and thereby protects stored data. Lost or stolen devices are inevitable, so being able to remotely wipe a device is core to the MDM manifesto.
Just as there are a wide variety of devices, MDM software should be able to manage disparate telco service providers. Additionally, some MDM products are cloud-based and accessible via self-service portals. Typically these are good for companies overwhelmed by the rapid growth of BYOD products that prefer outsourced solutions, not to mention that they can save costs on dedicated server equipment.
By controlling and protecting data and settings for all mobile devices on a network, MDM software can not only help minimise risk but also help reduce support costs.
However, given the wide scope of devices mobile now encompasses, and that every business has different needs, trialling MDM solutions is a must. Beyond examining how it will integrate into your current service offerings, it's essential to see how well it runs with pilot users and their devices and laptops in the organisation. Additionally, this can help adoption of an MDM solution too—with the pilot users becoming advocates for adoption of MDM in the organisation once it's realised that having BYOD devices fall under the purview of the IT department isn't as bad as it might initially seem. This does depend, in part, however, on how seamless and painless the MDM solution makes enrolment and device management for users.
What to look for
What to look for when shopping for an MDM product is as varied as the companies and the mobile devices they encompass. Every business has different needs, different policies, and different budgets. However, we can distil the collective experience and wisdom of MDM solutions to provide a guide on what's important when considering a product, and the type of questions you should ask before you sign up with any one vendor.
Security: There are a range of standard features you would hope are included, but it's worth asking nonetheless. These include policy enforcement for both device and application configuration, remote wipe capability, being able to disable Bluetooth, restricting access to the phone's app-store equivalent, detection of rooted devices, server access policies based on user and device, and strong password enforcement. This is the bare minimum, but there's plenty more to look at, as we cover below.
Password management: The ability to monitor the quality of passwords used on remote devices: for example, throwing up warnings for weak passwords that could compromise a device's security, or preventing them being set in the first place. Weak passwords are an easily mitigated security risk. What level of granularity does the solution provide for password management? Does it work the same way across all supported platforms?
Application management: Being able to disallow access to a program on the device or remove it remotely on demand is essential, as is preventing a known list of bad applications from being installed. If you don't have control over what applications can run on the device that might access network data, then you have no control over where that data is going. Can you set access privileges on the applications your business uses? Does it support all the device platforms in use?
Self-service options: At the same time it's helpful to let users take care of their own needs, especially as it can save on support costs. How easy is it for them to set up a new device themselves to access the network? Or reset or change their passwords? Is there a portal or automated process they can use to manage their device?
Simple device enrolment: Complexity breeds non-compliance, so does the product make it simple for users to install the client software and agree to your usage policies? Can it install, set up, and configure in one go and with minimal interruption for the user?
Selective wipe: In the event of loss or theft you want a complete remote wipe, but the option for wiping only corporate data should be present too: this way, if an employee leaves the company or simply upgrades a device, it can be cleaned of business data without impacting their personal data. Naturally, this should also preserve a user's personal settings, favourite apps, and contacts.