Mitigating mobile information security risk with mobile device management (MDM)

The proliferation of mobile devices - company-owned and BYOD - is boosting corporate productivity. But it also presents a new management issue to IT, which needs straightforward ways to ensure these devices are appropriately and securely configured and to oversee compliance with usage policies. Enter mobile device management (MDM).

Multiple surveys show the widespread use of personal devices in corporate environments. In an August 2011 global survey, conducted for Dell KACE, 87% of respondents said employees were using their own devices for work purposes. It seems to be even more widespread in Australia - a January 2012 survey conducted for VMware found 93% of surveyed organisations know that employees are using their own devices. 51% of respondents (all executives) said they worked more efficiently when able to choose what web-based or customised software and apps they use at work.

The problem for IT is to provide appropriate governance (eg, taking steps to ensure that sensitive information isn’t stored on the device, that all corporate information can be wiped from the device if it is reported lost or stolen and that password complexity rules are applied).

Such steps need to be taken without unduly interfering with the user. If you want full control over devices, then buy them for your users - but don’t be surprised if they still opt to use personal devices for work purposes. On the other hand, if you’re paying the phone bill, it’s legitimate to ask a particular employee why they’re consuming more data on weekends than they are between Monday and Friday - to do that conveniently, you’ll need the right tools.

“You can’t actually control these devices… so it’s about governance. We call it the carrot and stick approach,” said Robertson Roe, managing director, Australia and New Zealand, AirWatch. For example, it isn’t possible to prevent an iOS device owner jailbreaking it, but if they do, mobile device management (MDM) software can respond, perhaps by remotely wiping all the corporate assets it contains.

“Most companies lack the people, processes and tools to manage the rapidly expanding number of mobile devices that require access to corporate information. Enterprises are struggling with smartphone and tablet (mobile endpoint) management, which results in increased security risk, growing usage costs and diminished IT control,” said Michael Disabato, research vice president, Gartner.

“The era of fully supporting a single-vendor, company-owned, enterprise-class device (eg, BlackBerry) is declining while the era of offering tiered support for multivendor, employee-owned, consumer-class devices (eg, iPhone and Android) is growing. Mobile device management solutions help enterprises manage smartphones and tablets by providing centralised, multivendor device management that results in lower risk and improved cost of ownership.” AirWatch and Good Technology are among the vendors that Gartner regards as leaders in MDM.

And according to Brian Duckering, senior manager, product marketing, Symantec: “when all the hype dies down, mobile devices are just another endpoint” that needs to be managed. The question then becomes “what are the policy settings and controls that are right for your company, industry and location?”

Provisioning

Setting up a device with the right set of applications, support files and settings can be a chore. The list can include: generally available apps that you want on your users’ devices (free and paid; the absence of volume licensing for Australian customers of Apple’s App Store will hopefully be remedied soon, in which case the ability to manage iOS licence codes will become important); apps that you don’t want them to use (eg, a mechanism for removing blacklisted apps, although that can be a contentious issue and there are other ways of maintaining the corporate/personal separation - see below); company-specific apps; security certificates (eg, for VPN access); settings such as forcing the use of a passcode; and configuring a corporate email account.

It will also help if the MDM software can operate on a self-service basis when an employee arrives with a new device. This will most likely require integration with Active Directory or another directory service so that the device receives the right configuration, based on the user’s identity or membership of particular groups.

Since BYOD extends to notebook computers, it may be worth looking for software that handles Windows and Mac OS X as well as iOS, Android and other mobile platforms.

Secure storage

There is particular (and perhaps excessive) concern about the risk of losing - or losing control of - sensitive data stored on mobile devices in the event they are stolen or mislaid or when the owner of the device leaves the company.

There are two basic approaches: either avoid storing data on the device in the first place or use encryption to make life difficult for the finder.

The first approach typically involves using web apps or virtualisation. The software runs on a remote server rather than on the device itself and only the results are displayed. If the device is lost, the information cannot be extracted from local storage. The downside is that such applications aren’t available if the device is offline (eg, when travelling by air).

“I have no concern about security,” said Peter James, food service division general manager at Craig Mostyn Group, even though his sales staff use unmanaged iPads. That’s because the ERP and CRM data remains on the server, so the issues are the same as they would be in a traditional environment.

Encryption can either be applied to individual files or to a ‘container’ holding the corporate apps and data on the device. The latter approach is used by Good Technology. “We are by far the largest player in our market,” said Jim Watson, vice president and corporate general manager APAC, Good Technology, with major Australian customers in the banking, mining, legal, professional services, and healthcare sectors. Good for Enterprise provides a native-like experience for calendars, contacts and so on, while allowing optional integration with the native equivalents.

With implementations for iOS, Android, Windows Phone and others, Good for Enterprise also provides provisioning (including support for self service), policy management by user or group, remote lock/wipe and more.

An advantage of being able to remotely wipe just the container is that “if you find the device… you’ve still got all your personal data,” said Watson. Good also offers third-party developers an API to containerise their apps in this way.

Mobile users are accustomed to the convenience of services such as Dropbox, so companies such as AirWatch have built secure equivalents into their MDM offerings. “We see people so worried about Dropbox,” said Roe, explaining that his company uses 256-bit AES encryption to protect the data on the device and SSL to protect it in transit. Documents can be downloaded automatically or on demand and may be time limited (eg, so a price list can only be seen during its period of validity). There’s also a mechanism to stop them being saved as normal files on the device.

Network access

There are two main aspects to network access for mobile devices. The first is ensuring that only ‘authorised’ devices can connect to the organisation’s network and other resources; the second is managing expenditure on carrier networks (for phone calls and data).

Connecting devices securely to corporate networks is a well defined process. The role of MDM software, in this regard, is to simplify and automate it as much as possible. An employee may be able to arrive at work with a new device and make an initial wireless connection that triggers an enrolment process (based on the user’s identity as verified through a password and possibly another authentication mechanism). The process would provision the device, as described above, and grant access to the relevant resources.

Managing the use of carrier networks is more about gaining immediate visibility of how and when the device is being used, especially if the organisation is picking up the bill. The data collected can be used to provide guidance to any employees that may be going beyond the realms of reasonable private use.

A related issue is internet filtering. While in-house use may be controlled at the firewall, there is sometimes a desire to control off-premises browsing on company sanctioned (though privately owned) devices.

AirWatch plans to add a ‘secure browser’ to its product which will enforce blacklists or whitelists, even when the device is not connected to a corporate network. This would be used in conjunction with the product’s ability to block the device’s standard browser.

Good Technology recently announced Good Mobile Access for Android, a secure mobile browser for access to behind-the-firewall applications (such as SharePoint) and other resources, without the need for a VPN. Cookies, caches and other browser data are encrypted within the Good container, on the device.

Duckering notes that Symantec’s software can restrict the use of certain apps to particular geographical areas without maintaining a record of where the device has been.

If you’re concerned with self-service provisioning, including secure network access but not detailed device management, Aruba Networks’ ClearPath provides an alternative to full-blown MDM products. “Our job is to get the device onto the network,” explained Mark Verbloot, director of systems engineering for Asia Pacific. The onboarding process can include checking that important operating system and application updates have been applied.

Break glass in event of emergency

If a mobile device is lost or stolen it can be useful to be able to locate it. MDM software may offer this capability by tracking the location of the device using its built-in GPS functionality (much like Apple’s Find My iPhone service but under corporate control), but it is appropriate (and in some situations mandatory) to obtain the individual’s consent.

GPS tracking is regarded as “a dangerous precedent” by most of Good’s customers, said Watson. However, there may be times when the ability to locate a device is necessary, so MDM often includes this capability. What’s needed is a set of procedures and safeguards to minimise the risk of misuse and thus show respect for employees’ expectations of privacy in the hope they will agree to tracking.

Whether or not location capability is available, it may be considered important, or even essential, to delete any corporate information and apps as quickly as possible. Given that the provisioning and data management aspects of an MDM product should make it quick and easy to restore this material to a found or replacement device, it is hard to argue against prompt remote wiping. However, it does require network access to the device, so this is not an excuse for failing to encrypt sensitive information.

That leaves the question of whether user data should be wiped at the same time, as MDM software can provide a complete remote wipe (aka device reset) without requiring the user’s explicit permission. Again, it is up to the IT organisation to put the right processes in motion. Put yourself into the shoes of a user who has just captured a once in a lifetime video clip and then loses their smartphone before backing it up. You probably wouldn’t want your personal files wiped along with the corporate data unless you were sure the device was gone forever. Possibilities include various combinations of self-service remote wipe, building consent into the acceptable use policy for personal devices, and allowing first-level support staff to wipe corporate data, while requiring escalation for a complete wipe.

Monitoring

Location tracking may be a delicate issue, but it is easy to justify usage monitoring when the organisation is picking up the phone bill. MDM software may be able to track and report on voice and data usage, disable international roaming (even if it can’t stop the user turning it back on), check the MDM agent on the device is still running and generally indicate that settings and usage remains in compliance with policy.

Cloud or on premises?

Cloud implementations of MDM are particularly convenient for smaller organisations with relatively unsophisticated IT. There’s no need to install and manage software, just pay each month for the number of devices your people are currently using. For example, AirWatch charges $3.50 per device per month and it has servers in Australia, taking care of data sovereignty issues.

According to Phil Offer, director, mobility and convergence at Optus Business, organisations have been waiting for a carrier to provide a MDM service and the latest update to Optus Mobile Device Management will provide comprehensive cover for company and employee-owned devices. The service is a rebranding of an unspecified vendor’s product - customers wanted to deal directly with Optus, he said. Optus MDM is offered on a 24-month contract in batches of 25 device licences. Offer said the service was relevant to “any organisation with a large smartphone fleet.”

Organisations that already use a systems management tool may prefer an MDM product that fits into that framework. Duckering said Symantec’s recent acquisition of Odyssey Software had given it a mechanism to provide MDM to users of Microsoft System Center Configuration Manager, along with support for Android and Windows Phone 7, in addition to iOS.

Similarly, McAfee Enterprise Mobility Management supports iOS, Android, Windows Phone 7 and BlackBerry devices and integrates with McAfee ePolicy Orchestrator and other corporate IT services. Likewise, Kaseya’s Mobile Device Management (for iOS, Android, BlackBerry and others) integrates with the rest of the Kaseya IT Automation Framework so mobile devices, desktops and servers can all be managed from one place.

An anonymous example

An Australian professional body found it was issuing board members with as many as 500 pages of papers prior to meetings, which was particularly inconvenient when travelling. Delivering the material via tablet was an attractive alternative, but the nature of some of the material meant the organisation wanted a mechanism to remotely lock or wipe lost or stolen tablets. Another consideration was the desire to easily provision tablets for different groups of users, explained the organisation’s business solutions manager. (Corporate policy prevented him from identifying his organisation.)

At that time, there were just a few vendors in the MDM space and it found AirWatch was the only one prepared to make its people available during Australian business hours (the company now has an Australian presence). In addition to meeting the needs set out above, AirWatch also provides the ability to manage devices in terms of unacceptable apps, excessive data use and overseas roaming for data.