MDM: Part of the mobile security solution?

MDM works best when you own the device. When you provision it. When you can wipe the entire device.

The good news for enterprises: Mobile devices are packed with power. A new iPhone is 100 times lighter, 100 times faster, and 10 times less expensive than the luggable notebooks of the early 1980s.

What's good news for enterprises is also bad news for CISOs. Mobile devices can store substantial quantities of data, the applications are powerful, and their network speeds are forever increasing. And, oh yeah, users are bringing their own devices, downloading their own apps, surfing the Web from whatever connections they choose--all with little to no direct control by the enterprise.


To help make mobile devices more manageable, enterprises are increasingly turning to mobile device management (MDM) applications and services. And MDM can help with security issues - but how much? Experts say this tool can absolutely reduce mobile risk. But they also say relying on an MDM-only mobile security program is like sitting on a one-legged stool.

Mobile Mania

According to Forrester Research, there are more than 40 vendors in the MDM market, offering software with core features such as configuration management, troubleshooting and support, inventory, remote control and reporting capabilities. The market is growing: Research firm IDC pegged the MDM market at about $265 million in 2009, growing at more than 9 percent annually. The firm expects that growth rate to rise to more than 10 percent next year.

These applications reduce risk by being able to detect and remotely wipe data, and by enforcing password and encryption policies.

"It makes sense to move to MDM and enforce security policies in a more automated way," says Pete Lindstrom, research director at Spire Security.

"With mobile device sprawl, and the value of the applications and data on the devices increasing, more enterprises are going to want to manage the configuration of the devices, what the devices are and where they're being used--many of the things one would expect in traditional asset-management capabilities," he says.

However, while traditional asset-management applications did create some level of security and control over notebooks and telecommuters' systems, they fell well short of managing everything necessary to keep those systems and data secure. MDM will be no different.

Dig Deeper Than Just the Device

"You can't just focus on the device and expect to have a high level of security," says Rafal Los, chief security evangelist at HP Software Worldwide.

"You have to look at the system holistically. That includes the infrastructure, the applications, how data is accessed and used," argues Los. "That includes looking at not only the inherent security of the applications on the device, but also the application servers and databases they connect to."

Application security has been a plague since before the Web, whether the application resides on a server, desktop, notebook, website or mobile device. And it's a crucial area where MDM tools don't play much of a role beyond pushing patches out to at-risk devices. Consider the privacy flaw in Skype for Android that was discovered last spring: Skype's instant messages were not stored securely, so a malicious app or anyone with access to the device could view the messages' contents. That incident wasn't isolated, and many other mobile app vulnerabilities--including a weakness in a Citibank mobile application--have been identified since.

BYOD Changes Everything

"Mobile security is more about the data and the application than it is about the device itself. This is especially true now with the bring-your-own-device [BYOD] trend," says Lindstrom.

Brian Katz, director of mobility at global healthcare company Sanofi, agrees. "When you look at today's mobile device management applications, they were built in the shadow of, 'This is how we do IT today.' They look at device management the same way that enterprises have controlled laptops and desktops for years," says Katz.

"That means MDM works best when you own the device. When you provision it. When you can wipe the entire device. When you can decide what you want to do with it. But with BYOD, none of that applies," he says. "You don't own the device, so you can't dictate everything that is done on the device."

Because the enterprise doesn't own the device, it's more dependent on policy--and on trusting that employees will handle the phone or tablet with care. "But that's extremely hard with small devices, even corporate-owned devices," says Lindstrom. "Enterprises anticipate (and tolerate) that there will be more personal use on these devices, as they're expected to be with the employee at all times."

BYOD also brings up another issue: privacy.

"You have to think about MDM in terms of legality. For example, a lot of MDMs provide the ability for operations teams and IT employees to track the coordinates of the phone. In some countries there are privacy laws that forbid that. The corporation may not be allowed to track you. You have to look at whether that needs to be turned on or turned off by default, and how you're handling that to make sure that you don't break privacy laws there," Katz says.


To handle those privacy concerns, and so they can focus more closely on corporate-owned applications and data, more enterprises are turning to mobile app management (MAM), which enables organizations to manage specific applications and data without having to worry about the entire device or an employee's personal data. "This approach makes it much easier to manage BYOD in an organization because you have the same features in MAM that you have in MDM, but you're approaching it on an app-by-app basis," says Katz.

That ability makes it more straightforward to wipe only enterprise-owned and -managed data and set password requirements that affect only the enterprise apps. That's why he thinks the industry will move away from MDM and toward MAM, "which will help move the security focus from the device to the data and the applications--where it belongs," says Katz.

Stories by George V. Hulme