Solutions if Mobile Device Management Fails
Until relatively recently, mobile device management (MDM) looked likely to become the de facto means by which organizations would stop data stored on employees' smartphones and tablets from ending up in the wrong hands. Indeed, a little over a year ago Gartner forecast that nearly two-thirds (65%) of enterprises would have adopted MDM by the end of 2017.
Six months later, however, an analyst from the same firm told its 2013 Security and Risk Management Summit that the market was "going to die." According to CRN, John Girard spoke at length about how MDM was in chaos and how vendors that are sharp "know the end is in sight".
So what changed? Even if you account for the fact Girard was being deliberately provocative, it's hard to dismiss some of his points. While MDM might have seemed a valid solution to the problems posed by bring-your-own-device when the trend kicked off, it's increasingly clear it's not a quick fix – and might even be more trouble than it's worth.
The limitations of MDM. For the uninitiated, MDM refers to the techniques an organization uses to manage smartphones and tablets the same way it manages laptops and desktops. Even those without much technical knowledge should appreciate that BYOD has made this something of a stretch: for many reasons, it's harder to control employee-owned devices than corporate ones.
Here are some of the most common issues that lead to MDM solutions failing:
- Variety of platforms. It's relatively easy for the enterprise to manage corporate laptops and desktops running Windows. Not so with the workforce's smartphones: organizations have to contend with iOS, Android, Windows Phone and more. Android in particular poses problems because it's so fragmented, with a large proportion of users still running three-year-old releases.
- Advancing technology. Back when MDM arrived on the scene, most smartphones used for business were BlackBerry handsets. Users expected a relatively humble set of features, like the ability to send email and make phone calls. Today, the enterprise mobility landscape is unrecognizable: not only do device owners expect to run a wide variety of third-party, potentially harmful apps, they transmit near-endless streams of data through them. Gartner recently predicted that by 2017, smartphone users will send personal data to more than 100 apps and services per day, a nightmare for any IT department to manage.
- Limited security controls. The public app development APIs for mobile operating systems like iOS and Android rarely expose the kind of low-level control MDM requires, and there's no other route for an engineer's code onto these devices. As Girard said: "I can't really whitelist or blacklist apps or have remote control or permission to wipe your device, and I can't tell you where to take your device because of BYOD."
- Resistance from end users. Finally, implementing MDM is a struggle because, typically, employees don't want IT poking around on the devices they own and use for leisure. Similarly, not many people are likely to report a lost smartphone to their boss if the employer's response is to wipe it remotely, deleting personal data along with business assets.
Employee-owned devices – to block or not to block? To summarise, then, BYOD has made old-school MDM prohibitively difficult. A consumer-driven smartphone market has produced an array of competing platforms, with security taking a back seat to profitable app ecosystems. This makes for a massive IT overhead, even before end users have been educated about the risk of a data breach.
So how else can organizations cope with BYOD? For some, blocking employee-owned devices entirely might seem like an attractive solution. This could actually pose a bigger risk, though, as it invites so-called “shadow IT” setups – situations where the workforce uses technology in unsanctioned, un-vetted ways.
A better alternative is to secure the data, not the device. Instead of trying to manage employee-owned devices themselves, organizations need to consider putting their data first – delivering sensitive information to unsecured smartphones and tablets, but in a controlled way that minimizes the risk of loss or theft. This could be done using a single app, so long as the following steps are taken:
- Secure the connection between device and server, so data in transit is encrypted and authenticated and can't be read or tampered with if it is intercepted.
- Use strong authentication, preferably two-factor, because it's all too easy for an employee to lose a smartphone or share a PIN with someone else.
- Block leakage vectors so your data stays inside the secure environment. This means both blocking suspicious network traffic and disabling user-interface functions such as screenshots (and, for the same reason, copy-and-paste into other apps).
- Use policy-based access controls so data is delivered in a form suited to the device. For example, you might want to encrypt a file for extra security if it's opened on a smartphone or tablet.
- Encrypt sensitive data at source, so it is protected from the moment it leaves the server rather than only while it crosses the network. It should stay encrypted at rest on the device and be decrypted only inside the sanctioned app, for as long as it is actually being used.
- Convert files to read-only versions if it's too risky to hand out the original. You can also watermark these copies per recipient, so that if one is leaked, the breach can be traced back to the party it was delivered to.
- Log everything, which satisfies compliance auditors and gives security staff early warning of suspicious behavior.
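As an added example (illustrative code written for this article, not the product or method of any vendor mentioned in it), the Go program below sketches a server-side gateway that applies the steps above to a single document request: a policy decision based on the sensitivity label and the device's reported posture, a per-recipient watermark on a read-only copy, AES-256-GCM encryption bound to the recipient's identity, and an audit line per request. Everything specific in it is assumed: the minimum OS versions, the sensitivity labels, the device and document data, and the key handling (a content key already shared with the container app over the authenticated session, and a watermark key held only on the server). Transport security and key distribution are left to the TLS session and are not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeviceContext is what the server knows about the requester; constructed here, a real gateway fills it from the session.
type DeviceContext struct {
	User, Platform       string // platform is "ios" or "android"
	OSMajor              int    // major OS version reported by the app
	MFAPassed, Container bool   // second factor done; request came from the sanctioned app, not a browser
}

// Delivery is the policy decision for one request.
type Delivery struct {
	Allow, Encrypt, ReadOnlyCopy bool // ReadOnlyCopy also carries a per-recipient watermark
	Reason                       string
}

// Gateway is the single server-side choke point. ContentKey is shared with the recipient's app; MarkKey never leaves the server.
type Gateway struct {
	ContentKey, MarkKey []byte   // 32 bytes each: AES-256 and HMAC-SHA256 (assumed, distribution out of scope)
	Audit               []string // one line per request, for auditors and early warning
}

var minOSMajor = map[string]int{"ios": 12, "android": 10} // illustrative floors; the real numbers are a policy choice

// Evaluate turns the label ("public", "internal", "confidential") plus device posture into a decision; unknown labels fail closed as confidential.
func Evaluate(sensitivity string, ctx DeviceContext) Delivery {
	floor, known := minOSMajor[ctx.Platform]
	switch {
	case !ctx.Container:
		return Delivery{Reason: "request did not come from the managed app"}
	case !known || ctx.OSMajor < floor:
		return Delivery{Reason: fmt.Sprintf("unsupported platform %s %d", ctx.Platform, ctx.OSMajor)}
	case sensitivity == "public":
		return Delivery{Allow: true, Reason: "public data"}
	case !ctx.MFAPassed:
		return Delivery{Reason: "second factor required for " + sensitivity + " data"}
	}
	// A phone never gets the editable original of anything above internal.
	return Delivery{Allow: true, Encrypt: true, ReadOnlyCopy: sensitivity != "internal", Reason: sensitivity + " data, MFA ok"}
}

func aad(user, docID string) []byte { return []byte(user + "\x00" + docID) } // binds watermark and ciphertext to recipient and document

// WatermarkTag is stamped on the copy; to trace a leak, recompute it for each candidate recipient and compare.
func (g *Gateway) WatermarkTag(user, docID string) string {
	m := hmac.New(sha256.New, g.MarkKey)
	m.Write(aad(user, docID))
	return fmt.Sprintf("%x", m.Sum(nil)[:8])
}

// Deliver applies the decision to one document and returns nonce || ciphertext || tag (or plaintext for public data).
// With recipient and document as associated data, a blob lifted from one device will not open under another identity.
func (g *Gateway) Deliver(docID, sensitivity string, original []byte, ctx DeviceContext) ([]byte, Delivery, error) {
	dec := Evaluate(sensitivity, ctx)
	g.Audit = append(g.Audit, fmt.Sprintf("user=%s doc=%s device=%s/%d allow=%t reason=%q", ctx.User, docID, ctx.Platform, ctx.OSMajor, dec.Allow, dec.Reason))
	if !dec.Allow {
		return nil, dec, fmt.Errorf("denied: %s", dec.Reason)
	}
	body := append([]byte(nil), original...) // work on a copy, never the stored original
	if dec.ReadOnlyCopy {
		body = append([]byte("[read-only copy, watermark "+g.WatermarkTag(ctx.User, docID)+"]\n"), body...)
	}
	if !dec.Encrypt {
		return body, dec, nil
	}
	gcm := aead(g.ContentKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, dec, err
	}
	return gcm.Seal(nonce, nonce, body, aad(ctx.User, docID)), dec, nil
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a configuration bug, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return gcm
}

// Open is the container app's side: the plaintext exists only in the app's own memory while it is viewed.
func Open(key, blob []byte, user, docID string) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad(user, docID))
}

func main() {
	g := &Gateway{ContentKey: make([]byte, 32), MarkKey: make([]byte, 32)} // zero keys: demo only
	blob, dec, err := g.Deliver("q3-forecast", "confidential", []byte("revenue figures"), DeviceContext{User: "alice", Platform: "ios", OSMajor: 13, MFAPassed: true, Container: true})
	_, replay := Open(g.ContentKey, blob, "mallory", "q3-forecast")
	fmt.Printf("%+v err=%v\nreplay under another identity: %v\n%v\n", dec, err, replay, g.Audit)
}
```

Binding recipient and document ID into the AEAD's associated data is what turns "encrypt at source" into a control rather than a checkbox: a ciphertext copied off one phone and submitted from another identity fails authentication instead of decrypting, and a leaked plaintext still carries a tag the server can recompute for each candidate recipient. The gateway fails closed on unknown labels, unsupported platforms and requests that do not come from the sanctioned app, and every decision, allowed or denied, lands in the audit trail.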