IT administrators are being asked to come up with ways to permit mobile devices onto the corporate network in a secure fashion (via MDM Solution or other technology) . This subject touches a few technology areas such as access control, secure wireless, data protection and secure management of mobile devices however the focus for this piece will be mobile device management. Members of my team have tested the MDM leaders such as Mobile Iron, Airwatch, Zenprise, Good Technology, McAfee, Symantec, etc. and summed up the following as things to consider when evaluating a Mobile Device Management solution.
The first thing to consider is your desired MDM Solution Policy. Typically there are three scenarios to address:
1) GUESTS / PERSONAL DEVICES – Devices coming on the network as guests that you don’t manage or access internal data
2) CONTRACTORS / PERSONAL DEVICES ON NETWORK- Devices coming on network with partial access to corporate data
3) EMPLOYEES / CORPORATE DEVICES - Devices with full network access and managed by corporate.
The target of most MDM solution requirements is addressing items 2 and 3 while item 1 is typically covered by an access control technology. The two common approaches taken by MDM vendors are a sandbox or endpoint management offering. Sandbox or secure container technologies provide the most security by protecting corporate data within a sandbox application. Policies for encryption, data loss prevention and limiting data access can be controlled through MDM issued access methods rather than what is offered by the device manufactures. Most mobile device offerings give power to users (all but blackberry) however sandbox technology protects the data regardless of rights provided to users. The main con against the sandbox approach is not utilizing native device applications such as built in email, which tends to impact user acceptance. Good Technologies is an example of a sandbox based MDM solution.
MDM solutions that offer an endpoint management approach support specific vendors (Apple iOS, Android, etc) and compliment existing native applications. Application management MDM solutions leverage an agent on mobile devices to control applications as well as issue commands such as remotely wiping sensitive data. Its hard to say application management MDM solutions address a specific threat category however risk is dramatically reduced by using them to remove hacked / jail-broken devices, permitting approved applications and managing native security options such as passwords and data removal. Application management MDM solutions tend to be more suited for “Bring your own device” requirements while sandboxed MDM solutions favor corporate issued mobile devices.
Other factors to consider are provisioning mobile devices and proper control of data access. Consider the activation and enrollment options for the three use cases listed above (Guests, Contractors and Employees). Can employees register personal devices for access via a GUI or will it require an administrator? How well does the MDM solution assign and manage corporate controlled devices? What are the maintenance options regarding standardizing and upgrading mobile device software for corporate managed assets? Can the MDM solution provide reports listing all applications on mobile devices accessing the network? A strong MDM solution should handle all of these, which specific data access is controlled based on how users authenticate via local authentication or advance access control solutions.
The final thing to consider is MDM security features which usually are common across the leading vendors. Top features include verifying device configuration policies such as checking for hacks or jailbreaks. Policies should be flexible depending on if devices are corporate or personal. Mobile device applications should be verified and controlled to avoid vulnerable software such as a game with backdoor malicious intent. Remote wipe capabilities should be available and focus only on corporate data (IE do not wipe personal email, contacts, etc. without the end-users’ permission). Data protection such as password enforcement should be enabled through a centralized platform. All of these features should be displayed in a report so leadership can verify the security status of mobile devices accessing corporate data.
Every MDM vendor has their own way to accomplish its features so it’s a good idea to develop your policy and match it to MDM solution rather than an open comparison between products. Hopefully this gives you some points to consider for your MDM evaluation. Also note subjects like access control, two-factor authentication, secure wireless and other technologies should be considered for a complete solution.
