MDM is dead.
Note: This commentary is not connected with a Yankee Group report of the same name. The naming was a coincidence.
This is not really news; if you've listened to vendors and experts in the space for at least the last year, they've all come to the conclusion that mobile device management, as we have come to understand it, has become at best commoditized. At worst, it's a problem, an impediment to the whole point of mobility in business computing.
A session I attended here at Interop New York brought out much of this reasoning. In a sense this is not surprising, as it had a panel of mobile security vendors, but the arguments are hard to dispute. The session was on enterprise mobility management (EMM). Think of EMM as the new MDM.
MDM has its origins in the BlackBerry Enterprise Server (BES), the feature that gave BlackBerry such a great reputation for secure mobile computing. After the iPhone came along and blew up the BlackBerry's business model, Apple implemented a set of MDM APIs fairly analogous to those in BES. The fact that this feature set is the full extent of what you can do on iOS has made for instant maturity of the MDM space: there are scores of companies selling MDM and--at least for iOS devices--they all offer the same features because that's all Apple will let them do. Instant commoditization.
MDM is about locking down devices, preventing users from performing certain tasks they might want to do on their phones and tablets. From a security standpoint this is a perfectly reasonable thing to do, but users don't like it. Incredibly, what users like and don't like matters these days. And in a BYOD environment, restricting what users can do and threatening to wipe their devices is a recipe for bad will.
The members of the panel generally argued that the right way to look at security solutions is in the context of the organization's security problems. The problems aren't all device problems; in fact, arguably none of them are device problems. What you want to secure is the organization's data and, by way of that, the apps.
Numerous categories of mobile security products have emerged to address the problems that really do exist in organizations. The number of approaches is, in fact, far too great and the industry is in dire need of consolidation so that buyers have fewer choices to make, but that's another column. The panel moderator, Chris Hazelton, research director at 451 Research, referred to all of them under the umbrella term EMM.
The first main category to emerge in the post-MDM era is mobile application management (MAM). There are many companies in this business, including Apperian, represented on the panel, and all the other major vendors including Zenprise, MobileIron and, with their purchase of AppCenter, Good Technology. The idea is to wrap the app in a security layer that restricts its abilities, subject to policy. This approach can be done at the source-code level, which both Apperian and Good do, or as an outside code wrapper applied to application binaries, which everyone is doing.
Cimarron Buser, VP of at Apperian, points out that different companies have different approaches: "BYOD is important, but so is COPE - corporate owned, personally enabled. Businesses realize that it's positive for users to feel they can put their own content on their phone; it means that the user will be more engaged with the corporate apps as well." Apperian's offerings are flexible, with an enterprise app store that attracts users and improves the ability of IT to secure, distribute and manage apps, no matter who owns the device. Their wrapping technology then lets IT control what the apps can do.
Purnima Padmanabhan, chief operating officer of MokaFive, focused on protecting the company's intellectual property. To do that, MokaFive creates secure "containers" for the data and applications that operate on it. Secure the container and it doesn't matter what device it runs on. They all can be managed up to and including wiping the containers.
Neil Cohen, VP of marketing at Visage Mobile, says you should manage users, not devices. A user might have many devices, but wherever he goes, if he is managed then the system is secure. The device need not be.
Finally, Dimitri Sirota, chief strategy and marketing at Layer 7 Technologies, said that his company functions as a Mobile Backend as a Service, or MBaaS. This is a middleware approach that typically provides authentication services, native notifications to the user, search functionality across stored data, MAM, and maybe even development facilities.
Each of these approaches is worth many full stories, so I won't attempt to explain them further here, but the main point of it all is that mobile security is growing up. To do so, it needs to put MDM behind it and look for ways to empower users, not restrict them.