BYOD Requires Mobile Device Management 2

The proliferation of smartphones and tablets is putting mobile security squarely on IT's radar: 70% of the 1,084 respondents to our InformationWeek Analytics 2011 Strategic Security Survey say these devices pose some level of threat to their companies' security right now. An additional 20% foresee problems down the road. A lucky few are still able to maintain the "corporate liable" mobility model, where the company buys the device (typically a BlackBerry), arranges and pays for the service plan, and manages the environment with BlackBerry Enterprise Server (BES). Because BES offers more than 400 ready-made policies, it's easy to require a strong power-on password, specify which (if any) applications may be downloaded, and wipe lost or stolen devices clean. These capabilities no doubt helped Research In Motion eke out a top spot in our most recent Application Mobilization Survey, where 90% had BlackBerrys in wide or limited use. However, the lead is narrow--82% support the iPhone, 70% Android devices. And BlackBerry's margin is getting smaller all the time.

You'd be forgiven, then, for thinking companies are being proactive about mobile data protection. But our 2011 Strategic Security Survey shows only 33% of 1,084 respondents use mobile device management (MDM) software to enforce a unified security policy.

Let's be clear: You can't secure a mobile workforce without a well-thought-out policy. And you can't expect people to adhere to policies that aren't enforced. CIOs can try to get executives and HR to state flat out that disregard for security mandates may lead to termination. But that's always been a hard sell--and it's even harder now because the biggest mobile risk takers are often executives themselves.

A better choice for CIOs than fighting with HR is an MDM system that can provide security comparable to what is available in a BES environment. If you haven't looked into these products in a few years, you may be pleasantly surprised. Functions such as policy enforcement and remote wipe are now standard, and the range of supported platforms has increased to include Apple's iOS and Google's Android; if you manage Windows Phone 7 or WebOS devices, you'll have to look a little harder, but the capabilities are out there. Further, MDM vendors are looking beyond core security functions to better asset management and remote troubleshooting.

The result is a boom in interest for management systems from the likes of BoxTone, MobileIron, Sybase (now part of SAP), Zenprise, and others. While our Strategic Security Survey finds the penetration of these tools to be modest now, at 33%, an additional 36% are evaluating. We expect interest to spike as budgets recover and companies come to realize the importance of maintaining security while meeting employee requests for a greater choice of devices. The total worldwide market for desktop and mobile security clients will top $7 billion by 2015, Infonetics Research predicts, with mobile clients claiming 25% of those sales. SaaS offerings will likely be a significant presence. Already, mobile security client revenue has jumped, up 58% worldwide in 2010 from the previous year.

Think you'll never get funding? In our practice, we see plenty of companies embracing the "bring your own device" movement as a way of transferring some mobility costs to employees. In our 2011 End User Device Management Survey, just 35% resist or put strict limits on consumer-centric technology accessing corporate email, and potentially other applications as well. Let them use their own devices, and the pressure lessens to supply employees with hardware.

Why not direct some of those savings to better management and security?

The threats are certainly there. The most-cited concern in our survey (at 64%) is that sensitive info will be on a device that is lost, stolen, or in the possession of someone who leaves the company. But mobile security goes beyond that. At No.2 is an infected personal device connecting to the corporate network (59%) followed by malicious apps downloaded by a user (37%) and theft of data via uploading to a personal device (36%).

The two nonnegotiable elements to look for in an MDM system are the ability to enforce security policies and to wipe remotely all the devices you support. Policy enforcement typically calls for a small client to be installed on the device, which in turn communicates with the MDM server. The server typically interfaces with the LDAP directory to determine the employee's location, department, job title, supervisor, and other information. From there, the user is typically assigned to a group for which there will be a default policy that may, for example, require a strong password that's entered every time the device is turned on; ensure on-device file encryption; disable the camera; and specify which applications are allowed, banned, or mandatory.

Of course, many users will balk at installing clients and want to simply set up their devices to tap into their corporate email accounts. MDM can help here as well. For example, MobileIron's Sentry product taps into Active Sync and can identify all mobile devices accessing the email server and alert IT to any that aren't registered as MobileIron users.

As part of the configuration, MDM servers can also provision Wi-Fi and VPN settings to ensure that data exchanges are done in a secure fashion. For more challenging environments, systems like NetMotion Wireless' Mobility XE can maintain persistent wireless connectivity as a user moves from Wi-Fi to cellular coverage without having to restart the data connection--a nice touch.

In case a device is lost, virtually all MDM systems can perform remote wipe, a capability also available in Microsoft's Active Sync for Exchange environments. Early implementations had problems distinguishing corporate from personal information, and "remote wipe" often meant "there go the baby pictures." Most MDM systems can now delete information selectively, typically by partitioning a "sandbox" within the device that is under the control of the management system.

When Apps Attack

The specter of mobile malware brings a whole different set of considerations to mobile security. That fear got a boost in March when Google had to withdraw more than 50 Android applications that were found to include viruses. We also need to worry about devices transmitting information, like unique identifiers or location, unbeknownst to the user. Apple's latest dustup over tracking is a case in point, and federal prosecutors in New Jersey are conducting an investigation to determine if app makers are fully describing the type of data they're collecting.

Clearly, application security isn't going away as a concern as we get more mobile.

Fortunately, there are steps IT can take. First, insist that all apps on devices that access corporate data be within a controlled-distribution model. RIM has always controlled software for its devices, and Apple took the same approach with the iPhone and the iTunes store. Microsoft had initially taken a more open stance with Windows Mobile but moved to controlled distribution with Phone 7. As its recent difficulties seem to attest, Google is still coming to grips with security on the Android platform, but we expect the company will address it in the near term. Meanwhile, your MDM system can provide screening. Applications on the device are scanned, and the suites generally allow for in-house app stores to control distribution, sometimes even alerting users when newer versions are available. That protection could be jeopardized if your employee jailbreaks an iPhone or roots an Android device, but MDM systems can typically identify and isolate those devices.

Mobile antivirus software is available from companies like F-Secure, Kaspersky Lab, and Symantec. However, weigh the potential benefit against how much the antivirus software hurts device performance and battery life. The bigger concern is a PC virus that is picked up by the mobile device and then introduced into the PC environment through the Active Sync process. The solution there is a system that would scan for those agents centrally, rather than on the mobile devices themselves. Sybase, for example, partners with Juniper for centralized antivirus scanning.

Not Enough?

Along with security functions, MDM systems have made strides in terms of managing the mobile environment. For example, they typically can maintain a record of each device, its usage pattern, applications installed, versions, identifier, phone number, carrier, and other vital stats. Most also feature software distribution capabilities, so application upgrades can be pushed to devices. One challenge for IT teams wanting to do such automatic software updates is that Apple iOS and Android devices employ a "user permission" model, so users must "accept" applications before they are loaded on the device. However, network administrators can limit network access by devices with noncompliant software. And there are factors that will endear the MDM system to users, such as features to assist in troubleshooting. Many provide an alert when users are traveling internationally to hold down roaming costs or even allow a help desk technician to switch on a misplaced device's ringer remotely, then call it so the user can find it, even if it had been set to silent mode.

When choosing an MDM system, start by reviewing your mobility policy. Since not all suites manage a full range of platforms, define what IT will support and match that to the degree of control that can be exerted. BlackBerry is still the most secure environment, and Apple's iOS has improved dramatically with v4.2 and later. The security features of Android and Windows Phone 7 are works in progress; in particular, updates for WP7 have been spotty and problematic.

Your policy should also address acceptable use, ownership, user responsibilities, and penalties for noncompliance. And here's one you may not have considered: Say your top salesperson uses her personal iPhone for business. The contact number customers have goes with her when she leaves to work for your competitor. Roles where mobile numbers need to be owned by the company must be spelled out in the mobility policy.

If you're starting with a blank slate, the Enterprise Mobility Forum publishes an Enterprise Mobility Guidebook that provides a template for mobile policy development.

As for cost, MDM prices vary widely, but plan on $2 to $10 per device per month, says Philippe Winthrop, managing director of the Enterprise Mobility Forum; variables include high-availability and the number of devices that can be supported on a single server. For a company with hundreds or thousands of mobile employees, that's not pocket change. However, companies have come to recognize that mobility pays off in increased productivity--and secure, manageable mobility can help you avoid even bigger costs down the road.

Michael Finneran is principal of dBrn Associates. As an independent consultant and industry analyst with over 30 years in the networking field, he specializes in wireless technologies and mobile unified communications. Write to us at [email protected].