IT Focus Area: strategy
June 7, 2012
How to Create a Mobile Device Management Strategy
Like it or not, enterprise IT organizations are quickly realizing that mobile devices are eclipsing PCs and laptops as the devices of choice for employees in the workplace and beyond. Mobile devices such as smartphones and tablets offer incredible power and flexibility in both our business and personal lives, which is leading to great pressure to integrate them within the enterprise.
Mobile computing today, when done right, creates an opportunity for workers to be more productive and happy, while also offering a major competitive advantage for the organization. However, if not done right, the consequences can be quite devastating. This was the main topic of conversation during a recent series of workshops we hosted for public and private companies on the impact the proliferation of mobile devices is having on enterprises. Interestingly, not a single organization in attendance had a fully formulated Mobile Device Management strategy.
Most, if not all, were still on the ground floor trying to figure out what to do. They realize there are significant risk mitigation issues that they need to address, but because IT is often resource-constrained—especially in today’s tight economic conditions—they continue to struggle to address these issues.
That is why many large, medium and even small corporations are seriously considering a formalized enterprise Mobile Device Management (MDM) strategy to deal with the proliferation of mobile devices knocking on their doors. This means not only using MDM specific applications and products, but also combining them with the right mix of policy, procedures and end user training.
Done correctly, enterprise MDM can be a practical approach that first assesses the organization’s challenges, and then evolves with the dynamic, constantly changing business needs. By working together and developing a pragmatic approach with MDM, an organization’s IT and business leaders are much more likely to embrace today’s mobile world – and benefit from it.
The mobility gold rush
It's not hard to see why these devices have spurred this gold rush to mobility in the enterprise. Sometimes, it comes from the top. The board or C-level execs may favor a certain device. Meanwhile, employees down the chain are often adopting the latest devices, platforms and applications much faster than corporate IT departments can react.
Social media is growing as a business application as well, blurring the work and home environments. Shifting business models also require tech-savvy employees, who are looking to connect to the enterprise with their iPhones, iPads, Androids, Blackberries and other mobile platforms. And along the way, employee expectations of corporate IT’s ability to manage their mobile needs are changing.
But this consumerization of IT also presents some significant challenges. Of course, the cost of keeping up with the mobile world is always a factor. Many companies simply cannot afford to dedicate in-house resources to keep up.
Regardless of whether they do it themselves or engage outside expertise, organizations have to address the issue of integrating mobile into existing business processes. This includes managing the productivity of a remote workforce, determining the reliability of the mobile technologies, and most critical, security issues.
For instance, a recent joint study by Carnegie Mellon's CyLab and McAfee found that almost half of users keep sensitive data on their mobile devices, including passwords, PIN codes and credit card details. The ramifications of losing a device or having it compromised can be devastating – not only to the individual, but to the organization whose sensitive data, or at least the keys to it (passwords, PINs, etc.), may be held within the device.
For corporate IT, there are five major security risks that must be addressed:
Device and application attacks
The interception of communications
Too often, the decision makers jump right to which tools they should buy and want to know what kinds of bells and whistles are out there to “lock these things down.” To paraphrase former U.S. Secretary of Defense Donald Rumsfeld, when it comes to mobility there are “known knowns,” “known unknowns,” and “unknown unknowns.” And most organizations don’t know what they don’t know when they look at how they are going to mitigate risk in a mobile environment.
So where do we begin?
In our opinion, it is always best to use those tried and true methodologies, or best practices, that security professionals have been preaching for years.
An effective approach begins with a risk assessment that assesses, evaluates, manages and measures each of these security risks. It is also important that the enterprise IT department work with the business units to understand their mobile requirements.
Without a comprehensive risk assessment, the purchasing decision will more than likely not reflect the reality of what they are looking to protect.
Before moving forward, organizations need to be able to answer several key questions:
1. How many mobile devices are connected to our network?
2. How do we know how many mobile devices we have?
3. How are these devices connecting?
4. How often are these devices connecting?
5. What data and services are these devices accessing?
6. How many of these devices are managed?
7. How many comply with our corporate policies?
8. What would be the ramifications if any of these devices are compromised, lost or stolen?
From here, a matrix of controls can be developed to help enhance the risk mitigation. For instance, organizations need to determine what technologies and practices need to be implemented to control different classes of information that mobile devices can access or store. They also need to think ahead and extend acceptable use policies to all current and future mobile devices. And all mobile device users must agree to company-defined processes and regulations before being granted access to corporate resources.
The next step is to design effective training and communication plans. Although the overwhelming majority of organizations have policies in place for mobile devices, fewer than one in three employees are aware of their company’s mobile security policy.
Consider this: many legit iPhone and iPad apps leak personal data to third parties. Users don’t help – some still insist on using 0000 or 1234 as their password, making it easy to hack the device. Jailbreaking also puts iPhone users at risk for downloading infected applications, and also often leave the device with a standard root password that may grant an attacker administrator-level access to the device.
The threat is real. Just last year, a hacker pleaded guilty to electronically stealing data from more than 100,000 iPad users. Employees need to be aware that just because data is contained in electronic form on their phone, it is no less confidential and should be treated no less carefully than if it were on paper. And ideally, this requirement needs to be written into their employment contract and reinforced through regularly scheduled training.
One very simple, yet elegant, solution is to insist that users turn on the built-in security mechanisms on their devices. Even before establishing a thorough risk mitigation strategy, organizations can insist that users must install a PIN number on their iPhone if they plan to use it to access the network. Mobile devices also have location awareness tools that can help the IT department conduct a remote wipe if the devices are lost or misplaced.
Although the overwhelming majority of organizations have policies in place for mobile devices, fewer than one in three employees are aware of their company's mobile security policy.
One size does not fit all
It is also important to realize that one size does not fit all when it comes to mobility. In fact, the ability to standardize on only one mobile operating platform within the enterprise is going the way of the rotary dial with the advent of these new devices and technologies.
Users are looking to blend their personal devices into their work lives, and that means organizations need to prioritize which devices they will support and at what levels. For instance, one issue that will need to be considered is what images will be displayed on the various operating systems. And security remains an ever-present concern, since nobody has yet been able to develop a universal centralized security app for the variety of phones being released by vendors to the market.
It is most likely that within any corporate environment there will never be a "one size fits all" solution. Employees, depending on their job requirements, will likely require varying levels of access to data and services. Thus it makes sense to consider some form of a multi-tiered answer to the problem. One suggestion is to segment the environment into three basic levels.
Tier one would be executives and others who need access to very specific types of highly sensitive information and services, and who will use the mobile devices as a critical facet of their jobs. Tier two would be those whose mobile devices aren’t a necessity for the corporation, but can benefit both themselves and the organization with some access. Finally, Tier three would be individuals to whom a minimal level of access (perhaps email only) is granted, but strictly as a convenience to the individual.
For this scenario a multi-tiered solution may look something like this:
Tier one – Users qualify for corporate-liable devices and are provisioned with Mobile Device Management software and business applications.
Tier two – Users qualify for personally owned devices that are “lightly” managed and supported by the organization.
Tier three – Users are free to connect their own devices with web-based applications, but they don’t qualify for reimbursement of any kind, nor are they supported by the organization.
Organizations must also reserve the right to manage any and all mobile devices that require access to corporate resources. This management responsibility needs to be independent of who actually owns the mobile devices, and may require the installation of the firm’s security policies on the mobile devices as a condition of being granted access to corporate resources.
One thing that can be easily overlooked is the need to protect the integrity and privacy of corporate data by isolating that data inside the firewall from personal data. This can be done either by “sandboxing” or taking a virtualized approach to data storage.
Of course, the key to this matrix of controls is enforcement of strong security policies that prevent data security breaches. These polices should address encryption, PINs and passwords, auto-lock capabilities, location tracking, remote wipes, disabling non-approved applications, features and functionality, and policy removal prevention.
Once all of these controls are in place, organizations can prioritize and determine how and when users will be provisioned with enterprise-class applications, and address ramifications for non-compliance with these controls. Enterprise MDM risk mitigation policies should also be reviewed at least yearly.
The apps story
More than 300,000 mobile applications have been developed in the last three years alone, and users have downloaded 10.9 billion apps over that same time period. Clearly, the proliferation of apps has helped drive the consumerization of IT.
The challenge is that most apps being published to the app store are developed autonomously and don’t have a high level of quality assurance when it comes to security. Yes, Apple and others will say they provide security checks, but those are mostly rudimentary. Once the app is downloaded and installed, it is caveat emptor – back doors and coding objection flaws probably haven’t been addressed in today’s app stores. Users are at the mercy of the app, and they aren’t really seeing what’s being communicated and how it’s being communicated across the network.
For instance, a colleague recently accessed a well-known airline’s mobile app to check in. He was shocked when he immediately received a notification from his personal DLP (Data Loss Protection) service that his check-in request had been blocked due to a violation in the DLP security policy. It turns out that the airline’s app did not enforce the transmission to be encrypted through a secure HTTPS connection, but rather simply passed it through clear text HTTP. So sensitive information—including his phone number, house address and flight information—would all have been transmitted had the DLP not stepped in and prevented it.
At the enterprise level, it’s critical to understand which apps are mission-essential and standardize mobile users on those apps. Those can be published for download only while a user is on the corporate image and connected to the network. Organizations should also examine their internal app store and focus on setting restrictions on apps that are not business-essential.
Location. Location. Location.
The big problem with mobility is that organizations don’t know where people are going to be when they try to access the network with their devices.
Whether they are sitting in a coffee shop or at a desk in their home or at work, users are more and more frequently looking to access their network through their mobile device than through a PC or desktop terminal.
So part of the risk assessment also needs to examine how users plan to connect to the network, where they will be using it, and what access points are acceptable. For instance, what will the corporate profile look like if a user is connecting through a hotspot at the airport, as compared to connecting via a wireless modem within the company’s headquarters? It will also be important to decide how to authenticate to the access point itself. Will it be through a shared key, or will a third-part database be used to help authenticate users at corporate?
Organizations need to constantly keep their guard up when it comes to mobility. Employees will continue to adopt the latest devices, platforms and applications much faster than corporate IT departments can react.
However, by leveraging an effective security centric approach to risk mitigation, organizations today can understand where the security risks lie, whether their operating systems are secure, if the mobile devices being used have adequate security features, and how to battle malware-laden code in applications. And that will let them—and their mobile users—rest easier.
An earlier version of this article appeared in InSecure Magazine.