Mobile Security: How to Secure, Privatize, and Recover Your Devices

Overview of this book

The threat of hacking may be the most damaging on the internet. Mobile technology is changing the way we live, work, and play, but it can leave your personal information dangerously exposed. Your online safety is at risk and the threat of information being stolen from your device is at an all-time high. Your identity is yours, yet it can be compromised if you don't manage your phone or mobile device correctly. Gain the power to manage all your mobile devices safely. With the help of this guide you can ensure that your data and that of your family is safe. The threat to your mobile security is growing on a daily basis and this guide may just be the help you need. Mobile Security: How to Secure, Privatize, and Recover Your Devices will teach you how to recognize, protect against, and recover from hacking attempts and outline the clear and present threats to your online identity posed by the use of a mobile device. In this guide you will discover just how vulnerable unsecured devices can be, and explore effective methods of mobile device management and identity protection to ensure your data's security. There will be special sections detailing extra precautions to ensure the safety of family members and how to secure your device for use at work.
Mobile security policies in the environment


It is important to determine the security policies that need to be put in place within the mobile environment and how they compare to other policies within the overall corporate architecture. The current mobile space is different from traditional IT implementations or those through proprietary vendors who tightly control all aspects of the security. It is very difficult to leverage current security policies as outlined and extend them to a mobile environment. It is critical to identify the needs of the environment and what components of the security policy can and should be met, given the device ownership and uses. Corporate information needs to be secured, but limiting the use of a device, whether it is the internal GPS or camera, needs to be managed appropriately to ensure all applications function properly for all uses of the device. The mobile security industry typically identifies data, communication, and device security as the three main topics that need to be handled in a security policy.

Corporate data and information

Some of the data that is stored on the device whether at rest or in transit needs to be secured; the broader question though is what data sets need to be covered. Personal data belonging to the owner of the device may be sensitive to the owner, but is not important or deemed to be corporate data and therefore, should be left out of the policy. Corporate data such as business contact information, electronic messages, documents, and corporate applications need to have their contents secured against theft of data. Defining what can and cannot be stored on the device and how to effectively secure the data while on the device or if stolen should be clearly identified. Each organization will need to determine the types of data that need to be secured, and the importance assigned to each data set.

Network/communications

The communication of information has to be secure. Typically, corporate IT departments will have IT security standards in place that govern the use of secondary authentication and where communication devices can be placed in the network. It is important to understand that this needs to extend to the ability for end users to leverage Wi-Fi resources (secured and unsecured) along with differing communication companies. Securing the transit of the data is important; therefore, leveraging HTTPS over HTTP and VPN technology over secure data networks will be important to articulate.

Devices

By definition, mobile devices are intended to move with the user of the device. This creates a situation where human error or malicious behavior can compromise the device and ultimately, the data and communication that the devices leverage. The ability to locate, identify, and ultimately manage the device remotely is important. The security policy should deal with the human factors of security, such as loaning the device or leaving it unattended in a public space, but also with the loss of control that comes from the human failures. The process for identifying data and resources to be removed and the ability to manage the removal of data and service is vital for an effective mobile security policy.

Legal requirements and government regulations

There are a number of regulated industries that leverage mobile communication; it is important to understand the impacts of government regulations before completing a security policy. Government regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require the protection of personal sensitive data. It is important to understand how all prevailing laws and regulations affect the mobile environment and potential security requirements.

Determining the types of devices that will be supported

The next step is to determine what devices will be supported based on who owns the device and the service being provided. As noted earlier, the introduction of non-corporate owned assets through a BYOD program can add complexity to the device and service that is required. The ownership and maintenance of devices will significantly impact the policy and how it is developed. This is important because in many cases the device may be owned by the end user, but the service is being provided by the corporate environment. As noted earlier, when people think of devices, the first product many think of is a smartphone, but there are many other devices that exist in the world today that significantly impact the delivery of technology to end users; when looking at Apple technology as an example, the iPhone, iPad, and iPod must all be considered due to how they leverage different operating systems.

Although it seems strange to consider for some people, smart television usage is growing with the inclusion of Wi-Fi, Internet-based applications, and cameras. These sorts of smart televisions can connect to the corporate environment and allow for the hosting of a web conference through the corporate infrastructure. The management of these devices and the ability for end users to leverage them in the corporate environment need to be identified with the appropriate policies put in place.

Determine if a pure MDM solution is required in the environment

It is important to understand what is being gained through the deployment of an MDM solution over the native features that are present in the devices and the current infrastructure. These technologies offer the utilization of standard features that are delivered within the products such as the IBM Traveler service or Microsoft Exchange natively. It is also important to understand if the solution that is being considered can be leveraged within the environment for other elements of the technology infrastructure; adding another component that could be covered by another current infrastructure adds complexity and can potentially add little value.

Tools such as IBM Endpoint Manager and Microsoft System Manager can offer a robust environment that spans the complete IT environment within the corporation, if it is determined that an MDM solution is required to meet security standards. Broader MDM solutions will collect data on environment usage and should manage a complete inventory of devices and services being utilized within the architecture. If an MDM solution is identified as required, it is important to ensure that tools such as these are leveraged rather than multiple point solutions that do not meet the security requirements of the environment.

Elements of device management

The following sections will review the aspects of traditional MDM solutions in the marketplace (this is not intended to be an exhaustive list or a comparison of solutions). These solutions will not only increase security within your environment, but they will also add complexity and costs.

The following gives a broad overview of the different elements of MDM that exist within product offerings on the market today. A lot of this technology is an outcropping of the technology that was delivered with the Blackberry Enterprise Server.

Specific management of the device

Managing the device and controlling it through an inventory process is key to understanding what exists in the environment and what assets are required to be supported. The specific management of the device as an asset is typically accomplished through the following functions:

  • Inventory management: This determines the devices in the environment and identifies ownership of the asset. This allows for management of the physical asset as a part of the corporate IT asset management process.

  • Use of VPN, Wi-Fi, cellular, and so on: This manages the types of access that devices have to the network; whether the device is accessing the environment through cellular or Wi-Fi (secure or unsecure) technology will impact the protection afforded the environment.

  • Updates and compliance: As new operating systems, applications, and policies are identified and deployed, it is important that the devices are maintained and do not stay in a static state. The MDM solution should be able to manage the compatibility and update process to ensure required software along with software and security policy updates are deployed.

Leveraging MDM for application management

Managing the applications on the device ensures that all required applications exist, and that applications that could compromise corporate data are not installed or allowed cross-application access on the device.

  • A review of installed applications: This compiles a list of applications installed on the devices. This can be invasive if the device is part of a BYOD strategy, but understanding exposure is a key first step.

  • Distributing and managing corporate applications: These identify applications that are required on the device such as corporate VPN or security software that is required to ensure proper security on the device, or determine which applications should not be present as they represent a risk to corporate security.

  • Recommended applications: These provide the recommended applications that exist within the app stores, such as editors, specific mapping, or GPS tools.

Management of data on the device

The data that exists on the device can be split into two easy categories: corporate and personal. No matter who the owner of the device or the provider of the connectivity services is, both types of data will exist on the device. It is important to understand how to manage both types of data; the removal of data should be selective, while the protection of the data should be universal. The entire device can be compromised through theft or loss; therefore, partial and complete wipe capabilities along with proper encryption and security need to exist.

  • Selective wipe: This refers to removing only specific data that is relevant to the corporation, such as e-mail, calendar, and PIM data. Ensuring that the device owner's personal data remains or is controlled by the owner is important. This includes specific applications and should not be limited to collaboration tools that exist on the device from one provider.

  • Complete wipe: There are instances when a complete device needs to be wiped and all data should be removed. Some data, such as that located in programs like Dropbox, needs to be removed from the device even though the application is not a corporate app.

  • Remote lock: Some devices that are stolen or accidentally lost need to be locked down to avoid the loss of corporate data. The ability to lock the device remotely is a key requirement when dealing with mobile security.

  • Password and encryption: The requirement of device-level password policies and the employment of encryption policies need to be enforced on the devices to minimize security risks.

  • Lockdown of select applications: If the security policy is set that devices attached to the corporate environment cannot leverage resources such as the camera or specific applications such as YouTube, Facebook, and so on, the solution should support the enforcement of internal policies.

  • Location of data: With the extensibility of the corporate environment to the Cloud through readily available consumer services, there is a potential of mixing personal and corporate data in consumer containers in the Cloud. If limiting exposure of corporate data to the Cloud is within the security policy, it is important to identify known services and manage access.

Access control

Controlling access to the environment by certain devices, operating systems, or certificate credentials should be managed. Some devices and recently released operating systems may cause problems within the corporate environment due to incompatibilities. Additionally, if the end user mistakenly or intentionally stops communicating back to corporate resources, it is important to identify these issues and correct the situation to avoid complaints and issues.

  • Synchronization: It is important that the device communicates with the corporate infrastructure, and that mail/calendar/PIM information, along with security processes, is extended to the devices. If this is not managed properly, the device will get out of sync and cause issues.

  • Password/certificate management: The management of different passwords and certificates is important for the ease of the device usage, but can cause exposures to the corporate environment. The management of issuing, controlling, and removing security credentials is vital.

  • Device type/OS management: The ability to restrict and manage the device based on the device type and operating system will greatly determine the level by which you upgrade and manage the corporate environment.
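
The access-control checks listed above (device type and operating system, password and encryption, certificate lifetime, and loss of synchronization) can be expressed as one decision over the MDM inventory. The following is an added example, not code from the book or from any MDM product; the policy thresholds, field names, and inventory records are all hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta

POLICY = {  # hypothetical thresholds; every organization sets its own
    "min_os": {"ios": (16, 0, 0), "android": (13, 0, 0)},  # other types are refused
    "max_checkin_age": timedelta(days=7),
    "cert_renew_window": timedelta(days=14),
}
NOW = datetime(2024, 6, 1, 12, 0)  # fixed so the sample is reproducible

def parse_version(text):
    """'9.3' -> (9, 3, 0): compare numerically, since '9.3' > '13.0' as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0])[:3])

def evaluate(device, now, policy=POLICY):
    """Return (decision, reasons) for one inventory record."""
    block, warn = [], []
    minimum = policy["min_os"].get(device["platform"])
    if minimum is None:
        block.append("unsupported device type")
    elif parse_version(device["os_version"]) < minimum:
        block.append("operating system below minimum")
    if not (device["encrypted"] and device["passcode_set"]):
        block.append("password/encryption policy not met")
    if device["cert_expires"] <= now:
        block.append("certificate expired")
    elif device["cert_expires"] - now <= policy["cert_renew_window"]:
        warn.append("certificate due for renewal")
    if now - device["last_checkin"] > policy["max_checkin_age"]:
        warn.append("device has stopped synchronizing")
    if block:
        return "block", block + warn
    return ("quarantine", warn) if warn else ("allow", [])

def make(dev_id, platform, os_version, cert_days, checkin_days, encrypted=True):
    return {"id": dev_id, "platform": platform, "os_version": os_version,
            "encrypted": encrypted, "passcode_set": True,
            "cert_expires": NOW + timedelta(days=cert_days),
            "last_checkin": NOW - timedelta(days=checkin_days)}

INVENTORY = [  # constructed sample data, not from the book
    make("dev-001", "ios", "17.4.1", 200, 0),
    make("dev-002", "android", "9.3", 200, 1),
    make("dev-003", "ios", "16.2", 5, 21),
    make("dev-004", "smart-tv", "4.0", 200, 0),
]

def report(inventory=INVENTORY, now=NOW):
    return {d["id"]: evaluate(d, now) for d in inventory}

print(report())
```

Hard failures block access, while a silent device or a certificate nearing expiry only quarantines it, so the user can be contacted before the device falls out of sync.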

Potential solutions

There are a number of strong MDM solutions on the market with each providing different advantages and disadvantages. MDM products and features change as the market environment changes, which happens rapidly. It is important to identify changes that impact your environment and address changes within your deployed environment against the vendors providing the services. It is important to work with each provider to ensure compliance. This appendix is intended to provide an overview of the process; please conduct a complete security and device review prior to deploying the solution that best meets the corporate requirements.

A strong starting point to understand the current players in the market is the Gartner Magic Quadrant for Mobile Device Management Software (subscription to Gartner or purchase of the individual report may be required). While one analyst's view of a large and diverse marketplace should not be viewed as complete, the Magic Quadrant information does provide a strong foundation of the market, players, and information about solutions provided.