Today's enterprises increasingly include mobile devices. Sometimes the organization provides the devices, sometimes it restricts the types of devices that can be used on the network, but most often organizations allow users to bring their own smartphones and tablets and connect. In any of these scenarios - and most critically in the last - some form of security management is necessary.
Mobile device management - or MDM - is the way forward when mobile devices become part of the enterprise. There are several challenges to MDM. The obvious first one is discovering the devices on the network. This can be challenging since these devices come and go as users connect and disconnect. The next one is ensuring that the devices that do connect do not bring security risks with them. Finally, we must not forget that, as devices on the enterprise, they may be subject to the same regulatory requirements to which any other connected device is subject. In fact, the challenges with keeping mobile devices compliant probably exceed the challenge inherent in most other types of devices.
The usual method for ensuring compliance with enterprise security policies is to create a policy that can be pushed out to the device as a prerequisite for joining the device to the network. This brings with it a number of challenges, many political as well as technical. The first thing an administrator must do is determine what kinds of devices to allow on a network. If the organization is supplying the devices, that can be pretty straightforward. If you have BYOD in place, the challenges increase astronomically.
The next thing to consider is what you will allow on the mobile devices, how you will control that and what other tools - such as data leak prevention - you might need to add into the mix. All of this can be controlled by a competent MDM tool and a well thought-out policy. Having been through the BYOD issue at my university, I can speak to all of these challenges with the background of one of the most difficult environments in which to deploy a BYOD policy.
Universities are the seat of learning and along with learning goes a centuries-old tradition of openness. While that is great academically, it simply won't work in today's unsecure world. So how does one balance usability with control? First, start with a security policy that addresses the problem. The policy should articulate very clearly what is expected in terms of mobile device security, why it is expected and how the policy will be enforced. There also must be consequences for attempting to circumvent established controls.
In this policy, make sure that you do not place more restrictions than are necessary to protect your data. There are two aspects to securing a mobile device: first, what damage it can introduce into the enterprise and, second, what damage it can do to data. Usually, as I have emphasized many times, it's all about the data. Here, though, a mobile device can be a sort of "Typhoid Mary," bringing infections to the enterprise without succumbing to the infection itself.
A good MDM tool should allow you to create a policy that can be pushed to the device and that can prevent - or allow you to prevent - connection to the network until the device passes muster. That means that there should be some sort of interaction with Active Directory or whatever you use to provide that service. That interaction can control when the device is allowed to join the network and how it can be kicked off the network if it is not compliant with policy.
The MDM tool should allow a rich set of functions that can translate your mobile device policy into actual configurations and then can enforce those configurations. One of the most important of those is remote wipe. Mobile devices are small and, thus, easy to lose. When a mobile device is lost or stolen, proprietary data, network connections, etc., must be deleted from it.
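The two preceding paragraphs describe the core of what an MDM tool does: take a written policy, turn it into concrete device requirements, check a device against them before it is allowed on the network, and take an action (quarantine, or remote wipe for a lost device) when it fails. The following is an added illustration of that policy-to-enforcement step, not code from the article or from any MDM product; the policy keys, device fields and sample devices are all constructed for the example, and a real deployment would feed the device state from the MDM agent and the decision into the network access control system rather than keep both in memory.

```python
from dataclasses import dataclass, field

# Constructed policy. The key names are assumptions for this example,
# not the schema of any particular MDM product.
POLICY = {
    "min_os_version": {"ios": (16, 0), "android": (13, 0)},
    "require_encryption": True,
    "require_passcode": True,
    "max_passcode_age_days": 90,
    "forbid_jailbreak": True,
    "blocked_apps": {"com.example.unapproved-filesync"},
}


@dataclass
class DeviceState:
    """Compliance-relevant facts the MDM agent reports about one device."""
    device_id: str
    platform: str            # "ios", "android", ...
    os_version: tuple        # e.g. (17, 2); tuples compare lexicographically
    encrypted: bool          # storage encryption enabled
    passcode_set: bool
    passcode_age_days: int
    jailbroken: bool         # jailbroken / rooted
    installed_apps: set = field(default_factory=set)
    reported_lost: bool = False


def evaluate(device: DeviceState, policy: dict) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    reasons = []
    min_ver = policy["min_os_version"].get(device.platform)
    if min_ver is None:
        reasons.append(f"platform {device.platform!r} is not permitted")
    elif device.os_version < min_ver:
        reasons.append(
            f"OS version {device.os_version} is below minimum {min_ver}")
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("storage encryption is disabled")
    if policy["require_passcode"]:
        if not device.passcode_set:
            reasons.append("no passcode set")
        elif device.passcode_age_days > policy["max_passcode_age_days"]:
            reasons.append("passcode older than "
                           f"{policy['max_passcode_age_days']} days")
    if policy["forbid_jailbreak"] and device.jailbroken:
        reasons.append("device is jailbroken or rooted")
    for app in sorted(device.installed_apps & policy["blocked_apps"]):
        reasons.append(f"blocked application installed: {app}")
    return reasons


def decide(device: DeviceState, policy: dict) -> tuple:
    """Map device state to an enforcement action.

    A device reported lost or stolen is wiped regardless of its other
    state; otherwise a non-compliant device is kept off the network
    (quarantined) and a compliant one is allowed on.
    """
    if device.reported_lost:
        return "wipe", ["device reported lost or stolen"]
    reasons = evaluate(device, policy)
    if reasons:
        return "quarantine", reasons
    return "allow", []


# Constructed sample devices standing in for what the agent would report.
SAMPLE_DEVICES = [
    DeviceState("tablet-01", "ios", (17, 2), True, True, 30, False,
                {"com.example.mail"}),
    DeviceState("phone-02", "android", (12, 0), True, False, 0, False,
                {"com.example.unapproved-filesync"}),
    DeviceState("phone-03", "ios", (17, 0), True, True, 10, False,
                {"com.example.mail"}, reported_lost=True),
]


def run_sample() -> dict:
    """Evaluate every sample device; returns {device_id: (action, reasons)}."""
    return {d.device_id: decide(d, POLICY) for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for device_id, (action, reasons) in run_sample().items():
        print(f"{device_id}: {action}")
        for r in reasons:
            print(f"    - {r}")
```

The point of keeping `evaluate` separate from `decide` is that the first is the part that changes when the written policy changes, while the second is the part wired into the network join and kick-off mechanism described above; the list of reasons is what you would show the user so that the political side of enforcement is at least transparent.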
There is an explicit assumption that the thief - or someone who finds the device - may want to see its contents. In those cases, the only thing to do is to delete all data on the device. This can cause a serious political backlash because users with personal information - such as music, pictures or videos - balk at having them wiped in case they recover the device.
This is just one example of what an MDM tool can provide. The assurance that policy is translated to configuration and that compliance with policy is enforceable is critical to your selection of an MDM tool. Generally, you should select a tool that allows that level of control.